Need Help with malware triggering avast

Hi guys, I have an issue with Avast/Web server/malware.

I have a website that got infected with malware some time back. Now, according to MBAM my local pc is clean and malware free (log still included); however, visitors to my site report avast is still warning them of malware on the site.

I used to get avast popping up, but it hasn’t done so in a week or so now, yet other visitors are reporting avast is popping up.

Do you guys want the url? Not sure if I am allowed to post it, so will await further advice.

I have also done a Sucuri scan on the site, and that too comes back 100% clean.

I am really stuck where to go from here. Please advise.

Thanks.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8062

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

08/11/2011 13:25:36
mbam-log-2011-11-08 (13-25-36).txt

Scan type: Quick scan
Objects scanned: 153866
Time elapsed: 9 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Yes, post it, but make it unclickable. (Use hxxp/wxw instead of http/www.)

Ok, the link hxxp://motorcarsforsale.co.uk/

Like I said, I’m not getting the warning now, but when I tested the share function (to facebook) my brother, who uses avast, told me he had a malware warning when he clicked on the link (in facebook).

If you need any more info, no worries, just let me know.

Thank you

edit:
Also worth noting this malware issue has been going on for well over a month now, yet the site is still indexed in google, so not sure if that’s something you guys need to know, just trying to provide as much information as I possibly can.

Again, thanks for your time and effort.

Well, google says clean: Domain clean by Google Safe Browsing: motorcarsforsale.co.uk
Also no problems with avast… Your site looks clean. :slight_smile:
Any problems…??

Yeah, a small problem of avast warning avast users that the site isn’t clean… :stuck_out_tongue:

My boss (who owns the website) is adamant that it is a false positive. We deleted the old hosting package (reseller account with fasthosts) and set up a new hosting package, yet people have reported, only today, that avast doesn’t think it’s clean.

Really confused now lol.

I don’t want every visitor to the site using avast to think we are dodgy. :frowning:

Well, it looks clean to me and I don’t get any avast! warning.
So, if this was a FP, your users will get the updated VPS and shouldn’t have any problems.

Well I have had no problem visiting the site and browsing in general.

So if you can post an image of the alert window or the full URL (with usual hxxp) of the alert and the malware name.

I get a warning when going to motorcarsforsale.co.uk site.

Not quite sure how some would get the warning and others wouldn’t. Really strange.

It’s worth noting that the above poster gets a different warning than I usually did…hmmm…Thanks for posting too YoKenny

EDIT:
Just tried clicking around and I can’t trigger a warning :confused:

Looks like those using IE are getting the alert. I don’t get it with firefox, perhaps this is an IE specific exploit.

I did notice whilst browsing JAVA tried to get started, which I blocked in my firewall. Do you happen to be using JAVA applets with the site ?

I tried it in Firefox and IE, and both used to give me the warning; now neither does. My brother, who reported a warning to me when I liked the page to facebook earlier, uses firefox, and back when I used to get warnings, that was also firefox.

As far as I am aware there is nothing using java applets on the site. It’s a wordpress.org site, hosted on fasthosts. All plugins are the usual php or javascript (not sure if that would tie in with java applets); I would assume they are two different things, but couldn’t be sure tbh.

Yes, JAVA and Javascript are two different things, though the alert window YoKenny posted, JS:ADODB-BL [Expl], is a javascript based alert.

Having had a look at the image YoKenny posted: the problem being the alert isn’t on your site but on sytes.net, and there are references to that site from your site. So there is a possibility that I didn’t go near those, as I also use NoScript and RequestPolicy (firefox security add-ons), but I selectively allowed them to try and pinpoint any specific site problem.

So I’m at a bit of a loss as the sytes.net (reference by RequestPolicy, image1) disappears after a while.

There is also a reference to no-ip.org, and I know they are a legit site for redirecting content from systems that aren’t in a domain. But there appears to be an obfuscated script which, when deobfuscated, creates a hidden iframe (image2); I don’t know if this is what avast is getting concerned with. http://wepawet.iseclab.org/domain.php?hash=c25bd048f776a5b04a73f6fea99be7cb&type=js

Other than the above I’m out of ideas.

Why are you still using Internet Explorer 6.0.2900.5512 ???

From your mbam-log-2011-11-08 (13-25-36).txt

using firefox no warning,

internet explorer 9 no warning :slight_smile:

@DavidR - Could it maybe be a plugin that is doing that call to sytes.net?

@YoKenny - Work pc. I tried upgrading but neither IE8 nor IE9 allow me to edit our client’s ancient web admin area.

I would disable all plugins, then re-activate them one at a time; however, because I am not currently getting any avast popups I wouldn’t be able to identify the plugin (should it be a plugin causing the issue).

Thanks for the help and feedback so far guys, I really appreciate it.

It wouldn’t be a user plug-in as they don’t initiate stuff like this, certainly not any one that I’m using.

Further digging, a search on sytes.net, shows a link between this sytes.net and the no-ip.org that was also shown in the RequestPolicy (cross site scripting checker), though right now I can’t see any reference to no-ip.org, and perhaps consequently no reference to sytes.net.

Sorry David, I’m not an uber techy haha (wish I was), but what does that mean in non techy talk? I’m screwed?

Sorry for the lack of understanding and thanks for your time and efforts :slight_smile:

I honestly haven’t the slightest idea what is going on with your site as I can’t see any of the background processing. As I have said I physically haven’t had an alert on the site using firefox.

I can only see what is displayed on the page and in the tools (firefox add-ons) that tell me what data/scripts are on the page or seeking access to another site (cross site scripting), either trying to import data or run a script from that 3rd party site.

You say this is a wordpress based site (I have zero experience of wordpress) and one major thing is to ensure that the host has the latest version of wordpress. There are vulnerabilities in old versions that are being exploited, so I would talk to your webmaster or the host to check out the site and wordpress templates, etc.
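As an added example (not code from this thread or from any of the posters), the following Python script automates the two checks DavidR describes above: spotting an obfuscated-script-style hidden iframe (the earlier post about sytes.net / no-ip.org), and listing which third-party hosts the page's scripts and frames pull content from (the "cross site scripting" view that NoScript and RequestPolicy give in the browser). The HTML it inspects is constructed inline with placeholder hostnames (`*.invalid`, plus a visible YouTube embed for contrast); they stand in for whatever a real site references and are assumptions, not findings about the site discussed here.

```python
"""Audit a page's HTML for hidden iframes and third-party script/iframe sources.

Added example for this thread, using only the Python standard library. The
sample page and all hostnames below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one same-origin script, one external script,
# one hidden 1x1 external iframe, and one ordinary visible embed.
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="http://static.example-cdn.invalid/lib.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://third-party.invalid/ad.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>
"""


def _is_hidden(attrs):
    """Heuristic used by many site scanners: a frame that is 0/1 pixel in
    either dimension, or hidden through inline CSS, has no legitimate reason
    to exist on a content page."""
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = width in ("0", "1") or height in ("0", "1")
    css_hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or css_hidden


class ReferenceAuditor(HTMLParser):
    """Collect (kind, host, src) findings for <script> and <iframe> tags."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attr_list):
        if tag not in ("script", "iframe"):
            return
        # html.parser gives None for valueless attributes; normalise to "".
        attrs = {k.lower(): (v or "") for k, v in attr_list}
        src = attrs.get("src", "")
        # A relative src (no hostname) resolves to the page's own host.
        host = (urlparse(src).hostname or self.own_host).lower()
        if tag == "iframe" and _is_hidden(attrs):
            self.findings.append(("hidden_iframe", host, src))
        if host != self.own_host:
            self.findings.append((f"external_{tag}", host, src))


def audit_page(html, own_host):
    """Return every finding for the page, in document order."""
    parser = ReferenceAuditor(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def external_hosts(html, own_host):
    """Sorted list of third-party hosts the page loads scripts or frames from."""
    return sorted({host for kind, host, _ in audit_page(html, own_host)
                   if kind.startswith("external_")})


def hidden_iframes(html, own_host):
    """The src of each iframe that is sized or styled to be invisible."""
    return [src for kind, _, src in audit_page(html, own_host)
            if kind == "hidden_iframe"]


if __name__ == "__main__":
    # Hypothetical own-site hostname; compare the output with what the
    # browser add-ons show to decide which references are expected.
    for kind, host, src in audit_page(SAMPLE_HTML, "www.example-site.invalid"):
        print(f"{kind:16s} {host:28s} {src}")
```

In practice you would fetch the live page (for example with `urllib.request`) and feed its body in place of `SAMPLE_HTML`; any host in `external_hosts()` that you cannot account for in your theme or plugins, and any entry at all in `hidden_iframes()`, is what to show the host or a webmaster. The script reads only the static HTML, so a frame injected by obfuscated JavaScript at runtime, which is the case DavidR describes, will show up only as the external script that injects it, not as the iframe itself.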

Ahh, that makes more sense. Well, the site is a clean install of both the server and wordpress, running the latest version. It seems I have a very peculiar issue, and sadly I don’t want to start promoting the site until I know whatever is causing Avast to display the popup is 100% stopped.

Again, Thanks for your time DavidR, I really appreciate it. :slight_smile:

edit:
could it be a FP maybe? If the general consensus is that it is a FP, where would I report that?

You’re welcome.

Proving an FP is just as difficult as proving a good detection, you have to be able to analyse the data.

  • There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for: * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

  • If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review, etc. A link to this topic also wouldn’t hurt.