Re: avast blocking my website (URL:MAL

system · 2017-01-10T06:50:46.000Z

Please help same problems the Avast has blocked my website URL:Mal www.rynantech.com/block.jpg
Thanks,

Asyn · 2017-01-10T07:17:32.000Z

Mylan2 post:1:

Please help same problems the Avast has blocked my website URL:Mal wxw.rynantech.com/block.jpg
Thanks,

→ http://zulu.zscaler.com/submission/show/e5f1194b25a9c66e3f3bd61ec227e2f0-1484032006

system · 2017-01-10T07:20:50.000Z

Hi Asyn,
I just replace new files, but same problems, please help unblocked domain on database Avast. Have many partner are using Avast antivirus, it’s blocked our partner can not access.
Thanks,

Asyn · 2017-01-10T07:22:52.000Z

You can report a URL here: https://www.avast.com/report-a-url.php

system · 2017-01-10T07:30:24.000Z

Thank you for help.

Asyn · 2017-01-10T07:57:17.000Z

You’re welcome.

polonus · 2017-01-10T08:09:03.000Z

It is the IP being blocked and not only by AOS, but also by Bitdefender TrafficLight.
See: https://www.virustotal.com/nl/ip-address/185.62.237.29/information/
and https://www.virustotal.com/nl/file/32c4987dcc0d649c725e20b82483600748da7a56fbb4b5610fd868ff53e4c9ed/analysis/
Isues: http://retire.insecurity.today/#!/scan/23901184534bc5b448494c60492ec3903a3a890f12a4168a616712e39012de56

polonus

system · 2017-01-10T09:59:13.000Z

Hi Polonus,
Please help, how to unblocked.
Thanks,

system · 2017-01-10T13:13:32.000Z

Hello Sir,
Our technical report, please check.
Thank you for the update that shed some light on the issue.

In the reports I can see that this jquery (1.11.3) library is vulnerable - http://rynantech.com/wp-includes/js/jquery/jquery.js?ver=1.12.4. Even though your WP instance and its plugins are up-to-date the library appears to be an older version:
Code:
mnbcc066@c22605 [~/public_html/rynantech.com]# wp core version
4.7
mnbcc066@c22605 [~/public_html/rynantech.com]# wp plugin status
12 installed plugins:
A ajax-search-lite 4.7.0
I akismet 3.2
A contact-form-7 4.6
A custom-sidebars 2.1.1.9
A disable-comments 1.6
A exploit-scanner 1.5.1
A polylang 2.0.12
A total-security 3.4.4
A wp-antivirus-site-protection 7.0.1
A wp-authenticity-checker-wac 1.0
A wp-google-map-plugin 3.1.9
A wordpress-seo 4.0.2

Legend: A = Active, I = Inactive

Thus I renamed the file from jquery.js to jquery.js_SUSPICIOUS

As for the error on the report https://www.virustotal.com/nl/file/32c4987dcc0d649c725e20b82483600748da7a56fbb4b5610fd868ff53e4c9ed/analysis/, it is related to a file named 00d3d5a3cf133.png that is not present on your account:
Code:
root@c22605 [/home/mnbcc066]# find . -name 00d3d5a3cf133.png
root@c22605 [/home/mnbcc066]#

You should check your local computer for such file and remove it.

What is strange is that every URL that does not exist redirects to this page with the posts:

http://nimb.ws/CY5g0t

I have added an .htaccess rule to redirect non-existent pages to the home of the site. Thus the URL http://rynantech.com/counter/?ad=13t6hujdkw85vwuzk5ipc1c7rxwf1dp6xi will now redirect to the home page. These are the rules in question:
Code:
root@c22605 [/home/mnbcc066/public_html/rynantech.com]# tail -n3 .htaccess
ErrorDocument 404 http://rynantech.com
Redirect 404 /counter/?ad=13t6hujdkw85vwuzk5ipc1c7rxwf1dp6xi/
Redirect 404 /counter/

Hence the above mentioned reports should not be an issue anymore. Still it would be best to consult with a security specialist regarding the issue. The reported issue is an applicaiton related one, rather than a server-side issue.

You can check if the site can be rescanned now and see if there are any other links reported.

Best Regards,

Georgi L.
Technical Support Supervisor

HonzaZ · 2017-01-10T13:24:14.000Z

It was blocked because of spreading locky infection: rynantech[.]com/counter/?ad=13t6hujdkw85vwuzk5ipc1c7rxwf1dp6xi&id=lzr9amyreccv4mvkjfijeljz4grviml9enyrlowvgnlc4rj8uconzpgwhqvj6wdldojxmvyq9m4lxivqakpdpyaz4bvb&rnd=21
Glad to hear you removed the malicious files, I unblocked the domain just now

system · 2017-01-10T14:48:21.000Z

Hi HonzaZ,
There is no such file among your account’s files and folders. The link is now redirecting to the home page so the issue should not reoccur. In order to check your application for suspicious locky/ransomware infections, you might consult with the site’s developer.
Thanks,

polonus · 2017-01-10T16:02:56.000Z

A very fortunate conclusion and outcome of this thread.

Every single website that gets safer and more secure through what we do,
is just what we all like to achieve.

polonus

TrueIndian · 2017-01-10T16:18:45.000Z

It’s great to see all these reports about locky infected sites being cleaned out.It’s also a indication avast labs are giving locky a tough fight.

Announcements