Hi…
I have a problem with my website www.r-x0.com and Avast, especially with the size of the site, and I do not fully know what the reason is.
A large number of fans of the site complain about the presence of a virus; we examined it more than once and did not find any virus.
We examined the site + IP and what do we do Analm
Please please please help me, because I initiated lose Republican
Checking with DrWeb's URL checker, the site seems fine.
Sucuri does not find anything either: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.r-x0.com%2F
Finding this: htxp://www.r-x0.com/test404page.js gives me a strong indication the site has been compromised.
Avast! detects HTML:RedirME-inf[Trj] there, so there must be a server redirect somewhere, apparently a Cloudflare-related issue,
or because this is wXw.r-x0.com, 108.162.199.179, Multiple IPs,
There were 6 connections seen from that IP, last seen 3 days ago both with AlienVault and AlienVaultScan Spam threats, respective danger levels: 4 and 2.
See what we detected here, and this is what avast flags: http://urlquery.net/report.php?id=9550798
IDS alert for ET CNC Zeus Tracker Reported CnC Server group 1 → https://zeustracker.abuse.ch/monitor.php?search=108.162.199.179
Anyway, you are free to report an FP here: www.avast.com/contact-form.php
polonus
urlQuery http://urlquery.net/report.php?id=9551175
Suricata filter says ET CNC Zeus Tracker Reported CnC Server group 1
Hi Pondus,
Beaten me by a sec. Funny that abuse.ch Zeus tracker did not have that domain.
Cybercriminal IPs and sites are often missed by the "run of the mill" scanners; IDS gets them, even Sucuri, and see: http://zulu.zscaler.com/submission/show/dcf8f4390531ec8089228dfeac17069b-1392909153 (it is a shame really)
Also read this: http://comments.gmane.org/gmane.network.dns.operations/577
and our friend at gmane certainly has a point there. Why do they need 34 nameservers with multiple IP addresses???
pol
From the picture in urlQuery it seems the site wants to load some Java stuff?
Re: translation of Arabic here: problem on my website.
If the actions are like the ones here on that same IP number, you could be right:
https://zeustracker.abuse.ch/monitor.php?host=zukkoshop.su
Not much here: http://jsunpack.jeek.org/?report=2b79b3b4e34d708bd39e44d2ab2a60ff39f21ad2
but it does show some iFrame hiccups in this code:
ads2.hsoub dot com/ benign
[nothing detected] (iframe) ads2.hsoub dot com/
status: (referer=ads2.hsoub dot com/market.js)saved 8747 bytes c607ab4d253bec8a6a6e175644f86e24c0ac6ba1
info: [script] ads2.hsoub dot com/js/language/ar.js?140114
info: [script] ads2.hsoub dot com/js/application.js?140114
info: [img] ads2.hsoub dot com/images/logo-ar.png
info: [iframe] ads2.hsoub dot com/map
info: [iframe] wXw.youtube.com/embed/0fbe54JXjHI?rel=0&showinfo=0&autohide=1&controls=0
info: [decodingLevel=0] found JavaScript
error: undefined variable s
suspicious:
What is spamming from an external link, and where you are right, is: http://jsunpack.jeek.org/?report=0e80c48448fce2f4107c0e8440f4c3b8a59625d1
see: <APPLET NAME="Chat" CODEBASE="htxp:/198.50.156.4:9932/Spilka/Classes/" CODE="com.spilka.client.ClientApplet
blacklisted on two occasions: http://cleantalk.org/blacklists/198.50.156.4
comment spammer: https://www.projecthoneypot.org/ip_198.50.156.4
and in Stop Forum Spam (now offline): http://webcache.googleusercontent.com/search?q=cache:http://www.stopforumspam.com/ipcheck/198.50.156.4
Pondus, you could check on the original Creative Commons applet code here: http://www.dev-point.com/vb/t268027.html → Chat Applet By Ahmad
pol
What is to be done to lift the ban on the site?
Because the site is free of viruses after an internal examination,
and no on-site materials are suspicious, and those of outsiders have been removed.
What is required to lift the ban?
Hi DeeNooz,
That is for avast team members to decide.
We are just volunteers that do scanning.
When you are on such an IP flagged by Zeus tracker,
you are likely getting blocked or blacklisted elsewhere too.
There was SEO spamming from the site.
I would have my website hosted somewhere else and
not be associated with such a threat IP from a Zeus server.
see http://threatstop.com/checkip
108.162.198.179 5 connections first seen 4 months ago last seen 4 days ago Threat name AlienVault Danger level 4
first seen 8 months ago last seen 4 days ago Threat name AlienvaultScanSpam Danger level 2
IDS alert ET CNC Zeus Tracker Reported CnC Server group 1
and what about this external link: https://www.mywot.com/en/scorecard/spyrush.com?utm_source=addon&utm_content=popup-donuts
→ spamming spammers spamming spamtraps
polonus
The chat plug-in that the site loads does not seem to be malicious, as is being confirmed.
You could file an FP report here: www.avast.com/contact-form.php
As to how far you were hit by a general IP ban because of the IDS alerts, I cannot verify from here.
Anyway, that is up to avast team members to decide.
Be good
polonus