Please stop blocking my sites

Dear AVAST,
Please stop blocking my sites.
The block exposes us to very large losses.
Our server was hacked and the files have been deleted; the files downloaded from the server were checked with avast antivirus and other programs, and there are no errors or threats.

The blocked sites:
hxxp://mamajakty.pl/
hxxp://personalart.pl/

https://www.virustotal.com/url/a3435a2c7bf553b89e559d755d07ff68b026d4e30b84c9f7c60fb7daf1bb8398/analysis/1331808519/

https://www.virustotal.com/url/49d8c7b69e89cfa0e0afaaf46ecdab992c61037b2a5382a8dc93764971235b00/analysis/1331808609/

Thank you, I am already checking whether something is still there, but it was all checked with avast and it was clean.

Trend Micro antivirus software is

BitDefender also

http://sitecheck.sucuri.net/results/personalart.pl
http://sitecheck.sucuri.net/results/mamajakty.pl

I checked and it is clean.
What can I do to get the page unlocked by avast?

Regards

The following sees it as clean now:
http://sitecheck.sucuri.net/results/http://mamajakty.pl/
http://sitecheck.sucuri.net/results/http://personalart.pl/

These don’t:
http://www.urlvoid.com/scan/mamajakty.pl
http://www.urlvoid.com/scan/personalart.pl

So it may be your HOST (s35-www.ogicom.net) that is responsible for your site being blocked as the block (If Network Shield) may be on the IP address not domain name.

There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for: * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

  • If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review (Network Shield), etc. A link to this topic also wouldn’t hurt.

Thank you, already sent, and also to the server administrator at OGICOM.

Hello,
your sites were hacked. But I checked it and it looks clean for now. I removed our detection, but you should check your computer for password-stealing viruses and change all your passwords, especially for FTP, including website scripts. Another thing you should do is keep all your website tools up to date.
Regards,
Jan

Everything has been scanned.

The site was hacked, probably through the FTP program.

The computer was scanned; the files were downloaded from the server, scanned and sent back.

Thanks for the advice.

To: DavidR

[i]These don’t:
http://www.urlvoid.com/scan/mamajakty.pl
http://www.urlvoid.com/scan/personalart.pl[/i]

On these sites it also does not show an error:

Status: CLEAN
http://www.urlvoid.com/scan/personalart.pl
http://www.urlvoid.com/scan/mamajakty.pl

There is also suspicious code found here:
wXw.facebook.com/common/browser.php suspicious on /personalart dot pl/
[suspicious:2] (ipaddr:69.171.224.13) (metarefresh) wXw.facebook.com/common/browser.php
status: (referer=wXw.facebook.com/plugins/likebox.php?href=http:/wXw.facebook.com/)saved 15267 bytes 18c218e7eb8e732199865b75282b3d3cb115e982
info: [meta refresh] URL=wXw.facebook.com/common/browser.php?_noscript=1
info: [script] static.ak.fbcdn dot net/rsrc.php/v1/y5/r/lv-mu7kxrY8.js
info: [decodingLevel=0] found JavaScript
error: undefined variable Bootloader
error: undefined function Bootloader.done
suspicious,

polonus

VirusTotal HTML scan
https://www.virustotal.com/file/543393acd73bddfe516c74ef567c03ae12032150eaccd62b4dcbeb8e5c09c2b2/analysis/1331820799/
https://www.virustotal.com/file/0cd9f5e8e4125e1c1eb56f336fd191756e9ec849c3cd927a0acce87316272f0a/analysis/1331820809/

@ pablo77
URL Void doesn’t go into much detail as it is just referring to database listings I believe. At the moment I can’t connect to urlvoid, it is very slow right now. But that matters not, what does is you have submitted it for review and Sirmer from the avast virus labs has reviewed it and it will be removed from the avast detections.

Thank you, but if there is anything else, please write. As I wrote, I’ve downloaded the page and checked it with avast antivirus and it was clean.

polonus: are those files in the personalart code?

These are Facebook files.

@polonus

This script is from Facebook (like box, slider); it was already removed.

Can you re-check if there is something wrong?

Regards

Ok, first site…

urlQuery : http://urlquery.net/report.php?id=32015

  • Make sure you know all the sites in the HTTP Transactions.

Zulu URL Risk Analyzer : http://zulu.zscaler.com/submission/show/e53313865d7f8632c90d02527347ed60-1331849019

  • The “SURBL Block” appears to be having some issues with your site. Follow the following steps to remove blacklisting.

  1. Please follow this link: http://www.surbl.org/surbl-analysis
  2. Type in your URL into the Domain or IP textbox, Then click Check button.
  3. It will generate the results of your page, in this case, it is blacklisted by AB and WS.
  4. Follow The SURBL Blacklist Removal Request instructions carefully.
  5. When you are done, click the Request Removal button.

I also have a feeling that this is what is causing the Iframer alert by avast. See attachment #1.

And now for the other one…

urlQuery : http://urlquery.net/report.php?id=32019

  • Make sure you know all the sites in the HTTP Transactions on this site too.

Zulu URL Risk Analyzer : http://zulu.zscaler.com/submission/show/8ed536c1174916644e3f5d31689c5399-1331850077

  • The “SURBL Block” appears to be having some issues with your other site as well. Please repeat the steps provided above on how to remove blacklisting.

I also see the same iframe in your other site too. See attachment #2.

Do you have a close bond with this stat-counter thing of some sort?
If not, I recommend you remove it and see if the iframe alert continues.

Hope this helps you of some sort. :wink:
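An added example, not part of the original thread: one way to do the "know all the sites" check offline on a downloaded copy of a page. It lists external hosts referenced by script, iframe, img and link tags, reports the ones missing from the owner's allowlist, and flags tiny or hidden iframes and tags assembled by string concatenation. The sample HTML, host names and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not taken from the sites in this thread).
SAMPLE_HTML = """<html><body>
<script src="http://stats.example.net/script.js?id=abc"></script>
<script src="/js/menu.js"></script>
<iframe src="http://unknown-host.example.org/in.php" width="1" height="1"></iframe>
<iframe src="http://video.example.com/embed/1" width="560" height="315"></iframe>
<script>document.write('<scr' + 'ipt src="http://cdn.example.info/x.js"></scr' + 'ipt>');</script>
</body></html>"""

# A tag name split across concatenated string literals, e.g. '<scr' + 'ipt'.
SPLIT_TAG = re.compile(r"""<[a-z]{1,6}['"]\s*\+\s*['"][a-z]+""", re.I)

class RefCollector(HTMLParser):
    """Collect external hosts and hidden iframes from one HTML document."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.hosts = set()
        self.hidden_iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or (a.get("href") if tag == "link" else None)
        if tag in ("script", "iframe", "img", "link") and url:
            host = urlparse(url).hostname  # None for relative URLs
            if host and host != self.own_host:
                self.hosts.add(host)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.hidden_iframes.append(url)

def audit(html, own_host, known_hosts):
    """Return what the site owner should review in one saved page."""
    c = RefCollector(own_host)
    c.feed(html)
    return {
        "unknown_hosts": sorted(c.hosts - set(known_hosts)),
        "hidden_iframes": c.hidden_iframes,
        # Script bodies are not parsed as tags, so search the raw text.
        "split_tags": SPLIT_TAG.findall(html),
    }

if __name__ == "__main__":
    # Allowlist is an assumption: hosts the owner knowingly embeds.
    print(audit(SAMPLE_HTML, "www.example.pl", {"stats.example.net", "video.example.com"}))
```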

@!Donovan,

Thanks for that analysis. Also see: hxtp://zulu.zscaler.com/submission/show/7d042410f7a38e95551e0e21d0ff2b38-1331853456
conflicting with this: hxtp://www.malware-control.com/statics-pages/4d4995179defadb4e356fb42919ee57e.php
supported by this info from another site analysis: hxtp://wepawet.iseclab.org/view.php?type=js&hash=d718b67ca40d1d2ce38a2b861bc7f762&t=1252927957 (suspicious, involved in Liberty malware campaign)

@pablo77,

What could you do to make the site more secure? The website gives away that content is being generated dynamically through the "X-Powered-By" HTTP header. It is advised to remove this header. Spam check, Safe browsing check OK. Reconsider what !Donovan said about used tracking graphics. IP is not listed in Offensive IP Database, according to the Bizimbal.report,
Site had HTML:Script-inf on it since 2012-03-15 17:50:11 https://www.virustotal.com/file/4f3e923015ab3922ab98cdb44d849b65cd3f5d836a1a50402a44b64cf8c2bd1f/analysis/
So only flagged by avast and Gdata, which could make a false positive more likely,
Going to the site now is no longer flagged by avast, but Bitdefender TrafficLight stops me from going there (malware found),

polonus

@Polonus

I was just suspicious about that line, hence they did the general <scr + ipt> + etc… method. :wink:

Hi !Donovan,

And rightly so, you stumbled upon some evidence according to the malware-control dot com list. These malware connexion points are all for Polish domains and probably part of that specific malware campaign, e.g. specifically given: htxp://s1.hit.stat24.com/cachedscriptxy.js & htxp://s1.hit.stat24.com/_1203017760781/script.js?id=1wCbieMFZF9fwlrRKi.PRXXWj_5BGOd8d5fRxb.cFQP.S7/l=11 which is redirecting to st.hit.gemius dot pl and also goes via htxp://s1.hit.stat24.com/cachedscriptxy.js , avast would detect that malcode as Win32:Dropper-FZW [Drp] ,

polonus

Good news: AVAST unlocked my page!
Thank you all for your help.

@Donovan
These scripts are stat24.com statistics taken from the web site. http://www.stat24.com/en/

@Polonus
I wonder whether it is possible that BitDefender retrieves data from AVAST, and that they have outdated data?

Best Regards pablo77