How do I whitelist my websites and software so they do not trigger a hit?
Get them clean
Well, I mean, it would be good if you post your website URL and we can check if (why) your products are marked as false positives.
Not sure what the policy is of bumping topics here, but I would like to have my domain, oldiesmann.us, whitelisted again. It appears someone got hold of the FTP/cPanel password for that domain and went to town with it - uploading a “NeW0nE.exe” file (no idea what that is), a botnet script and a MySQL backup script. I deleted the files in question, changed the password and blocked the entire range of IP addresses involved at the server level (it’s a VPS, so I can blacklist them on the firewall to prevent them from accessing anything on that server).
urlvoid report
http://www.urlvoid.com/scan/oldiesmann.us/
If you think this is wrong, report it here: http://www.avast.com/contact-form.php
The site currently scans clean with Dr.Web, but is on Dr.Web’s malicious sites list.
Sent a message via the contact form. The one file reported by scumware doesn’t exist on the server (and hasn’t for some time). I can’t find out what Dr.Web is complaining about, nor can I find a contact form to get them to whitelist the site.
https://support.drweb.com/new/urlfilter/?lng=en
Hi, hope this helps.
See here: http://www.senderbase.org/lookup?search_string=72.44.88.18 (status OK)
also here: http://urlquery.net/report.php?id=2621800
code hiccup for lavalamp-1.3.5.js
Blacklists here: http://www.urlvoid.com/ip/72.44.88.18/ DrWeb URL check - send a FP here!
htxp://oldiesmann.us redirects to http://www.oldiesmann.us/index.php?PHPSESSID=eb3661107117d8749e58654f300f2354;wwwRedirect
(rewrite this like given here: http://www.seomoz.org/ugc/removing-phpsessid-from-an-url (link posting author = tehtjo))
htxp://oldiesmann.us is in Dr.Web malicious sites list!
hxtp://www.oldiesmann.us/index.php?PHPSESSID=eb3661107117d8749e58654f300f2354;wwwRedirect is in Dr.Web malicious sites list!
polonus
I saw that earlier but didn’t see it as a way to report false alarms for viruses. I see that now though so I’ve submitted it there as well. Hopefully that will help.
This could have been older reports for the IP you’re on: http://www.scumware.org/report/72.44.88.18
for HTML/ScrInject.B.Gen virus and Win32/PSW.Fareit.A trojan
PWS:Win32/Fareit.A is a trojan that steals sensitive information from the affected user’s computer and sends it to a remote attacker.
The other virus could stem from your computer, not your website, as it may be in your Firefox profile or could be resting in IE "administrator/ appdata/local/microsoft/windows/temporary internet files/low IE5/ htm file"
The two following scanners may help to locate it: These are free on demand scanners that may help:
Malwarebytes Antimalware Free - http://www.malwarebytes.org/products/malwarebytes_free
Please note, do not accept the trial version of MBAM Pro as it will conflict with MSE while the free version will not.
Superantispyware Free - http://www.superantispyware.com/downloadfile.html?productid=superantispywarefree
If there are remnants of such adware then you might need the help of a qualified removal expert here…
polonus
I don’t think there’s anything on my end - I’ve had Avast Internet Security running for several months and assorted other internet security programs before that. The “result.exe” file that it lists is long gone, and that’s a Linux server anyway so it wouldn’t do much good unless someone downloaded it.
I’m not sure what “HTML/ScrInject.B.Gen” is. I installed clamv and ran a scan with it on the account for that domain. That turned up a few PHP shell scripts which have since been deleted. Another clamv scan now indicates that everything is clean:
[root@server] [/home/.../] # clamvscan -rq public_html
----------- SCAN SUMMARY -----------
Known viruses: 2337066
Engine version: 0.97.8
Scanned directories: 9251
Scanned files: 52044
Infected files: 0
Data scanned: 764.48 MB
Data read: 41819.96 MB (ratio 0.02:1)
Time: 145.539 sec (2 m 25 s)
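A signature scan like the one above only reports known samples, so a useful cross-check after stolen FTP/cPanel credentials is to list what changed in the web root while the old password was still valid. The following is an added example, not code from any poster in this thread; the function name, extension lists and sample file names are assumptions made for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumed extension lists, chosen from the file types named in the thread.
SCRIPT_EXTS = {".php", ".phtml", ".js"}
FOREIGN_EXTS = {".exe", ".dll", ".scr"}  # no business in a Linux web root

def audit_webroot(root, window_start, window_end):
    """Return sorted (reason, relative path) findings for one web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.lstat()
            except OSError:
                continue  # file vanished or is unreadable; skip it
            rel = path.relative_to(root).as_posix()
            ext = path.suffix.lower()
            # mtime can be backdated with touch; ctime records the inode
            # change itself, so a hit on either timestamp is reported.
            in_window = any(window_start <= t <= window_end
                            for t in (st.st_mtime, st.st_ctime))
            if ext in FOREIGN_EXTS:
                findings.append(("windows-binary", rel))
            elif ext in SCRIPT_EXTS and in_window:
                findings.append(("changed-in-window", rel))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (made-up names) and audit it."""
    now, day = time.time(), 86400
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Themes").mkdir()
        # relative path -> age of last modification in days
        samples = {"index.php": 100, "cache.php": 2, "Themes/upload.exe": 50}
        for rel, age_days in samples.items():
            p = root / rel
            p.write_text("constructed sample\n")
            os.utime(p, (now - age_days * day,) * 2)
        # Window: from three days ago until one day ago (password change).
        return audit_webroot(root, now - 3 * day, now - 1 * day)

if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason:18} {rel}")
```

Anything it lists is a candidate for manual review or comparison against a clean copy of the forum software, not a verdict.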
The detection was from 2013-05-22 and in WordPress, and it cannot be disinfected, it should just be deleted,
found in error.php or all.php (object attacks) -
attack could be created via Debug.output via Wget or filesubmit or via other methods…
polonus
There’s only one problem with that… I don’t use WordPress nor is it installed anywhere on the (virtual) server.