Our sites are blocked by Avast!

Viruses and worms
1

Hello,

Our site http://www.motorcomponents.ro/ is blocked by Avast! with an HTML:Script-url (no other info?) message. The site is a fresh Wordpress install. (Also http://shuffled-digits.com is blocked from the same address).

https://sitecheck.sucuri.net/results/www.motorcomponents.ro/
https://www.virustotal.com/en/url/1a9a9f317439664746b9f4504aa64536792dfe6995af162488ac775a15e7ff0f/analysis/1443205230/

What is happening?

PS: Captcha images are very hard to read :frowning:

2

motorcomponents.ro/
https://www.virustotal.com/nb/file/d9dd4cf46025dbd547f6f568d499dee46ef9adc6b0058e37466902d28fac8f51/analysis/1443208445/

shuffled-digits.com
https://www.virustotal.com/nb/file/ac7fafb2aad1df654d0c83fec0d28a311882bbe18e06afdd0ac01c7fa0d24e31/analysis/1443208624/

you may report your issue here https://support.avast.com → avast virus lab

PS: Captcha images are very hard to read
good, then the spammers have problem also ;D only first 3 posts
3

Dear elektronok,

Your sites are OK and you probably will be unblocked by an Avast Team Member when you change being hosted at -ns1.afraid.org and steer away from them. Avast blocks all websites hosted there because of continuous abuse. Your site can no longer be considered yours :wink: We cannot do this as we are volunteers with relevant knowledge, but not Avast Team Members. I hope one of the Avast Team Members comes to confirm your situation in this thread.

Webbug renders

Server: Apache/2.4.7 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 591
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.7 (Ubuntu) Server at ec2-54-247-181-126.eu-west-1.compute.amazonaws.com Port 80</address>
</body></html>

Takes this up with hoster → http://toolbar.netcraft.com/site_report?url=http://ec2-54-247-181-126.eu-west-1.compute.amazonaws.com
For the second website:

HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 21:32:41 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 591
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.7 (Ubuntu) Server at ec2-54-247-181-126.eu-west-1.compute.amazonaws.com Port 80</address>
</body></html>

See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fshuffled-digits.com%2F
Site under construction - Nameserver ns1.afraid.org

polonus

P.S. There is a SPOF issue, Possible Frontend SPOF from:

fonts.googleapis.com - Whitelist
(64%) -

Damian

4

Thank you for your very quick answers!

I already sent a request to the support. I try to move my DNS records then and see what happens

5

And I have alerted one of the Avast Team Members to this very thread.
He may reply here over the weekend.

polonus (volunteer website security analyst and website error-hunter)

6

Hi guys,
I just now unblocked motorcomponents.ro. Domain shuffled-digits.com was not blocked. If you still have trouble accessing shuffled-digits.com, can you post a printscreen of the Avast detection, please?

Just a couple of clarifications on what Damian said:

We only block those that we spotted malware on - those abused by the bad guys. Not all hosted on afraid.org, although it would be much easier for us ;D You are right that there is a countinuous abuse, which stems from terms and conditions of afraid.org.

His domain is still his own, but any subdomains (those that were not registered already) can be (ab)used by the bad guys, without any specific knowledge. Anyone can legally create any subdomain on a domain hosted on afraid.org.

Thank you both,
Honza

7

Hello Honza,

I moved the DNS to amazon route 53 now.
I took the screenshot right now (for edge the error is the same). When I add the site to the webshield exceptions, the first page loads but with no pictures and a lot of HTML:script.inf errors.

Thank you for your response!

PS: Modified this post and added the second screenshot

8

HI,
some time back somebody hacked into my wordpress blog at nesd.in Avast immediately blocked it .
after that i did i complete new install and checked it online . the site is now cleant but avast still blocks nesd.in from my pc!

9

Hi elektronok,

Most likely you are a victim of optimization in Avast - it remembers that it blocked it last time, and does not bother to recheck. If you try disabling shields and enabling them, everything should work just fine.

Please do let me know if the issue still persists after restarting shields / Avast / PC.
Honza

10

Hi shyam.shrivastav,
I can visit nesd.in from my PC with Avast on without any problem. Can you post a printscreen of the detection, please?
Thanks for your cooperation!

11

Thank you all for your very fast response and fix!

The webshield off then on trick worked like a charm.

BTW: You are the best support guys I met so far. Other big/large companies let us wait for ages till their (mostly) useless and annoying responses.

Keep up the good work and thx again!

12

Thanks for the feedback.
If you can, share your opinion. Word of mouth is the best way for us to help internet to be safer :slight_smile: