I have a website client who received an email from a site user with a message that the site contained a link to a site known to distribute malware. I went and searched the site from top to bottom and could not find the link, though I received the same message upon my first visit to the page. I no longer get that message, but avast tells me that dashboard.kazemobile.com is a malicious url.
The problem is, kazemobile.com is a legitimate site offering mobile services used by my client's customers. We have temporarily removed the link, but I am trying to find out why avast says they are malicious and how to stop it.
The site kazemobile.com does not cause any alerts but dashboard.kazemobile.com does. When I click on the more details button it takes me to a page that basically just tells me I “dodged a bullet” and avast “has my back” but doesn’t tell me anything about exactly what in that url makes avast think it is malicious.
Could have been an IP block, as you got the general URL:Mal flag. The IP that domain is on has been infected with Banload and heuristically suspicious files, now dead.
Thanks Polonus,
Out of curiosity, since this is all a little over my head, what do you mean by “now dead”, and do you mean that at some point something somewhere on the server with that IP must have been infected and not necessarily the website itself? Also, what is Banload?
Sorry, one more question. In what typical ways would the suspected file or link have ended up on a web server that is on its own dedicated server? Can these types of things come through the web site itself via customer comments, contact forms, etc.?
I'll try to give an answer to your questions one by one. Malware that is actually being spread from a site is called active. When it is no longer responding when requested by a browser from a server, we call it no longer responding or “dead”. Some malware stays 3 and 1/2 hours active before being detected, some stays on for 1775 hrs before being closed. Some launch ever-changing new versions and are not willing to comply; they come on an “eternal” blacklist.
Then Banload is a form of malware. It is a name for a family of trojans that downloads other malware, so-called banker trojans, trojans that steal banking credentials and other sensitive data and send it back to a remote attacker.
Most attacks on websites are performed automatically via specific software bugs. All input should be checked. For examples, see some logfiles here: http://sakrare.ikyon.se/ (click on log at the end of the line) - these are all attacks on Swedish sites, malware, viruses, serp-hijacking (click fraud) etc.
The greens there are attempts, the reds resulted in infection.
To enhance website security, update and patch your website software to the latest available versions. Do not show the full server version number by default,
because you are making it quite easy for attackers to know what the low-hanging fruit is out there. See: http://www.cyberciti.biz/faq/rhel-centos-hide-httpd-version/ article author Vivek Gite. I see: System Details: Running on: Apache/2.2.3 System info: (CentOS) check for bugs here: http://bugs.centos.org/main_page.php
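The version-hiding advice above, as an added configuration example (not from this thread or the linked cyberciti article); it assumes the stock CentOS httpd.conf layout and the Apache 2.2 directives:

```apache
# Added example, not from the thread. Assumes the stock CentOS
# /etc/httpd/conf/httpd.conf; these two directives are server-wide and
# cannot be set per virtual host.

# --- Weak (default) settings: every response header and every
# server-generated error page announces the full build, which is how the
# "Apache/2.2.3 (CentOS)" string quoted in the thread becomes visible to
# anyone (or any scanner) that asks.
#ServerTokens OS
#ServerSignature On

# --- Hardened settings: the Server header is reduced to just "Apache"
# and error pages no longer carry a version/OS footer.
ServerTokens Prod
ServerSignature Off

# Verify after restarting httpd (service httpd restart on CentOS 5/6):
#   curl -sI http://localhost/ | grep -i '^Server:'
# Expected: "Server: Apache" with no version or OS suffix.
#
# Note: this only removes the banner; it does not fix the bugs in an
# unpatched 2.2.3. Keep applying the vendor updates as the post says.
```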
Ok Polonus, I understand the concepts. Thank you for your explanations.
One last bit of confusion.
I am a little confused as to how malware exists and then doesn’t exist when it’s a Linux box with no AV scanner/removal software. Is it not actual code written in a file somewhere on the site that needs to be detected and removed?
What is important there is to have security configured away from the default settings; all software needs to be upgraded and fully patched. You could also consider installing a form of IDS like snort, suricata etc. to be aware of what is going over the wires and what is being logged,