Re: HTML:RedirME-inf-trj False-Positive?

system · 2017-06-04T21:54:02.000Z

Hello,

i have the same problem as truebluecj. I get a warning for a client of mine, for RedirME-inf-trj for url hxxps://www.siblondelegandesc[.]ro
The page is clean, i have scanned with various tools and I believe is a false positive. If I try to access any site hosted on 148.251.160.108 I get a warning despite the fact that the rest of domains hosted on that IP have no files or have never been used. For example mirunaioani.ro has never been used (is registered less than 1 year ago) and has no history.
Virus Total report here https://virustotal.com/en/url/a1e65682f3a1706ee08b63e48467849eef69ba3108e2a27abcb5bea6e85711d2/analysis/1496612645/

Please can a Avast team member take a look at this?

Thank you.

PS. Verification code is bunk. Is almost unreadable…

Pondus · 2017-06-04T22:19:07.000Z

@ valeriu.costea when asking for help, always start your own topic

PS. Verification code is bunk. Is almost unreadable...

Good, it means that forum spammers have the same problem ;)

RedirME-inf-trj means there is a redirect to a blacklisted URL, probably this
https://virustotal.com/nb/url/434bc5d3f9ea99e69e3b1e7832571cf27af0a373f5a6b0b9e0c8aaaeb5fe7220/analysis/1496614833/

system · 2017-06-04T22:24:46.000Z

Pondus post:2:

@ valeriu.costea when asking for help, always start your own topic

PS. Verification code is bunk. Is almost unreadable...
Good, it means that forum spammers have the same problem ;)

Should I start a new topic now?

Pondus · 2017-06-04T22:33:33.000Z

valeriu.costea post:3:

Pondus post:2:

@ valeriu.costea when asking for help, always start your own topic

PS. Verification code is bunk. Is almost unreadable...
Good, it means that forum spammers have the same problem ;)

Should I start a new topic now?

Nope, next time

Remove the link above and see if avast detection stop

system · 2017-06-04T23:01:36.000Z

Remove the link above and see if avast detection stop

Removing that link was useless. tag is present by default in many WordPress themes including those issued by default with the original installation of WP, like Twelve Eleven. I can believe that this is is the problem. I have removed the link (present in three header.php files) and i receive the same error. In the mean time i have other sites that have the same tag and link for witch Avast does not report any errors. Please see here http://www.laimpingetava.ro/ Ctrl+U and search for the link. I get no Avast warning and i have a dozen sites with this link and no problems with them.
I have moved the files from www.siblondelegandesc.ro to another server / domain and tested there, no warning. On 148.251.160.108 are hosted 4 domains, siblondelegandesc.ro / mirunaioani.ro / junioroutlet.ro / excelsior-traduceri.ro beside siblondelegandesc.ro the rest are not in use and have no files on them.

Any ideas?

Thanks.

Pondus · 2017-06-04T23:08:27.000Z

Any ideas?

Have PMd somone at avast, check back tomorrow for possible reply

Eddy · 2017-06-05T00:12:06.000Z

This show the (very likely) culprit :
https://quttera.com/detailed_report/www.siblondelegandesc.ro

And here is another problem :
http://retire.insecurity.today/#!/scan/a74c1881cf1bf6fd04f27fa04d3f44b89f24ad9893201b18308c67fa19cdfd3a

HonzaZ · 2017-06-05T07:30:58.000Z

Hi,
We have spotted these URLs at the beginning of this month:

