system
October 20, 2016, 1:46pm
1
Hi,
I have a website builder tool at www.sitepx.com , after the new Avast update, all users using Avast can’t access any site in my plataform.
We are trying to figure out what the problem is, but we just can’t understand the following erros:
HTML:Script-inf on object:http://adm.sitepx.com/login|{gzip}
I know what HTML:Script is, that http call returns 200 on a machine without Avast.
Another error:http://119.syscall.ws/img/119/guiavila-cases-5573.jpg
And the same case here, that http call returns 200.
We can’t find any problem or virus in several tools, like:virustotal.com , multirbl.valli.org , pcthreatskiller.com , zulu.zscaler.com and others.
Anybody can help me?
Eddy
October 20, 2016, 1:49pm
2
There was a problem with the detection of things, but they have been solved in the latest update.
system
October 20, 2016, 1:58pm
3
We have two machines with this error on both we updated the virus definitions.
The problem can be on my domain: syscall.ws, Looks like Avast started blocking this domain.
Eddy
October 20, 2016, 2:07pm
4
I’ve just checked and avast is not blocking or flagging www.sitepx.com
system
October 20, 2016, 2:10pm
5
Ok, and the domain http://syscall.ws and subdomains (*.syscall.ws)
All images on the site builder are served on this domain, like this image:
http://119.syscall.ws/img/119/guiavila-cases-5573.jpg
If i try to access that image on a machine with Avast i get the error URL:Mal.
Eddy
October 20, 2016, 2:18pm
6
system
October 20, 2016, 2:56pm
7
We don’t know this domain: cc-staging.net
All images are served from syscall.ws that is under a load balance on AWS Webservices, for that reason we don’t control the IPs.
We fixed a redirect when syscall.ws is access on path “/”, he was redirecting to AWS, where there is 2 malicious files.
system
October 20, 2016, 7:04pm
8
Hi,
I manage to remove the domain syscall.ws on all sites.
Now i got another error, when i try do loggin on http://adm.sitepx.com i got:
JS:ScriptIP-inf[Trj]http://adm.sitepx.com/core
All my customers are complaining, they can’t edit their sites.
Eddy
October 20, 2016, 7:13pm
9
No alerts with the latest updates installed when I try to access the site.
Rednose
October 20, 2016, 7:18pm
10
No problems except for http://adm.sitepx.com/core
Greetz, Red.
system
October 20, 2016, 7:22pm
11
I think the problem is when the user access with his credentials, i made a single sign-on (it’s a test account for testing purpose)
Please, try access this url:
http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4
Here we always get the error:http://adm.sitepx.com/core
HonzaZ
October 21, 2016, 7:35am
12
wget "http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4"
--2016-10-21 09:31:52-- http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4
Resolving adm.sitepx.com... 52.203.64.224, 52.204.166.252
Connecting to adm.sitepx.com|52.203.64.224|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: /core/#sys/_inc_site-menu,id:NDcyZGUx [following]
--2016-10-21 09:31:52-- http://adm.sitepx.com/core/
Reusing existing connection to adm.sitepx.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'
2016-10-21 09:31:53 (199 MB/s) - `index.html' saved [9703]
The file I am getting still contains reference to syscall[.]ws.
system
October 21, 2016, 11:17am
13
True,
There was a reference in javascript variable, but not anymore:
$ wget “http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4 ”http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4 adm.sitepx.com (adm.sitepx.com )… 52.204.166.252, 52.203.64.224adm.sitepx.com (adm.sitepx.com )|52.204.166.252|:80… connected.#sys /_inc_site-menu,id:NDcyZGUx [following]http://adm.sitepx.com/core/ adm.sitepx.com:80 .
TmpnJTNEXy5weC5fTWpFMUxqT [ <=> ] 9,43K --.-KB/s in 0s
2016-10-21 09:15:59 (37,9 MB/s) - ‘TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4’ saved [9657]
$ cat TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4 | grep syscall.ws
HonzaZ
October 21, 2016, 11:32am
14
What I mean is if you get “JS:ScriptIP-inf [Trj]” detection, it means there is a blocked URL in a JS. No mention of a blocked URL → no Avast popup.
polonus
October 21, 2016, 11:53am
15
The “URL-Mal” on object link you gave is also given at Sucuri’s as blacklisted by McAfee’s. On an IP blacklist?
Also AmazonS3 SSL Certificate listed here: https://www.threatminer.org/ssls.php?q=thawte%20sha256%20ssl%20ca&t=16
Only find this GradeSaver image to reside there:
DOMAIN##119 dot syscall dot ws AmazonS3 Fri, 21 Oct 2016 11:45:31 GMT 2 80 52.4.30.251 1 0#_index_defaultpage .html 0 0 0 1 1 0 0 0 -1 0 0 0 0 0 1 #_index_defaultpage .html 0 0 0 1 1 0 0 0 -1 0 0 0 0 0 1 #_index_defaultpage .html 339 application/xml 301 429 1 0 0 1 1 -1 429 0 0 0 0 1 #guiavila-cases-5573 .jpg 451 image/jpg 200 Thu, 10 Oct 2013 03:35:11 GMT 0 0 0 0 1 0 -1 0 0 0 0 0 0
polonus
system
October 21, 2016, 1:16pm
16
Tks!
Now everything is ok, i just remove all references of syscall.ws.
Hi, lateley I receive this message from avast every time I log in my yahoo mail account:
the threat was shielded
we safely declined the connection toel.tripsandtricks.com
how can I fix that?
Thank you!
Asyn
May 1, 2022, 10:08am
18
Hi, lateley I receive this message from avast every time I log in my yahoo mail account:
the threat was shielded
we safely declined the connection toel.tripsandtricks.com
how can I fix that?
Thank you!
Hi,https://www.avast.com/false-positive-file-form.php
