IP still blacklisted after Avast intervention

Hello,

A few months ago we got malware on one of our websites and our IP 217.160.91.5 got blacklisted by Avast.
We detected the malware (a w32 file) and removed it within 3 days. We also set up a higher level of security on the server, changed every password, and installed security software to prevent any kind of trouble in the future.

We immediately sent AVAST the report of the security contractor who cleaned and secured the server.

On the 28th of June we received an answer from an Avast engineer (Ticket ID: JTA-831143) saying that the IP has been unblocked.

But it is not! And the IP 217.160.91.5 is still blacklisted after more than 40 days!

We tried to send new emails to AVAST but no one would answer or give us a clue of what’s going on!

Could someone on the team give us an answer on how the IP blacklist works here?

Thanks a lot! We really hope to find an answer here.

PS: VirusTotal reports no malware on our websites. Rkhunter doesn’t find anything. And the IP is not blacklisted anywhere else.

Confirmed clean/benign:

http://www.ipvoid.com/scan/217.160.91.5/
http://www.quttera.com/detailed_report/217.160.91.5
http://zulu.zscaler.com/submission/show/0454c9e59fe14f9f40ff925394e3d221-1345462212

The IP was scanned, and the now closed malware was on this url: htxp://www.coachseduction.fr/
This snort rule was triggered: http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
see: http://www.youtube.com/watch?v=uQ7OrxtiAes (video by bardbecket)
see: http://urlquery.net/report.php?id=72703
Going here htxp://www.coachseduction.fr/robots.txt
I get User-agent: *
Disallow:
Sitemap: http://wXw.coachseduction.fr/sitemap.xml.gz
The unknown_html malware has been closed since 2012-06-21 09:52:21
The site is not being blocked by avast, only the IP. I get an “out of rule”. The server state is: 201 Okay
But the site that is being flagged by avast is htxp://www.orthopass.com/ on that same IP
See: http://wepawet.cs.ucsb.edu/view.php?hash=d157af8c30c89dbab9a2244db4e85010&t=1345466673&type=js
Got a close this block for w1.sndcdn dot com for that site, because of a multifilter upcode detection,
If you think the IP should be unblocked and the site wXw.orthopass.com is clean,
you can use the on-line contact form, http://www.avast.com/contact-form.php?loadStyles for:

  • Sales inquiries; Technical issues; Website issues; Report false virus alert in file;
    Report false virus alert on website; Undetected Malware; Press (Media), issues.
    You could include a link to this thread here,

polonus

Thank you for your answer.
It is true that the malware has been removed since 21/06/2012.

But I think you are wrong when you say that htxp://www.coachseduction.fr/ is not being blocked by avast! It is! Every single vhost I’ve got on this IP is still blocked!
The only reason why you can access htxp://www.coachseduction.fr/ (with avast) is because I put it behind a CDN (Cloudflare). So your browser connects to a different IP than the one blocked by avast. But if I deactivate the CDN, the website will be blocked because of its IP.

Moreover, you said that htxp://www.orthopass.com/ has been flagged? There is a problem in the JavaScript? The script you refer to is a script I got on the SoundCloud website. It looks like everything is fine on htxp://www.orthopass.com/ .

I already sent a request to http://www.avast.com/contact-form.php?loadStyles 2 weeks ago and got no answer. Do you think I should write again?

Thank you!

Hi thibault87,

You could do that once again, adding a link to this thread. When there are no further issues preventing the unblocking, this could be as soon as an upcoming update. I cannot influence that, because that is up to the avast analysts. What I could advise you here is to remove the “X-Powered-By” HTTP header, as this is giving away to the world that content is being generated dynamically. It is being advised to remove this header. Furthermore, everything seems OK at secussl.com - spamcheck and Safebrowsing results tested as OK.

Stay safe and secure,

polonus
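
The two header observations made in this thread (the snort http_inspect alert for a response with neither Content-Length nor Transfer-Encoding, and the advice to drop X-Powered-By) can be checked on a server's own responses. The following is an added example, not part of the original posts; the function name `audit_response` and the sample responses are constructed for illustration.

```python
# Added example: audit one raw HTTP/1.x response for the two header issues
# mentioned in this thread. All sample responses below are constructed.

# Statuses that never carry a body, so a missing framing header is normal.
NO_BODY = {204, 304}

def audit_response(raw, request_method="GET"):
    """Return a list of findings for one raw HTTP/1.x response string."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return ["malformed status line"]
    status = int(parts[1])

    # Header names are case-insensitive, so index them lowercased.
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    findings = []
    # Software disclosure: the header the thread advises removing.
    if "x-powered-by" in headers:
        findings.append("discloses X-Powered-By: " + headers["x-powered-by"])
    # A body is expected but nothing frames it. This is legal when the server
    # closes the connection, yet it is the condition the alert text describes.
    body_expected = request_method != "HEAD" and status >= 200 and status not in NO_BODY
    if body_expected and "content-length" not in headers and "transfer-encoding" not in headers:
        findings.append("no Content-Length or Transfer-Encoding in response")
    return findings

# Constructed samples.
CLEAN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
LEAKY = "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.3.3\r\nConnection: close\r\n\r\n<html></html>"
NOT_MODIFIED = "HTTP/1.1 304 Not Modified\r\nETag: \"abc\"\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("leaky", LEAKY), ("304", NOT_MODIFIED)):
        print(label, audit_response(sample))
```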

Thank you for your help!

I sent a request more than a week ago to the link you gave… and I still got no answer as I expected.

Do you have any idea of what I could do?

You can also write to: virus(at)avast.com

OK. I will write to them and will report here when I get an answer!

Thank you!

You’re welcome.

A quick update,

The IP was unblocked in yesterday's Avast update (28/08/2012). Everyone could access the website without any problem.

But today, one day later (29/08/2012), Avast updated to today's VPS and guess what… The IP is blacklisted again and all our websites are blocked!

Please, does someone have a clue about what happened?

PS: Of course I checked the websites and server logs and found everything clean.

I will check again tomorrow and will keep you updated.

Today's VPS is still the same. All the websites on our server are being blocked!

Please, could someone from the team explain to us what is going on?