TAMAN Posted May 30, 2016

It has happened 3 times in the past 8 months. The last 2 times I reported it as a false positive and I got removed from the block list, but today I see my forum link blocked again by 4 antiviruses here: https://www.virustotal.com/en/url/4cdbced63ae993b07eb786a204ab4bccb7c54333287444bb1bd0e1a6180ce878/analysis/1464627612/ and my main website link is clean: https://www.virustotal.com/en/url/c99e00334fd248422e02b2699561b5ac7c38131e96b5278a9b969d4e063cec6f/analysis/1464628189/

I have no idea why I get blacklisted by antivirus, and I have not been hacked at all. The reason must be forum topics or the iframes I use, maybe :/ Does anyone have any idea what is going on here, or how to see what exactly is on my forum link that antivirus blocks? No idea where to check.
TAMAN (Author) Posted May 30, 2016

I just got a message about my false positive report and I got removed from one of the antivirus lists, which was Dr.Web. Still, 3 blacklist my website though. No idea why I get blacklisted and no idea where to check or how to prevent it from happening :/
Colonel_mortis Posted May 31, 2016

Your chatbox script, http://hellshammers.net/applications/bimchatbox/interface/chat/chatbox120.js?v=d54530563a is malicious I think, presumably because the site has been hacked rather than because the distributed version is malicious, but I would recommend checking.

Actually, it looks like that might be just obfuscated, not malicious, but the following tip is still worth doing: Take your site offline, back up all the files for analysis, then delete most of the files except /uploads/ and /conf_global.php, then reupload everything.

The scanners don't seem particularly confident in their conclusion, but it looks like they think the site may have been hacked - see https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04. It is possible that they are just seeing that obfuscated file and assuming that it's malicious, but scanning other sites that also have it returns no results. However, I can't find anything malicious myself.
TAMAN (Author) Posted May 31, 2016

9 hours ago, Colonel_mortis said:

> Your chatbox script, http://hellshammers.net/applications/bimchatbox/interface/chat/chatbox120.js?v=d54530563a is malicious I think, presumably because the site has been hacked rather than because the distributed version is malicious, but I would recommend checking.
>
> Actually, it looks like that might be just obfuscated, not malicious, but the following tip is still worth doing: Take your site offline, back up all the files for analysis, then delete most of the files except /uploads/ and /conf_global.php, then reupload everything.
>
> The scanners don't seem particularly confident in their conclusion, but it looks like they think the site may have been hacked - see https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04. It is possible that they are just seeing that obfuscated file and assuming that it's malicious, but scanning other sites that also have it returns no results. However, I can't find anything malicious myself.

Mmm, I have already looked at https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04. It shows some of the topic links :/ and I can't check what topic exactly. This might be possible if they contain some malicious links, but I can't go to these topic links to check.

But thanks for the tip, I will try to delete everything, even plugins and apps, then download fresh files.

More info: I do not think I have anything dangerous, but I have recently been using this: http://simplehtmldom.sourceforge.net/ It is from a trusted source anyway, but any ideas?

1 hour ago, duyfr said:

> do you use plugin or application nulled?

No, I do not.
TAMAN (Author) Posted May 31, 2016

Never mind, now I can see the links that they think are malicious URLs here: https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04 but I have checked a couple of the links and they all seem to be normal, and there are no external links used in the topics besides some images. For example, the first link, which is this one: http://hellshammers.net/forums/topic/2181-introducing-myself/?do=getNewComment

No idea why it's suspected as a malicious URL.
Colonel_mortis Posted May 31, 2016

6 minutes ago, TAMAN said:

> Never mind, now I can see the links that they think are malicious URLs here: https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04 but I have checked a couple of the links and they all seem to be normal, and there are no external links used in the topics besides some images. For example, the first link, which is this one: http://hellshammers.net/forums/topic/2181-introducing-myself/?do=getNewComment
>
> No idea why it's suspected as a malicious URL.

I would be cautious about writing off the issue though - my site has previously been flagged by Avast as being malicious, which we were pretty sure was just a false positive, but about a week later the site was flagged as malicious by Google safebrowsing, and it turned out that it had actually been infected.
TAMAN (Author) Posted May 31, 2016

Well, I just got removed from Avira. I'm pretty sure it's just another false positive. Now only 2 antiviruses are left: https://www.virustotal.com/en/url/4cdbced63ae993b07eb786a204ab4bccb7c54333287444bb1bd0e1a6180ce878/analysis/1464737742/ and I have no idea where to report a false positive for that.

It's weird, the topic links show like this here https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04

http://hellshammers.net/forums/topic/2172-preussenbub/?do=getNewComment
http://hellshammers.net/forums/topic/2182-overwatch/?do=getLastComment
http://hellshammers.net/forums/topic/2186-waves-howdy/?do=getNewComment
http://hellshammers.net/forums/topic/2161-new-logo-design/?do=getLastComment
http://hellshammers.net/forums/topic/2182-overwatch/?do=getLastComment

Any ideas?
Colonel_mortis Posted May 31, 2016

1 minute ago, TAMAN said:

> Well, I just got removed from Avira. I'm pretty sure it's just another false positive. Now only 2 antiviruses are left: https://www.virustotal.com/en/url/4cdbced63ae993b07eb786a204ab4bccb7c54333287444bb1bd0e1a6180ce878/analysis/1464737742/ and I have no idea where to report a false positive for that.
>
> It's weird, the links show like this
>
> http://hellshammers.net/forums/topic/2172-preussenbub/?do=getNewComment
> http://hellshammers.net/forums/topic/2182-overwatch/?do=getLastComment
> http://hellshammers.net/forums/topic/2186-waves-howdy/?do=getNewComment
> http://hellshammers.net/forums/topic/2161-new-logo-design/?do=getLastComment
> http://hellshammers.net/forums/topic/2182-overwatch/?do=getLastComment
>
> Any ideas?

That's weird. The only thing I can think of is that perhaps you were hacked, but it only shows up on some pages, though unless you updated IPS between when it was first detected and now, it seems strange that it would have stopped. I would still recommend replacing the files, just in case, or at least running a diff tool (the IPS md5 checker is a good start, and is run if you start the support tool ("something's not working correctly", and it's after clearing caches, but before the upgrade check or disabling adverts)).
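The file comparison recommended in the post above, as an added example that is not part of the thread and is not the IPS md5 checker: it hashes a live install against a freshly downloaded clean copy (SHA-256 here, since any digest works for an equality check), skips the `/uploads/` and `conf_global.php` paths the thread says to keep, and lists script files found under uploads as an extra check. Directory names, file contents and the script-extension list are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths the thread says to keep when re-uploading: site data, not shipped files.
SITE_SPECIFIC = ("uploads", "conf_global.php")
SCRIPT_SUFFIXES = (".php", ".phtml", ".js")  # added check, not from the thread

def digest_tree(root):
    """Map each file path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def is_site_specific(path):
    return any(path == s or path.startswith(s + "/") for s in SITE_SPECIFIC)

def compare_install(clean_dir, live_dir):
    """Compare a live install with a freshly downloaded clean copy."""
    clean, live = digest_tree(clean_dir), digest_tree(live_dir)
    report = {"modified": [], "unexpected": [], "missing": [], "scripts_in_uploads": []}
    for path, digest in live.items():
        if is_site_specific(path):
            # Kept paths cannot be verified against the clean copy, so
            # surface anything executable there for manual review.
            if path.startswith("uploads/") and path.lower().endswith(SCRIPT_SUFFIXES):
                report["scripts_in_uploads"].append(path)
        elif path not in clean:
            report["unexpected"].append(path)
        elif clean[path] != digest:
            report["modified"].append(path)
    report["missing"] = [p for p in clean if p not in live and not is_site_specific(p)]
    return {key: sorted(paths) for key, paths in report.items()}

def demo():
    """Build two small constructed trees and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "clean/init.php": "<?php // core", "live/init.php": "<?php // core",
            "clean/applications/chat/chatbox.js": "var a=1;",
            "live/applications/chat/chatbox.js": "var a=1;var b=2;",
            "clean/system/Theme.php": "<?php // theme",
            "live/applications/chat/extra.php": "<?php // not shipped",
            "live/uploads/avatar.png": "png", "live/uploads/x.php": "<?php",
            "live/conf_global.php": "<?php // settings",
        }
        for rel, text in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return compare_install(Path(tmp, "clean"), Path(tmp, "live"))
```

Run it against the backup taken before deleting anything, so the modified and unexpected files stay available for analysis.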
TAMAN (Author) Posted May 31, 2016

Thanks man, I appreciate your help. I will try to do so.
Archived
This topic is now archived and is closed to further replies.