False positive

Hello, yesterday I saw that Avast is blocking all of my websites for reasons that I don’t understand

My website hxxps://beta.bigcoding.com has the URL:Mal2 infection on url hxxps://beta.bigcoding.com/

My website hxxp://www.exile-craft.com has the HTML:Script-inf on url hxxp://www.exile-craft.com/|>{gzip} → I really don’t understand what it is

and URL:Mal2 on hxxp://beta.bigcoding.com/bigTracker/track which is a kind of analytics.

I am really fed up with all of your false infections “viruses”

Can you please remove all these FP and/or show me in detail what’s causing it

I also saw that Sucuri (I don’t know if Avast uses it to check for viruses) was detecting a virus because of a php error but I fixed it.

Thanks. Bye.

You have to wait for an explanation from one of the Avast Team Members; we are volunteers with relevant knowledge but not Avast Team Members that can unblock.

Some issues:

WARNING: Name server software versions are exposed:
5.135.153.149: “9.9.5-9+deb8u6-Debian”
Exposing name server’s versions may be risky, when a new vulnerability is found your name servers may be automatically exploited by script kiddies until you patch the system. Learn how to hide version.
Missing certificate should be installed: BEAST
The BEAST attack is not mitigated on this server.
Certificate information
This server uses a Domain Validated (DV) certificate. No information about the site owner has been validated. Data is protected, but exchanging personal or financial information is not recommended.
Common name: beta.bigcoding.com
SAN: beta.bigcoding.com, bigcoding.com
Valid from: 2015-Jul-01 15:43:18 GMT
Valid to: 2016-Jul-01 17:56:29 GMT
Certificate status: Unknown
Revocation check method: Not available
Organization: (none)
Organizational unit: (none)
City/locality: (none)
State/province: (none)
Country: BE
Certificate Transparency: Not Enabled
Serial number: 05ed6ff5652386
Algorithm type: SHA256withRSA
Key size: 4096

Also see: https://seomon.com/domain/beta.bigcoding.com/
and https://securityheaders.io/?q=https%3A%2F%2Fbeta.bigcoding.com%2F

The site has a bad Avast web rep because of a large number of negative votes :o

What about this: https://whois.domaintools.com/horipvp.com

polonus

URL:Mal(2) > https://forum.avast.com/index.php?topic=185110.msg1304746#msg1304746

Blacklisted :
http://zulu.zscaler.com/submission/show/ea366e48faa266ad484823dd81a0d130-1459955289
http://urlquery.net/report.php?id=1459955424033
http://urlquery.net/report.php?id=1459955546282
http://multirbl.valli.org/lookup/5.135.153.149.html

Suspicious code :
http://quttera.com/detailed_report/beta.bigcoding.com

@polonus

Ok, so I removed the ssl cert and now the version is hidden

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2303
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT “unknown”

;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.

;; Query time: 0 msec
;; SERVER: 5.135.153.149#53(5.135.153.149)
;; WHEN: Wed Apr 06 19:21:58 CEST 2016
;; MSG SIZE rcvd: 75

@Eddy

If I understand, the HTML:Script-inf is due to the fact that I include http://beta.bigcoding.com, which is blacklisted? How do I remove bigcoding.com from the blacklist?

For the three first links you sent to me, I don’t see any blacklisted items and for the fourth link I sent a request for removing the ip

Also, the suspicious code is simply jquery.js. Why is it reported as Potentially Suspicious?

Thanks for your answers. Tell me if I forgot something.
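The version.bind check that the dig output above performs by hand, as an added example (not code from this thread or from Avast): it builds the CHAOS-class TXT query, parses the reply, and flags a banner that still looks like a real BIND version rather than the “unknown” set in named.conf. The sample replies are constructed for offline use; `query_version` sends the same query to a name server you operate.

```python
import socket
import struct
# Added example (not from the thread): query version.bind CH TXT and flag a leaked BIND version.
CLASS_CH, TYPE_TXT = 3, 16
QUESTION = b"\x07version\x04bind\x00" + struct.pack(">HH", TYPE_TXT, CLASS_CH)

def build_query(txid=0x08FF):
    """Query with RD=0: we ask the authoritative server directly, as dig does."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + QUESTION

def build_response(version, txid=0x08FF):
    """Constructed reply (QR+AA, one TXT RR) so the parser can be tested offline."""
    txt = bytes([len(version)]) + version.encode()
    rr = b"\xC0\x0C" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt
    return struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0) + QUESTION + rr

def skip_name(resp, off):
    """Advance past a NAME: a 2-byte compression pointer or a label sequence."""
    if resp[off] & 0xC0 == 0xC0:
        return off + 2
    while resp[off] != 0:
        off += resp[off] + 1
    return off + 1

def parse_txt_strings(resp):
    """TXT strings of the first answer RR, or [] when the server answers nothing."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # QTYPE + QCLASS
    if an == 0:
        return []
    off = skip_name(resp, off)
    rtype, rclass, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
    rdata = resp[off + 10:off + 10 + rdlen] if (rtype, rclass) == (TYPE_TXT, CLASS_CH) else b""
    out, i = [], 0
    while i < len(rdata):
        out.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
        i += 1 + rdata[i]
    return out

def banner_leaks_version(strings):
    """True when the banner still looks like a real version, e.g. '9.9.5-9+deb8u6-Debian'."""
    return any(ch.isdigit() for s in strings for ch in s)

def query_version(server, timeout=3.0):
    """Send the query over UDP to your own name server and parse the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(), (server, 53))
        return parse_txt_strings(sock.recvfrom(4096)[0])
```

A server that refuses the CHAOS query (no answer section) yields an empty list, which the leak check also treats as hidden.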

I removed bigcoding.com from our blacklist :wink:

Thank you very much!

Thanks, moffa13, for coming here and reporting, and great your site has come off of that blacklist.
Always good to report here and also good to get the free security advice we gladly have provided to you.
Stay safe and secure and keep working towards better website security, so we all get more secure.

polonus