Hoping an Avast person will read this

We’re blacklisted for 4 weeks. I have no idea what or when, where or how. There are 35 domains hosted on that server and this one website is declared infected. I installed Avast Server Edition on this server and it returns 100% clean. Submitted a ticket with Avast and they respond in broken English that the site is infected. That’s it. No cause, no reason. Meanwhile I stripped the site of all iFrames and JavaScript scripts. Spent a week on this and the customer goes over the roof. NO other virus scanner reports us as infected, Avast does. Simple as that. Frustrating and stressful to say the least, not to mention the cost of labor. I fully agree to have a system in place that looks for viruses, but before shutting down a domain have at least the courtesy to point it out with facts before you do, and not treat me like a criminal.

The site is wxw.embroidershoppe.com

Dutchie

There is a suspicious Javascript code injection detected by Quttera: http://www.quttera.com/detailed_report/www.embroidershoppe.com

Please break the link with wxw or hxxp, we don’t want to link to malware-containing sites.

This script below is generated by a repeater control from whw.devexpress.com. I paid over $800 for this .NET controls suite and you are suggesting it’s potentially dangerous. Thousands of people use those controls so is DevExpress and all those others blocked?

ScriptResource.axd?d=QAPP1-xZVVRpy7V68WnRu1lzbgnE51KTpb1Sz3cXQBfYXGJP0CeR4Yxp-rLI8EonMT0S0WwvAriXCgJzbk4bHWC2OxILL2TuAefhnBvEO-4U5WfPoGuoAK_IxU6R3hsYy0fx_EnEkkGiILaprKp5QA2&t=ffffffffdd783992

NO other virus scanner reports us as infected, Avast does.
And what infection does avast say you have?

If you think the block is wrong, report it here:

http://www.avast.com/contact-form.php (select subject according to Your case)

I reported the site last week. This is their answer.

Hello,
Thank you for contacting AVAST Software company with your concerns.
Detection is correct, in our opinion. Site is infected.
If you need further assistance, don’t hesitate to contact me again.

Then I would do as the last sentence in the mail says :wink:

Hi Dutchie,

This is the third thread you opened up on this issue.
You got a reply here: http://forum.avast.com/index.php?topic=140990.msg1026254#msg1026254
Problems with the script were confirmed here:
http://connect.microsoft.com/VisualStudio/feedback/details/434997/invalid-webresource-axd-parameters-being-generated

Malcode status was confirmed by someone from the avast team: your site is indeed/was infected.
So I think it is urgent that you get the site cleansed.

On this scan I get: htxp://www.embroidershoppe.com/includes/includes/smooth.pack.js
200 OK
Content-Length: 32406

htxp://www.embroidershoppe.com/includes/includes/includes/smooth.pack.js
200 OK
Content-Length: 32483
Content-Type: text/html

htxp://www.embroidershoppe.com/includes/includes/includes/includes/smooth.pack.js
200 OK
Content-Length: 32560
Content-Type: text/html

htxp://www.embroidershoppe.com/includes/includes/includes/includes/includes/smooth.pack.js
200 OK
Content-Length: 32637
Content-Type: text/html

htxp://www.embroidershoppe.com/includes/includes/includes/includes/includes/includes/smooth.pack.js
200 OK
Content-Length: 32714
Content-Type: text/html

htxp://www.embroidershoppe.com/includes/includes/includes/includes/includes/includes/includes/smooth.pack.js
200 OK
Content-Length: 32791
Content-Type: text/html

htxp://www.embroidershoppe.com/includes/includes/includes/includes/includes/includes/includes/includes/smooth.pack.js
200 OK
Content-Length: 32868
Content-Type: text/html

htxp://www.embroidershoppe.com/includes/includes/includes/includes/includes/includes/includes/includes/includes/smooth.pack.js
200 OK
Content-Length: 32945
Content-Type: text/html

htxp://www.embroidershoppe.com/includes/includes/includes/includes/includes/includes/includes/includes/includes/includes/smooth.pack.js
200 OK
Content-Length: 33022
Content-Type: text/html

htxp://www.embroidershoppe.com/includes/includes/includes/includes/includes/includes/includes/includes/includes/includes/includes/smooth.pack.js
200 OK
Content-Length: 33099
Content-Type: text/html

htxp://www.embroidershoppe.com/includes/includes/includes/includes/includes/includes/includes/includes/includes/includes/includes/includes/smooth.pack.js
200 OK
Content-Length: 33176
Content-Type: text/html

htxp://www.embroidershoppe.com/includes/includes/includes/includes/includes/includes/includes/includes/includes/includes/includes/includes/includes/smooth.pack.js

Strange, these multifold includes URIs!

See: http://jsunpack.jeek.org/?report=074f1d2b00b21be7c8b0c742cdc6cc29dabc72fa and https://urlquery.net/report.php?id=8095670
and

Definitely the site is not as it should be and should be cleansed.
Going into denial and bumping your postings in new threads won’t let this detection go away.

What, for instance, is ssl-cert: Subject: commonName=wXw.nhug.org?

polonus
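The fetch results quoted in the post above show the pattern worth recognising: a URL ending in .js that answers with Content-Type text/html and a body that grows by exactly the same number of bytes each time one more includes/ segment is added. The usual cause (stated here as the likely explanation, not something the thread confirms) is a catch-all handler that returns the site’s own page for any unknown path, so a relative script reference nests one level deeper on every fetch; a scanner sees HTML where a script should be and weights that heavily. The following check is an added example written for this thread, not code from the forum or from any scanner named in it. It re-analyses the quoted observations (reconstructed here as constructed data, URLs kept defanged with hxxp as the thread does) and works on any list of (url, status, content_type, content_length) tuples.

```python
"""Spot a 'recursive include' served by a catch-all handler.

Added example, not code from the thread. It re-analyses fetch results of the
kind quoted above (URL, status, Content-Type, Content-Length) for the two signs
that a .js URL is really returning the site's own HTML page: the MIME type is
text/html, and the body grows by a fixed amount per extra nested path segment.
"""
from urllib.parse import urlparse

# Constructed from the observations quoted above, URLs kept defanged (hxxp) as
# the thread does. The first fetch in the quote showed no Content-Type, so it
# is recorded as None.
OBSERVATIONS = [
    ("hxxp://www.embroidershoppe.com/" + "includes/" * depth + "smooth.pack.js",
     200, ctype, length)
    for depth, ctype, length in [
        (2, None, 32406), (3, "text/html", 32483), (4, "text/html", 32560),
        (5, "text/html", 32637), (6, "text/html", 32714), (7, "text/html", 32791),
        (8, "text/html", 32868), (9, "text/html", 32945), (10, "text/html", 33022),
        (11, "text/html", 33099), (12, "text/html", 33176),
    ]
]

SCRIPT_EXTENSIONS = (".js",)


def repeated_segment(url):
    """Return (segment, run_length) for the longest run of identical consecutive
    path segments, e.g. ('includes', 12) for /includes/includes/.../x.js."""
    best = ("", 0)
    run_seg, run_len = None, 0
    for seg in (s for s in urlparse(url).path.split("/") if s):
        if seg == run_seg:
            run_len += 1
        else:
            run_seg, run_len = seg, 1
        if run_len > best[1]:
            best = (seg, run_len)
    return best


def html_served_as_script(observations):
    """URLs that look like scripts but came back 200 with an HTML Content-Type."""
    return [
        url for url, status, ctype, _ in observations
        if status == 200
        and urlparse(url).path.endswith(SCRIPT_EXTENSIONS)
        and ctype is not None
        and ctype.split(";")[0].strip().lower() == "text/html"
    ]


def length_step(observations):
    """If Content-Length grows by one constant amount per nesting level, return
    that step (the size of the echoed page's own reference growing by one
    segment); otherwise return None."""
    by_depth = sorted(observations, key=lambda o: repeated_segment(o[0])[1])
    lengths = [o[3] for o in by_depth]
    steps = {b - a for a, b in zip(lengths, lengths[1:])}
    return steps.pop() if len(steps) == 1 else None


def analyse(observations):
    """Summarise the evidence that a catch-all handler is echoing the page."""
    deepest = max(observations, key=lambda o: repeated_segment(o[0])[1])
    seg, depth = repeated_segment(deepest[0])
    return {
        "repeated_segment": seg,
        "max_depth": depth,
        "html_served_as_script": html_served_as_script(observations),
        "length_step": length_step(observations),
    }


if __name__ == "__main__":
    result = analyse(OBSERVATIONS)
    print("repeated segment:", result["repeated_segment"], "x", result["max_depth"])
    print("script URLs answered with text/html:", len(result["html_served_as_script"]))
    print("constant growth per level:", result["length_step"], "bytes")
```

A non-None length_step together with a non-empty html_served_as_script list is the signature to act on; the remediation on the server side is to return 404 for paths that do not exist and to reference scripts with a root-relative path, so a mistyped or relocated script can never resolve back to the page that included it.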

I did another scan and there were the following issues flagged:
iFrame check:
Suspicious javascript:false’ javascript:false’
This means that you have an HTML page that has a frame or an iframe where the URL of this iframe/frame is a javascript code that probably is “javascript:false;”
These requests are from user agents mindlessly following a or similar. They are bots faking a browser user agent. The bots are interpreting the javascript URL as a relative URL because they are buggy or their human owners don’t care.

Browser Difference Scan: Not identical

Google: 89443 bytes Firefox: 92796 bytes
Diff: 3353 bytes

First difference:
form1">

<input type="hidden" name="__eventargument" id="__eventargument"…

polonus

http://www.quttera.com/detailed_report/embroidershoppe.com
https://urlquery.net/report.php?id=8096568

That is not what I see Polonus, but OK I guess Avast is right, Microsoft Ajax Controls are wrong and developers are the pisspots.
Truth of matter is: there is no virus, never has been one and Avast is the very only scanner who sees ghosts. Your server version doesn’t even see it.

Never mind, I’m done and tired of this.

Dutchie.

Hi Dutchie,

Cannot help you here; the final word is with one of the avast team members responsible for the URL:Mal blocking.

Your AS does not have a super clean bill either, with 544 blacklisted URLs.
This badness is going on from that Autonomous System? Malicious URLs:
…badware? Yes
…exploit servers? Yes
…Current Events? Yes
…spam activity? Yes

Historical badness saw a deep peak during the last months of 2013 (75%), this all according to Sitevet’s report.

polonus

Sitevet? Never heard of it. I research and I see a website in Beta development.
Spam? I have never spammed in my life. What’s the purpose? To get in trouble?
Badware? what is that now?
Current Events? Don’t know what you mean.
Exploit servers? I mind my own business, not interested in anything else.

Like you said: I’m in Avast hands. No other scanner sees ghosts like Avast does. Doesn’t that tell you anything?

Thanks for your help.
Dutchie

Hi dutchie,

But your mailserver points to this domain: http://www.reversemx.com/domain/hatchedinafrica.com/
US, Arizona, Phoenix
And there I see no alerts and I can go there without any ado: http://hatchedinafrica.com/
Registrant Name: S Nuss

polonus

OP deleted it.

Alan1998, I have not done anything else but fixing. I took out all fancy clutter javascript that is not necessary. I took out Microsoft Ajax Controls and rewrote the iFrames, it’s using jQuery popups now. I have googled all of Polonus’s lingo. Some makes sense, some doesn’t.

Last year I moved from Colocrossing Chicago to Phoenix Nap. Colocrossing had a very bad reputation as well. So now Phoenix has one too obviously. Where am I supposed to host my business to be safe and, moreover … to be affordable?

Like I said, I learned a great deal, this is an experience. I know what to do.

My post was made out of anger, so I apologize. I shouldn’t have been outright rude to you.

I’m not into Sites myself, I usually let Polonus take a look when I have questions. I can ask polonus to take a look again, but it seems something is still wrong as Avast! for me is still flagging it down.

Again I am sorry for the rude post, I have taken it down.

I didn’t see it as rude but trying to see all this in the right context. I have a hard time understanding all this. A company like Avast with the power to shut down websites based on a few incomprehensible factors is the same as Hitler sending Jews to the camps. I agree I don’t see a threat in an Ajax postback but that is not my job. My job is to lead a handful of embroidery businesses and make sure they can survive. I understand the severity of javascript injections and I understand how important all this is, but at least Hitler told the Jews he hated them but Avast shuts me down without a warning or cause. If you don’t know what is troubling me, how am I supposed to know? Moreover, I have 25 of those websites all using the same logic and controls. A while back I did a gig for a GOV contractor, their security system approved the code but according to Avast they are not and that security is very very tight. What are they supposed to think? What are you guys doing? You are like cops taking people off the streets because they wear a yellow shirt. I am not begging you, you will know what you are doing but I tend to believe you are stepping out of your boundaries by doing what you do.

I suggest you watch your comparisons. :frowning:
Staying civil will always get better and faster results than being rude.

Hi dutchie,

What are the facts? Quttera sees a script as suspicious and apparently avast! flags that. The avast detection is URL:Mal, which means a general malware detection of some sort.
This could be due to some blacklisting, others on the same IP launching malware, and a lot of other issues.
I went with the site code through Redleg’s FileViewer and stumbled upon this big chunk of response page source code on line 68.
Is that what avast! is flagging? The suspicious bit is the broken

“hid den” name="

characteristic of suspicious or malicious code injection! See attached image!

To cleanse whatever avast! flags is a matter between you and the appropriate avast! team member.

We are just volunteers with a particular interest and some expertise that try to assist on the forums, but we are just volunteers and have no other relation with the avast product than the fact that we were chosen to be evangelists and in my case Überevangelist.

I hope the code hiccups with your site will soon be sorted out,

polonus
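Two of the scanner findings in this thread can be checked statically against page source: the iframe whose src is “javascript:false” (the earlier iFrame check result) and the broken “hid den” type token in a hidden input that polonus quotes above. Both are things a site owner can look for in the HTML the framework actually rendered, without any scanner. The script below is an added example for this thread, not code from the forum, from avast, or from any of the scanners mentioned. It parses HTML with the standard library and reports frames with a javascript: URL, input elements whose type is not a valid HTML input type (which catches a token split like “hid den”), and hidden fields whose names fall outside the set ASP.NET WebForms emits on its own (__VIEWSTATE, __EVENTTARGET, __EVENTARGUMENT and the like, listed in the code as the commonly rendered set), so an injected field stands out from the framework’s own output. The sample page is constructed for the example.

```python
"""Static HTML audit for the patterns the scanners in this thread pointed at.

Added example, not code from the thread or from any scanner named in it.
Reports:
  * <iframe>/<frame> whose src uses the javascript: scheme;
  * <input> with a type that is not a valid HTML input type (e.g. "hid den");
  * hidden inputs whose name is not one ASP.NET WebForms renders itself.
"""
from html.parser import HTMLParser

# Hidden fields ASP.NET WebForms renders on its own (commonly seen set, assumed
# here as the baseline); any other hidden field deserves a look.
WEBFORMS_HIDDEN_FIELDS = {
    "__VIEWSTATE", "__VIEWSTATEGENERATOR", "__VIEWSTATEENCRYPTED",
    "__EVENTTARGET", "__EVENTARGUMENT", "__EVENTVALIDATION",
    "__PREVIOUSPAGE", "__LASTFOCUS", "__SCROLLPOSITIONX", "__SCROLLPOSITIONY",
}

VALID_INPUT_TYPES = {
    "hidden", "text", "password", "submit", "button", "checkbox", "radio",
    "file", "image", "reset", "email", "number", "search", "tel", "url",
    "date", "color", "range",
}


class InjectionAudit(HTMLParser):
    """Collect (finding, detail) pairs in document order."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("iframe", "frame"):
            src = a.get("src", "").strip().lower()
            if src.startswith("javascript:"):
                self.findings.append(("javascript-scheme frame", a.get("src")))
        elif tag == "input":
            itype = a.get("type", "text")
            if itype.lower() not in VALID_INPUT_TYPES:
                self.findings.append(("malformed input type", itype))
            # Collapse a split token such as "hid den" so the name check still
            # runs on the field the browser would treat as hidden-ish.
            if itype.replace(" ", "").lower() == "hidden":
                name = a.get("name", "")
                if name.upper() not in WEBFORMS_HIDDEN_FIELDS:
                    self.findings.append(("non-framework hidden field", name))


def audit(html):
    """Return the list of findings for one HTML document."""
    parser = InjectionAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a WebForms-style page with the framework's own hidden
# fields, plus the two patterns the scanners complained about. The viewstate
# value is a placeholder, not real data.
SAMPLE = """
<form id="form1" method="post" action="default.aspx">
  <input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="">
  <input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="">
  <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="PLACEHOLDER">
  <input type="hid den" name="__injected" value="PLACEHOLDER">
  <iframe src="javascript:false" style="display:none"></iframe>
  <input type="text" name="search">
</form>
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind}: {detail!r}")
```

The javascript:false frame is a placeholder many pages use; the thread already explains why scanners and badly written bots trip over it, and the standard substitute that raises no flags is about:blank. A hidden field the framework did not emit, or a type token broken by whitespace, is the finding that actually warrants reading the rendered source line by line.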

http://www.websicherheit.at/en/website-security-check/
Not only the IFrame is flagged as suspicious.

Eddy, I took out the items found in websicherheit. Not sure what to think about Browser Vergleich. How can it be suspicious when 2 different browsers render the same page to different file sizes? And what can one do about it.

Polonus, I truly appreciate your help. This morning I had a bad morning. I’m feeling the steam from my clients in my neck. I didn’t find anywhere a ‘hid den’ name. I don’t know where you see this. Line 68 is what the Framework renders. This you will see in all framework webforms. I can’t get away with that.

Thanks,
Dutchie