A visitor has reported that our web site (w__.mensway.com) has triggered an alert on his avast anti-virus. We have checked the server and believe it to be clean, but how can we know more about the report and the assumed threat? We would really like to know if this issue is real or whether it is a FP.
You can go to Virus Total (VT): http://www.virustotal.com/ and put the URL into the site scanner. You can post the results here in your thread. Oftentimes several hours later, the site will be updated after someone reports something to VT, so you may want to check back if anything positive is reported.
Report 2010-10-07 09:21:00 (GMT 1)
Website mensway.com
Domain Hash e80a8d2696d5b4d29eebc63fac3006cf
IP Address 217.16.9.176
IP Hostname h4.off-sourcing.com
IP Country FR (France)
AS Number 48809
AS Name ABCONNECT AB CONNECT
Detections 2 / 17 (12 %)
Status SUSPICIOUS
I have visited the home page using Firefox 3.6.10 and got no alerts from avast. This however doesn’t mean there is nothing there, as there are some exploits that only work on IE and I don’t do any investigation of possibly suspect sites with IE.
So we are going to need more specific information if this is a link other than the home/index page and what the alert is?
I have checked the page source and can’t see anything obvious, but I do see the script tag for google-analytics.com/ga.js and that uses what could be mistaken for obfuscation of JavaScript as it is creating a script tag within a script tag to run the google-analytics.com/ga.js (JavaScript file, see image1).
Now I don’t know if this is what is triggering those last two references (Posted by: Asyn), but it isn’t triggering avast. Because those two other references (really only one as I believe they use the same scanning tool) mentioned in the description:
Description
This signature detects a web pages associated with malicious, encoded content and result in file downloads to additionally compromise the target host.
This could mean that they don’t like one of the URLs that lead off site and the only other one of those is the GeoTrust QuickSSL [tm] Smart Icon tag (image2). So I really don’t know what the two references are picking up on based on this page source.
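The manual source review described in the post above can be repeated offline; the following is an added example, not part of the original thread. It lists every `src` that points off-site and decodes `unescape("%3C...")` strings so a script-written tag, like the one in the Google Analytics loader, can be read in plain form. The sample page, the hosts `www.example.com` and `seal.example.net`, and the names `SourceAudit` and `audit` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample page (not the real site's source): the classic
# Google Analytics loader plus an off-site seal image on a made-up host.
SAMPLE = """<html><body>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script src="/js/site.js"></script>
<img src="https://seal.example.net/icon.gif">
</body></html>"""

class SourceAudit(HTMLParser):
    """Collects src attributes and the text of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.refs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if src:
            self.refs.append((tag, src))
        self._in_script = tag == "script" and not src

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit(html, own_host):
    """Return (off-site src references, markup written via unescape())."""
    p = SourceAudit()
    p.feed(html)
    offsite = [(t, u) for t, u in p.refs
               if urlparse(u).netloc not in ("", own_host)]
    # Percent-decode the string literals passed to unescape(); "[expr]"
    # marks a non-literal piece such as gaJsHost. unquote() does not
    # handle the %uXXXX form that JavaScript's unescape() also accepts.
    written = []
    for m in re.finditer(r"unescape\(([^)]*)\)", "".join(p.inline)):
        parts = [unquote(s) for _, s in re.findall(r"""(["'])(.*?)\1""", m.group(1))]
        written.append("[expr]".join(parts))
    return offsite, written

if __name__ == "__main__":
    print(audit(SAMPLE, "www.example.com"))
```

Each decoded string and each off-site host can then be checked individually against the scanner that raised the alert.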