hxxp://www.siblondelegandesc[.]ro/best-place-to-buy-baclofen-online.pptx#pantry
hxxp://www.siblondelegandesc[.]ro/best-place-to-buy-baclofen-online.pptx#prefix
hxxp://www.siblondelegandesc[.]ro/buy-arcoxia-canada.pptx
hxxp://www.siblondelegandesc[.]ro/buy-arcoxia-canada.pptx#threatening
hxxp://www.siblondelegandesc[.]ro/buy-cefixime-online-uk.pptx
hxxp://www.siblondelegandesc[.]ro/buy-cefixime-online-uk.pptx#cord
hxxp://www.siblondelegandesc[.]ro/buy-cefixime-online.pptx
hxxp://www.siblondelegandesc[.]ro/buy-online-valtrex.pptx#guessing
hxxp://www.siblondelegandesc[.]ro/buy-remeron.pptx
hxxp://www.siblondelegandesc[.]ro/can-i-buy-clomid-online.pptx
hxxp://www.siblondelegandesc[.]ro/can-i-buy-clomid-online.pptx#attentions
hxxp://www.siblondelegandesc[.]ro/can-i-buy-clomid-online.pptx#solve
hxxp://www.siblondelegandesc[.]ro/can-i-buy-clomid-online.pptx#waspish
hxxp://www.siblondelegandesc[.]ro/can-you-buy-metformin-over-the-counter-in-dubai.pptx#taxi
hxxp://www.siblondelegandesc[.]ro/lasix-buy-uk.pptx
hxxp://www.siblondelegandesc[.]ro/lasix-buy-uk.pptx#stealing
hxxp://www.siblondelegandesc[.]ro/levothyroxine-tablets-buy-uk.pptx
hxxp://www.siblondelegandesc[.]ro/prilosec-buy-2-get-25.pptx
hxxp://www.siblondelegandesc[.]ro/prilosec-buy-2-get-25.pptx#europe
hxxp://www.siblondelegandesc[.]ro/prilosec-buy-2-get-25.pptx#mexican
hxxp://www.siblondelegandesc[.]ro/prilosec-buy-2-get-25.pptx#thinking

system · 2017-06-05T08:33:35.000Z

HonzaZ post:8:

Hi,
We have spotted these URLs at the beginning of this month:

hxxp://www.siblondelegandesc[.]ro/best-place-to-buy-baclofen-online.pptx#pantry
hxxp://www.siblondelegandesc[.]ro/best-place-to-buy-baclofen-online.pptx#prefix
hxxp://www.siblondelegandesc[.]ro/buy-arcoxia-canada.pptx
hxxp://www.siblondelegandesc[.]ro/buy-arcoxia-canada.pptx#threatening
hxxp://www.siblondelegandesc[.]ro/buy-cefixime-online-uk.pptx
hxxp://www.siblondelegandesc[.]ro/buy-cefixime-online-uk.pptx#cord
hxxp://www.siblondelegandesc[.]ro/buy-cefixime-online.pptx
hxxp://www.siblondelegandesc[.]ro/buy-online-valtrex.pptx#guessing
hxxp://www.siblondelegandesc[.]ro/buy-remeron.pptx
hxxp://www.siblondelegandesc[.]ro/can-i-buy-clomid-online.pptx
hxxp://www.siblondelegandesc[.]ro/can-i-buy-clomid-online.pptx#attentions
hxxp://www.siblondelegandesc[.]ro/can-i-buy-clomid-online.pptx#solve
hxxp://www.siblondelegandesc[.]ro/can-i-buy-clomid-online.pptx#waspish
hxxp://www.siblondelegandesc[.]ro/can-you-buy-metformin-over-the-counter-in-dubai.pptx#taxi
hxxp://www.siblondelegandesc[.]ro/lasix-buy-uk.pptx
hxxp://www.siblondelegandesc[.]ro/lasix-buy-uk.pptx#stealing
hxxp://www.siblondelegandesc[.]ro/levothyroxine-tablets-buy-uk.pptx
hxxp://www.siblondelegandesc[.]ro/prilosec-buy-2-get-25.pptx
hxxp://www.siblondelegandesc[.]ro/prilosec-buy-2-get-25.pptx#europe
hxxp://www.siblondelegandesc[.]ro/prilosec-buy-2-get-25.pptx#mexican
hxxp://www.siblondelegandesc[.]ro/prilosec-buy-2-get-25.pptx#thinking

Please can you tell me where did you spotted these links?
I have searched all the files and in the db and I can’t find any reference to such links.

