Ok… second time of typing as my “captcha” didn’t match.
My website has been blocked by a large number of Avast users for over a week. I have been right through the files via FTP. I have also run it through online scanners, both of which (Sucuri and webinspector) agree that it is clean.
No other virus/malware checkers seem to be flagging anything.
I am now spending a considerable amount of time defending my hard-earned business reputation across various social networks against trolls who have nothing better to do than slate people and things they know nothing about.
We have to check on these redirects from that site:
URLs that redirect found in: http://spainbuddy.com/
1: htxp://www.gandy-draper.com/openx/www/delivery/avw.php?zoneid=24&cb=INSERT_RANDOM_NUMBER_HERE&n=ab826f56 → htxp://www.gandy-draper.com/openx/www/images/46c3fd36def631da4ac2480821857606.jpg
2: htxp://www.booking.com/?aid=357636&tmpl=searchbox&width=685&calendar=1& → htxp://www.booking.com/
and this in line 07:shr.src = ‘htxps://dsms0mj1bbhn4.cloudfront.net/assets/pub/shareaholic.js?ver=7.0.3.6’;
flagged as potentially suspicious by Quttera’s → htxps://shareaholic.com")}.call(this),/*! as dsms0mj1bbhn4.cloudfront.net/assets/pub/shareaholic.js?ver=7.0.3.6
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘=%26=%26=%260=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=’]] of length 344 which may point to obfuscation or shellcode.
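Why a scanner can report "too low entropy" for a string like the one quoted above, as an added example that is not part of the original post and is not Quttera's code. The length and entropy thresholds are assumptions chosen for illustration, and both sample strings are constructed.

```python
import math
from collections import Counter

def shannon_entropy(s: str) -> float:
    """Bits of information per character, from character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

# Assumed heuristic settings; the scanner's real thresholds are not on the page.
MIN_LENGTH = 100        # ignore short literals, they are naturally repetitive
LOW_ENTROPY_BITS = 3.0  # below this a long string is mostly repetition

def low_entropy_strings(literals):
    """Return (prefix, length, entropy) for long, highly repetitive literals."""
    hits = []
    for lit in literals:
        h = shannon_entropy(lit)
        if len(lit) >= MIN_LENGTH and h < LOW_ENTROPY_BITS:
            hits.append((lit[:12], len(lit), round(h, 3)))
    return hits

# Constructed sample: "%26" is the URL encoding of "&", so this is a run of
# empty "=&" pairs, similar in shape to the 344-character string in the report.
REPEATED = "=%26" * 86

# Constructed sample: an ordinary UI string of comparable size.
ORDINARY = ("Share this page with your friends on social networks, "
            "by email, or by copying the link below into a message.")

if __name__ == "__main__":
    for text in (REPEATED, ORDINARY):
        print(len(text), round(shannon_entropy(text), 3), repr(text[:16]))
    print(low_entropy_strings([REPEATED, ORDINARY]))
```

The heuristic measures repetition only, so a hit is a reason to read the surrounding script, not a verdict on it.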
Thanks Pondus - IP Blocking I can get around - I can pay my hosts for a dedicated IP on that server. I shall look into that in the morning. Alternatively, if I flag that site up to the hosts… they may be able to do something at their end to it.
Thanks for the feedback Polonus.
I don’t understand how the ads are bad in openx? Gandy-Draper is our own company by the way… and that’s where the openx is hosted. .com is the website and .net is the hosting account. We’ve been using it for organising our advertising for a few years now, and never with any issues until recently.
1. The first one is a banner that invites people to advertise on the same website
2. The second one - Booking.com is well… booking.com - a vacation booking website. Well established respected etc etc etc
3. The line 7 is a Shareaholic plugin… which although have been causing issues for many of us this week… are standard sharing tools on 100,000s of websites. Mind you after this week, they can go jump off a tall building. Their plugin has stopped working in Firefox. I’m looking for a decent alternative as we speak.
So… if I delete those 3 items from my site - will that mean it is clean for Avast purposes? Even though it’s testing clean anyway? Or does Avast simply dislike the way that openx redirects links?
Oh God I’m so confused… and so frustrated and upset after all the hassles. I do appreciate the help and time you are putting into this - so thank you all so much… Pondus, Polonus and Steven.
Think the site is clean, if there is a block it is a general IP block, see what Pondus gave us to ponder on.
So report the false positive to Avast at: http://www.avast.com/contact-form.ph
and see whether they will unblock your domain from that general IP block,
but again that is up to the avast team members responsible for blocking, e.g. Milos et al.
We are into this scanning and evaluation “just for the good of our souls”
and to improve on the security awareness of users and website owners alike,