Recently I have noticed Avast blocking an unusual amount of “URL:Mal” while I am browsing on legitimate websites. The URL avast is blocking is http://54.213.218.227/ Recently it began blocking www.stanford.edu with this same alert (I’m not sure how long it would have been blocking www.stanford.edu as I visited it for the first time two days ago). What is weird is that this is intermittent. Within the past two days Avast sometimes allows me to visit the site without any warnings, and other times blocks the whole site.

Also, when pinging www.stanford.edu I seem to get different results periodically (it alternates back and fourth between different IP addresses regularly). (see attached).

I also don’t seem to get this problem when just accessing stanford.edu - only when I access www.stanford.edu. As I previously said, I recall Avast blocking some other sites that I visit with this same URL:Mal IP address, although I don’t remember what sites those were so I can’t reproduce the problem.

Is www.stanford.edu legitimately infected, is this a false positive, or could I be the victim of some DNS Hijacking (or other malware) on my end? I use OpenDNS (I think). I recently posted on this fourm about my suspicion of a Rootkit on my system. Another member assured me that this isn’t the case, but I’m not so sure any more.

Thanks!

Andrew

both IP seems to be related to stanford
see pic in top right corner
http://urlquery.net/report.php?id=1409425655848
http://urlquery.net/report.php?id=1409425670387

URL:mal means IP or URL is on a blacklist for whatever reason, there can be many, it does not have to be infected

if you think it is wrong, you can report it here http://www.avast.com/contact-form.php
you may give link to this topic in case they want to reply here

if you think this is related to your computer and want a check, see instructions https://forum.avast.com/index.php?topic=53253.0

Thanks for the quick reply. This does look like a False Positive. I contacted Avast using the link you provided so I’ll wait to hear back from them.

Thanks!

Andrew

while I am browsing on legitimate websites

The URL avast is blocking is http://54.213.218.227/

Also, when pinging www.stanford.edu

For me the site is not being blocked by avast!
For reverse DNS results on IP: ec2-54-213-218-227.us-west-2.compute.amazonaws.com
Domain ec2-54-213-218-227.us-west-2.compute.amazonaws.com/IN does not exist.
Failed to find parent of ec2-54-213-218-227.us-west-2.compute.amazonaws.com/IN.
Delegation not found at parent.
Not enough nameserver information was found to test the zone ec2-54-213-218-227.us-west-2.compute.amazonaws.com, but an IP address lookup succeeded in spite of that.
See: http://urlquery.net/report.php?id=1409429863906

polonus

That’s odd. Do you get a warning when accessing: http://54.213.218.227/ or do you just get the Stanford site?

Andrew

avast’s webshield is blocking the url as well as the IP.

Goeiedag Eddy,

Yep, I also get these results now, there is something terribly wrong with standford dot edu nameserver(s). (delegation). Domain doctor comes up with: T+0.24s ERROR: got no DNS servers for STANDFORD.EDU
(criminal DNS redirection??). Good avast! alerts. → https://manage.centralnic.com/support/domain_doctor/www.standford.edu

groetjes,

Damian

Hmm. Well, it appears that www.stanford.edu no longer resolves to 54.213.218.227 as reported by http://cachecheck.opendns.com/. In fact 54.213.218.227 no longer seems to load, and avast gives me no warnings although previously the Stanford site would load when accessing http://54.213.218.227/ directly from my iPod (just to be safe). I never noticed any malicious activity on 54.213.218.227 anyway.

Very odd.

Andrew

dns lookup: Failed to resolve www.standford.edu

They really have serious problems.