"Scriptaculous" Threat Detected

Whenever I try to access www.caskers.com, a retail liquor site from which I have ordered many times, I now receive an AVAST threat detected message (att’d). Each time, it seems to reference a different JavaScript name, always with “scriptaculous.” I checked WHOIS and the IP address listed maps to www.gameservers.com!

I tried researching this issue and came up with no useful hits. I did run a Malwarebytes scan and came up completely clean.

I wrote to Caskers and they claim I am the only one to have reported this problem; therefore, it must be a false positive.

I am at a loss as to how to proceed. They continue sending me email offers, but I cannot access the site any longer.

Any ideas or help will be appreciated.

Thanks,

KenB

URL:Mal means the URL or IP is blacklisted for whatever reason; there can be many.

Checking the URL and IP, I could not find anything, so you may report this to the avast lab: https://support.avast.com

I’m guessing that this happens when you have logged in as I have tried to view the site (using firefox 34.0) and don’t initially get an alert. Basically I’m given a member logon popup screen and can’t get into the site.

That said, looking at the page source there are a ton of script calls to run scriptaculous-based scripts, but those are on the caskers.com site, not going out to the URL/IP address in the alert image.

Looking at your image, it isn’t the actual caskers.com that is triggering the alert - there is something making the connection to hxxps://107.191.39.185 on port 443 and running a JavaScript. I’m always wary of URLs that are given as an IP address, as it is never obvious where they will take you.

URL:Mal generally means the site or IP is considered malicious. So I would say that IP address in your image is considered malicious.

Basic checking didn’t find anything - but that IP address actually goes back to skin.caskers.com - however, what is interesting is that the site is running out-of-date software. This can make the site vulnerable to exploit.

sitecheck.sucuri.net/results/107.191.39.185

I am still unable to access <caskers.com> as long as AVAST is active. I have written to the company and they report that the problem must be on my end. Last night, I was at a friend’s house who uses AVAST on a Mac (vs. PC) and he had no trouble at all accessing and logging in to Caskers.com. I cleared my cache and tried again this morning and AVAST still reports “Threat Blocked” (see uploaded image) although it is no longer singling out “scriptaculous” but “varien/configurable.js”.

This morning, I checked:

  • Sucuri - shows no blacklistings, only some outdated Apache software (v2.2.22)
  • Virustotal - shows a detection ratio of 0/61 and “Clean site” for everything listed
  • Metascan - shows 0/13 sources found a threat

It appears as though some redirection is occurring, but I am not sure what to do about it. I would like to continue purchasing from this site. Could the problem be on my computer? I checked my wife’s PC, running the same AVAST software, and she is unable to connect to Caskers also.

Any suggestions?

Thanks, Ken

I suspect that avast for Mac differs from the Windows version in various areas.

The area where I think this may differ is HTTPS scanning by the Web Shield in the Windows version of avast - if that isn’t present in the Mac version of avast, it wouldn’t be scanning the content.

I don’t know why the site is using an IP address rather than a user friendly URL (often used to obfuscate things). There is a possibility that avast could be blocking the IP address rather than the actual .js file - this could be if other domains are also on this IP that have been infected.

Have you tried a different browser when trying to connect to this site?
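The check DavidR describes (reading the page source for script calls and being wary of any that load from a bare IP address) can be automated; this is an added example, not code from the thread or from avast. It reads saved page source, lists every script src, and flags hosts that are a raw IP or lie outside the site's own domain. SAMPLE_HTML is constructed for illustration: the 107.191.39.185 address and js.caskers.com come from the thread, cdn.example.net is a made-up third-party host.

```python
# Added example, not code from the thread: list every <script src> in saved
# page source and flag hosts that are bare IP addresses or lie outside the
# site's domain. SAMPLE_HTML is constructed; 107.191.39.185 is from the alert.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """<html><head>
<script src="/js/prototype/prototype.js"></script>
<script src="https://js.caskers.com/js/scriptaculous/controls.js"></script>
<script src="https://107.191.39.185/js/varien/configurable.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body></body></html>"""

class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def same_site(host, site_domain):
    """True for the apex domain and its subdomains (e.g. js.caskers.com)."""
    host, site_domain = host.lower(), site_domain.lower()
    return host == site_domain or host.endswith("." + site_domain)

def flag_script_sources(html, site_domain):
    """Return (src, reason) for each external script worth a closer look."""
    parser = ScriptSrcParser()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        host = urlparse(src).hostname  # None for relative paths (same host)
        if host and is_ip_literal(host):
            flagged.append((src, "script loaded from a bare IP address"))
        elif host and not same_site(host, site_domain):
            flagged.append((src, "script host outside " + site_domain))
    return flagged
```

To check a real page, save its source with the browser and call flag_script_sources(open("page.html").read(), "caskers.com"); an inline script or one injected after load would not appear in the saved source, so an empty result does not prove the page clean.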

Hi Ken37 & DavidR,

As you can see here: http://jsunpack.jeek.org/?report=fc04ab34108a840ff2fb42da98d69aa44240a521
(Above link for security research only, open up with NoScript extension active and inside a VM/sandbox)
there is something found while this script is running from the site: -js.caskers.com/js/scriptaculous/controls.js

decodingLevel=0] found JavaScript error: line:441: SyntaxError: missing } after property list: error: line:441: nextText: "", error: line:441: .....................................^ error: line:3: SyntaxError: missing = in XML attribute: error: line:3: error: line:3: ..............^ suspicious: maxruntime exceeded 10 seconds (incomplete)
When the spaces are fixed with a beautifier we see what is wrong: a missing comma after the rules data object!

-caskers.com/js/scriptaculous/effects.js undefined variable Element error: undefined variable Prototype error: undefined variable Class

Wp-scriptaculous.js errors can be caused by associated registry keys, corrupt downloads (incomplete, see above) and/or virus and malware infection. We had an earlier scriptaculous issue discussion here: https://forum.avast.com/index.php?topic=74911.5

The site IP is blocked because of SPAM bot activity: http://myip.ms/view/blacklist/916829436/Blacklist_IP_54.165.180.252
Listed activity is from Proximic Web Crawler - Website Extractor, with the latest visit recorded on Dec. 14th; for me that is today!

Site also did not survive a Spam Check: Suspicion of Spam

…his whisky, which was made to replicate the original 1963 whisky released in the united states, are available worldwide…

How far this outdated software plays a role is as yet unknown to me: Outdated Web Server Apache Found: Apache/2.2.22
PHP issue: http://www.ubuntu.com/usn/usn-2391-1/

I get a “Title 301 Moved Permanently”
[Location] htxps://js.caskers.com/geturl.php?url=js/cdnjs/https:/
→ Suspicious url(NULL)
[script] htxps://js.caskers.com/js/prototype/prototype.js
→ user information check

The document has moved <a href="htxps://www.caskers.com/">here</a>.</p>

Site could hijack your browser…some warnings: http://www.dnsinspect.com/caskers.com/1418571753
Netcraft Risk Rating red 1 → http://toolbar.netcraft.com/site_report/?url=https%3A%2F%2Fwww.caskers.com

Transaction Protection
Certified SSL is used to encrypt transactions
SSL Issuer: PositiveSSL CA 2
SSL Expires: 2015-04-09 23:59:59 UTC

polonus

Ken,

there is nothing you can do other than telling the site owner to fix the issues.
As long as they keep using outdated software (Apache), the site will stay blocked.

I rather doubt avast is blocking because of outdated server software (which is vulnerable to exploit), as avast’s scan (Web Shield) doesn’t go to this depth.

Thank you, Polonus, DavidR, and Eddy. I copied material from your various posts and sent it to my contact at Caskers.com. It is now up to their technical personnel to follow up and take these issues seriously. At least this time I was able to offer them loads of pretty compelling evidence!

I appreciate the assistance and technical research you provided. I will post an update if I hear anything back from Caskers.

Thanks, Ken