Are you sure that the links are from May 2017 and not May 2016. I had some problems EXACTLY a year ago with this kind of links and removed them and recovered just the bare text from the former blog. Since then i had no problems with them and also if the links where from 2017 they must be with https not http like i had last year.

system · 2017-06-05T08:35:41.000Z

Eddy post:7:

This show the (very likely) culprit :
https://quttera.com/detailed_report/www.siblondelegandesc.ro

And here is another problem :
http://retire.insecurity.today/#!/scan/a74c1881cf1bf6fd04f27fa04d3f44b89f24ad9893201b18308c67fa19cdfd3a

Eddy post:7:

This show the (very likely) culprit :
https://quttera.com/detailed_report/www.siblondelegandesc.ro

And here is another problem :
http://retire.insecurity.today/#!/scan/a74c1881cf1bf6fd04f27fa04d3f44b89f24ad9893201b18308c67fa19cdfd3a

Hello Eddy, thanks for your efforts but I think that those links are also false positives. In the first case (Quttera) first link is to a script used by https://onesignal.com/ for push nottifications. This push notification script is used by major internet sites, again i think this is not a real issue. One Signal itself uses this script and i get no warning from Avast.
I have other sites that use this push notification script a I get no warning. For example this https://www.cetateaberarilor.ro/ and this https://www.codulrutier.tk

The second issue link to the blacklisted domain, i removed the link (was a link left in comments section, link for comment author) and the warning remains active. Besides, i can access the site directly and i get no warning and the site is not blocked by Avast. How come i can access the blacklisted domain but i get a warning for a site that links to it? http://laurabucur.ro/
https://virustotal.com/en/url/3ed0e7f7b4f62118786a2aad6eb0a8ad9b078ae049fb0d8ee8ec8193636fba5c/analysis/1496644955/

Also, the site does not appear to be blacklisted on any major list, but it is ‘malicious’ itself because it links to another so called malicious domain which is potentially malicious…
This is a sort of malicious daisy chain of death. Soon Quttera will list Google as malicious and offer them to clean up their site for a fee!

For the second issue i have replaced http://www.siblondelegandesc.ro/wp-includes/js/jquery/jquery.js with a file from a fresh installation kit of WordPress and the warning remains. I have compared the files and they are exactly the same. That means that all WordPress installations must have this problem which is not the case, again i have dozens of sites that run wordpress and i get no warning.

Thanks again for your efforts.

HonzaZ · 2017-06-05T08:44:35.000Z

valeriu.costea post:9:

HonzaZ post:8:

Hi,
We have spotted these URLs at the beginning of this month:

hxxp://www.siblondelegandesc[.]ro/best-place-to-buy-baclofen-online.pptx#pantry
…
hxxp://www.siblondelegandesc[.]ro/prilosec-buy-2-get-25.pptx#thinking

Please can you tell me where did you spotted these links?
I have searched all the files and in the db and I can’t find any reference to such links.

Are you sure that the links are from May 2017 and not May 2016. I had some problems EXACTLY a year ago with this kind of links and removed them and recovered just the bare text from the former blog. Since then i had no problems with them and also if the links where from 2017 they must be with https not http like i had last year.

Hi,
Whole chunks of spam code appeared on pastebin.falz.net. Also note that I am not talking about May, but about June. siblondelegandesc[.]ro is blocked for just 3 days now.
Also note that I can (with Avast disabled) access http://www.siblondelegandesc[.]ro, so http is clearly enabled.

Eddy · 2017-06-05T08:45:07.000Z

Quttera doesn’t say the domain/IP is blacklisted by avast, it just says it is found in one or more blacklists and that is true.
And Fortinet for sure is a major list.
https://virustotal.com/en/ip-address/89.40.36.81/information/

Using the “replacing kit” method is not working as WP does’t come with the latest jquery libraries.
jQuery 3.2.1 is the latest version.

