Need help with "MALICIOUS URL BLOCKED"

Hello - I own a site (wxw.southernairboat.com) that Avast has started blocking within the past week and am looking for some help to figure out just what it is that Avast doesn’t like. Avast was initially blocking the entire site, but within the last couple of days appears to be blocking our phpbb3 forum only.

Here’s some details:

  • I access the site with several other computers and antivirus programs with no problem.
  • I have manually searched site files, with my limited knowledge, looking for recent changes.
  • Sucuri.net constantly monitors the site and I have scanned it with every online site scanner I have found, with clean results every time.
  • I have installed Avast on one of my computers and have been reporting the site as a “false positive” regularly for about a week.

Here’s some scan results:
hxxp://sitecheck.sucuri.net/results/southernairboat.com
hxxp://www.urlvoid.com/scan/southernairboat.com/
hxxps://www.virustotal.com/en/url/a83c4a7fa671abb0f22b749a4db4bd69adc254c3e197ef4d673c21c4bd91746d/analysis/1376489254/

Any help would be greatly appreciated.

URLQuery: hxxp://urlquery.net/report.php?id=4553768
Zulu: hxxp://zulu.zscaler.com/submission/show/08d9e7f010dcc65fe4b70326fa4c7e96-1376492959
Quttera: hxxp://www.quttera.com/detailed_report/southernairboat.com

Quttera reports a potentially suspicious file on the site.

I will notify Polonus about this, he is a website analyst.

I am already getting an alert when I open this topic, and your screenshot is not working…

This is being blocked: hxxp://www.southernairboat.com/phpBB3/download/file.php?id=10884

To both posters:
Please ‘modify’ your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

Even more so as the links cause avast to alert on its own support forum.
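An added example (not from any poster in this thread) of the link-breaking convention asked for above, as a small Python helper a moderator or poster could run over a draft: it rewrites http/https to hxxp/hxxps and www to wxw, reverses that for feeding a link into a scanner, and lists any links still left clickable. The sample post text and hostnames are constructed for the example.

```python
import re

# Added example: implements the forum's "break the link" convention
# (http -> hxxp, https -> hxxps, www -> wxw) so suspect URLs can be
# shared in a post without being clickable, and flags links a poster
# forgot to modify. The sample post below is constructed, not from the thread.

# A clickable link: an http(s) URL or a bare www. host, up to whitespace/quotes.
LIVE_LINK_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"')\]]+", re.IGNORECASE)


def defang(text: str) -> str:
    """Neutralise every link in a block of post text."""
    text = re.sub(r"\bhttp(s?)://", r"hxxp\1://", text, flags=re.IGNORECASE)
    return re.sub(r"\bwww\.", "wxw.", text, flags=re.IGNORECASE)


def refang(text: str) -> str:
    """Restore defanged links (e.g. to paste into a scanner); inverse of defang()."""
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return re.sub(r"\bwxw\.", "www.", text, flags=re.IGNORECASE)


def live_links(text: str) -> list[str]:
    """Return the links a moderator would still ask the poster to modify."""
    return LIVE_LINK_RE.findall(text)


# Constructed sample post (placeholder hosts, not the site in the thread).
SAMPLE_POST = (
    "Here's some scan results:\n"
    "http://sitecheck.scanner.example/results/forum.example\n"
    "https://www.forum.example/phpBB3/download/file.php?id=1234\n"
    "also see www.forum.example/calendar.php for comparison"
)

if __name__ == "__main__":
    print(live_links(SAMPLE_POST))          # three live links need modifying
    print(defang(SAMPLE_POST))
    print(live_links(defang(SAMPLE_POST)))  # []
```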

Edited, DavidR. I forgot that, because I copied it from the Avast Security Center.

Polonus is notified. :smiley:

There is still something there that is causing avast to alert, and I believe it may well be the analysis links; if avast looks further at the links on site it would then hit the suspect URL responsible for what looks like a drive-by download.

Every time I open this topic I get the alert.

So all links including analysis ones need to be modified.

Done. No alert when I open it.

But when I go to answer, same alert as before.

Yes, because you weren’t the only one needing to modify the links.

I get it on opening and not when I post a reply as the block has been made initially, don’t know why it would be like that.

Yes, me too now, and your 5 green boxes over your picture aren’t working :smiley:

And now no alert and they are functioning…

Now again an alert, and the edit pictures aren’t working…

Weird…

Please 'modify' your post change the URL from http to hXXp or www to wXw

sorry about that

I get a Network Shield alert for http://…/file.php?id=10884 infection URL;Mal which is a generic detection
Code hiccup on site. info: [javascript variable] URL=wXw.amazon.com/gp/mas/dl/android?p=com.quoord.tapatalkpro.activity
info: [javascript variable] URL=wXw.amazon.com/gp/mas/dl/android?p=com.quoord.tapatalkHD
info: [img] activate.tapatalk.com/i.gif?host=
info: [decodingLevel=0] found JavaScript
suspicious:
Do not see anything here where Quttera flags: http://jsunpack.jeek.org/?report=d41df40646718a2d976d31588ecc68c9fbfac7df
Look here for redirect activity: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fsouthernairboat.com&ref_sel=Google&ua_sel=ff
For insecurities see: http://dazzlepod.com/ip/67.227.138.47/ & https://asafaweb.com/Scan?Url=southernairboat.com%2FphpBB3

polonus

OK. No Alerts.

Polonus, open the link above with Quttera and go to the scanned files analysis tab; under potentially suspicious files you can see what is flagged.

Hi Steven Winderlich,

Seen that in the Quttera scan results and launched it in jsunpack and there I did not see anything alarming:
http://jsunpack.jeek.org/?report=d41df40646718a2d976d31588ecc68c9fbfac7df
Uses an iframe shim to mask system controls for IE 5.5 and higher up.
Whenever malware is involved with this overLIB/mini.js, well, it could be BKDR_CIDOX.CH involved →
http://about-threats.trendmicro.com/malware.aspx?language=au&name=BKDR_CIDOX.CH
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

polonus

So he has to remove this. 8)

Yes, that is likely to filter through/escalate from a web shield alert to the network shield, adding this to the malicious sites list as more and more people get the alerts.

Yes, content plug-ins should always be checked, as every input should be,
as they can have been grossly modified → http://y6cb.stjohnsrc.net/wp-content/plugins/calendar-press/js/overlib/Mini/overlib_mini.js
for malcode consider: http://about-threats.trendmicro.com/Search.aspx?p=MINI-1&language=au

pol

The file “/calendar/overLIB/overlib_mini.js” does not appear to have been modified since Jan. 2011. I have also compared it to a fresh copy downloaded from the overlib site and found no changes. Also, the main calendar page on our site uses it with no alerts from Avast: hxxp://wxw.southernairboat.com/calendar.php

Would this be possible if “overlib_mini.js” was the file that Avast does not like?

Thanks

Have a look at my image in Reply #2 above; that is alerting on a file in the phpBB3/download folder, file.php. Now something is triggering that download.

That particular file being blocked (…phpBB3/download/file.php?id=10884) was the image file of the Avast alert that I had just posted in my forum. My initial post here used the img tags to display it…my bad on that move.