URL:Mal false positive detection report

Hi,
We have a client reporting a URL:Mal infection threat detection from code on their website hosted on one of our domains:
lmknjb1[.]com

This is hosted via a global web farm with endpoint IPs: 23.96.83.107, 138.91.156.9, 104.40.215.103
Neither the domain nor the IPs have been blacklisted on any available blacklist I can find.

Please can this detection be reviewed, and any false positive(s) removed.

Regards
Rich

You can report a URL here: https://www.avast.com/report-a-url.php

Blacklisted :
https://www.virustotal.com/en/ip-address/138.91.156.9/information/

Unable to scan the site (suspicious) :
https://sitecheck.sucuri.net/results/www.lmknjb1.com

Malware on the site :
http://urlquery.net/report.php?id=1497983998204

Blacklisted and infected :
https://sitecheck.sucuri.net/results/www.leadforensics.com

Blacklisted :
https://www.virustotal.com/en/url/564ea7f013dc2fac2c2b6b4e7791ad1564ded2c63a5c9b9f2fe6895cd16eef46/analysis/1498642188/
https://www.virustotal.com/en/ip-address/185.3.92.181/information/

Blacklisted and malware :
http://urlquery.net/report.php?id=1498640065956

Wordpress issue :
ninja-forms 3.1.5 latest release (3.1.6) Update required

Vulnerable libraries :
http://retire.insecurity.today/#!/scan/e0e799f94ff43d98b13e56da492118cc0000c71f1979c5637dfc77b983bf5d5f

I’ve already contacted Fortinet for the domain that has been flagged as malware on the IP listed.
I’ve also got an active ticket open with Sucuri.

As for the WordPress issues, I’m in discussions with our website developers.


None of these however explain why Avast has blacklisted the domain lmknjb1[.]com

On same IP there is malware here: http://urlquery.net/report.php?id=1497984002929
Custom errors: Fail

Requested URL: hxtp://www.lmknjb1.com/< | Response URL: hxtp://www.lmknjb1.com/< | Page title: Runtime Error | HTTP status code: 400 (Bad request) | Response size: 3,420 bytes | Duration: 19 ms
Overview
Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.

Result
It looks like custom errors are not correctly configured as the requested URL contains the heading “Server Error in”.

Custom errors are easy to enable, just configure the web.config to ensure the mode is either “On” or “RemoteOnly” and ensure there is a valid “defaultRedirect” defined for a custom error page as follows:

https://urlscan.io/result/8601ee12-be43-44e1-8a10-1fe6b64ebbf9/dom/ http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) - Potentially risky methods: TRACE
nameserver salt.master salt.minion using master DNS: zone.easydns.com. . No excessive server info proliferation found. :wink:
Consider PulseSecure for Barracuda… :-X

Certificate error: Wrong certificate installed. 8)
The domain name does not match the certificate common name or SAN.
RC4
Your server’s encryption settings are vulnerable. This server uses the RC4 cipher algorithm which is not secure.
Go Daddy Secure Certificate Authority - G2
This server is vulnerable to a Poodle (SSLv3) attack :cry:

polonus (volunteer website security analyst and website error-hunter)

I have unblocked lmknjb1[.]com. It might have been because the domain seems randomly generated (as are 90% of the domains on the 3 IPs you mentioned). This is usually a sign of maliciousness, and I strongly advise against it.
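The reply above gives the likely reason for the block: the label looks randomly generated. Below is an added example, not from this thread or from Avast, of the kind of lexical heuristic a reputation system can use to flag such labels. The rules and thresholds (vowel ratio, consonant runs, mixed-in digits, character entropy) and the sample domains other than the two named in the thread are constructed for illustration; this is not Avast's actual logic.

```python
"""Added example: a small 'does this label look generated?' heuristic.

Thresholds, scoring weights and the constructed sample domains are
illustrative assumptions, not the logic of any real reputation engine.
"""
import math
import re
from collections import Counter

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")


def second_level_label(domain: str) -> str:
    """Return the registrable label of a (possibly defanged) domain.

    'www.lmknjb1[.]com' -> 'lmknjb1'. Public-suffix handling (co.uk etc.)
    is deliberately omitted to keep the example short.
    """
    d = domain.lower().replace("[.]", ".").strip(".")
    parts = d.split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_features(label: str) -> dict:
    """Lexical features of one label; every value is cheap to compute."""
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    runs = [len(m) for m in CONSONANT_RUN.findall(label)]
    digit_ratio = (sum(ch.isdigit() for ch in label) / len(label)) if label else 0.0
    return {
        "letters": len(letters),
        "vowel_ratio": vowel_ratio,
        "longest_consonant_run": max(runs, default=0),
        "digit_ratio": digit_ratio,
        "entropy": shannon_entropy(label),
    }


def looks_random(domain: str, threshold: int = 2) -> tuple[bool, list[str]]:
    """Score a domain against constructed 'looks generated' rules.

    Returns (flagged, reasons). Labels with fewer than four letters skip the
    vowel rule so short brand names like 'bbc' are not penalised.
    """
    f = label_features(second_level_label(domain))
    score, reasons = 0, []
    if f["letters"] >= 4 and f["vowel_ratio"] < 0.2:
        score += 2
        reasons.append(f"almost no vowels (ratio {f['vowel_ratio']:.2f})")
    if f["longest_consonant_run"] >= 5:
        score += 1
        reasons.append(f"consonant run of {f['longest_consonant_run']}")
    if 0 < f["digit_ratio"] < 0.5:
        score += 1
        reasons.append("digits mixed into letters")
    if f["letters"] >= 8 and f["entropy"] > 3.8:
        score += 1
        reasons.append(f"high character entropy ({f['entropy']:.2f} bits)")
    return score >= threshold, reasons


def triage(domains: list[str]) -> tuple[list[tuple[str, list[str]]], list[tuple[str, list[str]]]]:
    """Partition candidate domains into (flagged, clean) lists with reasons."""
    flagged, clean = [], []
    for d in domains:
        hit, why = looks_random(d)
        (flagged if hit else clean).append((d, why))
    return flagged, clean


# Constructed sample set: the two domains named in the thread plus three
# made-up ones (xk7q2zpw9.net is an invented generated-looking label).
SAMPLE_DOMAINS = [
    "lmknjb1[.]com",
    "www.leadforensics.com",
    "example.com",
    "xk7q2zpw9.net",
    "easydns.com",
]

if __name__ == "__main__":
    flagged, clean = triage(SAMPLE_DOMAINS)
    for d, why in flagged:
        print(f"FLAG  {d}: {'; '.join(why)}")
    for d, _ in clean:
        print(f"ok    {d}")
```

A short, hand-chosen label such as lmknjb1 trips every rule here, which is exactly how a legitimate domain ends up on a blacklist; that is why a lexical score like this should feed a review queue or an allowlist check rather than block outright, as the thread's outcome (unblocked after review) illustrates.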