On a note, the certificate is about to expire (1 month and 5 days).

system · 2017-06-05T08:51:10.000Z

HonzaZ post:11:

valeriu.costea post:9:

HonzaZ post:8:

Hi,
We have spotted these URLs at the beginning of this month:

hxxp://www.siblondelegandesc[.]ro/best-place-to-buy-baclofen-online.pptx#pantry
…
hxxp://www.siblondelegandesc[.]ro/prilosec-buy-2-get-25.pptx#thinking

Please can you tell me where did you spotted these links?
I have searched all the files and in the db and I can’t find any reference to such links.

Are you sure that the links are from May 2017 and not May 2016. I had some problems EXACTLY a year ago with this kind of links and removed them and recovered just the bare text from the former blog. Since then i had no problems with them and also if the links where from 2017 they must be with https not http like i had last year.

Hi,
Whole chunks of spam code appeared on pastebin.falz.net. Also note that I am not talking about May, but about June. siblondelegandesc[.]ro is blocked for just 3 days now.
Also note that I can (with Avast disabled) access http://www.siblondelegandesc[.]ro, so http is clearly enabled.

Please help me understand how this pastebin.falz.net thing works. How come i can’t find any of those links in my files but someone pasted them in that pastebin?

Regarding the months, yes i made a confusion… sorry about that.

system · 2017-06-05T09:28:30.000Z

Eddy post:12:

Quttera doesn’t say the domain/IP is blacklisted by avast, it just says it is found in one or more blacklists and that is true.
And Fortinet for sure is a major list.
https://virustotal.com/en/ip-address/89.40.36.81/information/

Using the “replacing kit” method is not working as WP does’t come with the latest jquery libraries.
jQuery 3.2.1 is the latest version.

On a note, the certificate is about to expire (1 month and 5 days).

Thanks for your reply.
I have removed all links for that specific domain. For jQuery I will leave the original files as specified by WordPress.

Thanks for the SSL notification, i will take care of that at the end of this month.

system · 2017-06-06T20:48:10.000Z

Hello,

any more suggestions? I’m stuck with this problem and I need some more info from Avast team. They said they found some suspicious links, but that’s all no info no specific information.
Please can anybody from Avast team can give me some more info on this problem.

Thanks.

HonzaZ · 2017-06-07T07:33:16.000Z

Hi, what do you think about these? (All are safe to visit.)
https://gist.github.com/anonymous/9272311c9d425b68f2cce63e8c04ba06
https://gist.github.com/anonymous/c9af668088a2f8a6c7f46c884b8798a7
http://4junkaway.com/blog/testimonials/fjkuapwgvflf/

system · 2017-06-07T19:36:43.000Z

Hi guys,

Avast team had a look at this issue and declared a false positive. Case closed.

Thanks for your time and answers.

system · 2017-06-07T19:48:30.000Z

HonzaZ post:16:

Hi, what do you think about these? (All are safe to visit.)
https://gist.github.com/anonymous/9272311c9d425b68f2cce63e8c04ba06
https://gist.github.com/anonymous/c9af668088a2f8a6c7f46c884b8798a7
http://4junkaway.com/blog/testimonials/fjkuapwgvflf/

Well, i can’t explain how they got there. But if you follow them you will get a 404, not found.
I don’t have any such links on my page.

How do i know if they where not put there by a good fellow?
Practically anybody can create such links for any page on the internet this does not mean that they are real. I can paste all day links like https://www.avast.com/xyz this does not mean that Avast really hosts those links.

If you can please show me the links in the source code of my page (load the page + ctrl-u) and highlight the suspect links?
I have searched the db and all the files and i can’t find any suspect links. I have scanned the site with various tools both online and plugins. No major issues.

I think that your colleagues at Avast did not declared this issue as a false positive for nothing.

In any case, i really appreciate your answers and time spent for this problem.

Thanks again.

Announcements