I have the same problem as truebluecj. I get a warning for a client of mine, for RedirME-inf-trj for URL hxxps://www.siblondelegandesc[.]ro
The page is clean; I have scanned it with various tools and I believe it is a false positive. If I try to access any site hosted on 148.251.160.108 I get a warning, despite the fact that the rest of the domains hosted on that IP have no files or have never been used. For example, mirunaioani.ro has never been used (it was registered less than 1 year ago) and has no history.
Virus Total report here https://virustotal.com/en/url/a1e65682f3a1706ee08b63e48467849eef69ba3108e2a27abcb5bea6e85711d2/analysis/1496612645/
Please can an Avast team member take a look at this?
Thank you.
PS. Verification code is bunk. It is almost unreadable…
Remove the link above and see if the Avast detection stops.
Removing that link was useless. tag is present by default in many WordPress themes including those issued by default with the original installation of WP, like Twelve Eleven. I can believe that this is the problem. I have removed the link (present in three header.php files) and I receive the same error. In the meantime I have other sites that have the same tag and link for which Avast does not report any errors. Please see here http://www.laimpingetava.ro/ Ctrl+U and search for the link. I get no Avast warning and I have a dozen sites with this link and no problems with them.
I have moved the files from www.siblondelegandesc.ro to another server / domain and tested there, no warning. On 148.251.160.108 are hosted 4 domains: siblondelegandesc.ro / mirunaioani.ro / junioroutlet.ro / excelsior-traduceri.ro. Besides siblondelegandesc.ro, the rest are not in use and have no files on them.
Please can you tell me where you spotted these links?
I have searched all the files and in the db and I can’t find any reference to such links.
Are you sure that the links are from May 2017 and not May 2016? I had some problems EXACTLY a year ago with this kind of links and removed them and recovered just the bare text from the former blog. Since then I had no problems with them, and also if the links were from 2017 they must be with https, not http like I had last year.
Hello Eddy, thanks for your efforts but I think that those links are also false positives. In the first case (Quttera) the first link is to a script used by https://onesignal.com/ for push notifications. This push notification script is used by major internet sites; again I think this is not a real issue. One Signal itself uses this script and I get no warning from Avast.
I have other sites that use this push notification script and I get no warning. For example this https://www.cetateaberarilor.ro/ and this https://www.codulrutier.tk
Also, the site does not appear to be blacklisted on any major list, but it is ‘malicious’ itself because it links to another so called malicious domain which is potentially malicious…
This is a sort of malicious daisy chain of death. Soon Quttera will list Google as malicious and offer them to clean up their site for a fee!
For the second issue I have replaced http://www.siblondelegandesc.ro/wp-includes/js/jquery/jquery.js with a file from a fresh installation kit of WordPress and the warning remains. I have compared the files and they are exactly the same. That means that all WordPress installations must have this problem, which is not the case; again I have dozens of sites that run WordPress and I get no warning.
Hi,
Whole chunks of spam code appeared on pastebin.falz.net. Also note that I am not talking about May, but about June. siblondelegandesc[.]ro is blocked for just 3 days now.
Also note that I can (with Avast disabled) access http://www.siblondelegandesc[.]ro, so http is clearly enabled.
Please help me understand how this pastebin.falz.net thing works. How come I can’t find any of those links in my files but someone pasted them in that pastebin?
Regarding the months, yes, I made a confusion… sorry about that.
Any more suggestions? I’m stuck with this problem and I need some more info from the Avast team. They said they found some suspicious links, but that’s all: no info, no specific information.
Please can anybody from the Avast team give me some more info on this problem?
Well, I can’t explain how they got there. But if you follow them you will get a 404, not found.
I don’t have any such links on my page.
How do I know if they were not put there by a good fellow?
Practically anybody can create such links for any page on the internet; this does not mean that they are real. I can paste all day links like https://www.avast.com/xyz; this does not mean that Avast really hosts those links.
If you can, please show me the links in the source code of my page (load the page + Ctrl-U) and highlight the suspect links.
I have searched the db and all the files and I can’t find any suspect links. I have scanned the site with various tools, both online and plugins. No major issues.
I think that your colleagues at Avast did not declare this issue as a false positive for nothing.
In any case, I really appreciate your answers and time spent on this problem.