URL:Mal2

Hi

Avast is banning this site as being infected with URL:Mal2.

https://mrtigrashell-vb-dot-0-dot-banded-earth-605.appspot.com/mrtigrashell/ap/locale=en_US/instid=vcr?an=1&uri-locate=https%3A%2F%2Fwww.flirtymania.com%2Fchat%2F%23main

Apparently this is a google site.

What’s going on?

Thanks.

flirtymania is not a site from Google.

Please modify your link, change the https to hXXps to avoid accidental exposure to a suspect link.

What exactly were you doing when this happened?

Whilst appspot.com may be registered by Google, there appears to be a redirection going on to flirtymania.com (not belonging to Google). I don’t know why this redirection was going on (hence my question above) and it may be that which avast didn’t like.

"Avast is banning this site as being infected with URL:Mal2"
Nope ... URL:Mal = URL or IP is blacklisted

IP history > https://www.virustotal.com/en/ip-address/74.125.193.141/information/
Click the "more" button under list(s) for more info.

And yes, Pondus, that IP is blacklisted as an open proxy by IP2Proxy.com.
Malware trackers have reported it up.

polonus

There seems to be an enormous amount of domains on that IP.

Yup, I can confirm that the whole IP was blacklisted due to an enormous amount of malicious domains. It should be now unblocked, but some clean domains might still remain blocked.
I am now removing mrtigrashell-vb-dot-0-dot-banded-earth-605.appspot.com from our blacklist.

I have the same problem with my domain hxxp://www.iniciagroup.com/. The site is clean and my clients report Avast blocking it.

Outdated Joomla > https://sitecheck.sucuri.net/results/www.iniciagroup.com

Many domains on same IP and some are blacklisted > https://www.virustotal.com/en/ip-address/192.185.90.86/information/

Avast detects a redirect > https://www.virustotal.com/en/file/361c8665219ace7be9ec7dee09718e6b057d482d0434af40bdffe2ebd9190184/analysis/1463145465/

No redirect detected here > http://www.redirect-checker.org/index.php

Reported to the Avast team; you may see a reply here.

Error 403.
Definitely a server problem.

A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page or resource to indicate that the server can be reached and understood the request, but refuses to take any further action.

Many problems there (including phishing) :
http://urlquery.net/report.php?id=1463144884625

Insecure headers :
https://securityheaders.io/?q=www.iniciagroup.com

Vulnerable libraries :
http://retire.insecurity.today/#!/scan/7285ebf652b96f6cb4fa15bd1f191eb8dc3ed28e5086fe9f1523b3871112d86a

Bad IP/Domain history:
https://www.virustotal.com/en/ip-address/192.185.90.86/information/

SSL/TLS problem :
https://www.ssllabs.com/ssltest/analyze.html?d=www.iniciagroup.com

I do not see anything malicious on iniciagroup.com right now, so I am unblocking it. But please take care of your domain and follow the advice of the experts here, or it will be infected (and blocked) again soon.

Hi HonzaZ,

Agree with your point of view but the security of the site could be improved a little bit in the following respects:

There certainly are security issues on the website, no actual threats or suspicion found.

Cloaking for the spam bot protection detected, see: http://isithacked.com/check/www.iniciagroup.com (95 bytes of difference).

Retirable jQuery library code with added insecurity because an SRI hash is missing → https://sritest.io/#report/ca9631c2-98e1-4a0c-8c42-c001dee29e2d
http://retire.insecurity.today/#!/scan/df5353d0d4572d67e147ba227ed9cca880585361e8369f16d535a38beae53dc9

Re: Undefined variable n in the jquery-latest.min.js code does not pose any threat,
as undefined in the jQuery code is actually an undefined parameter of a function wrapping the whole code.
That’s perfectly safe, as the undefined parameter is local to the function,
and nobody except the code in this function can assign to it.

Quote Info credits go to Stack Overflow’s arnaud576875.

Overall there is room for the use of some better and clearer syntax, see what was flagged for the HTML code: https://seomon.com/domain/www.iniciagroup.com/html_validator/

OpenSSL vulnerability CVE-2010-4180 for that webserver.

The above was reported by,

polonus (volunteer website security analyst and website error-hunter)
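
The missing SRI hash mentioned in the post above, as an added example that is not part of the original thread: it lists cross-origin scripts that lack an `integrity` attribute and computes the value to pin. The hosts, sample HTML and library body are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_hash(body: bytes) -> str:
    """Integrity value (sha384, base64) for the exact bytes of a resource."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def sri_matches(body: bytes, integrity: str) -> bool:
    """True if a listed hash matches. Simplified: browsers only honour the
    strongest algorithm present; here any listed hash may match."""
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo in ("sha256", "sha384", "sha512"):
            digest = hashlib.new(algo, body).digest()
            if base64.b64encode(digest).decode() == expected:
                return True
    return False

class _Finder(HTMLParser):
    """Collects cross-origin <script src> URLs that have no integrity attribute."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.missing = page_host, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = urlparse(a.get("src") or "").netloc
        if tag == "script" and host and host != self.page_host and not a.get("integrity"):
            self.missing.append(a["src"])

def scripts_missing_sri(html: str, page_host: str) -> list:
    finder = _Finder(page_host)
    finder.feed(html)
    return finder.missing

# Constructed sample page and library body (hypothetical hosts, not the real site).
SAMPLE_HTML = """
<script src="https://cdn.example.test/jquery-latest.min.js"></script>
<script src="https://cdn.example.test/pinned.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/js/site.js"></script>
"""
SAMPLE_BODY = b"/* constructed stand-in for a pinned library file */"

if __name__ == "__main__":
    for src in scripts_missing_sri(SAMPLE_HTML, "www.example.test"):
        print(f'<script src="{src}" integrity="{sri_hash(SAMPLE_BODY)}" crossorigin="anonymous"></script>')
```

An integrity value only holds for a file whose bytes never change, so a "latest" URL has to be replaced with a pinned version before the hash is added, and the hash must be computed over the file actually served.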