My Website and Norton Antivirus.

The machines we love to hate

Moderator: Wiz Feinberg

Richard Sinkler
Posts: 17067
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

My Website and Norton Antivirus.

Post by Richard Sinkler »

A forum member PM'd me saying:
Did you know that your website is being blocked by Norton?
"This is a known dangerous website. It is recommended that you do NOT visit this site." is what appears when I attempt access. What up?
I use McAfee and Trend on my 2 computers. I don't get any alerts. My girlfriend runs Norton and has no problems. Any idea as to what might be the problem?

Norton Users: Can you try going to my website, and let me know what you get, whether it is no problem or you get the error above?

http://www.richardsinkler.net/

I would like to try to fix this if it is a problem, although I don't know how.

Thanks for the help.
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup,Regal RD40 Dobro, NV400, NV112 . Playing for 53 years and still counting.
Scott Duckworth
Posts: 3470
Joined: 6 Apr 2013 8:41 am
Location: Etowah, TN Western Foothills of the Smokies

Post by Scott Duckworth »

No problem here Richard. Running Linux Mint 13 and Firefox sans anti-virus.
Amateur Radio Operator NA4IT (Extra)
http://www.qsl.net/na4it

I may, in fact, be nuts. However, I am screwed onto the right bolt... Jesus!
Dale Rottacker
Posts: 3513
Joined: 3 Aug 2010 6:49 pm
Location: Walla Walla Washington, USA

Post by Dale Rottacker »

I had no problem the other day when I went to your site Richard, and didn’t just now either :)
Dale Rottacker, Steelinatune™
*2021 MSA Legend, "Jolly Rancher" D10 10x9
*2021 Rittenberry, "The Concord" D10 9x9
*1977 Blue Sho-Bud Pro 3 Custom 8x6
https://msapedalsteels.com
http://rittenberrysteelguitars.com
https://www.telonics.com/index.php
https://www.p2pamps.com
https://www.quilterlabs.com
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Richard;
Trend Micro Internet Security is also blocking your website. I will try to view the source code in a safe browser and let you know if or what I find. In the meantime, anybody going to your website should do so using NoScript for now.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Okay. I have reviewed the source code, using Wget, and found nothing bad or dangerous in any way. Unless Richard's website was previously infected with an exploit code, the only other reason would be an exploit affecting another web account on his shared server.

I viewed the entire website with scripting both allowed and disallowed and found no threats.

So, unless something changes, you can safely add Richard's website to your anti-virus' exceptions list.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Richard Sinkler
Posts: 17067
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Post by Richard Sinkler »

Thanks Wiz. I'll also contact my web host and let them know too.
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup,Regal RD40 Dobro, NV400, NV112 . Playing for 53 years and still counting.
Dave Potter
Posts: 1564
Joined: 15 Apr 2003 12:01 am
Location: Texas

Post by Dave Potter »

Just as another data point, here's something interesting. I clicked on your website url in your first post, and got something I've never seen before:

Image

The reference to "RT-AC3200" is my router - that's its model number. The router itself intercepted my attempt to open your url and opened a new window with this in it. First time it's ever done that - ever. Consulting the router manual, I see that it includes a feature that uses real-time malware and malicious website monitoring through Trend Micro. I hadn't been aware of that feature until now.

Always somethin', ain't it? :whoa:
Richard Sinkler
Posts: 17067
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Post by Richard Sinkler »

I run the paid version of Malwarebytes in realtime. Nothing shows up. Not sure what to do. Maybe just pull my site down.
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup,Regal RD40 Dobro, NV400, NV112 . Playing for 53 years and still counting.
Scott Duckworth
Posts: 3470
Joined: 6 Apr 2013 8:41 am
Location: Etowah, TN Western Foothills of the Smokies

Post by Scott Duckworth »

Richard, I also tried it in Win XP with Avira Anti-Virus, and it worked fine.
Amateur Radio Operator NA4IT (Extra)
http://www.qsl.net/na4it

I may, in fact, be nuts. However, I am screwed onto the right bolt... Jesus!
Richard Sinkler
Posts: 17067
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Post by Richard Sinkler »

Thanks Scott.

Wiz and Dave, could the files I have on there for guitar map have malware? The guitar map program is a downloadable exe file, that I have never had any problems with in the past, using different AV programs and OS. Malwarebytes doesn't flag it. How about the Mickey Adams videos? They are all MP4 files. Just trying to brainstorm the problem. Maybe I'll delete the Guitarmap page and see if it still happens.

For now, I have removed the links to my website from here (except the one above for testing) until I get this solved. The last thing I want to do is pass on a virus or malware.
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup,Regal RD40 Dobro, NV400, NV112 . Playing for 53 years and still counting.
Dave Potter
Posts: 1564
Joined: 15 Apr 2003 12:01 am
Location: Texas

Post by Dave Potter »

Richard Sinkler wrote: Wiz and Dave, could the files I have on there for guitar map have malware?
Richard, I defer to Wiz, our resident expert.

It is true, however, that false positives do happen occasionally with the commercial anti-malware products - maybe there's a temporary glitch in the Trend Micro system. What does puzzle me is that you're not getting an alert from your Trend Micro software, but both Wiz and I are. That's a stumper to me. I assume your Trend software communicates with the Trend cloud, like mine does. Seems like the result should be the same, but it's not.

I'll be watching this to see how it resolves. Have you contacted your website people to see if they know anything?

EDIT: FWIW, I ran several free online malware scans on your url, and they all came back clean.

http://www.quttera.com/detailed_report/ ... inkler.net
http://scanner.pcrisk.com/detailed_repo ... et#details
https://www.virustotal.com/en/url/c2789 ... 463422424/
Jeff Bollettino
Posts: 64
Joined: 7 Dec 2015 7:33 am
Location: Virginia, USA

Post by Jeff Bollettino »

Just a thought, the issue might be that another website on your server (this is assuming you are using some sort of shared hosting plan) has been identified for malware or something like it, and all sites on that host are getting this notice. If you are on a shared host you might try calling their tech support to see if they know anything about it.
Richard Sinkler
Posts: 17067
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Post by Richard Sinkler »

Thanks. I plan on emailing their tech support today with the info above with the screen shots. It's definitely strange. In the meantime, I have removed any links to my site from the forum as a precaution, until I figure it out. I may just end up pulling my site down altogether.
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup,Regal RD40 Dobro, NV400, NV112 . Playing for 53 years and still counting.
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Richard Sinkler wrote: Thanks. I plan on emailing their tech support today with the info above with the screen shots. It's definitely strange. In the meantime, I have removed any links to my site from the forum as a precaution, until I figure it out. I may just end up pulling my site down altogether.
Why do that? You have a static website, based upon html 5, CSS3 and JavaScript. The only ways that your pages can be infected/compromised are:
  • A keylogger on your computer that watches for you to log into an ftp location or cpanel website;
  • Socially Engineering your login credentials from you through trickery;
  • A rogue employee/partner/Webmaster with your login credentials;
  • The innocent use of a 3rd party script, cms, cart or active app that has a XSS flaw known to hackers;
  • Malvertising exploits on an ad platform targeting visitors running outdated plug-ins (and 0-day exploits);
  • Server compromise you have no control over.
Most of these vulnerabilities are within your control. If you don't have 3rd party ads on your pages, that is removed from the equation. Note that these attacks target your visitors' browsers, not your actual web pages. They are few and far between. Those that exist only run against certain browsers and are short lived before being taken down by the ad network.

Vulnerabilities in 3rd party apps, like WordPress, Joomla, Magento, Zen Cart and the like, are usually discovered/reported to the maintainers who release patched versions very quickly. Most of these active apps that are available through 3rd party scripts are automatically updated as problems are discovered.

The last item, server compromise, is outside your control. It's not your server. If you should ever discover that your web host has allowed your shared hosting account to be compromised via a root attack on their server, move to another host who is better protected against these attacks.

Finally, you can sign up with any of the various safety scanning services to check your pages for malware. Sucuri and Sitelock are two that come to mind. There are free and paid scanning options. Free is usually good enough for static sites like yours. I use Sitelock, which is offered for free by my web host, Bluehost. They also take care of updating vulnerable scripts that are available to their customers through cPanel.

Most common website compromises happen when the webmaster installs a script that is later discovered to be exploitable, but fails to update it as soon as the patched version is released. Smart webmasters use automatic updates and update notifications from script vendors.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
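
An added example, not part of the thread and not any poster's code: one way to review a saved copy of a static page (for instance one fetched with Wget) for the third-party script and hidden-frame vectors in the list above. It reports every script, iframe or embed loaded from a host outside an allowlist and any iframe that is hidden or sized to zero; the names `ActiveContentAudit` and `audit_html`, the sample HTML and the `example.net`/`example.org` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose src/data attribute pulls active content into the page.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "frame"}

class ActiveContentAudit(HTMLParser):
    """Collect findings about active content a static page loads."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # tuples of (line, tag, reason, url)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src") or a.get("data") or ""
        host = (urlparse(url).hostname or "").lower()
        line = self.getpos()[0]
        # Relative URLs have no host and are served from the site itself.
        if host and host not in self.own_hosts:
            self.findings.append((line, tag, "external-host", url))
        if tag in ("iframe", "frame") and self._hidden(a):
            self.findings.append((line, tag, "hidden-frame", url))

    @staticmethod
    def _hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        zero = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return zero or "display:none" in style or "visibility:hidden" in style

def audit_html(html, own_hosts):
    """Return findings for one page; own_hosts is the site's allowlist."""
    parser = ActiveContentAudit(own_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; example.net / example.org are placeholder hosts.
SAMPLE = """<html><head>
<script src="js/jquery.min.js"></script>
<script src="https://www.example.net/gallery.js"></script>
<script src="//cdn.example.org/player.js"></script>
</head><body>
<iframe src="http://stats.example.org/c.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(*audit_html(SAMPLE, {"www.example.net"}), sep="\n")
```

A finding is a prompt to check whether the site owner put that tag there, not proof of compromise; purchased gallery or player scripts that load from their vendor's host will show up as `external-host` until that host is added to the allowlist.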
Richard Sinkler
Posts: 17067
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Post by Richard Sinkler »

Some clarifications. My Trend subscription expired, so the computer wasn't using Trend. I have both McAfee and Webroot SecureAnywhere on my laptop, my main computer, and Webroot came pre-installed and can run on 3 or 5 different computers. So both my computers run both McAfee and Webroot. My girlfriend's computer actually has McAfee. She calls that Norton and doesn't know the difference. They should come confiscate her computer. :lol: I had her bring it over last night.

Wiz...

A keylogger on your computer that watches for you to log into an ftp location or cpanel website;
Don't think so, and don't know how to check.

Socially Engineering your login credentials from you through trickery;
Probably not it.

A rogue employee/partner/Webmaster with your login credentials;
N/A

The innocent use of a 3rd party script, cms, cart or active app that has a XSS flaw known to hackers;

I use some 3rd party code. I bought them from Envato (Code Canyon), and include the code, html, css, javascript, and jQuery files. I use them for my picture galleries, audio players, video players. Been using them for a while though. If I go through all the javascript files, is there anything I should look for?

Malvertising exploits on an ad platform targeting visitors running outdated plug-ins (and 0-day exploits);
No ads

Server compromise you have no control over.

I use eHost as my hosting company.

I used to pay for Sitelock on previous sites, but opted not to continue, thinking a static site like mine would probably not be a target for hackers. But I now have downloadable Mickey Adams videos, and a downloadable exe file for Guitar Map. I don't know if MP4 files can carry malware. I can try taking the Guitar map program off the site and have some of you check again with Norton and Trend. I just want to guarantee a safe site to my visitors.
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup,Regal RD40 Dobro, NV400, NV112 . Playing for 53 years and still counting.
Dave Potter
Posts: 1564
Joined: 15 Apr 2003 12:01 am
Location: Texas

Post by Dave Potter »

Richard Sinkler wrote: Some clarifications. My Trend subscription expired, so the computer wasn't using Trend.... My girlfriend's computer actually has McAfee.
Aha! That explains why you didn't get anything from Trend. I still think it's a false alarm from Trend, since Wiz checked things.
I can try taking the Guitar map program off the site and have some of you check again with Norton and Trend. I just want to guarantee a safe site to my visitors.
You can do some checking yourself, Richard. Google "free url malware scan" and you'll get a bunch of hits - just copy/paste your web site url into the box there. I cited a few I tried in my post above.

Keep in mind that, as Wiz pointed out earlier, it could be some other website (aka, IP address) on the same server. According to Whois, there are 733 of them on the same server you're on.
Last edited by Dave Potter on 17 May 2016 11:35 am, edited 2 times in total.
Richard Sinkler
Posts: 17067
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Post by Richard Sinkler »

BTW: before you took out the links on the forum, I noticed that the link down with your profile didn't match the link you still have in the original post. Why is that?
About 3 months ago I changed web hosting companies and got a new url. I thought I changed them all.
Last edited by Richard Sinkler on 18 May 2016 12:37 pm, edited 1 time in total.
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup,Regal RD40 Dobro, NV400, NV112 . Playing for 53 years and still counting.
Richard Sinkler
Posts: 17067
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Post by Richard Sinkler »

I tried to find the annoyances, but had no luck.

Thanks to Wiz, Dave, and Georg for their expertise and kindness for helping me out, and for the others who checked their computers for me. I feel it's safe to put the links back up.

There is no better place for help than right here on the forum.
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup,Regal RD40 Dobro, NV400, NV112 . Playing for 53 years and still counting.
Steven Stewart
Posts: 223
Joined: 16 Feb 2009 12:51 pm
Location: Kentucky, USA

Mickey

Post by Steven Stewart »

The videos don't seem to work no problems
Richard Sinkler
Posts: 17067
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Re: Mickey

Post by Richard Sinkler »

Steven Stewart wrote: The videos don't seem to work no problems
Can you give me more info? Like, what browser, phone, tablet or computer? What URL is in the address box at the top?

I have been trying to host all videos on my site instead of having links to YouTube, but have run into some obstacles health wise. I had a mild stroke in early 2016, and that has caused some delays. I am back at the programming now and should be finished soon.
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup,Regal RD40 Dobro, NV400, NV112 . Playing for 53 years and still counting.
Steven Stewart
Posts: 223
Joined: 16 Feb 2009 12:51 pm
Location: Kentucky, USA

Google

Post by Steven Stewart »

Zmax. Android
Steven Stewart
Posts: 223
Joined: 16 Feb 2009 12:51 pm
Location: Kentucky, USA

It works all the way now

Post by Steven Stewart »

Thanks
Richard Sinkler
Posts: 17067
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Post by Richard Sinkler »

Thanks Steven.
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup,Regal RD40 Dobro, NV400, NV112 . Playing for 53 years and still counting.