Not me, in fact; and I’m a bit disappointed with them. Suddenly Avast said that the website http://wxw.NameOfMySite.org (over Joomla) has a virus and is very dangerous. Well, I designed and programmed this site; so I checked everything on the server and realized that everything seemed to be alright, although Avast persisted in pointing to the index of my template as infected.
In more detail, what Avast (and no other antivirus) identifies as a virus is the following jQuery script:
$("#logo").click(function(){window.location.href="http://wxw.NameOfMySite.org"})
The same happens if I replace the base URL of my site with a Joomla request “<?php echo $this->baseurl;?>”
I could understand that a JavaScript function that redirects you after a click on an image could be suspicious; but, please, it redirects you TO THE SAME SITE. The problem here, though, is that I informed Avast about this false positive many times and never received an answer. Avast continues to consider my site URL:Mal infected.
Does anyone on the Avast team read this kind of thing? This forum? What do you think about it?
Hi, mikaelrask, thanks for your welcome, and for your suggestions.
Here are the results from zulu’s analysis of my real website (I could share the real name if you want):
-External elements (up to 10): scripts, iframes, links are ALL BENIGN
-Content checks (0/100): without impact on the overall risk score
-URL checks (0/100): without impact on the overall risk score
-Host checks (22/100): IP address has been identified as risky by one/more sources
FOR A TOTAL SCORE OF 27/100
Well, if you run the same analysis with similar tools (Sucuri, Norton, WebCheck, McAfee SiteAdvisor, Google Safe Browsing, AVG ThreatLabs, ScanURL, Web Inspector and others), 100% of them say the website is not infected at all and is secure. Only VirusTotal (and presumably Zulu) says that THE DOMAIN NAME is blacklisted by Bitdefender.
I know my site and server are clean. I know that in the past (on another server) the site was compromised; that’s why the client decided to move to my VPS.
Anyway, I opened an email ticket with Bitdefender. THEY answered me with an analysis of the site. They said the site has no malware, but invited me to buy their antivirus (because with it, they can search deeper on my site). Yes, you heard that right. I’m still working with them to remove my site from their blacklist.
But the real problem for me is with AVAST. (By the way, I have been using the Avast free version for twelve years and recommending it to my friends since then; that is probably about to change.)
Hi, Pondus; thanks for your reply. As you can see in my previous answer to mikaelrask, the site is listed at bitdefender. A false positive in only one blacklist (as in this case) can be one of those “whatever reason”; so Avast could be more careful.
But I downloaded the entire site to my local server (on my personal computer), analyzed it with Avast and voilà! A virus was detected (the message was not URL:Mal but another one, in red and threatening) in the index.php file of the template (as I said, the site is built on Joomla). I do not remember the exact message (I’m not at my PC right now); but I can tell you later.
In the end, I cut my index.php file into pieces and analyzed each one of them with Avast; I put aside the clean parts and continued cutting the “infested” piece into smaller pieces; and thus, recursively, I finally got to know what Avast considered a dangerous virus: just the script I mentioned in my first message.
So, I am wondering if anyone from the Avast team has an answer to this.
You should wait for a final verdict from an Avast Team Member, as we are volunteers with relevant knowledge.
So in the meantime consider the results of my third party cold reconnaissance scanning of your website.
With regard to cloaking the site looks fine: Googlebot and Google Chrome return a similar status code, there are no spammy-looking links, no iframes and no blacklinks to worry about.
BitDefender Traffic Light flags your website as malware site.
Your site is being hosted with 41 other websites on that same IP address, so whenever you have bad neighbors you could suffer the consequences. In that case ask your hoster to move you out to a more secure IP. There are current events going on there and there is spam activity from 16 blacklisted URLs: http://sitevet.com/db/asn/AS54641
Looking at your CMS: Web application version:
Joomla Version 2.5.28 found at: -http://damasdeblanco.org/administrator/manifests/files/joomla.xml
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 3.4.5
Joomla Modules, Components and Plugins
The following modules were detected from the HTML source of the Joomla front page.
No modules were found passively in HTML source
The following components were detected from the HTML source of the Joomla front page.
mailto
The following plugins were detected from the HTML source of the Joomla front page.
jatypo
jckeditor
Adding Modules, Components and Plugins to a Joomla site expands your attack surface. These addons are a source of many security vulnerabilities, it is important to always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes. Using the Joomscan scanner you are able to test more aggressively for plugins and modules installed within a Joomla installation.
I see no vulnerable jQuery libraries. Some script links may come blocked by adblocker or scriptblocker tools,
but you should check there are no problems created while
var $j = jQuery.noConflict(); $j(document).ready(function($) {
Inspecting the DNS: Issue with Name Servers Versions
WARNING: Name servers software versions are exposed:
70.39.150.2: “9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.6”
74.124.210.242: “9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.6”
Exposing name server’s versions may be risky, when a new vulnerability is found your name servers may be automatically exploited by script kiddies until you patch the system. Learn how to hide version.
You should mitigate the issues I reported for your site. Where Avast flags, I think you have to take that up with your hoster, as from the exposed name server versions I fear that this is not a particularly proactive hoster with security as a first priority.
Better consider moving to dedicated hosting, because there you would not have such bulk-hosting problems.
Joomla 2.5.28 is secure, isn’t it? Outdated is not the same as infected.
Also, neither of the plugins used is insecure.
Although, you are right, I found a hidden link in the four articles listed by scumware.org (yes, only four, although with slightly different URLs each time). And I cleaned them weeks ago; it is strange that one of them is still listed (or not, who knows?)
Anyway, I just reviewed it again, and reviewed and cleaned the database (and found nothing strange). To me it is strange that scumware found a URL which is the URL that appears in the database plus a ‘.4’ at the end. Does anyone know what this could mean? I tested that you can add ‘.anything’ or ‘=anything’ at the end of the URL and Joomla still recognizes it as your real URL. And the real URL is just simple text with no more hidden links.
Please, Pondus, note that none of the other websites on that IP is blacklisted, as far as I could see. Only damasdeblanco.org.
As I said before, after a request, BitDefender answered that they found the site clean, but that it was necessarily a partial review unless I buy their antivirus. I will insist with them. As for the other one who blacklisted damasdeblanco (scumware), I will also report to them what I consider a false positive.
I owe a debt of gratitude to all of you for taking the time with my troubles. Thanks.
Good tools, Polonus. Please note that only 14 sites are sharing the IP (41 if you count the parked domain names). And I did not find any of them (except for damasdeblanco.org) blacklisted. So I feel I have no solid arguments to ask the server hoster to change my IP (which, by the way, I do not see as a solution for the current problem).
I was quite busy working on a project, so I had not even visited the site until today, when I could access it without Avast interference. So I came here to say thank you; especially to HonzaZ, from the Avast Team.
See you ;-).