Still blocked by Avast (only) yet site is testing clean

Ok… second time of typing as my “captcha” didn’t match.

My website has been blocked by a large number of Avast users for over a week. I have been right through the files via FTP. I have also run it through online scanners, both of which (Sucuri and webinspector) agree that it is clean.

No other virus/malware checkers seem to be flagging anything.

I have messaged Avast twice now via http://www.avast.com/contact-form.php?loadStyles but have received no reply, or any form of acknowledgement.

I am now spending a considerable amount of time defending my hard-earned business reputation across various social networks against trolls who have nothing better to do than slate people and things they know nothing about.

My website is spainbuddy dot com

Can someone please please PLEASE help!

One desperate lady

Elle x

Sucuri: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fspainbuddy.com Clean
URLQuery: http://urlquery.net/report.php?id=5234176
Quttera: http://www.quttera.com/detailed_report/spainbuddy.com Clean
Zulu: http://zulu.zscaler.com/submission/show/98e5401479006605cdc45b41e64c51bd-1379087638 Benign
Virustotal scan is clean.

I will notify polonus about this. :wink:

Steven - thank you for giving me the first positive response I’ve had in a while.

Very much appreciated.

Elle xx

polonus is notified, he will look over the site and the scans I run, and will run scans himself maybe.

But he is offline now, so please wait some time.

When I scanned using Quttera I found nine suspicious files. http://quttera.com/detailed_report/www.spainbuddy.com ???

My search is for htxp://spainbuddy.com, yours is for htxp://www.spainbuddy.com

I think that is the point. ;D

probably an IP block…

if you look here http://urlquery.net/report.php?id=5234176 and scroll down to "Recent reports on same IP/ASN/Domain"

you find these domains using the same IP that have alerts on them; see here: Detected RedKit exploit kit URL pattern http://urlquery.net/report.php?id=5234545
Sucuri report http://sitecheck.sucuri.net/results/www.dailycruisebargains.com/

And this is why it is being blocked, I think…

That's like bad advertisements which carry scripts or something like that.

We have to check on these redirects from that site:
URLs that redirect found in: http://spainbuddy.com/

1: htxp://www.gandy-draper.com/openx/www/delivery/avw.php?zoneid=24&cb=INSERT_RANDOM_NUMBER_HERE&n=ab826f56 → htxp://www.gandy-draper.com/openx/www/images/46c3fd36def631da4ac2480821857606.jpg
2: htxp://www.booking.com/?aid=357636&tmpl=searchbox&width=685&calendar=1& → htxp://www.booking.com/
and this in line 07: shr.src = ‘htxps://dsms0mj1bbhn4.cloudfront.net/assets/pub/shareaholic.js?ver=7.0.3.6’;
flagged as potentially suspicious by Quttera’s → htxps://shareaholic.com")}.call(this),/*! as
dsms0mj1bbhn4.cloudfront.net/assets/pub/shareaholic.js?ver=7.0.3.6
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘=%26=%26=%260=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=’]] of length 344 which may point to obfuscation or shellcode.

polonus
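The "too low entropy" heuristic in the Quttera report above, as an added illustration (not code from the thread, the site, or Quttera): it pulls quoted string literals out of a script and flags the ones that are long but highly repetitive, such as the 344-character "=%26…" string the report cites. The sample script and the thresholds are constructed for this example; the report does not state Quttera's own thresholds.

```python
import math
import re
from collections import Counter

# Constructed sample, not taken from the site: the shape of the string Quttera
# flagged above ("=%26" repeated to a length of 344 characters).
REPEATED_PARAM = "=%26" * 86          # 4 * 86 = 344 characters

# Constructed script snippet embedding that literal next to an ordinary URL literal.
SAMPLE_JS = (
    "var q = '" + REPEATED_PARAM + "';\n"
    "shr.src = 'https://dsms0mj1bbhn4.cloudfront.net/assets/pub/shareaholic.js?ver=7.0.3.6';\n"
)

# Single- or double-quoted string literals on one line (no escape handling; enough for the demo).
STRING_LITERAL = re.compile(r"'([^'\n]*)'|\"([^\"\n]*)\"")


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def low_entropy_literals(js: str, min_len: int = 100, max_bits: float = 2.5):
    """Return (literal, entropy) for every string literal in `js` that is at least
    `min_len` characters long yet carries at most `max_bits` of entropy per
    character, i.e. long but highly repetitive. Thresholds are assumed values."""
    hits = []
    for m in STRING_LITERAL.finditer(js):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if len(literal) < min_len:
            continue                       # short literals are never interesting here
        h = shannon_entropy(literal)
        if h <= max_bits:
            hits.append((literal, h))
    return hits


if __name__ == "__main__":
    # The repeated parameter has four symbols at equal frequency: exactly 2.0 bits/char.
    for literal, h in low_entropy_literals(SAMPLE_JS):
        print(f"len={len(literal)} entropy={h:.2f} bits/char: {literal[:24]}...")
```

A long, highly repetitive literal can be padding around a payload, but it is just as often a harmless URL-encoded parameter, which is why a hit like this one is a prompt for manual review rather than a verdict.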

1: Norton: http://safeweb.norton.com/report/show?url=gandy-draper.com CLEAN
AVG: http://www.avgthreatlabs.com/website-safety-reports/domain/gandy-draper.com/ CLEAN
Sucuri: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.gandy-draper.com%2Fopenx%2Fwww%2Fimages%2F46c3fd36def631da4ac2480821857606.jpg
Virustotal: https://www.virustotal.com/de/url/342683c35177c46225a41b98986b44a420694a1c4616f281af6f382fcd9bb91d/analysis/1379092487/ CLEAN

1:

Comodo: http://app.webinspector.com/public/reports/17070505
URLQuery: http://urlquery.net/report.php?id=5237790
Zulu: http://zulu.zscaler.com/submission/show/a4b279961de04f277894fcd239a5f36d-1379092798
Quttera: http://www.quttera.com/detailed_report/www.gandy-draper.com
Wepawet: http://wepawet.iseclab.org/view.php?hash=5a0cc76560daf9bd24a133ce6022e16a&t=1379092845&type=js

Thanks Pondus - IP Blocking I can get around - I can pay my hosts for a dedicated IP on that server. I shall look into that in the morning. Alternatively, if I flag that site up to the hosts… they may be able to do something at their end to it.

Thanks for the feedback Polonus.

I don’t understand how the ads are bad in openx? Gandy-Draper is our own company by the way… and that’s where the openx is hosted. .com is the website and .net is the hosting account. We’ve been using it for organising our advertising for a few years now, and never with any issues until recently.

1. The first one is a banner that invites people to advertise on the same website.
2. The second one - Booking.com is, well… booking.com - a vacation booking website. Well established, respected etc etc etc.
3. The line 7 is a Shareaholic plugin… which, although it has been causing issues for many of us this week, is a standard sharing tool on 100,000s of websites. Mind you, after this week, they can go jump off a tall building. Their plugin has stopped working in Firefox. I’m looking for a decent alternative as we speak.

So… if I delete those 3 items from my site - will that mean it is clean for Avast purposes? Even though it’s testing clean anyway? Or does Avast simply dislike the way that openx redirects links?

Oh God I’m so confused… and so frustrated and upset after all the hassles. I do appreciate the help and time you are putting into this - so thank you all so much… Pondus, Polonus and Steven.

Elle x

2: (http://www.booking.com)

Norton: http://safeweb.norton.com/report/show?url=booking.com
AVG: http://www.avgthreatlabs.com/website-safety-reports/domain/booking.com/ (Please read the comments)
Sucuri: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.booking.com
Virustotal: https://www.virustotal.com/de/url/4cd89a208b2758b99a8f2ea32080267680959baf0943315ab5bd1b1e5e7cc536/analysis/1379093164/
TrendMicro: http://global.sitesafety.trendmicro.com/result.php
URLQuery: http://urlquery.net/report.php?id=5238395
Comodo: http://app.webinspector.com/public/reports/17070558
Zulu: http://zulu.zscaler.com/submission/show/4229ca78a6a0ca8f74a229dff5975940-1379093312

So actually Booking.com is safe.

These alerts should be gone when these things are removed, but please wait for polonus' reply. :wink:

These banners could have a bad advertiser or the websites that they are linking to could be hacked or infected.

Polonus is not online now.

You can check back later if you want.

Just save the Thread to your favorites in your browser.

Steven - thanks again. You’ve been a proper champ! :-*

Yes, I will bookmark the thread and pop back in the morning. I won’t delete those 3 items out until he lets me know.

Right now I need to step away from the computer… just had enough of it. Wine is calling!!

What I have done in the meantime is purchase a dedicated IP for my account… so that’s one issue removed at least.

… and relax…

Elle x

Hi Elle1971,

Think the site is clean, if there is a block it is a general IP block, see what Pondus gave us to ponder on.
So report the false positive to Avast at: http://www.avast.com/contact-form.ph
and see whether they will unblock your domain from that general IP block,
but again that is up to the avast team members responsible for blocking, e.g. Milos et al.
We are into this scanning and evaluation “just for the good of our souls”
and to improve on the security awareness of users and website owners alike.

Damian aka polonus

Thank you Damian (polonus).

I purchased a dedicated IP this evening from the hosting company I use (Hostmonster)… so that should take care of that bit.

I’ve already submitted it twice via that contact form over the last week or 8 days… but will try again.

Fingers crossed that they unblock it soon!

Elle xx

Get no alert on site now in Google Chrome, script blocker blocked:
<a href="http://www.gandy-draper.com/openx/www/delivery/ck.php?n=ab826f56&amp;cb=INSERT_RANDOM_NUMBER_HERE" onclick="javascript:_gaq.push(['_trackEvent','outbound-widget','http://www.gandy-draper.com/openx/www/delivery/ck.php?
and

polonus

P.S. Re: http://jsunpack.jeek.org/?report=09faf4737628045d840bacc3471ef97dbec9f32b

D

Just want to thank you all for your help. Got a message from Avast last night and the site is now unblocked. Woot!

Happy site users again xxx