A few users of my site (411mania.com) who use Avast have told me that they get a warning when trying to access the site. The warning message that comes up for a user of mine is:
“MALICIOUS URL BLOCKED”
avast! Network Shield has blocked a harmful site
Object: http.//cdn.mauiblogger.net/k
Infection: URL:Mal
Target Process: Firefox
As far as I know, no other blocker, nor Google, has marked the site for malware. Google is usually all over me anytime a malware issue comes up, and I have not heard anything from them about this (and this issue has been going on for days on Avast, so it’s not a new issue).
Any help on how I can fix this issue on avast would be appreciated. I feel like it’s a false positive because I cannot find anything about the mauiblogger.net domain, nobody else is marking the site as suspicious, and I can’t find anything unusual in my code. It might be something coming through via the ads, but I use only well-established ad companies like AdSense, Tribal Fusion, etc.
If anyone has any input on this, I’d appreciate it.
I downloaded Avast for Mac and do not get any warning when accessing the 411mania.com site. So it appears only PC users using Avast get the warning. I also removed all the ads from a test page and had one of the users who is getting the warning access it, and he still got the warning.
Intrusion Detection Systems.
Suricata /w Emerging Threats Pro
2013-08-07 08:09:39 212.124.126.7 urlQuery Client 3 ET RBN Known Russian Business Network IP (162)
Thanks for the reply Pondus. Any idea how I can solve the issue? All my ad companies are claiming that none of their advertisers have anything to do with that domain, and I can’t find anything else in my code that would cause something from that domain to load on my site. It’s really puzzling to me and I’m running out of ideas on how to solve the problem for Avast users.
zulu is not completing scan for 411 site, but downforeveryoneorjustme is reporting site as live.
See attached:
I’d check for nested redirects within your site as this block occurred two seconds after loading the webpage when visiting by using scanned links from zulu.
I get either the server did not accept my request, or an invalid URL was passed. The error code returned was:
Code: -2147012894
Description: The operation timed out
Server Response:
Description: unknown response code
Issue with malicious software includes 12 scripting exploit(s).
Recently MALWARE-OTHER TDS Sutra - redirect received IDS alert.
Malicious software is hosted on 1 domain(s), including luminate.com/.
Thanks again for your help. The code they are labeling as suspicious is the Tribal Fusion ad code. Tribal Fusion is one of the largest and most reputable ad companies in the country and I’ve been using them for 10+ years with no issues. Really strange. So you guys think the source of the issue is the ad code identified here?:
Quttera detects potential suspicious file: tags.expo9.exponential.com/tags/411maniacom/ROS/tags.js Severity: Potentially Suspicious
Reason: Suspicious JavaScript code injection.
Details: Procedure: + has been called with a string containing hidden JavaScript code .
The issue is really weird because Norton and Google have no issues at all with that ad code or anything else on 411mania.com. As far as I know, only users using the PC version of Avast have the issue (Avast on Mac doesn’t give me any warnings).
Thanks mchain. As a test, I’ve removed the Tribal Fusion (expo9) tags entirely from one page. Can you let me know if you still get a warning when visiting this page:
Thanks Steven. Do you still get the alert on 411mania.com? If you get it on 411mania.com but don’t get it on 411mania.com/games, that would confirm the issue is with the ads.
My users who use Avast continue to say that they get the warning. I tested pulling all the ads from the site and still got this issue from urlquery.net:
Intrusion Detection Systems
Suricata /w Emerging Threats Pro No alerts detected
Snort /w Sourcefire VRT
Timestamp Source IP Destination IP Severity Alert
2013-08-09 08:05:02 174.122.149.143 urlQuery Client 1 MALWARE-OTHER TDS Sutra - redirect received
I’ve since put the ads back up since they aren’t the cause. One ad was causing the earlier warning involving the Russian Business Network IP but I removed that.
I’m at a real loss here. I tried contacting Avast directly but nobody replied.
Yeah, most of those are ads, which I tried removing entirely but still got the error. You’ll notice in that chart that cdn.mauiblogger.net, which is what is setting off the issue, loads directly from 411mania.com, not one of the other URLs. I had Rackspace look into the issue and they couldn’t even find anything and said that it must be an issue with Avast since no other antivirus software or Google has any issues with anything on the site. I’m really confused/frustrated here.
polonus, I clicked on the urlquery report you pulled for cdn.mauiblogger.net and it was totally clean with no malware warning. Makes zero sense that urlquery.com gives a malware warning for 411mania.com which they say is coming from 174.122.149.143 (cdn.mauiblogger.net) but that when I do a urlquery report for cdn.mauiblogger.net itself, it comes back totally clean.
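An added example, not part of any post in this thread: one way to find where an unexpected host such as cdn.mauiblogger.net is referenced is to inventory every host in the HTML the server actually returns and compare it with the ad domains the site owner expects. The sample page is constructed (host names come from the thread, the markup is invented), and the allowlist domains and the `unexpected_hosts` helper are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: host names are taken from the thread, markup is invented.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://tags.expo9.exponential.com/tags/411maniacom/ROS/tags.js"></script>
<script src="//pagead2.googlesyndication.com/pagead/show_ads.js"></script>
</head><body><a href="http://www.411mania.com/games">Games</a>
<script>document.write('<scr'+'ipt src="http://cdn.mauiblogger.net/k"></scr'+'ipt>');</script>
</body></html>"""

URL_ATTRS = {"src", "href", "data", "action"}
# Host literals inside inline <script> bodies, e.g. a tag written by document.write.
INLINE_URL = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)


class HostCollector(HTMLParser):
    """Record every host a page references and which tag referenced it."""
    def __init__(self):
        super().__init__()
        self.hosts = {}  # host -> set of tag names
        self._in_script = False

    def _add(self, host, tag):
        if host:
            self.hosts.setdefault(host.lower(), set()).add(tag)

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self._add(urlparse(value.strip()).hostname, tag)

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for host in INLINE_URL.findall(data):
                self._add(host, "inline-script")


def unexpected_hosts(html, site_host, allowed_domains):
    """Return {host: [tags]} for hosts that are neither the site nor allowlisted."""
    collector = HostCollector()
    collector.feed(html)
    collector.close()
    ok = {site_host.lower(), *(d.lower() for d in allowed_domains)}
    return {h: sorted(t) for h, t in collector.hosts.items()
            if not any(h == d or h.endswith("." + d) for d in ok)}
```

Running it over the HTML as fetched from the live server, rather than over the template source, also covers markup added after the template is rendered; a host that only appears after a server-side redirect will not show up in the page body at all.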