Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: REDACTED on April 04, 2016, 08:56:48 PM
-
Hello there,
I just discovered that my website is being blocked (URL:Mal2) by avast! Free Edition.
My website is : http://www.leblogduhacker.fr (http://www.leblogduhacker.fr).
There is no threat on the website and I guess avast is reading the "hacker" term a little too fast.
I help people to protect their computer and privacy and I encourage you to check by yourself in case of any doubt.
Regards.
-
URL:Mal = IP and/or domain is blacklisted.
vulnerable libraries :
http://retire.insecurity.today/#!/scan/b303e907b38c77bcef48ccdfc68ce959be63fd570f4e2ef3808b030174cc3069
Blacklisted :
http://multirbl.valli.org/lookup/104.28.21.53.html
http://zulu.zscaler.com/submission/show/274bf25731b3acf3ea0a150ea82c317a-1459797248
Perhaps the main problem is caused by you using Cloudflare.
-
Thank you for your quick answer Eddy. I disabled CloudFlare but the alert doesn't stop showing up. I also had a "Script:inf" threat alert, do you think it has something to do with the jQuery lib?
@Jakub, it's not just the logo, I also had the favicon.ico and all the other files detected.
-
It may have to do with the jQuery insecurities, but only someone from avast can tell what exactly was detected and why the site is blocked.
I suggest you solve the jQuery problems; it will make the site safer.
-
I will try to fix the jQuery insecurities, but the problem is that WordPress itself loads the libraries: http://www.leblogduhacker.fr/wp-includes/js/jquery/jquery.js?ver=681a0fbf01ffa8a1c3226acc958ffdd9
-
There is also WordPress insecurity detected.
Check all: WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.
woocommerce-follow-up-emails
woocommerce 2.5.5 latest release (2.5.5)
http://www.woothemes.com/woocommerce/
jetpack 3.9.6 latest release (3.9.6)
http://jetpack.com
wp-polls 2.72 latest release (2.72)
https://lesterchan.net/portfolio/programming/php/
thrive-visual-editor
jquery-image-lazy-loading 0.21
http://github.com/ayn/wp-jquery-lazy-load/
wysija-newsletters 2.7.1 latest release (2.7.1)
http://www.mailpoet.com/
what-would-seth-godin-do 2.0.6 latest release (2.0.6)
http://richardkmiller.com/wordpress-plugin-what-would-seth-godin-do
Also consider this scan: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.leblogduhacker.fr
But the alert from Avast on the browser executable can only be explained by an Avast Team Member,
and we here are not Avast team members, just volunteers with relevant knowledge.
polonus
-
You are definitely volunteers with relevant knowledge, and thank you again for that.
Now jQuery is up to date : http://retire.insecurity.today/#!/scan/db6f8b22d96d358b973bd570d68f01522fa89e62444dbec7bd695bf4b84fcd0b
The domain is not blacklisted (as I can see) and VirusTotal doesn't see any problem with my website : https://virustotal.com/fr/url/bb5768e71d616deeb33cbcda95a97a9eb77f073de22593f430a043a6c7efc544/analysis/
I guess thousands and thousands of websites are using those plugins...
Is avast really blocking my website because of the term "hacker"??
-
As far as I know, avast doesn't look at domain names for hacker (and other strings like that)
-
I guess that the threat "URL:Mal" means that the domain name is problematic, but I contacted the support to report the false positive anyway. I hope they will be as fast and helpful as you.
For now I don't see anything else that could lead to this alert. Nothing changed on the website, and every single URL is detected by avast, which brings me more than 50 'threat blocked' alerts...
-
The number of detections comes from the blacklisted domain and/or IP.
There is URL:Mal and URL:Mal2
According to someone from avast the difference is likely what scanner of avast is detecting it.
Both however (as far as avast told me), mean that the IP and/or Domain is blacklisted.
The problem can very well be the use of CloudFlare.
They don't take security, blocking malicious sites and such, exactly seriously.
-
I removed leblogduhacker.fr from our blacklist ;)
As others said:
URL:Mal or URL:Mal2 detections both mean the URL (either a domain, subdomain, path, IP, or any combination of these) is on our blacklist.
If the domain is blacklisted, the Avast popup shows the URL entered in the browser (so if the user entered "images.leblogduhacker.fr/logov2.jpg" and "leblogduhacker.fr" was blocked, Avast would show "images.leblogduhacker.fr/logov2.jpg").
If the domain is not blacklisted, Avast lets your browser check the DNS for the IP, and then tests the IP. If the IP is blacklisted, Avast would show something like "104.28.20.53" when displaying the popup.
This was the old "Network Shield" - checking if the URLs are blacklisted.
Then we have the old "Web Shield", which actually checks the inside of the page (the source code). When Avast sees a suspicious code, it shows a popup with whatever was suspicious: this includes all JS: and HTML: detections.
A strange crossover is HTML:Iframe-inf, HTML:Script-inf, etc. - this means a blacklisted domain is being loaded into an otherwise clean domain.
The old network shield and old web shield were merged into Web Shield, as we know it from the current versions of Avast, as a means of simplification. Deep down there, though, it still works as previously, merging is mostly a GUI issue.
If you guys have more questions, I will be happy to answer them 8)
-
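The domain-then-IP check HonzaZ describes above, as an added example in Python that is not Avast's code. The blacklist, the DNS table and the sample page are constructed for the demonstration, and the matching rules (a listed domain also covers its subdomains; an IP is tested only when the name itself is not listed; a listed resource loaded into an otherwise clean page gets a Script-inf/Iframe-inf style verdict) are assumptions that fill in what the post states only in outline.

```python
"""Toy model of the blacklist logic described in the post above.

Added example, not Avast's code. The blacklist, the DNS table and the
sample page are constructed; the exact matching rules are assumptions.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed blacklist. A listed domain also covers its subdomains
# (the post's "images.leblogduhacker.fr" blocked via "leblogduhacker.fr").
BLACKLISTED_DOMAINS = {"blocked.example"}
# Listed (domain, path-prefix) pairs: only that part of the site is bad.
BLACKLISTED_PREFIXES = {("partly.example", "/5b80fccee94338feae2b90c3a29ea72b/")}
# Listed IP ranges, tested only after the name itself passes.
BLACKLISTED_NETS = [ip_network("104.28.20.0/24")]

# Constructed resolver table standing in for the browser's DNS lookup.
DNS = {"clean.example": "198.51.100.10", "cdn.example": "104.28.20.53"}


@dataclass
class Verdict:
    name: Optional[str]   # "URL:Mal", "HTML:Script-inf", "HTML:Iframe-inf" or None
    shown: Optional[str]  # what the popup would display


def _is_ip(text: str) -> bool:
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def _host_listed(host: str) -> bool:
    """True if host or any parent domain (down to two labels) is listed."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in BLACKLISTED_DOMAINS
               for i in range(len(labels) - 1))


def check_url(url: str, resolve=DNS.get) -> Verdict:
    """Network-shield style check: the name first, then the resolved IP."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    # 1. Domain, subdomain or domain+path on the list: show the URL as typed.
    if _host_listed(host):
        return Verdict("URL:Mal", url)
    for domain, prefix in BLACKLISTED_PREFIXES:
        if (host == domain or host.endswith("." + domain)) and path.startswith(prefix):
            return Verdict("URL:Mal", url)
    # 2. Name is clean: let DNS resolve it and test the IP; show the bare IP.
    ip = host if _is_ip(host) else resolve(host)
    if ip and any(ip_address(ip) in net for net in BLACKLISTED_NETS):
        return Verdict("URL:Mal", ip)
    return Verdict(None, None)


SRC_RE = re.compile(r'<(script|iframe)\b[^>]*?\bsrc=["\']([^"\']+)["\']', re.I)


def scan_page(page_url: str, html: str, resolve=DNS.get) -> Verdict:
    """Web-shield style check: the page itself, then every script/iframe src."""
    verdict = check_url(page_url, resolve)
    if verdict.name:
        return verdict
    for tag, src in SRC_RE.findall(html):
        hit = check_url(urljoin(page_url, src), resolve)  # resolve relative src
        if hit.name:
            kind = "HTML:Iframe-inf" if tag.lower() == "iframe" else "HTML:Script-inf"
            return Verdict(kind, src)
    return Verdict(None, None)


# Constructed page: clean host, local jQuery, one script served from a listed IP.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js?ver=1"></script>
<script src="http://cdn.example/ads.js"></script>
</head><body>ok</body></html>"""

if __name__ == "__main__":
    for u in ("images.blocked.example/logov2.jpg", "http://cdn.example/x.js",
              "http://partly.example/5b80fccee94338feae2b90c3a29ea72b/q.php",
              "http://clean.example/"):
        print(u, "->", check_url(u))
    print("page ->", scan_page("http://clean.example/", SAMPLE_HTML))
```

The two display rules in the post fall out of the ordering: a name hit echoes the URL the user typed, while an IP hit can only show the address, because by then the shield has already let DNS run. The page scan shows why a site owner can see dozens of alerts from one listing, and why a clean page that pulls a script or iframe from a listed host is reported as the resource rather than the page.
-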
Hello HonzaZ and thank you for your support and the clarifications!
May I know why exactly the domain was blacklisted? And did the alert really come from the insecure jQuery libraries?
Regards.
-
Hard question, as the analyst who blocked it isn't at work today :).
I would say it is possible though!
-
Hello there,
Any news about the blacklisting of my website? I still sometimes get an alert for subdomains like //images.leblogduhacker.fr.
I have no idea if it comes from my version of Avast or not, but I'm not totally sure the problem is fixed :/
-
Did you try turning your shields off then back on again? Sometimes Avast holds the cache a little too long...
-
Indeed, it looks like the alert stopped showing up after disabling/enabling.
Thank you again!
-
I have the same false positive problem with Avast on my site at rplstoday.com -- I can assure you it is clean, as we constantly monitor and scan it for problems. The only reason I found out was because a few users told me that Avast was blocking them. Both Sucuri and VirusTotal show the site as safe, not infected, and not blacklisted.
https://sitecheck.sucuri.net/results/rplstoday.com
Can you please explain WHY this is happening and remove the site from your blacklist?
-
It is not a false positive.
avast says the Domain and/or IP is blacklisted and that is true.
https://www.virustotal.com/en/url/d2df0bcb11b63f160b6bc857e25cad8d6c02104d347bc1a0f2b040045bb4ec7e/analysis/1460658508/
http://www.urlvoid.com/scan/rplstoday.com/
http://multirbl.valli.org/lookup/67.225.159.47.html
Insecure headers :
https://securityheaders.io/?q=rplstoday.com
No support for TLS 1.2, which is the only secure protocol version
https://www.ssllabs.com/ssltest/analyze.html?d=rplstoday.com
http://urlquery.net/report.php?id=1460658913387
http://urlquery.net/report.php?id=1460658915212
-
Wow, thank you for all that great information. We are looking into it! :-)
I do think the notifications from Avast and BitDefender are misleading though. They both claim malware.
-
avast doesn't say there is malware.
avast says that the Domain and/or IP is blacklisted.
https://forum.avast.com/index.php?topic=185110.msg1304746#msg1304746
-
I think there was (has been?) an infection - we spotted a malicious URL: hxxp://rplstoday.com/5b80fccee94338feae2b90c3a29ea72b/q.php
That is a symptom of Blackhole exploit kit.
-
I am having similar issues with the site - http://notariat-tineretului.net
The site is 100% clean, I don't know why you block it.
https://www.virustotal.com/en/url/af0f9af63badaa9041eceab55ee8eaabc8fc2d9ded7437e095f7dfd0072544f6/analysis/1475016707/
The Virustotal scan and any other scanner like Sucuri etc. shows the site is clean.
Please fix this
-
Virustotal does not scan websites.
Problems on that ASN (including blacklistings) :
http://urlquery.net/report.php?id=1475041648872
Suspicious script :
https://www.websicherheit.at/website-malware-viren-scanner/?url=notariat-tineretului.net
-
I do not have any evidence about notariat-tineretului[.]net being infected in the near past, so I am unblocking it now ;)
-
Great, the false positive was triggered by the JavaScript in a file with a .php extension, which *might* seem suspicious, but then it should just scan the file for any malware code. There was only a JavaScript var containing a city name in that file. Anyway, thank you for the quick fix! (Even though it seems I have spotted the issue quite late; this will teach me to do more in-depth testing with different AV applications.)