Jump to content

My forum blocked by some antiviruses

TAMAN

By TAMAN
in Technical Problems

Recommended Posts

TAMAN Grand Master

TAMAN

Posted
Posted

Its been 3 times happening in the past 8 months 

the last 2 times i reported as false positive and i got removed from block list but today i see again my forum link blocked by 4 antivirus here

https://www.virustotal.com/en/url/4cdbced63ae993b07eb786a204ab4bccb7c54333287444bb1bd0e1a6180ce878/analysis/1464627612/

 

and my main website link is clean https://www.virustotal.com/en/url/c99e00334fd248422e02b2699561b5ac7c38131e96b5278a9b969d4e063cec6f/analysis/1464628189/ 

I have no idea why i get blacklisted by antivirus and im not been hacked at all 

the reason must be forum topics or iframe's i use maybe :/ 

does anyone have any idea what is going on here or to see what exactly is on my forum link that antivirus blocks ??? no idea where to check 

 

Link to comment
Share on other sites
TAMAN Grand Master

TAMAN

Posted
  • Author
Posted

I just got a message about my False Positive report and i got removed from one of the antiviruses list which was  Dr.Web

still 3 blacklisted my website tho no idea why i get blacklisted and no idea where to check or prevent from happening :/ 

 

Link to comment
Share on other sites
Colonel_mortis Proficient

Colonel_mortis

Posted
Posted

Your chatbox script, http://hellshammers.net/applications/bimchatbox/interface/chat/chatbox120.js?v=d54530563a is malicious I think, presumably because the site has been hacked rather than because the distributed version is malicious, but I would recommend checking.

Actually, it looks like that might be just obfuscated, not malicious, but the following tip is still worth doing:

Take your site offline, back up all the files for analysis, then delete most of the files except /uploads/ and /conf_global.php, then reupload everything.

 

The scanners don't seem particularly confident in their conclusion, but it looks like they think the site may have been hacked - see https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04. It is possible that they are just seeing that obfuscated file and assuming that it's malicious, but scanning other sites that also have it returns no results. However, I can't find anything malicious myself.

Link to comment
Share on other sites
TAMAN Grand Master

TAMAN

Posted
  • Author
Posted
9 hours ago, Colonel_mortis said:

Your chatbox script, http://hellshammers.net/applications/bimchatbox/interface/chat/chatbox120.js?v=d54530563a is malicious I think, presumably because the site has been hacked rather than because the distributed version is malicious, but I would recommend checking.

Actually, it looks like that might be just obfuscated, not malicious, but the following tip is still worth doing:

Take your site offline, back up all the files for analysis, then delete most of the files except /uploads/ and /conf_global.php, then reupload everything.

 

The scanners don't seem particularly confident in their conclusion, but it looks like they think the site may have been hacked - see https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04. It is possible that they are just seeing that obfuscated file and assuming that it's malicious, but scanning other sites that also have it returns no results. However, I can't find anything malicious myself.

mmm I have already looked at https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04 it shows some of the topic links :/  and i cant check what topic exactly and this might be possible if they contain some malicious links in it, but i cant go to this topic links to check 

But thanks for the tip i will try to deleted everything even plugins and apps then downloading a fresh files

More info:  I do not think i have anything dangerous but recently been using this http://simplehtmldom.sourceforge.net/ it is in a trusted source anyways but any ideas? 

 

 

1 hour ago, duyfr said:

do you use plugin or application nulled ? 

No i do not 

Link to comment
Share on other sites
TAMAN Grand Master

TAMAN

Posted
  • Author
Posted

never mind now i can see the links that they thinks its malicious url here https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04

but i have checked a couple of the links they all seem to be normal and there are no external links used in the topics besides some images 

for example the first link which is this one  

http://hellshammers.net/forums/topic/2181-introducing-myself/?do=getNewComment

no idea why its suspected as malicious url :frantics:

Link to comment
Share on other sites
Colonel_mortis Proficient

Colonel_mortis

Posted
Posted
6 minutes ago, TAMAN said:

never mind now i can see the links that they thinks its malicious url here https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04

but i have checked a couple of the links they all seem to be normal and there are no external links used in the topics besides some images 

for example the first link which is this one  

http://hellshammers.net/forums/topic/2181-introducing-myself/?do=getNewComment

no idea why its suspected as malicious url :frantics:

I would be cautious about writing off the issue though - my site has previously been flagged by Avast as being malicious, which we were pretty sure was just a false positive, but about a week later the site was flagged as malicious by Google safebrowsing, and it turned out that it has actually been infected.

Link to comment
Share on other sites
TAMAN Grand Master

TAMAN

Posted
  • Author
Posted

Well i just got removed from avira im pretty sure its just another false positive now only 2 antiviruses left 

https://www.virustotal.com/en/url/4cdbced63ae993b07eb786a204ab4bccb7c54333287444bb1bd0e1a6180ce878/analysis/1464737742/

and i have no idea where to report as false positive for that 

 

its weird the topic links show like this here https://csi.websense.com/Report/Index/2800494f-ab34-4fc6-b3c3-a61700415f04

http://hellshammers.net/forums/topic/2172-preussenbub/?do=getNewComment

http://hellshammers.net/forums/topic/2182-overwatch/?do=getLastComment

http://hellshammers.net/forums/topic/2186-waves-howdy/?do=getNewComment

http://hellshammers.net/forums/topic/2161-new-logo-design/?do=getLastComment

http://hellshammers.net/forums/topic/2182-overwatch/?do=getLastComment

any ideas? 

Link to comment
Share on other sites
Colonel_mortis Proficient

Colonel_mortis

Posted
Posted
1 minute ago, TAMAN said:

Well i just got removed from avira im pretty sure its just another false positive now only 2 antiviruses left 

https://www.virustotal.com/en/url/4cdbced63ae993b07eb786a204ab4bccb7c54333287444bb1bd0e1a6180ce878/analysis/1464737742/

and i have no idea where to report as false positive for that 

 

its weird the links show like this 

http://hellshammers.net/forums/topic/2172-preussenbub/?do=getNewComment

http://hellshammers.net/forums/topic/2182-overwatch/?do=getLastComment

http://hellshammers.net/forums/topic/2186-waves-howdy/?do=getNewComment

http://hellshammers.net/forums/topic/2161-new-logo-design/?do=getLastComment

http://hellshammers.net/forums/topic/2182-overwatch/?do=getLastComment

any ideas? 

That's weird. The only thing I can think of is that perhaps you were hacked, but it only shows up on some pages, though unless you updated IPS between when it was first detected and now, it seems strange that it would have stopped. I would still recommend replacing the files, just in case, or at least running a diff tool (the IPS md5 checker is a good start, and is run if you start the support tool ("something's not working correctly", and it's after clearing caches, but before the upgrade check or disabling adverts)).

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Invision Community © 2024 IPS, Inc.
×
×
  • Create New...