My website is blocked

Hi,

It appears that in the last couple days my website has been blocked by Avast. It’s just a personal site, no big deal, but I’m trying to figure out why it has been blocked. After looking over the logs on the server, there has been no suspicious login activity, so I started focusing on the software itself. Apache is up to date, as is simple machines. I looked through the other directories on the webserver and couldn’t find anything suspicious. UnmaskParasites didn’t complain about anything on any of the directories.

I’m really at a loss here as to why my site has been blocked. If it’s infected with something, I’ll fix it - if it hasn’t been, why has it been blocked?

My site is: hxxp://9thlevel.ca/

Thanks.

Try this to scan your site: http://wepawet.iseclab.org/
asyn

Here is the report from that tool, which says no malicious software identified:

http://wepawet.iseclab.org/domain.php?hash=2ae4f61e814577e8159beb3688a9a8e2&type=js

I’m really scratching my head here. ??? ???

Hello dmarkd,

Not found on hphosts black list.
Neither on mdl.
up returns ok.
wepawet returns ok.

My virtual machine seems to be messed up. Not able to connect to the internet. Will surely post some update here later. Even if I didn’t find anything.

nmb

Well wepawet isn’t really saying anything, but I don’t believe that means there is nothing wrong.

Trying to check your site I find nothing on the home page, see image of the source of the home page.

I too don’t believe that wepawet is telling us the right thing. There was a recent attack on apache.org too… maybe an Apache-related issue… Idk… maybe it is not an Apache problem. My VM is not able to connect to the internet.

nmb

Full disclosure, I took down the unused SMF forums I had on the front page to see if that would help anything, and replaced it with the “Sup” page that is there now. I did this AFTER the wepawet scan, however.

I have upgraded to the latest Apache build. Even still, I have a much higher traffic site hosted on the same Apache instance which is not being reported as “bad” by Avast or anything else.

So my question is, is Avast actually detecting something live when I go to the site, or is it just because my URL is in a database somewhere that Avast is complaining?

Since network shield is blocking, it should be in the blacklist of n/w shield.

nmb

So what has triggered it to be there? Can I report to somewhere that I think it’s wrong and have them re-evaluate?

Well you can do it here or send an email to them with the link to this topic in the body: virus[at]avast[dot]com. Idk whether there is any other email id for reporting n/w shield fps. ;D

nmb

Web Shield says the site is blocked because of JS:ScriptPE-inf [Trj] (0)

http://forum.avast.com/index.php?topic=44391.0
http://forum.avast.com/index.php?topic=43970.0
asyn

I really wish there was some more verbosity around these errors. JS:ScriptPE-inf [Trj] apparently is a generic label for any apparently malicious javascript. Except before I removed the forums, I looked, and there wasn’t any there. Anyway, at the very least, there is absolutely NO javascript there now as I replaced the forums with a single static page, and have sent an e-mail to the one nmb mentioned. Hopefully I’ll get some more info.

Asyn, I looked at those topics before writing this, again, no help. The JS just isn’t there, and apparently this is now a blacklist issue not an active detection issue.

I’m using avast 4 and network shield blocks it ???

nmb

To the best of my knowledge, Avast doesn’t use a blacklist.

Once blacklisted it could take some time…
It would be interesting, how long exactly!
So, please could you post back here, if the issue is solved…!??
Thank you! :slight_smile:
asyn

You sure? I don’t think so…

nmb

Well, I’m not really sure. But since Avast is actually detecting malware it doesn’t sound like blacklisting.

Also, in Avast 5 the detection is listed in both Web Shield and Network Shield.

From what I remember, a blacklist is (at least) partly how network shield works…

FWIW I also get a network shield block of this site with 5.

-Scott-

Even in avast 5, network shield blocks it, but if you disable network shield, you will then get the trojan error itself. So I’m getting this multi-pronged block against the site and I have no idea why.

If it is not a blacklist, what exactly is it finding wrong with the index.html containing nothing but “Sup” ? Even using a telnet session to the page to inspect the headers shows nothing out of the ordinary.

This is getting pretty frustrating.