Avast WEBforum

Other => Viruses and worms => Topic started by: rfontes on April 18, 2018, 06:52:23 PM

Title: Site Blocked - URL:Phishing
Post by: rfontes on April 18, 2018, 06:52:23 PM
Hello, I'm having problems with my website (www.jetfilm.com.br), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.

Excludes all content from the domain (folders / files) and the site is still blocked. Before that I asked Avast support to put the site on the false positive list and the response was as follows: "Detection is correct and will be maintained." That is, it is still being accused as a phishing site.
Title: Re: Site Blocked - URL:Phishing
Post by: LukasJ on April 18, 2018, 08:00:39 PM
Hi,
URL block was disabled.

Lukas
Title: Re: Site Blocked - URL:Phishing
Post by: rfontes on April 18, 2018, 08:11:21 PM
Hello, the URL is still blocked by Avast. Please, could Avast's analysis lab give me more information about my case, if it is a file or form of the site that is causing the problem of "Phishing"?
Title: Re: Site Blocked - URL:Phishing
Post by: rfontes on April 18, 2018, 08:42:15 PM
Hello LukasJ, the URL is unlocked, thank you! Is there still a possibility that the URL will be blocked or the Avast lab made a mistake?
Title: Re: Site Blocked - URL:Phishing
Post by: LukasJ on April 18, 2018, 10:33:54 PM
This URL block was based on phishing feeds eight months ago.
Of course, if there will be malicious content in the site, then the site will be blocked again.
Title: Re: Site Blocked - URL:Phishing
Post by: sissi fanelli on June 04, 2018, 11:58:51 PM
Hi,
I too have the same problem with my site: genesisconsulting.it
despite the RADICAL renewal effort of the website (deletion of all the old server and database folders), it continues to be blocked on all the computers on which the Avast (Internet Security) antivirus has been installed. In fact, the loading of the pages of the site is automatically canceled and the following message appears as a pop-up ("URL-infected connection: Phishing") --> see Attachment

I have done other research on the most important blacklist sites, but this domain is NOT absolutely infected!
How can I unlock the website to delete these incorrect reports?
Title: Re: Site Blocked - URL:Phishing
Post by: bauerj on June 05, 2018, 09:01:49 AM
Hi,
Thank You for reporting. I removed genesisconsulting[.]it from our blacklist. We are sorry for any inconvenience You may have experienced.
Jirka
Title: Re: Site Blocked - URL:Phishing
Post by: educateurs on August 27, 2018, 09:44:10 AM
Hello, I have the same problem with my website:
http://www.st-antoine-ste-sophie.fr
Can you unlock URL?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on August 27, 2018, 09:51:16 AM
-> https://sitecheck.sucuri.net/results/www.st-antoine-ste-sophie.fr/
-> http://labs.sucuri.net/db/malware/spam-seo.spammy_keywords?1.158
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on August 27, 2018, 06:19:53 PM
As Asyn stated spammy looking link there:
A link with funky anchor text? Yes there is. affirmed:

<a style="color: #000000" href="htxp://edmedforsale.com">generic viagra</a>  in line 362 of the website code
-> https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LnN0LXxudF1bbnstc3R7LXNdcGhbey5mfQ%3D%3D~enc

3 vulnerable jQuery libraries flagged: https://retire.insecurity.today/#!/scan/a74fec90c9c30e12fad38114dcb4e5c009d4fc1fbe0e90734f7a0498280c9461

Web rep OK - Reputation Check
PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Compromised Hosts: OK
Dshield Blocklist: OK
Shadowserver C&C: OK
Web Server: Apache
X-Powered-By: None
IP Address: 213.186.33.50
Hosting Provider: OVH SAS
Shared Hosting: 20511 sites found on 213.186.33.50

Multiple PHP vulnerabilities: https://www.cvedetails.com/version/194835/PHP-PHP-5.4.45.html

Word Press CMS - Site is Outdated
(using WordPress version from source: 4.2.21)

Warning on configuration: Directory Indexing Enabled

In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Not observed: https://urlscan.io/domain/www.st-antoine-ste-sophie.fr  (Is there something hosted on this domain?).

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: savcin on August 28, 2018, 10:26:26 AM
URL detection disabled.
Title: Re: Site Blocked - URL:Phishing
Post by: JoJa15 on September 02, 2018, 07:57:41 AM
My site https://warbrokers[.]io is also blocked. I did a URL scan and nothing is wrong with it:
https://sitecheck.sucuri.net/results/warbrokers.io

Can you please unblock it?

How do these things happen also? Does someone need to report the site or does it get caught up in automated detection?
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 02, 2018, 03:08:50 PM
Only hiccup I see there is for
Quote
www.googletagmanager.com/gtm.js?id=GTM-MPHTW35 benign
[nothing detected] (element) -www.googletagmanager.com/gtm.js?id=GTM-MPHTW35
     status: (referer=-www.google-analytics.com/)saved 93124 bytes d535765a4a69fc481830680d0fca6e66da01685f
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
&
Quote
-www.google-analytics.com/static/js/index.min.js (not a vulnerable library)...
     info: [decodingLevel=0] found JavaScript
     error: undefined variable f 

That's all -> https://urlquery.net/report/dbb091bd-f423-4ec5-8254-c032c4dfa70a   (no alerts)
Also consider scan results here: https://sitecheck.sucuri.net/results/www.googletagmanager.com#

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: JoJa15 on September 03, 2018, 01:07:12 AM
Hi Polonus,

Thank you for the response. So based on what you showed the site shouldn't be blocked for URL:Phishing right?

Do you know how sites end up getting caught as false positive for something like this? Is it some accidental auto thing or is someone being malicious against my site and reporting it when it is fine?

Thank you for your help and your response.

Best Regards,
JoJa15
Title: Re: Site Blocked - URL:Phishing
Post by: HonzaZ on September 03, 2018, 07:54:56 AM
Hi,
warbrokers[.]io doesn't seem to be blocked now – if you still have trouble accessing it, please let us know.
Title: Re: Site Blocked - URL:Phishing
Post by: mindeeforman on September 04, 2018, 04:11:56 PM
Hi Avast Team,

My sites are doing the same thing. They're using too much CPU bandwidth at the moment, but it's a known issue and I'm fixing it now. There's no phishing going on with either site:

coloradochoir[.]org
coloradochoir[.]com

Could you please fix/unblock that for me?

Thank you!
Title: Re: Site Blocked - URL:Phishing
Post by: HonzaZ on September 04, 2018, 04:47:46 PM
I am not sure what you mean by "using too much CPU"  :o
Anyway, there is this (and similar) URL: coloradochoir[.]org/si0zx/linkedin%20secure/d3e808897dc94238200097dc79b1c597 which doesn't seem ok...?
Title: Re: Site Blocked - URL:Phishing
Post by: mindeeforman on September 06, 2018, 04:26:20 PM
Thanks, HonzaZ. The site wasn't optimized well - it's better now.

I figured it out, actually... We just added SSL to our website and I hadn't updated all the URLs. We also switched from using .com to using .org as our main site. So I used a WordPress plugin to change all the http://coloradochoir.com URLs to https://coloradochoir.org URLs and now it works fine - no phishing alert popping up. Just an FYI for others...
Title: Re: Site Blocked - URL:Phishing
Post by: Iro.345 on September 06, 2018, 09:10:50 PM
I have a similar problem with my page.
All links work correctly except one category: https://bit.ly/2M4KaQw
Could you let me know what is wrong on this blocked page?

Thanks Iro
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 06, 2018, 11:39:57 PM
Hello Iro.345,

Probably a redirect from that uri
Quote
URLs that redirect found in: -http://www.rzeszowiak.pl/Praca-Zatrudnie-3040011155

1: -http://hospicjum-podkarpackie.pl/images/pomoc_dla_hospicjum.gif -> -http://www.hospicjum-podkarpackie.pl/images/pomoc_dla_hospicjum.gif 

Probably not this SEO link being flagged: -https://kryogenix.org/code/browser/searchhi/

Likely it is a blocking for some porn sites that share that same IP you have.

Wait for an avast team member to reconsider the blocking, as we here are just volunteers with relevant knowledge.
Only avast team members can come and unblock, so wait for their final verdict on the website.

Regards,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: savcin on September 07, 2018, 02:30:23 PM
Will be fixed.
Title: Re: Site Blocked - URL:Phishing
Post by: coinstravelfaq on October 17, 2018, 04:03:41 AM
Hi there!
It seems our website is also being blocked at app.coins.ph for URL:Phishing.

Can I ask for this page to be removed from the list as well?
Title: Re: Site Blocked - URL:Phishing
Post by: bauerj on October 18, 2018, 08:31:57 AM
Hi,
detections on Your domain have been disabled, so Your domain should not be blocked anymore.
Jirka
Title: Re: Site Blocked - URL:Phishing
Post by: Rico Liao on October 19, 2018, 06:15:07 AM
Hi there,

We encounter the same issue. We are going to run a company campaign and we just set up a new web site: https://meow.pre-order.marscatgames.com.tw/
However, it has been detected as "url phishing" and blocks user access. Please help.

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: Milos on October 19, 2018, 10:14:04 AM
Hello,
use https://www.avast.com/false-positive-file-form.php, please.

Milos
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on October 19, 2018, 11:16:38 AM
Seems OK: https://www.virustotal.com/#/domain/meow.pre-order.marscatgames.com.tw
and https://meow.pre-order.marscatgames.com.tw/
Quote
Suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
-www.facebook.com/plugins/like.php?action=like&width=202&href=-https:/www.facebook.com/MEOW.MarsCat/&layout=count&locale=TW&sdk=joey&share=false&faces=false&size=large&width=70&_noscript=1&_noscript=1&_noscript=1 benign & -[script]
-static.xx.fbcdn.net/rsrc.php/v3/yl/r/yeLhlKrAIjX.js
     file: 77346df08951068e505377ec2c9f8b719ed5247f: 988639 bytes
and exceeded runtime for -(script) -meow.pre-order.marscatgames.com.tw/./js/jquery-3.3.1.min.js
No vuln. libraries for
Scanner output:
Scanning -https://meow.pre-order.marscatgames.com.tw/ ...
Script loaded: -https://connect.facebook.net/zh_TW/sdk.js#xfbml=1&version=v3.1
Script loaded: -https://meow.pre-order.marscatgames.com.tw/js/index.js?v=17
Script loaded: -https://meow.pre-order.marscatgames.com.tw/js/jquery-3.3.1.min.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v3iUNC4/ym/l/zh_TW/mzW5OhTjqjp.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v3iUNC4/ym/l/zh_TW/mzW5OhTjqjp.js
Status: success

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: bauerj on October 22, 2018, 09:06:00 AM
Hi,
domain meow.pre-order.marscatgames.com[.]tw was removed from our blacklist on 19th October.
Jirka
Title: Re: Site Blocked - URL:Phishing
Post by: Hrytseliak Bohdan on October 23, 2018, 09:47:12 AM
Hello, dear developers and support team!

We are using LMS moodle as online e-learning in our Borys Grinchenko Kyiv University.
And from yesterday many of our students and teachers who have AVAST antivirus got an error while working or studying at website http://elearning.kubg.edu.ua.
When they login, they get an error URL:Phishing. Can you advise what to do or remove this website http://elearning.kubg.edu.ua from your blacklist?

Thank you!
Title: Re: Site Blocked - URL:Phishing
Post by: caroline.baujard on October 23, 2018, 09:47:25 AM
Since yesterday, our client cannot connect anymore to our web site https://prod3.ubicentrex.net/v173/pages/espaceperso.php.
They got a "URL fishing infection" error.
I suspect that the problem comes from the client access iframe: https://ubicentrex.fr/fr/acces-client/
Can you unblock it?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on October 23, 2018, 10:06:01 AM
How to report to avast lab
https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438


Title: Re: Site Blocked - URL:Phishing
Post by: omayab on October 23, 2018, 10:59:35 AM
Hello,

this URL: https://app.clinic-cloud.com/ is flagged as phishing when it is not; I have also contacted the administrators and they tell me everything is fine. Please fix this error, as it is a false positive.

Thanks.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on October 23, 2018, 11:04:59 AM
Please post English here, else use the forum section for your language.
-> https://forum.avast.com/index.php?board=21.0
Title: Re: Site Blocked - URL:Phishing
Post by: amir39 on October 31, 2018, 11:54:14 AM
Hi,
Our client portal https://www.opusvirtualoffices.com/portal is being incorrectly identified as phishing, can you check this and advise?

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on October 31, 2018, 12:28:58 PM
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on October 31, 2018, 02:00:55 PM
Submitting your site to phishcheck.me I get an affirmative response: "{"sid": 134080, "is_success": true}".

Well, your Word Press version does not seem to be the latest, Version does not appear to be latest 4.9.8 - update now.
See the redirect here: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Ll1wdXN2W310dXxsXWZmW157cy5eXW1gcF19dHxs~enc

2 vulnerable libraries detected: https://retire.insecurity.today/#!/scan/1e6ca5b7c2c1903f3150cf291d9e7ac73761acf0dbd91cf4a7951569fb2edb4e

security hints: https://webhint.io/scanner/b83394ed-e3f2-4931-9c25-99b81c5cdd38

F-grade security status: https://observatory.mozilla.org/analyze/www.opusvirtualoffices.com

See recent detections for your domain: https://www.virustotal.com/#/domain/www.opusvirtualoffices.com
with generic trojans, like Trojan-Downloader.JS.Iframe
and a PHISHING detection on -https://www.youtube.com/paypal

No longer detected or IDS flagged here: https://urlquery.net/report/31ab48af-d6b6-4f30-837b-a11968c5c988

Wait for an avast team member to give the final verdict, as we are just volunteers with relevant knowledge
as only avast team members can come and unblock detections.

polonus (volunteer website security analyst and website error-hunter)

Title: Re: Site Blocked - URL:Phishing
Post by: Scott353 on November 01, 2018, 10:44:26 AM
OK - I excluded chinesewatchwiki.net to stop the erroneous url:phishing block, only to have Avast Online Security pop up a warning that the site could have already harmed my computer.  Bullpucky! There doesn't seem to be a way to dismiss or exclude the pop-up rendering the site unusable.

I have visited this site before with no problems, but now that I have been granted an editors account and login, Avast blocks me from using the website.

How do we get this problem corrected?

(https://i.imgur.com/glgocP5.jpg)
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 01, 2018, 12:02:35 PM
Nothing to do with avast however, site cannot be scanned as it has an issue: https://sitecheck.sucuri.net/results/chinesewatchwiki.net
and serves up a redirect to: -http://chinesewatchwiki.net/Main_Page
and then you get an avast alert like "The site you are about to enter contains malicious content".

Re: traceroute to -chinesewatchwiki.net (-167.88.115.174), 30 hops max, 28 byte packets
Quote
1  hosted-by.2is.nl (62.221.192.2)  0.249 ms  0.233 ms  0.225 ms
 2  ae0-cr01.ams04.astralus.net (185.187.12.64)  5.265 ms ae0-cr02.ams05.astralus.net (185.187.12.66)  0.541 ms  0.543 ms
 3  ae0-cr02.ams05.astralus.net (185.187.12.35)  0.670 ms xe-3-3-0.cr0-ams6.ip4.gtt.net (46.33.81.81)  19.943 ms ae0-cr02.ams05.astralus.net (185.187.12.38)  0.594 ms
 4  ae-8.r25.amstnl02.nl.bb.gin.ntt.net (129.250.3.229)  0.721 ms xe-3-3-0.cr0-ams6.ip4.gtt.net (46.33.81.81)  19.934 ms  19.928 ms
 5  ae-5.r23.asbnva02.us.bb.gin.ntt.net (129.250.6.162)  85.464 ms ae-8.r25.amstnl02.nl.bb.gin.ntt.net (129.250.3.229)  0.699 ms  0.849 ms
 6  * ae-10.r22.snjsca04.us.bb.gin.ntt.net (129.250.6.237)  164.131 ms ae-5.r23.asbnva02.us.bb.gin.ntt.net (129.250.6.162)  93.749 ms
 7  * * *
 8  * * ae-3.r23.sttlwa01.us.bb.gin.ntt.net (129.250.3.125)  177.602 ms
 9  * ae-3.r23.sttlwa01.us.bb.gin.ntt.net (129.250.3.125)  176.261 ms  176.464 ms
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *

Re: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Xmhbbntze3d8dF5od1trWy5ue3Q%3D~enc

Wait for a final verdict by an avast team member as they are the only ones to come and eventually unblock,
we here are just volunteers with relevant knowledge.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on November 01, 2018, 12:07:13 PM
-> https://sitecheck.sucuri.net/results/chinesewatchwiki.net
-> https://zulu.zscaler.com/submission/37cf2e8c-3928-4ca0-a53e-7209a3b82d88
-> https://www.virustotal.com/#/url/fceacd58081b227d773f05684f2e619fbcdac95bdaf266c452649183b0490199/detection

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: Sirmer on November 01, 2018, 05:13:13 PM
Hello,

detection will be turned off in next stream update.
Title: Re: Site Blocked - URL:Phishing
Post by: Hennaboy on November 06, 2018, 04:20:54 PM
Just had this reported by a customer.

www.henna-boy.co.uk

URL:Phishing

Where? On my logo apparently, as it points to www.henna-boy.co.uk and the customer is using henna-boy.co.uk

Is this some kind of joke? I expect more from a company such as Avast.

Have they started employing children with no idea what they are doing?

Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on November 06, 2018, 04:23:34 PM
Sucuri site check  >>  https://sitecheck.sucuri.net/results/www.henna-boy.co.uk

Norton SafeWeb  >>  https://safeweb.norton.com/report/show?url=henna-boy.co.uk


if you think it is wrong, report it  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Title: Re: Site Blocked - URL:Phishing
Post by: Hennaboy on November 06, 2018, 04:31:36 PM
Yes, I had already looked at those sites. However, I should have had to, as it's pretty damn clear that this is a mistake. Do they just use badly written bots to determine what should be listed or not?

Absolute joke.

I have reported it and I doubt I will get any kind of reply or apology. Meanwhile, I am having to contact customers to inform them of incompetence.

How long does it take for it to be evaluated?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on November 06, 2018, 04:47:53 PM
Quote
Do they just use badly written bots to determine what should be listed or not?
If you know how to detect/block this amount of malware/URLs every day with no False Positives then every security vendor in the world would like to know how

No security program has 100% detection or zero false positives

https://www.webarxsecurity.com/website-hacking-statistics-2018-february/

https://www.av-test.org/en/statistics/malware/





Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 06, 2018, 04:55:37 PM
Well this is making some frown at that code, maybe it was responsible for that detection, being a FP or not. ;):
Quote
587:  < /body> < /html> Content after the < /html> tag should be considered suspicious.

589:  < !-- WITHOUT CACHE: 0.10239195823669 -->
590:  < !-- WITH CACHE: 0.00049901008605957 -->
see: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lmh7bm58LWJdeS5eXS51aw%3D%3D~enc

See also 27 security recommendations here: https://webhint.io/scanner/dcc05974-b44e-4994-8c92-7e7780738957#Security

But where the URL=PHISHING is concerned I am at the end of my tether finding that out.
So wait for a final verdict from an avast team member,
as they are the ones to eventually come & unblock,
as we are just volunteers with relative knowledge about general website security.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: bauerj on November 07, 2018, 07:48:25 AM
Hi,
I disabled detection causing your site not being accessible. It should be OK after next streaming update. We are sorry for your inconvenience.
Jirka
Title: Re: Site Blocked - URL:Phishing
Post by: Hennaboy on November 07, 2018, 08:41:27 AM
Thanks. Streaming occurs when? daily or more frequent.
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on November 07, 2018, 08:45:17 AM
Every 5-15 minutes

You may run a manual Update and reboot


Info from 2012.   https://press.avast.com/avast-software-streaming-updates-for-all-with-the-newa-avast-7

Title: Re: Site Blocked - URL:Phishing
Post by: Hennaboy on November 07, 2018, 09:56:49 AM
I don't use avast or norton products so unable to check. Thanks for the information and that cache text has also been removed.

Norton state that it takes up to a week to remove their block, which is where it looks like this whole mess has stemmed from. How it takes a week to update their users I have no idea but I am thankful for the quick response from Avast on this.
Title: Re: Site Blocked - URL:Phishing
Post by: Kame-style on November 08, 2018, 11:44:38 AM
Hello,

My website www.my-footmania.com is often blocked by Avast for no reason. The website is hosted by Shopify, with a secured structure.

https://screenshot.click/07-57-r2fcf-uzqof.jpg

Would you please remove it from your blacklist?

Thank you
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on November 08, 2018, 11:48:43 AM
-> https://sitecheck.sucuri.net/results/www.my-footmania.com
-> https://www.virustotal.com/#/url/c3269c862e4b83818624075654cd4a468dc7fadaaf9ac0be9c9f99c3501610ed/detection

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 08, 2018, 03:22:28 PM
Hi Kame-style,

Detection is most likely because of IP driven malware: https://ransomwaretracker.abuse.ch/ip/23.227.38.64/
and maybe through other domains' abuse, which are sharing that same IP, like you:
https://cymon.io/23.227.38.64
See comment and reports here: https://www.abuseipdb.com/check/23.227.38.64

Consider: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lm15LWZdXXRtfG5bfC5eXW1g~enc

No response as shown here: https://urlquery.net/report/e3fddf63-1124-4ef4-b077-543679fd0d8f
resolving to 0.0.0.0
Netcraft risk grade = 1 red out of 10: https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.my-footmania.com+

84 security related recommendations to be found here: https://webhint.io/scanner/902082f2-7142-409a-9327-710d3eea72ed#Security

Wait for an avast team member to give a final verdict on your website as they are the only ones to come and unblock. We here are just volunteers with relevant knowledge on website security.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Fernando427 on November 14, 2018, 08:25:42 PM
Hello,

My site http://orquidea.trensu.com is being reported as Phishing, but I can't find anything that's wrong with it.
Could you please unblock it?

Thanks!
Title: Re: Site Blocked - URL:Phishing
Post by: mchain on November 14, 2018, 08:55:31 PM
https://www.virustotal.com/#/url/185af2168e2b4e507983e72843d9032fa69fde7b07c7dd4da55873f2ad4fbc97/detection
https://zulu.zscaler.com/submission/7ef8096b-d747-4631-9683-0896bb3b1a5c
https://checkphish.ai/
http://urlquery.net/report/8733159a-cc51-4057-b44b-729ddd34635a
https://quttera.com/detailed_report/orquidea.trensu.com
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 14, 2018, 10:28:23 PM
Location of the PHISHing: -Location: -http://trensu.com/htm/costumer-verifiacation-reviews-logins
See: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=dH17bnN1Ll5dbWBodG1gXl1zdHVte30tdnt9W2ZbfF58dFtdbi19e3Zbe3dzLWxdZ1tucw%3D%3D~enc
On IP you share: https://www.threatcrowd.org/ip.php?ip=198.38.82.159
SOPHOS & Spamhaus and fortinet's flag your site: https://www.virustotal.com/#/url/185af2168e2b4e507983e72843d9032fa69fde7b07c7dd4da55873f2ad4fbc97/detection  Domain is being studied.

Wait for an avast team member to give a final verdict on their detection, as we are just volunteers with relevant knowledge, but cannot come and unblock.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Hennaboy on November 24, 2018, 04:01:20 PM
Back again. Customer has reported that my site is still flagged as url phishing by her avast software.

So was cleared just over 2 weeks ago.

Could another user as I do not use this software check please.

https://www.henna-boy.co.uk



Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 24, 2018, 06:48:29 PM
Hi Hennaboy,

Given green but with open cart recommendations:
https://webscan.foregenix.com/webscan_results.html?scanid=857b64dc_56ba_40d0_85a7_99341cd9f74b

The server sent a Server header, this may leak server technology and version information.
Consider: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lmh7bm58LWJdeS5eXS51aw%3D%3D~enc
C-grade scan results here: https://observatory.mozilla.org/analyze/www.henna-boy.co.uk
E-mails can be fraudulently sent: Lenient SPF filtering
Sender Policy Framework (SPF) record is too lenient as to which domains are allowed to send email on the domain's behalf. This record should definitely not contain (+all) or (?all) mechanisms, as these allow any domain to send email posing as this domain. This record should preferably not use the (~all) mechanism, as this will still allow emails flagged as being from an invalid domain, but will still allow the message to be delivered. Best practice is to use (-all).
EXPECTED:
contains -all
FOUND:
contains ~all
DMARC not enabled
DMARC record is not present. This may allow spammers to send messages with forged addresses from this domain. The DNS record for the domain should be modified to include a DMARC record.
EXPECTED:
v=DMARC1...
FOUND:
[not set]

Open to MiM attacks DNSSec not set.  Also consider: https://dnsspy.io/scan/henna-boy.co.uk

Coming up as green here: https://www.phishcheck.me/146588/details
No issues here: http://www.isithacked.com/check/https%3A%2F%2Fwww.henna-boy.co.uk%2F

Low risk (one red out of 10 Netcraft risk-grade): https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.henna-boy.co.uk%2F

25 security related recommendations here: https://webhint.io/scanner/ab9875d5-fc48-479d-8185-7f6f6f5d4b79#Security

Wait for an avast team member here to give a final verdict and eventually unblock,
as we here are just volunteers with relative knowledge. One of them might be in after the week-end.

regards,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
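
The SPF and DMARC findings quoted in the post above, worked through as an added example that is not part of the original thread or any scanner's own code: it grades the `all` qualifier of an SPF record and the `p=` tag of a DMARC record the same way the quoted report does. The domain `shop.example`, its TXT records and the function names are constructed for illustration, and the dictionary stands in for a real DNS lookup.

```python
# Added example: offline audit of the SPF "all" qualifier and the DMARC policy.
# All DNS data below is constructed; shop.example is a placeholder domain.

SPF_ALL_VERDICT = {
    "+": ("fail", "+all lets any host send mail as this domain"),
    "?": ("fail", "?all is neutral: forged mail is treated as unchecked"),
    "~": ("warn", "~all softfails: forged mail is flagged but still delivered"),
    "-": ("ok", "-all fails every host not listed in the record"),
}


def audit_spf(txt_records):
    """Return (verdict, detail) for the TXT records at the domain apex."""
    spf = [r for r in txt_records if r.split(" ", 1)[0].lower() == "v=spf1"]
    if not spf:
        return ("fail", "no SPF record")
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record is a permanent error.
        return ("fail", "multiple SPF records (receivers return permerror)")
    redirect = None
    for term in spf[0].split()[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        # A mechanism without a qualifier defaults to "+" (pass).
        qualifier, name = (low[0], low[1:]) if low[0] in "+?~-" else ("+", low)
        if name == "all":
            # Terms after "all" are never evaluated; redirect= is ignored too.
            return SPF_ALL_VERDICT[qualifier]
    if redirect:
        return ("warn", "policy delegated to " + redirect + "; audit that record")
    return ("warn", "no 'all' mechanism: unmatched senders get a neutral result")


def audit_dmarc(txt_records):
    """Return (verdict, detail) for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return ("fail", "no DMARC record")
    if len(dmarc) > 1:
        return ("fail", "multiple DMARC records")
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return ("ok", "p=" + policy)
    if policy == "none":
        return ("warn", "p=none only monitors; forged mail is still delivered")
    return ("fail", "DMARC record has no valid p= tag")


def audit_domain(domain, zone):
    """zone maps DNS names to lists of TXT strings (stand-in for a resolver)."""
    return {
        "spf": audit_spf(zone.get(domain, [])),
        "dmarc": audit_dmarc(zone.get("_dmarc." + domain, [])),
    }


# Constructed zone matching the findings in the report: ~all and no DMARC.
AS_REPORTED = {
    "shop.example": [
        "google-site-verification=constructed-token",
        "v=spf1 a mx include:_spf.mailhost.example ~all",
    ],
}

# Constructed zone after applying the report's recommendations.
HARDENED = {
    "shop.example": ["v=spf1 a mx include:_spf.mailhost.example -all"],
    "_dmarc.shop.example": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@shop.example"
    ],
}

if __name__ == "__main__":
    for label, zone in (("as reported", AS_REPORTED), ("hardened", HARDENED)):
        for check, (verdict, detail) in audit_domain("shop.example", zone).items():
            print(f"{label:12} {check:6} {verdict:5} {detail}")
```
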
Title: Re: Site Blocked - URL:Phishing
Post by: Hennaboy on November 25, 2018, 12:07:27 AM
Thanks but none of these point to the url phishing flagged which is a link back to the home page on the very same website. Just makes me think that this software is written by a bunch of 5yr olds.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 25, 2018, 02:38:33 PM
Hi Henna-boy,

I haven't a clue what 5-year-olds may be capable of doing with PHP-based software and jQuery on a website ;). Either they have built it up from the ground or developed it as a drill-down.

Little old me just reported here for security weaknesses, I stumbled upon, and it is up to you to take this info into account or not or inform your hoster and/or web-admin of such facts. I from my side just thank avast webforums for creating a platform for me to do this.
If it helps just towards a slightly more secure website I am happy to do so.

Then again I am no clairvoyant and cannot say why avast should block the site and where they have based this blockage upon. You should hear that from the "zebra's mouth" as only avast team members could tell you and also inform you that they will unblock your site. Wait for one to appear after the week-end.

polonus (volunteer third party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: arpege92 on November 25, 2018, 03:32:45 PM
Hi,

Since a few days, Avast is blocking the access to https://ing.ingdirect.es/pfm/#login/

Could you please see what is happening?

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on November 25, 2018, 03:36:02 PM
-> https://forum.avast.com/index.php?topic=223475.0
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on November 25, 2018, 03:36:43 PM
Hi,

Since a few days, Avast is blocking the access to https://ing.ingdirect.es/pfm/#login/

Could you please see what is happening?

Thanks
See >> https://forum.avast.com/index.php?topic=223475.0


Title: Re: Site Blocked - URL:Phishing
Post by: Hennaboy on November 25, 2018, 04:10:05 PM
Funny, however, I was referring to the writers of the avast software being the bunch of 5yr olds. Blocking a site for url phishing based on a logo hosted at the site linking back to the homepage of the same site is hardly grounds for something suspicious.

I never got a reply from a member of staff the first time I reported this so I won't hold my breath for one this time either.

Hi Henna-boy,

I haven't a clue what 5-year-olds may be capable of doing with PHP-based software and jQuery on a website ;). Either they have built it up from the ground or developed it as a drill-down.

Little old me just reported here for security weaknesses, I stumbled upon, and it is up to you to take this info into account or not or inform your hoster and/or web-admin of such facts. I from my side just thank avast webforums for creating a platform for me to do this.
If it helps just towards a slightly more secure website I am happy to do so.

Then again I am no clairvoyant and cannot say why avast should block the site and where they have based this blockage upon. You should hear that from the "zebra's mouth" as only avast team members could tell you and also inform you that they will unblock your site. Wait for one to appear after the week-end.

polonus (volunteer third party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on November 25, 2018, 04:43:28 PM
I never got a reply from a member of staff the first time I reported this so I won't hold my breath for one this time either.
In fact, you did - see Reply #44.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 25, 2018, 05:11:39 PM
Hi Asyn,

It could also be that the reporting avast user has not updated definitions and that is why OP still gets alerts from visitors of his site.

Fully upgrade, update and patch always and under all circumstances is a general wise word to literally everyone online.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: uedmawml on November 25, 2018, 08:20:49 PM
Hi,
I disabled detection causing your site not being accessible. It should be OK after next streaming update. We are sorry for your inconvenience.
Jirka

Hello, could you check why Avast detects https://biolifechain.io as phishing?
Regards
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 25, 2018, 11:29:31 PM
Site has many security related issues, re:
https://webscan.upguard.com/#/https://biolifechain.io/
71 security related issues to be tackled:
https://webhint.io/scanner/bec80d57-e960-4edd-b516-dac1e4398bdc#Security
Given as OK here: https://sitecheck.sucuri.net/results/https/www.biolifechain.io
and here: http://www.isithacked.com/check/https%3A%2F%2Fwww.biolifechain.io
Loaded resources seem OK from Google Safebrowsing's point of view.

Given as malicious here: https://zulu.zscaler.com/submission/8a1fa44d-f583-4401-b57c-05c5f723ad07
A 100% PHISH!

Wait for an avast team member to give a final verdict on the website, as they are the only ones to come and unblock. We here are just volunteers with relative knowledge.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: savcin on November 26, 2018, 11:04:22 AM
Already fixed
Title: Re: Site Blocked - URL:Phishing
Post by: shaon016 on November 28, 2018, 05:36:39 AM
Hi, my site www.avijatrik.org is blocked by Avast. I've resolved all the problems, including the ones showing in Google Webmaster. My website is completely secure. Please unlock the site.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on November 28, 2018, 07:07:43 AM
-> https://sitecheck.sucuri.net/results/www.avijatrik.org
-> https://zulu.zscaler.com/submission/c8e6d320-c94b-417d-9755-83ebd10c7904
-> https://www.virustotal.com/#/url/068ad5956837baaf89e6c75be9a750493051463c2488ada3fee978946f37810c/detection

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: Hennaboy on November 30, 2018, 10:02:41 AM
Hi Asyn,

It could also be that the reporting avast user has not updated definitions and that is why OP still gets alerts from visitors of his site.

Fully upgrade, update and patch always and under all circumstances is a general wise word to literally everyone online.

polonus

The customer reporting it has updated avast. Website still apparently blocked so they had to disable avast to place an order.

Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on November 30, 2018, 10:15:05 AM
See my post about how to report  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438


Title: Re: Site Blocked - URL:Phishing
Post by: Stanislaff on December 06, 2018, 06:39:27 PM
Hello, I have the same problems with my domains:

wallet.mandarinbank.com and my.mandarin.life

please unlock them.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 09, 2018, 05:23:48 PM
3 vulnerable jQuery libraries detected: https://retire.insecurity.today/#!/scan/bd4693f596b0b415bd52a18b3281d6426e50a389ef323414e46833d1025965b7
Recommendations: https://webhint.io/scanner/c6c7d276-6948-4482-a073-04d49e9faf16
& C- scan grade: https://observatory.mozilla.org/analyze/my.mandarin.life

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Kennef on December 11, 2018, 02:37:00 PM
Hi, I keep getting this message "We've safely aborted connection on thepirate.party because it was infected with URL:Phishing"

I want to BLOCK this message from appearing on my screen. How do I stop it from happening?

Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on December 11, 2018, 02:48:43 PM
Quote
I want to BLOCK this message from appearing on my screen. How do I stop it from happening?
options:
1. Don't go to that site
2. Report it to avast lab as a possible false positive


Title: Re: Site Blocked - URL:Phishing
Post by: Mick40 on December 12, 2018, 12:27:34 AM
Hi, I can't reach my website - www.moloneyarchitects.com.au. Avast is giving the following message. "We've safely aborted connection on www.moloneyarchitects.com.au because it was infected with URL:Phishing"

Can you please look into this for me?  I've tried reporting it as a false positive, but no response.  Thanks!

Title: Re: Site Blocked - URL:Phishing
Post by: francekj1 on December 12, 2018, 04:25:09 AM
Hello,

I am receiving this same message when trying to access my website https://www.woothosting.com/pulse/heartbeat or https://www.woothosting.com. Please help me in getting this resolved.

Thanks in advance!

Jeff
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 12, 2018, 05:53:46 PM
Hi francekj1,

Site is blacklisted for phishing: https://sitecheck.sucuri.net/results/https/www.woothosting.com
See: https://urlscan.io/ip/67.225.188.84 -> https://urlscan.io/domain/www.woothosting.com
102 recommendations: https://webhint.io/scanner/a5e2fc09-624d-4a99-97b4-50c356c10650
Re: https://toolbar.netcraft.com/site_report?url=www.woothosting.com
Consider: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LnddXXRoXXN0W25nLl5dbQ%3D%3D~enc
2 vulnerable libraries detected: https://retire.insecurity.today/#!/scan/3375b64798bd957ceb8440005fd8c91425e56805a6822d6eb569e8da6b1b5d9e
F-grade scan results: https://www.htbridge.com/websec/?id=EbDHyVG2

polonus (volunteer website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 12, 2018, 06:59:55 PM
Hi Mick40,

Your domain shares an IP with bad bots and many PHISHes: https://checkphish.ai/ip/173.203.204.123
See: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lm1dbF1ue3l8fV5oW3R7XnRzLl5dbS58dWA%3D~enc
224 recommendations: https://webhint.io/scanner/5f3c69ab-a1b7-48f7-a425-a59c1197a93a

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: Multi4 on December 15, 2018, 03:40:49 AM
Please remove my site www.bagmatiplastics.com from url:phishing mode. The site is clean but blocked by avast
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on December 15, 2018, 05:11:31 AM
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 15, 2018, 01:22:49 PM
Your site won't resolve: https://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fwww.bagmatiplastics.com%2F
How can you block a yet unregistered domain?   nxdomain cannot be resolved.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: assessoria on December 17, 2018, 04:54:34 PM
My site is clean but Avast blocked it.

www.h2oambiental.com.br

How do I resolve this?
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 17, 2018, 05:27:13 PM
A scan found some potential problems in the code, the links below should pop you down to the line.

line 487:
Quote
< div style="position: absolute; top: Opx; left: -65OOpx;"> Onlain < a target="_blank" rel="dofollow" href="htxp://gbetting.co.uk/"> free bet offers< /a> here.< /div> 
Site blacklisted: https://sitecheck.sucuri.net/results/www.h2oambiental.com.br

Wait for an avast team member to give the final verdict as we here are just volunteers with relevant knowledge,
as avast team members are the one to come and unblock.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: assessoria on December 17, 2018, 07:22:56 PM
Will it take long to unblock?

In which file will I be able to see this suspicious code from line 487?

Thank you.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 17, 2018, 10:46:20 PM
You can find it at line 420 now here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LmgyXXxtYlt7bnR8bC5eXW0uYn1gc1t0e2A%3D~enc
Quote
< /footer>
< div style="position: absolute; top: Opx; left: -65OOpx;"> Onlain < a target="_blank" rel="dofollow" href="htxp://gbetting.co.uk/"> free bet offers< /a> here.< /div>
Note: The display properties for the link(s) look suspicious, looks like they are positioned off screen?
This looks like a hidden code from your template or one of your extensions. This kind of hidden code is often located in one of your .php-files, but you probably won't find the code pasted above. Try looking for base64_decode in /templates/YOURTEMPLATE/index.php, followed by a series of seemingly random characters. That's a common way to hide code in your .php-files. (info credits for "Note etc." go to stackexchange dot com).

Retirable jQuery library detected: https://retire.insecurity.today/#!/scan/16f3401ca61b3e5e4a194d76ef6000e2cb05d2a51c0adad8233d63d6e4caba04

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: assessoria on December 18, 2018, 10:24:27 AM
Good morning. In my template's index I found and deleted the following code:

   <?php $xml='PGRpdiBzdHlsZT0icG9zaXRpb246IGFic29sdXRlOyB0b3A6IDBweDsgbGVmdDogLTY1MDBweDsiPk9ubGFpbiA8YSB0YXJnZXQ9Il9ibGFuayIgcmVsPSJkb2ZvbGxvdyIgaHJlZj0iaHR0cDovL2diZXR0aW5nLmNvLnVrLyI+ZnJlZSBiZXQgb2ZmZXJzPC9hPiBoZXJlLjwvZGl2Pg=='; echo base64_decode($xml);?></div>

Is there anything else I can do so that my site no longer shows up as phishing?

Thank you
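A defender-side check for the pattern found in the two posts above (a base64 string in a template file that decodes to a link positioned off screen), as an added example that is not part of the original thread. The regexes, names and sample payloads with example domains are constructed for illustration, and the offset threshold is an assumption.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from pathlib import Path

# A quoted run of 40+ base64 characters: long enough to hold an HTML snippet.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")

# Inline styles that keep an element out of the visitor's view. The 3-digit
# negative offset threshold is an assumption, tune it for your templates.
HIDING_STYLE = re.compile(
    r"(?:left|right|top|bottom|text-indent|margin-left)\s*:\s*-\d{3,}"
    r"|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}


class HiddenLinkFinder(HTMLParser):
    """Collect href targets of links that sit inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.open_tags = []      # (tag, hidden) for each currently open element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDING_STYLE.search(attrs.get("style") or ""))
        hidden = hidden or any(flag for _, flag in self.open_tags)
        if tag == "a" and hidden and attrs.get("href"):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID_TAGS:
            self.open_tags.append((tag, hidden))

    def handle_endtag(self, tag):
        # Close the nearest matching open element and anything left open in it.
        for i in range(len(self.open_tags) - 1, -1, -1):
            if self.open_tags[i][0] == tag:
                del self.open_tags[i:]
                break


def decode_literals(php_source):
    """Yield the decoded text of every long, valid base64 string literal."""
    for match in B64_LITERAL.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 after all (wrong length or padding)
        yield raw.decode("utf-8", errors="replace")


def scan_php(php_source):
    """Return hidden link targets carried in base64 literals of one PHP file."""
    if "base64_decode" not in php_source:
        return []
    links = []
    for html in decode_literals(php_source):
        finder = HiddenLinkFinder()
        finder.feed(html)
        finder.close()
        links.extend(finder.hidden_links)
    return links


def scan_tree(root):
    """Map each .php file under root to the hidden link targets found in it."""
    results = {}
    for path in Path(root).rglob("*.php"):
        links = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if links:
            results[str(path)] = links
    return results


# Constructed samples: same shape as the snippet in the thread, example domains.
_HIDDEN = (b'<div style="position: absolute; top: 0px; left: -6500px;">Promo '
           b'<a target="_blank" href="http://spam.example/">free offers</a></div>')
_VISIBLE = (b'<div class="footer-note"><a href="https://partner.example/">'
            b'Our partner</a> since 2010.</div>')
_TEMPLATE = "<?php $xml='%s'; echo base64_decode($xml);?>"
SAMPLE_INFECTED = _TEMPLATE % base64.b64encode(_HIDDEN).decode()
SAMPLE_BENIGN = _TEMPLATE % base64.b64encode(_VISIBLE).decode()

if __name__ == "__main__":
    print("infected:", scan_php(SAMPLE_INFECTED))
    print("benign:  ", scan_php(SAMPLE_BENIGN))
```

Run `scan_tree()` on a copy of the site's template and extension directories; a hit names the file to inspect, and a clean result does not rule out other obfuscation methods.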
Title: Re: Site Blocked - URL:Phishing
Post by: marcin1sz on December 18, 2018, 11:19:43 AM
I have a problem with the site. Avast blocks it all the time due to phishing. Can I ask you to check if it is being blocked correctly and can you fix it? Please help.
www.ecosoul.ch
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on December 18, 2018, 11:25:34 AM
-> https://sitecheck.sucuri.net/results/www.ecosoul.ch
-> https://www.virustotal.com/#/url/1c77f444a29e97ba7ff997d1288d80ca8f446bb9cb21c699932fa57ee709f226/detection

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 18, 2018, 06:46:41 PM
Hi marcin1sz, Witam,

If the blocking is IP related you should ask for an exclusion from an Avast team member,
they should give a final verdict as they are the only ones to unblock,
we here are just volunteers with relevant knowledge.

Consider your code here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LnteXXNddWwuXmg%3D~enc

A WordPress security scan came up with some outdated plug-ins: The following plugins were detected by reading the HTML source of the WordPress sites front page.

cookie-notice 1.2.44   latest release (1.2.45) Update required
http://www.dfactory.eu/plugins/cookie-notice/
woocommerce 3.5.1   latest release (3.5.2) Update required
https://woocommerce.com/
contact-form-7 5.0.5   latest release (5.1) Update required
https://contactform7.com/

Misconfiguration: Warning  User Enumeration is possible
The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   None   szczepanowski
2   None   None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

3 vulnerable retirable libraries detected here: https://retire.insecurity.today/#!/scan/4594f8f50a13fb980c91490774b5d3bc9f264e0133fc83f77b76e63bdd1123ba

1060 recommendations of improvement for that site given here:
https://webhint.io/scanner/e288298c-e2da-4021-bacc-4e150eb67306  with hundreds of them security related.

Cloaking detected:
There is a difference of 82 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page.
Quote
<link rel='stylesheet' id='mac_stylesheet-css'  href='hxtps://www.ecosoul.ch/wp-content/themes/bridge/css/mac_stylesheet.css?ver=4.9.9' type='text/css' media='all' />
<link rel='stylesheet' id='webkit-css'  href='htxps://www.ecosoul.ch/wp-content/themes/bridge/css/webkit_stylesheet.css?ver=4.9.9' type='text/css' media='all' />
<script type='text/javascript' src='htxps://www.ecosoul.ch/wp-content/themes/bridge/js/plugins/TweenLite.min.js?ver=4.9.9'></script>
<script type='text/javascript' src='htxps://www.ecosoul.ch/wp-content/themes/bridge/js/plugins/ScrollToPlugin.min.js?ver=4.9.9'></script>
<script type='text/javascript' src='htxps://www.ecosoul.ch/wp-content/themes/bridge/js/plugins/smoothPageScroll.min.js?ver=4.9.9'></script>

Regards,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Fernando427 on December 18, 2018, 10:16:16 PM
Please remove my site http://orquidea.trensu.com from url:phishing mode. The site is clean but blocked by avast
Title: Re: Site Blocked - URL:Phishing
Post by: =Snake= on December 18, 2018, 10:37:57 PM
Hi, I can't reach my website - www.moloneyarchitects.com.au. Avast is giving the following message. "We've safely aborted connection on www.moloneyarchitects.com.au because it was infected with URL:Phishing".
Maybe my screenshot helps a little bit?

Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 18, 2018, 11:10:46 PM
Hi Fernando427,

Critical Zoom vulnerability allows series of malicious actions.
Site came under webapp attack via net/intrusion/via controlled grecaptcha/different versions of captcha displayed, see:
https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=XX1xdVsje3wudH17bnN1Ll5dbWA%3D~enc

Mick40,

Confirmed at https://phishcheck.me submitted we get:
Quote
{"sid": 159075, "is_success": true}

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: =Snake= on December 18, 2018, 11:41:34 PM
Hi pol,

Thanks for your help.

Merry Xmas and a happy new 2019!

=Snake=
Title: Re: Site Blocked - URL:Phishing
Post by: brandonfarrell2743 on December 19, 2018, 06:04:34 AM
Hello,

My site acataactivewear.com is blocked for phishing and I believe it is a false positive.
I have reported the issue, but am looking for insight.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on December 19, 2018, 06:17:52 AM
-> https://sitecheck.sucuri.net/results/acataactivewear.com
-> https://www.virustotal.com/#/url/050cbc77c5dec3c1c7e140373210ccac22da5457899f08d2d4dc388c881950e8/detection
Title: Re: Site Blocked - URL:Phishing
Post by: mchain on December 19, 2018, 06:24:43 AM
https://quttera.com/detailed_report/acataactivewear.com
http://urlquery.net/report/432de36c-b6d5-4359-a088-d9f9a09d5bb2
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 19, 2018, 12:09:51 PM
Hi brandonfarrell2743,

Susceptible to man-in-the-middle attacks
SSL not available
Vulnerabilities can be uncovered more easily
X-Powered-By header exposed
Vulnerable to cross-site attacks
HttpOnly cookies not used
Emails can be fraudulently sent
SPF not enabled

207 recommendations: https://webhint.io/scanner/cb185613-eaea-4da6-90ed-5e840fecea56

You return a 301 error.
Shopify spamvertiser earlier detected?...redirecting -
Quote
Server IP(s):
0.0.0.0 -> https://www.abuseipdb.com/check/23.227.38.32  also involved in ransomware abuse.
Confidence of Abuse is 36%: -> https://cymon.io/23.227.38.32
=========================
HTTP headers:

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 19 Dec 2018 10:58:16 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Sorting-Hat-PodId: 99
X-Sorting-Hat-PodId-Cached: 0
X-Sorting-Hat-ShopId: 10704453732
X-Sorting-Hat-PrivacyLevel: default
X-Sorting-Hat-FeatureSet: default
X-Sorting-Hat-Section: pod
X-Sorting-Hat-ShopId-Cached: 0
X-Frame-Options: DENY
X-ShopId: 10704453732
X-ShardId: 99
Content-Language: en
Location:- https://acataactivewear.com/
X-Request-Id: a3b7f046-591a-410e-8ce7-a41dd10bb672
X-Shopify-Stage: production
Content-Security-Policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a3b7f046-591a-410e-8ce7-a41dd10bb672
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a3b7f046-591a-410e-8ce7-a41dd10bb672
X-Dc: ash,gcp-us-east1
X-Content-Type-Options: nosniff

=========================
Server IP(s):
0.0.0.0

=========================
HTTP headers:

GET / HTTP/1.0
Host: -acataactivewear.com:443
User-Agent: Mozilla/7.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.2) Gecko/20010726 Netscape/7.0
Referer: -http://acataactivewear.com
Accept-Encoding: gzip
Given as benign here: https://zulu.zscaler.com/submission/6ce47014-588d-4631-a589-007197a00e70

Wait for an avast team member to give a final verdict, we are just volunteers here with relative knowledge,
but only avast team members can come and unblock.

polonus (volunteer website security analyst and website error-hunter)

Title: Re: Site Blocked - URL:Phishing
Post by: rubistyle on December 21, 2018, 04:27:52 PM
Hi there, my website www.rubistyle.com has been blocked for phishing but is scanning clean by sucuri so I believe this to be falsely flagged. Can this be unblocked asap please as it is seriously affecting my business. Much appreciated, thank you!
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on December 21, 2018, 04:47:54 PM
Hi there, my website www.rubistyle.com has been blocked for phishing but is scanning clean by sucuri so I believe this to be falsely flagged. Can this be unblocked asap please as it is seriously affecting my business. Much appreciated, thank you!
Have you reported it to avast lab?

Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php


Something you may fix  >>  https://retire.insecurity.today/#!/scan/0e71eb1533b0dea67791e2117c34849715a2c2166ec520e73071f5350826f631


Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 21, 2018, 05:35:05 PM
There is more, some 388 recommendations to improve the website: https://webhint.io/scanner/7d891db1-49ef-4da0-97ba-495a34e186d6  and also including 57 security hints: https://webhint.io/scanner/7d891db1-49ef-4da0-97ba-495a34e186d6#Security

Outdated plug-ins: WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.

wp-super-cache 1.4.9   latest release (1.6.4) Update required
https://wordpress.org/plugins/wp-super-cache/
flo-shortcodes   
contact-form-7-datepicker 2.6.0   latest release (2.6.0)
https://github.com/relu/contact-form-7-datepicker/
recent-facebook-posts 2.0.3   latest release (2.0.13) Update required
https://dannyvankooten.com/donate/
sb-popular-posts-tabbed-widget   latest release (1.1)
http://scottbolinger.com/
contact-form-7 5.0.4   latest release (5.1.1) Update required
https://contactform7.com/
flo-instagram 1.4.6   latest release (1.4.6)
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

Warning  User Enumeration is possible
The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   Amy French   amy-french
2   tandrewlynd   tandrewlynd
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

See: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Ln11YltzdHlsey5eXW0%3D~enc

IP is part of a PHISH: https://checkphish.ai/ip/77.104.133.125

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: LukasJ on December 21, 2018, 06:54:55 PM
Hey guys,
sites acataactivewear and rubistyle.com were unblocked.

Regards
Lukas
Title: Re: Site Blocked - URL:Phishing
Post by: Alex840 on January 03, 2019, 11:55:33 AM
Hello! Avast blocks the connection to the telegra.ph site, as it is infected with the URL ^ Phishing. How to solve this problem? What can be wrong?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on January 03, 2019, 12:03:56 PM
-> https://sitecheck.sucuri.net/results/telegra.ph
Title: Re: Site Blocked - URL:Phishing
Post by: arni.gx on January 03, 2019, 02:58:42 PM
since yesterday, i have got this .....

(https://i.imgur.com/ZqFwMau.jpg)

...... are those false alarms, or what ?? :(

and how to fix those malware?
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on January 03, 2019, 04:01:36 PM
Hi arni.gx

This is "brandal" injection code, read background info-> https://gist.github.com/donnykurnia/2356dad4119ce85d18d18708914c60e3

ESET now also flags at VT: https://www.virustotal.com/pl/url/1a03f8b8845c617cc09bddb61be8e7ba6c58576aa9435a1cd4ce079ded8d27cb/analysis/

Blacklisted site: https://sitecheck.sucuri.net/results/p01.notifa.info

See the obfuscated code and what it injects here: http://ddecode.com/hexdecoder/?results=8d7ce702e150b7b84926e9b0a929022c
going to and considering: https://urlscan.io/result/283f261b-8f3c-481c-9618-efc9c1d9b207/content/
IP also seen as PHISHING thrice: https://checkphish.ai/ip/118.97.116.2

Seen: 3 times in last 30 days

ASN: AS17974

ISP: TELKOMNET-AS2-AP PT Telekomunikasi Indonesia

Happy New Year 2019,

polonus  (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: arni.gx on January 03, 2019, 05:38:38 PM
Hi arni.gx

This is "brandal" injection code, read background info-> https://gist.github.com/donnykurnia/2356dad4119ce85d18d18708914c60e3

ESET now also flags at VT: https://www.virustotal.com/pl/url/1a03f8b8845c617cc09bddb61be8e7ba6c58576aa9435a1cd4ce079ded8d27cb/analysis/

Blacklisted site: https://sitecheck.sucuri.net/results/p01.notifa.info

See the obfuscated code and what it injects here: http://ddecode.com/hexdecoder/?results=8d7ce702e150b7b84926e9b0a929022c
going to and considering: https://urlscan.io/result/283f261b-8f3c-481c-9618-efc9c1d9b207/content/
IP also seen as PHISHING thrice: https://checkphish.ai/ip/118.97.116.2

Seen: 3 times in last 30 days

ASN: AS17974

ISP: TELKOMNET-AS2-AP PT Telekomunikasi Indonesia

Happy New Year 2019,

polonus  (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

so, how to block those IP addresses in avast firewall or avast antivirus free ??

because every time I open firefox or chrome, those phishing alarms are still there....
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on January 04, 2019, 10:26:40 AM
Start a new topic and post your logs there: https://forum.avast.com/index.php?action=post;board=4
Instructions (basic diagnostic logs): https://forum.avast.com/index.php?topic=194892.0
Title: Re: Site Blocked - URL:Phishing
Post by: dzenan2 on January 15, 2019, 09:05:13 AM
Hello,

My site empanda.info is blocked for phishing and I believe it is a false positive.
Do I report issue here or there is another place to do it?
Other malware check tools report no malware:
http://urlquery.net/report/48cf3e86-8984-45d6-bf65-c47c4980446b
https://sitecheck.sucuri.net/results/https/empanda.info
Title: Re: Site Blocked - URL:Phishing
Post by: Milos on January 15, 2019, 09:11:51 AM
Hello,
the best way to report it is https://www.avast.com/false-positive-file-form.php

Milos
Title: Re: Site Blocked - URL:Phishing
Post by: dzenan2 on January 15, 2019, 09:32:52 AM
Thank you Milos. I reported the issue. Any idea how fast I could expect reaction? I have clients depending on the resources from the web application at this location. This situation is most unfortunate.
Best
Title: Re: Site Blocked - URL:Phishing
Post by: Milos on January 15, 2019, 10:22:35 AM
IIRC less in 24 hours.

Milos
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on January 15, 2019, 04:20:58 PM
Hello dzenan2,

Re: https://urlquery.net/report/9eaae1b3-3c05-4895-8795-46570da46c2c
No retirable code detected. That is OK.

That the website is still accessible over http is the main threat here.
Interference from -http://jingaster.host/index.php?a=stats&u=christalhargrove
& -http://jacknichlson.mihanblog.com/post/5/
as
Quote
<meta http-equiv="REFRESH" content="0;url=httxs://www.empanda.info/Members/Default.aspx" />
This all via http - on https 0 sinks and 0 sources for DOM-XSS vulnerabilities.

F-grade results here: https://observatory.mozilla.org/analyze/www.empanda.info
A mere 6 hints here: https://webhint.io/scanner/3d2d065a-5769-45dd-9b1a-7b66fa86b28a#Security
12 security issues: https://webscan.upguard.com/#/https://www.empanda.info

Regards,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: JewelsR on January 26, 2019, 03:36:12 AM
I am having the same issue on fortwayneppd.org.  I can't get in to work on the website or even see it.  We had a phishing issue, but scorch-earthed the site and put in some heavy software to keep out spammers.  Is there a way to get my website off the blacklist?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on January 26, 2019, 05:17:44 AM
-> https://sitecheck.sucuri.net/results/fortwayneppd.org
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on January 26, 2019, 01:44:24 PM
Hi  JewelsR,

Start with updating your PHP version (Outdated and therefore vulnerable), then try to get rid of McAfee's blacklisting.
Start to use best policies: 82 hints -> https://webhint.io/scanner/5a1ff50f-c40a-4f40-8d12-c3192dde6ecb
of which 30 security related: https://webhint.io/scanner/5a1ff50f-c40a-4f40-8d12-c3192dde6ecb#Security

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: spgopinath18 on January 29, 2019, 04:59:26 PM
Hello, I'm having problems with my website (http://www.learninfinity.info/), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on January 29, 2019, 05:05:36 PM
Hello, I'm having problems with my website (http://www.learninfinity.info/), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.
What attachment popup ?

This is what TrendMicro say > Sites whose addresses have been found in spam messages


Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php



Title: Re: Site Blocked - URL:Phishing
Post by: =Snake= on January 29, 2019, 06:04:54 PM
Hello, I'm having problems with my website (http://www.learninfinity.info/), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.
What attachment popup ?
Maybe my screenshots can help.
 ;)
Title: Re: Site Blocked - URL:Phishing
Post by: AstucesWordpress on January 30, 2019, 03:41:32 PM
I also have a problem with Avast and my website : https://www.astuceswordpress.fr  :'(

URL:phishing with my favicon (https://www.astuceswordpress.fr/favicon.ico) detected by Avast
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on January 30, 2019, 03:56:27 PM
Quote from: AstucesWordpress
I also have a problem with Avast and my website : https://www.astuceswordpress.fr  :'(

URL:Phishing with my favicon (https://www.astuceswordpress.fr/favicon.ico) detected by Avast

Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php


Title: Re: Site Blocked - URL:Phishing
Post by: AstucesWordpress on January 30, 2019, 04:56:23 PM
Quote from: Pondus
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

Of course, I already reported the false positive ;)
Title: Re: Site Blocked - URL:Phishing
Post by: spgopinath18 on January 30, 2019, 05:50:31 PM
Quote from: =Snake=
Quote from: spgopinath18
Hello, I'm having problems with my website (http://www.learninfinity.info/), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.
Quote from: Pondus
What attachment popup ?
Maybe my screenshots can help.
 ;)


when i will get update for my query
 
it will reduce my user visit for my blog

thanks,
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on January 30, 2019, 06:17:32 PM
Quote
when i will get update for my query
Did you report it to avast lab?



Site seems to be offline? I cannot access it and I don't use Avast

see screenshot at top right corner here (click to enlarge)  https://urlquery.net/report/bc40ca74-392a-441f-b2ff-c73c788b7220


Title: Re: Site Blocked - URL:Phishing
Post by: spgopinath18 on January 30, 2019, 06:20:39 PM
Quote from: Pondus
Quote
when i will get update for my query
Did you report it to avast lab?

No. How do I report to Avast lab?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on January 30, 2019, 06:28:22 PM
Posted several times in this topic, including in reply to your first post. See Reply #117


Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php


Title: Re: Site Blocked - URL:Phishing
Post by: spgopinath18 on January 30, 2019, 06:36:01 PM
Quote from: Pondus
Posted several times in this topic including in reply to your first post. see reply Reply #117

Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

I raised a request to Avast lab

Thank you :) :)
Title: Re: Site Blocked - URL:Phishing
Post by: Autocrowd on January 31, 2019, 11:55:38 AM
Hi,

My site has been blocked by Avast. It has been checked and cleaned. How do I get it unblocked by Avast? http://levismotorcyclecompany.com

Thanks Dave
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on January 31, 2019, 02:18:21 PM
-> https://sitecheck.sucuri.net/results/levismotorcyclecompany.com
Title: Re: Site Blocked - URL:Phishing
Post by: delphine_tlse on February 05, 2019, 11:13:40 AM
Hello,
I have a problem accessing my website admin (URL:Phishing)
www.delphinegardin.com (http://www.delphinegardin.com)
https://sitecheck.sucuri.net/results/www.delphinegardin.com/wp-admin

Thank you
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on February 06, 2019, 06:01:53 AM
-> https://sitecheck.sucuri.net/results/www.delphinegardin.com
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on February 06, 2019, 01:39:42 PM

Security improvements that could be made to this website:
https://webhint.io/scanner/c73cf45f-fc7e-404b-b7ff-e8a56012a465
&
https://webscan.upguard.com/#/www.delphinegardin.com

Main blocking is for the IP, because it is mentioned in a ransomware tracking report:
https://www.abuseipdb.com/check/87.98.154.146
Recent reports: https://www.abuseipdb.com/check/87.98.154.146

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: Daniel1489 on February 08, 2019, 08:21:58 AM
Hello !

I have problem with my site : https://www.cerames.pl - URL:Phishing

I checked the page through such tools:
- www.virustotal.com --> Clean
- https://sitecheck.sucuri.net/results/https/www.cerames.pl ---> Domain blacklisted by Norton Safe Web: www.cerames.pl

As it turned out, there were some remnants of the virus. I created an account on the Norton website and asked to check. The page has been removed from the blacklist catalog --> https://safeweb.norton.com/report/show?url=cerames.pl

I am asking for help, what else can I do to prevent the site being blocked by Avast.

Thank you and best regards !
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on February 08, 2019, 08:24:51 AM
Quote
I am asking for help, what else can I do to prevent the site being blocked by Avast.
Report it to avast lab


Title: Re: Site Blocked - URL:Phishing
Post by: polonus on February 09, 2019, 05:23:02 PM
Hello Daniel1489,

Website is outdated (PHP) -> https://sitecheck.sucuri.net/results/https/www.cerames.pl
F-grade scan results: https://sitecheck.sucuri.net/results/https/www.cerames.pl
Security checks: https://webscan.upguard.com/#/https://www.cerames.pl

Regards,

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: Fernando Lopes on March 04, 2019, 10:45:23 AM
hello i have the same problem with my Website:
https://www.nghd.pt/
Can you unlock URL?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 04, 2019, 10:49:59 AM
-> https://sitecheck.sucuri.net/results/https/www.nghd.pt
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 04, 2019, 01:04:15 PM
Hi Fernando Lopes,

This was why it was actually blacklisted originally:
Threat Report
Viruses - Threats found: 3
Here is a complete list: (for more information about a specific threat, click on the Threat Name below)

Threat Name: Trojan.Gen.NPE
Location: -https://nghd.pt/editor*/create/

Threat Name: Trojan.Gen.NPE
Location: -https://nghd.pt/editor*/create/index_files/adv_m10006_de.htm

Threat Name: Direct Link To Trojan.Gen.NPE
Location: -https://nghd.pt/editor*/create/

Phishing Attacks - Threats found: 1
Here is a complete list: (for more information about a specific threat, click on the Threat Name below)

Location: -http://nghd.pt/public_    according to Norton Safe Web report info...

191 implementations for improvement: https://webhint.io/scanner/69fe8de4-be9a-406a-8a51-9ac81b716620

Scumware had it 3 months ago. Now urlvoid does not flag any longer.
Wait for an avast team member to give the final verdict, as they are the only ones to come and unblock.
We here are just volunteers with relevant knowledge. Your site still seems infested with malcode.

4 still flag  Trojan.Gen.NPE  here: https://www.virustotal.com/#/url/4075d7ea8a427ee721bf10a90a092aeca828b3f7a85d4b6345dad9c53e3e7876/detection

Seen recent (yesterday's) detections: https://www.virustotal.com/#/domain/nghd.pt
Only fortinet's here to flag: https://urlquery.net/report/b32667c7-31e9-4892-ab5e-744ddc8b2556

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: romano.riondino on March 04, 2019, 01:36:30 PM
Hi, I'm having problems with my website www.rndwss.com.
It seems to recognize a phishing situation. Can you check it, please?
I can connect to it without any problem using the dedicated personal url provided by 1&1.

Regards,
Romano.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 04, 2019, 02:32:08 PM
Block more than likely because of the same IP you share with a flagged domain:
https://www.virustotal.com/#/ip-address/74.208.236.102

Ask an avast team member for an exclusion of your domain,
as we here are volunteers with relevant knowledge but cannot come and unblock or exclude.

16 recommendations here: https://webhint.io/scanner/a66c2f7b-ffa3-46e7-88f0-8ee4399b6691
Vulnerabilities: Security Checks for -http://www.rndwss.com
(2) Susceptible to man-in-the-middle attacks
(2) Vulnerabilities can be uncovered more easily
Emails can be fraudulently sent
(3) Unnecessary open ports

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Ser518 on March 05, 2019, 10:16:36 AM
Hello, the site https://bankrot.fedresurs.ru/ is blocked by the antivirus program, please remove it from the database of infected sites.
I can not download the document at https://bankrot.fedresurs.ru/Download/file.fo?id=1950738&type=MessageDocument
from the message https://bankrot.fedresurs.ru/MessageWindow.aspx?ID=2355C7E8F2E418F8C624CE12E4FA884C
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 05, 2019, 10:27:42 AM
-> https://sitecheck.sucuri.net/results/https/bankrot.fedresurs.ru
-> https://www.virustotal.com/#/url/cd1ee6bc52e012999760b59546fe3531858dcffaa62962c9f42fe4d762e977e7/detection

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: Youssef27 on March 05, 2019, 11:54:49 AM
Hello i have the same problem with my Website:
https://www.selektimmo.com/

(https://www.selektimmo.com/selektimmo.jpg)

Can you unlock URL?

Genially
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 05, 2019, 12:06:26 PM
-> https://sitecheck.sucuri.net/results/https/www.selektimmo.com
Title: Re: Site Blocked - URL:Phishing
Post by: savcin on March 05, 2019, 12:13:44 PM
Fixed
Title: Re: Site Blocked - URL:Phishing
Post by: Youssef27 on March 05, 2019, 12:31:53 PM
thank you
Title: Re: Site Blocked - URL:Phishing
Post by: Ser518 on March 05, 2019, 12:53:33 PM
Quote from: savcin
Fixed

Please tell me the reason the site ended up on the blacklist.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 05, 2019, 06:27:15 PM
Hi

Here you can make an ascertained guess: https://www.virustotal.com/#/domain/bankrot.fedresurs.ru
Probably the Express.exe folders
Attack analysis: https://www.reverse.it/sample/483be61bcee0b7fef9773ec27cc28fcafa89ecfc8752f4b61762fbdf6101bf33?environmentId=100

Whether this is an old or a persistent question can only be answered by avast team members, as we are just volunteers with relevant knowledge, but cannot come and unblock or explain the avast detection policy/decisions. That is completely and utterly their cup of tea.

Security Checks for -https://bankrot.fedresurs.ru
(2) Susceptible to man-in-the-middle attacks SSL is not available.
(2) Vulnerabilities can be uncovered more easily
The X-Powered-By header reveals information about specific technology used on the server. This information can be used to exploit vunerabilities. The server configuration should be changed to remove this header.
Vulnerable to cross-side attacks
HttpOnly cookies not used
Emails can be fraudulently sent
SPF not enabled

Further website recommendations: https://webhint.io/scanner/84be7d8e-9dc0-4240-baf6-f1d881307ea5
Cannot be scanned properly:
Scan Failed
-http://bankrot.fedresurs.ru/
Unable to properly scan your site. Connection closed (your webhosting is probably blocking us)

Site Issue Detected
-http://bankrot.fedresurs.ru/404javascript.js
Unable to scan the page. Connection closed (your webhosting is probably blocking us)

Site Issue Detected
-http://bankrot.fedresurs.ru/404testpage4525d2fdc
Unable to scan the page. Connection closed (your webhosting is probably blocking us)
Why see: https://toolbar.netcraft.com/site_report?url=https://bankrot.fedresurs.ru

This still there? Re: https://www.virustotal.com/#/file/fecef91acc63413f4656be7c43b38298872fce85aa7530f1564d4cf0153496b3/detection

polonus (volunteer website security analyst and website error-hunter)
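Added example (not part of polonus's post and not any scanner's own code): a site owner can re-check the four findings listed above (no SSL, X-Powered-By exposed, cookies without HttpOnly, SPF not enabled) against a captured response head and the domain's TXT records. The response heads, TXT records and function names below are constructed for illustration.

```python
"""Re-check the scanner findings quoted above on captured data.
All sample inputs are constructed; nothing here contacts a real site."""


def parse_head(raw):
    """Split a raw response head into (status_code, [(lowercased name, value)])."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():          # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookies_missing_httponly(headers):
    """Names of cookies whose Set-Cookie line lacks the HttpOnly attribute."""
    missing = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(parts[0].split("=", 1)[0])
    return missing


def spf_state(txt_records):
    """Classify the domain's TXT answers: missing, multiple, pass-all or ok."""
    spf = [t for t in txt_records if t.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "missing"
    if len(spf) > 1:                  # more than one SPF record is an error for receivers
        return "multiple"
    terms = spf[0].lower().split()[1:]
    if "+all" in terms or "all" in terms:
        return "pass-all"             # authorises every sender, so it protects nothing
    return "ok"


def audit(scheme, raw_head, txt_records):
    """Return the list of findings for one captured response and TXT answer set."""
    status, headers = parse_head(raw_head)
    first = {}
    for name, value in headers:
        first.setdefault(name, value)
    findings = []
    to_https = (300 <= status < 400
                and first.get("location", "").lower().startswith("https://"))
    if scheme == "http" and not to_https:
        findings.append("no-tls")
    if "x-powered-by" in first:
        findings.append("x-powered-by: " + first["x-powered-by"])
    for cookie in cookies_missing_httponly(headers):
        findings.append("cookie-without-httponly: " + cookie)
    state = spf_state(txt_records)
    if state != "ok":
        findings.append("spf-" + state)
    return findings


# Constructed sample: the weak configuration.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Powered-By: PHP/5.6.0\r\n"
    "Set-Cookie: PHPSESSID=constructed123; path=/\r\n"
    "Set-Cookie: lang=en; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_TXT = ["site-verification=constructed"]

# Constructed sample: the same site after hardening.
HARDENED_HEAD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.org/\r\n"
    "Set-Cookie: sid=constructed; Secure; HttpOnly\r\n\r\n"
)
HARDENED_TXT = ["v=spf1 mx -all"]

if __name__ == "__main__":
    for finding in audit("http", SAMPLE_HEAD, SAMPLE_TXT):
        print("weak    :", finding)
    print("hardened:", audit("http", HARDENED_HEAD, HARDENED_TXT))
```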
Title: Re: Site Blocked - URL:Phishing
Post by: tomahawk6759 on March 06, 2019, 06:01:37 PM
Getting same error intermittently for www.currenrv.com

can this site be removed from list as well please
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on March 06, 2019, 06:50:29 PM
Quote from: tomahawk6759
Getting same error intermittently for www.currenrv.com

can this site be removed from list as well please

Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

Things to fix
Sucuri  https://sitecheck.sucuri.net/results/www.currenrv.com

https://retire.insecurity.today/#!/scan/12f67b7b947116aa6b6f82380247abfe25c78c913a122f2e534a12c1bef32761

1 suspicious inline script found. https://www.UnmaskParasites.com/security-report/?page=www.currenrv.com


Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 06, 2019, 07:18:02 PM
Site now responds with a 301: https://urlquery.net/report/4f6ed2e1-59e4-4bc8-9587-4f0e1ca2e385
also consider: https://toolbar.netcraft.com/site_report?url=www.currenrv.com+

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: bd1234 on March 07, 2019, 08:17:43 AM
Hello. When i try to download files from site: bankrot.fedresurs.ru - it is blocked with "URL:Blacklist". Can you fix it ?
(for example: http://bankrot.fedresurs.ru/Download/file.fo?id=1604182&type=MessageDocument)

or how can i add this site to my avast exclusions ?
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 07, 2019, 01:30:13 PM
Dr. Web flags the site as a known infection source.
VirusTotal has following detections https://www.virustotal.com/#/domain/bankrot.fedresurs.ru
The most recent detection flags a Win32 EXE Express detection.
But wait for a reaction from an avast team member, to really know why they block it in the first place.
Scan won't finalize for me: https://urlquery.net/queue/04c4a750-ff33-4231-9977-f84f22954bb2
Also consider: https://otx.alienvault.com/indicator/domain/bankrot.fedresurs.ru
Detection: https://www.virustotal.com/en/file/eaa8f35c214908ae74a903a916b325b4d42b9703a1b4a49aad376a164f27f9bc/analysis/

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on March 07, 2019, 10:31:19 PM
Quote from: Fernando Lopes
hello i have the same problem with my Website:
https://www.nghd.pt/
Can you unlock URL?

I submitted the URL and now the detection was removed today 07.03.19 at 10:33

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on March 07, 2019, 10:33:48 PM
Quote from: romano.riondino
Hi, I'm having problems with my website www.rndwss.com.
It seems recognize a phishing situation. Can you check it, please.
I can connect to it without any problem using the dedicated personal url provided by 1&1.
Regards,
Romano.

Detection was removed today 07.03.19 at 10:54

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on March 08, 2019, 02:25:06 PM
Quote from: bd1234
Hello. When i try to download files from site: bankrot.fedresurs.ru - it is blocked with "URL:Blacklist". Can you fix it ?
(for example: http://bankrot.fedresurs.ru/Download/file.fo?id=1604182&type=MessageDocument)

or how can i add this site to my avast exclusions ?

Detection was removed today 08.03.2019 at 07:20

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Andrew570 on March 08, 2019, 11:32:30 PM
Hi, Avast thinks my website, www.flyfriendservice.com is phishing.

Can you tell me what I can do to either correct the problem, or have it removed from the blacklist?

Thanks!
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 09, 2019, 05:12:00 AM
-> https://sitecheck.sucuri.net/results/www.flyfriendservice.com
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 09, 2019, 02:15:13 PM
Could also be through some of the domains you share on that same IP.
https://www.ip-adress.com/ip-address/ipv4/162.241.253.90
See Bluehost hosting vulnerabilities here: https://www.shodan.io/host/162.241.253.90

Here you will find 361 recommendations for improvement for your website:
https://webhint.io/scanner/c4e48809-06ba-403b-8904-81f4fc7271c8
of which various recommendations touch security improvement:
https://webhint.io/scanner/c4e48809-06ba-403b-8904-81f4fc7271c8#Security

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 09, 2019, 03:16:04 PM
Re: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3c2LnB9XWp7XnRieXB8c3MuXl1tYDx6~enc

Why this site has been blocked. And why Google let me fill out a captcha to prove I am human, trying to go there,
e.g. to htxp://ww6.projectbypass.com/?z   trying to use to evade Google's geo-targeting, read: http://search.lores.eu/geotargeting.html

Anyone, why Google chrome browser blocks it or is it an ad-blocker of sorts?

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 09, 2019, 05:19:59 PM
Interesting, it may probably be this http://opay.in.siteindexed.com/
Opay.in on the search engines

Google Yahoo Bing

Example: http://foresttrailacademy.com.siteindexed.com/

Given as OK: https://www.virustotal.com/#/url/38c32e119aeee672c8cc37fc5fd68948f68f12cb60023731eed81f02436f0428/detection

Running - see: https://www.shodan.io/host/199.59.242.151
PORT   STATE SERVICE VERSION
80/tcp open  http    OpenResty web app server
|_http-server-header: openresty
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-trane-info: Problem with XML parsing of /evox/about

So we seem to have localised it as a website indexing service  ;D

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: bauerj on March 11, 2019, 07:45:13 AM
Hi,
I removed both flyfriendservice[.]com and currenrv[.]com from our blacklist. Domains should not be blocked anymore.
Jirka
Title: Re: Site Blocked - URL:Phishing
Post by: tammi6 on March 11, 2019, 02:51:47 PM
Hi :-)

We're also having an issue with our site https://travel-information.org/

It was previously hacked in 2018, but the site was recovered over 5 months ago. We've added an SSL certificate to the site to make it more secure, but it's still showing up as a phishing risk on avast.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 11, 2019, 02:57:18 PM
-> https://sitecheck.sucuri.net/results/https/travel-information.org
-> https://www.virustotal.com/#/url/76a11484dbf9d6505c52bb827822e18dfa5aca17235e3cd0e6b1dbbdf3915366/detection
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 11, 2019, 04:43:43 PM
Classified as a PHISH: http://trafficlight.bitdefender.com/info?url=http://travel-information.org
Look what it found here: https://fortiguard.com/search?q=http%3A%2F%2Ftravel-information.org&engine=1 (normal)
Just 181 recommendations towards website improvement:
https://webhint.io/scanner/215d7f5c-1591-425a-af09-3604320dc7c9

Wait for an avast team member to give the final verdict on your website
as we here are just volunteers with relevant knowledge
and only avast team members can come and unblock your website.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: bauerj on March 12, 2019, 09:10:30 AM
Hi,
I removed travel-information[.]org from our blacklist. It was infected with a phishing site in the past.
Jirka
Title: Re: Site Blocked - URL:Phishing
Post by: info2188 on March 12, 2019, 10:22:05 AM
My site is blocked, but this is not a phishing site. Please help me remove it from the blacklist.

My site is: https://charmxinh.com/

Thank you!
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 12, 2019, 10:32:10 AM
-> https://sitecheck.sucuri.net/results/https/charmxinh.com
-> https://www.virustotal.com/#/url/6d61cb131a6a7df4d20929cc766e8c97baddb1b619a49fee0ba55f841a7e0f92/detection

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 12, 2019, 01:00:45 PM
Strange redirect loop detected: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Xmh8fW14W25oLl5dbWA%3D~enc
Some room for improvement with 553 recommendations:
https://webhint.io/scanner/17810bb7-e57d-4e96-b8da-fc2753d0d9ea
When IP related, it was being reported as a PHISH 34 times over the last 30 days:
https://checkphish.ai/ip/123.30.249.16
Re: hxtps://urlquery.net/queue/0189999c-34f8-41e6-b264-1483d5efba64
seems this link will download tmp files that are INFESTED
Re: https://www.virustotal.com/#/url/fc312bb946b53489a717c351d292e86b1b7bc0637ced5967b52661175f09e59c/detection

Wait for an avast team member to give a final verdict as they are the ones to unblock,
we here are just volunteers with relevant knowledge.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: bauerj on March 13, 2019, 09:32:06 AM
Hi,
domain charmxinh[.]com was removed from our phishing list yesterday. It should not be blocked anymore.
Jirka
Title: Re: Site Blocked - URL:Phishing
Post by: roy117 on March 18, 2019, 04:29:09 AM
Hey there - I work for the company that runs surveys.gobranded.com.

Our users have been complaining their access has been blocked due to this site for phishing attempts. Could you please clarify what the issue is here, or remove the block?

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 18, 2019, 05:18:07 AM
-> https://sitecheck.sucuri.net/results/surveys.gobranded.com
-> https://www.virustotal.com/#/url/1ccb21ec26216f06b9472704cda149256b2e9dea1355cefe7c9130e673e156e7/detection
Title: Re: Site Blocked - URL:Phishing
Post by: roy117 on March 18, 2019, 08:39:29 AM
Thanks for the response. I swore I checked both of those sites prior to posting - the first link didn't seem to indicate much (we use CentOS, so while the versions look older, they backport fixes).

I'll follow-up with Clean MX directly. If I clear that issue, this will resolve itself for users of Avast?


Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 18, 2019, 08:51:06 AM
Quote from: roy117
I'll follow-up with Clean MX directly. If I clear that issue, this will resolve itself for users of Avast?

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: roy117 on March 18, 2019, 10:20:01 AM
Thank you for your help. I've reported the FP.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 18, 2019, 10:30:31 AM
You're welcome.
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on March 18, 2019, 10:41:05 AM
Quote from: roy117
Thanks for the response. I swore I checked both of those sites prior to posting - the first link didn't seem to indicate much (we use CentOS, so while the versions look older, they backport fixes).

I'll follow-up with Clean MX directly. If I clear that issue, this will resolve itself for users of Avast?

Thanks

When looking at VT scan results, always check the scan date at the top of the result.
If it is old (a cached result from a previous scan), click the blue button at top right and refresh the scan result.


Title: Re: Site Blocked - URL:Phishing
Post by: manticoregroup on March 29, 2019, 06:13:07 AM
I am going through the same problem. Our Web site is not blocked, but our subscriptions page, which simply takes our members to PayPal, is: https://www.veritasradio.com/subscribe.php

There is absolutely nothing but the PayPal code within this page and we would really appreciate your attention to remove this link from the list as it is affecting our memberships. This is a subscriber based podcast with over 10 years of experience.

Thank you,
Tyler
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 29, 2019, 06:24:11 AM
-> https://sitecheck.sucuri.net/results/https/www.veritasradio.com/subscribe.php
-> https://www.virustotal.com/gui/url/de01fdcbd624f57c1903ef8e6c99632ce81a9f0c01f8beefe950b0da19164266/detection
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 29, 2019, 02:18:41 PM
Flagged for PHISHing - IP on hp blocklist, Paypal Phishing: https://forum.avast.com/index.php?action=post;topic=218384.165;last_msg=1499808

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on March 29, 2019, 02:22:49 PM
also blocked by TrendMicro and F-Secure


Title: Re: Site Blocked - URL:Phishing
Post by: mchain on March 29, 2019, 05:00:54 PM
Not just Avast:
Title: Re: Site Blocked - URL:Phishing
Post by: CacitOrg on March 31, 2019, 01:46:45 PM
Hello

My website www.cacit[.]org is flagged as URL:Phishing

Could you please double check and at least provide us the reason of the blacklisting?

Thank you
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 31, 2019, 02:11:08 PM
Vulnerable CMS, i.e. outdated vulnerable PHP. 
Website blacklisted: https://sitecheck.sucuri.net/results/www.cacit.org
Site is listed in PHISHING DB's, however not given at PHISH-Tank.
See: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Ll58Xlt0Ll19Zw%3D%3D~enc

Most likely the hupso share.toolbar script is being flagged...  olark & namescheap abuse.
Once adblocked for me.
Consider: https://urlscan.io/result/7ed75995-4beb-4a6e-bdda-9e28353f3803

To be sure, wait for an avast team member to give a final verdict,
as they are the only ones to come and unblock.
We are just volunteers with relevant knowledge.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: HonzaZ on April 01, 2019, 10:45:01 AM
Paypal login screen at this location, is this intentional?: cacit[.]org/bye/?country.x=us&locale.x=en_us%3e&client=23b2b53e55c5d5c701804613c0731247
Title: Re: Site Blocked - URL:Phishing
Post by: wks.ahmed on April 02, 2019, 08:35:28 AM
My site www.latestlifestyles[.]com is also blocked by Avast Antivirus. Whenever I try to access it from any computer that has Avast installed, it does not allow access and an Avast phishing error message pops up. I have scanned my hosted files 3 times. Kindly resolve this issue and unblock my site from the blacklist. Thanks.
Title: Re: Site Blocked - URL:Phishing
Post by: HonzaZ on April 02, 2019, 08:55:14 AM
Hi,
Phishing here: latestlifestyles[.]com/folders/login.yahoo.com/zlcdbc0bg8o0ipg6m2s7tutm.php?rand=13inboxlightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13inboxlight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&
What have you done to clean phishing and what have you done to prevent it from happening again?
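Added example (not part of HonzaZ's posts and not Avast's detection logic): the two URLs quoted above share traits a site owner can search for in their own access log, namely a directory named after someone else's login hostname and payment-login style query keys on a page that should not have them. The log lines, the host `shop.example.org`, the TLD list and the function names are constructed assumptions.

```python
"""Find phishing-kit style paths in a site's own access log.
Sample log lines are constructed; 203.0.113.x / 198.51.100.x are documentation IPs."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: a short TLD list is enough to spot a hostname used as a directory name.
COMMON_TLDS = {"com", "net", "org", "info", "io", "co"}
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+([a-z]{2,})$")
# Request target and status from a Common/Combined Log Format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Query keys that appear together in the PayPal-style URL quoted in the thread.
KIT_QUERY_KEYS = {"country.x", "locale.x"}


def kit_prefix(path, own_host):
    """Path prefix ending at the first directory shaped like a foreign hostname."""
    segments = unquote(path).lower().split("/")[1:]
    dirs = segments[:-1]              # last item is the file name ("" if path ends in /)
    for i, seg in enumerate(dirs):
        match = HOSTNAME_RE.match(seg)
        if not match or match.group(1) not in COMMON_TLDS:
            continue
        if seg == own_host or own_host.endswith("." + seg):
            continue                  # the site's own name, e.g. a mirror directory
        return "/" + "/".join(dirs[: i + 1]) + "/"
    return None


def find_kits(log_lines, own_host):
    """Map each suspicious directory to the sorted reasons it was flagged."""
    findings = {}
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, status = match.group(1), int(match.group(2))
        if status >= 400:
            continue                  # probe for content the server did not serve
        parts = urlsplit(target)
        reasons = set()
        prefix = kit_prefix(parts.path, own_host)
        if prefix:
            reasons.add("foreign-hostname-directory")
        keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        if KIT_QUERY_KEYS <= keys:
            reasons.add("payment-login-style-query")
        if reasons:
            findings.setdefault(prefix or parts.path, set()).update(reasons)
    return {path: sorted(why) for path, why in findings.items()}


# Constructed access log for a site whose own host is shop.example.org.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2019:08:50:01 +0000] "GET /folders/login.yahoo.com/a1b2c3.php?rand=13&fid=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Apr/2019:08:50:09 +0000] "POST /folders/login.yahoo.com/post.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [02/Apr/2019:08:51:30 +0000] "GET /bye/?country.x=us&locale.x=en_us&client=0000 HTTP/1.1" 200 8890',
    '198.51.100.4 - - [02/Apr/2019:08:52:00 +0000] "GET /wp-includes/js/wp-embed.min.js?ver=5.1 HTTP/1.1" 200 1400',
    '198.51.100.4 - - [02/Apr/2019:08:52:02 +0000] "GET /old/signin.example.com/index.php HTTP/1.1" 404 310',
    '198.51.100.6 - - [02/Apr/2019:08:53:10 +0000] "GET /mirror/shop.example.org/index.html HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for path, why in find_kits(SAMPLE_LOG, "shop.example.org").items():
        print(path, why)
```

Each reported directory is a place to inspect on disk and to compare against a clean copy of the site before asking for the block to be lifted.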
Title: Re: Site Blocked - URL:Phishing
Post by: wks.ahmed on April 02, 2019, 01:51:49 PM
Hello HonzaZ!

Kindly guide me how to clean my site from phishing and what things I can do to prevent my sites from phishing attacks again. Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 02, 2019, 02:57:20 PM
Start with the hints here: https://webhint.io/scanner/8d83f03c-beb4-423a-b49a-e00b381a7c20
See direct threats: https://app.upguard.com/webscan#/latestlifestyles.com
F-grade status here: https://observatory.mozilla.org/analyze/latestlifestyles.com
Word Press CMS - Version does not appear to be latest
-> https://sitecheck.sucuri.net/results/www.latestlifestyles.com

XSS-DOM issues: Results from scanning URL: -http://www.latestlifestyles.com/wp-includes/js/wp-embed.min.js?ver=5.1
Number of sources found: 41 ; number of sinks found: 39
&
Results from scanning URL: -http://latestlifestyles.com
Number of sources found: 5 ; number of sinks found: 269

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: lisbar on April 02, 2019, 07:03:41 PM
Hi, my site www.bitrue.com is blocked by Avast. Could you unblock it or maybe tell me why it is blocked?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on April 02, 2019, 07:12:46 PM
Quote from: lisbar
Hi, my site www.bitrue.com is blocked by Avast. Could you unblock it or maybe tell me why it is blocked?

Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php



Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 02, 2019, 11:15:08 PM
It is probably a link to mfesecure - consider the info here: https://pastebin.com/6PDKw6Vw
Links like: -//s3-us-west-2.amazonaws.com/mfesecure-public/host/"+a+"/client.json
like on : -https://cdn.ywxi.net/js/1.js  while this is on the main page
Quote
</script>

<script src='htxps://cdn.ywxi.net/js/1.js' async></script>
</body>
Also connected to: -https://d3ss0gp3e5d7m3.cloudfront.net/assets/route~e38c9536012f_route.2561e.js
& -https://d3ss0gp3e5d7m3.cloudfront.net/assets/route~e38c9536012f_route.2561e.js
& -https://d3ss0gp3e5d7m3.cloudfront.net/assets/route~men_route~women_route.68c02.js

For on Android, considering classes.dex read: https://www.b4x.com/android/forum/threads/classes-dex-and-virus-scan.18172/
while sometimes this delivers: Andr.Trojan.Locker, sometimes seems compiling code that is a FP.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: CacitOrg on April 02, 2019, 11:58:07 PM
Quote from: HonzaZ
Paypal login screen at this location, is this intentional?: cacit[.]org/bye/?country.x=us&locale.x=en_us%3e&client=23b2b53e55c5d5c701804613c0731247

Hello,

No, it wasn't, because there are some continuous brute force attacks on the website.

(maybe you can help): injected code is altering WordPress PHP files, allowing the attacker to execute their code.

I'll be working to prevent those and get back to you.

Thank you


Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on April 03, 2019, 12:01:46 AM
Quote
(may be you can help) : an injected code is altering wordpress php files, allowing attacker to execute  their code
Sucuri can help  >>  https://sucuri.net/

Title: Re: Site Blocked - URL:Phishing
Post by: CacitOrg on April 03, 2019, 12:31:50 AM
Quote
(may be you can help) : an injected code is altering wordpress php files, allowing attacker to execute  their code
Sucuri can help  >>  https://sucuri.net/

Even after upgrading my Wordpress version and PHP version,

site is always flagged as outdated by https://sitecheck.sucuri.net/results/www.cacit.org

What am I doing wrong?
Title: Re: Site Blocked - URL:Phishing
Post by: Michael (alan1998) on April 03, 2019, 02:27:52 AM
You have PHP 7.3, not 7.3.3

You can download the latest PHP Patch here (https://www.php.net/downloads.php).
Title: Re: Site Blocked - URL:Phishing
Post by: Jonathan408 on April 05, 2019, 04:17:01 AM
Hello, my web site is marked as URL:Phishing on Avast.
I tried scanning my web site at https://sitecheck.sucuri.net/results/geoingenieria.org.pe but can't find any error.
If all is OK, could it be removed from the blacklist?
geoingenieria.org.pe
Thanks.
Title: Re: Site Blocked - URL:Phishing
Post by: mchain on April 05, 2019, 04:31:20 AM
Check https://quttera.com/detailed_report/geoingenieria.org.pe
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 05, 2019, 01:37:27 PM
VT flagged website earlier, but now gives domain the all green: https://www.virustotal.com/nl/url/301ee82b7a1aee4bbec0865f49af856953fbc9a45782ae780f463e36c7061d85/analysis/1554463820/

Has been blacklisted , probably because of being a PHISH, reported 312 times during last 30 days:
https://checkphish.ai/ip/69.167.175.216

With so many apples in that same IP basket, some baddies can be expected: https://www.threatcrowd.org/ip.php?ip=69.167.175.216

Ask for an exclusion from an avast team member, as we are just volunteers with relevant knowledge,
but only avast team members can come and unblock.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: italiangm on April 06, 2019, 12:18:17 AM
Hello. Opening Yahoo emails via webmail interface starting at 3:52p CST today gets threat pop-up (see image for one example).

Default settings for my Yahoo webmail account: Don't display images; Email preview window is off. The threat pop-up occurs only when "Show images" is selected.

Please advise if this is a false positive. Thanks.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on April 06, 2019, 12:24:57 AM
Hello italiangm.

Thanks for the screenshot. I do not have Yahoo email, this image should help.

I reported this problem to Virus Lab.


I am going through the same problem. Our Web site not blocked but our subscriptions page which simply takes our members to PayPal is: hxxps://www[.]veritasradio[.]com/subscribe.php

There is absolutely nothing but the PayPal code within this page and we would really appreciate your attention to remove this link from the list as it is affecting our memberships. This is a subscriber based podcast with over 10 years of experience.

Thank you,
Tyler

Hi manticoregroup.

Detection was disabled yesterday 10.04.2019 at 06:13 min

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: rhbrand on April 06, 2019, 01:57:42 AM
OMG!  I just started getting these pop ups myself.  I can't see any pictures from Yahoo mail now.
Title: Re: Site Blocked - URL:Phishing
Post by: Sirmer on April 06, 2019, 05:12:43 AM
Hello, this will be fixed in the next stream update, in less than 10 minutes.
Title: Re: Site Blocked - URL:Phishing
Post by: italiangm on April 06, 2019, 01:26:34 PM
Fix confirmed. No further threat popups when 'show images' is activated. Thanks to the team.  :)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on April 10, 2019, 01:49:14 AM
Hello, My web site is marked as URL:Phishing on Avast.
I tried scanning my web https://sitecheck.sucuri.net/results/geoingenieria.org.pe but can't find any error.
If all is OK, could it be removed from the blacklist?
geoingenieria.org.pe
Thanks.

Hello Jonathan408.

Site Blacklisted by Google Safe Browsing

https://transparencyreport.google.com/safe-browsing/search?url=http:%2F%2Fgeoingenieria.org.pe%2F&hl=en

Phishing is "hxxps: //geoingenieria.org.pe/support" found in Phishtank. (https://www.phishtank.com/phish_detail.php?phish_id=5829522)

Phishing detected:
hxxp://geoingenieria.org.pe/support/165493a1358f6ba42407fa50f74df08c/konto
hxxp://geoingenieria.org.pe/support/503897d45372b34a8b1e64994abad8b8/cuenta/info/update.php
hxxp://geoingenieria.org.pe/support/165493a1358f6ba42407fa50f74df08c/konto/info/update.php
hxxp://geoingenieria.org.pe/support/1e608cd072e715b5e69941e1f8921bfc/account/
Title: Re: Site Blocked - URL:Phishing
Post by: cwala on April 11, 2019, 03:17:56 PM
Hi. I believe a site is being blocked in error.

"We've safely aborted connection on accounts.jobmi.com because it was infected with URL:Phishing" Apr 11th 2:09pm

edit: reported to false positive form.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 11, 2019, 05:45:33 PM
Jobmi Account error detected: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=fF5eXXVudHMual1ibVsuXl1tYGxdZ1tuPHNbZ25bbj0wIzE1Yl5mezF7XjY2NHwzZnxeXmIjMjgwMCMyI15mIw%3D%3D~enc
Consider: Results from scanning URL: -https://accounts.jobmi.com/Scripts/app-is3.js
Number of sources found: 31 ; number of sinks found: 10

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: wavef0rm on April 11, 2019, 06:24:39 PM
Good morning,

Our production business site for our customers is being listed as phishing by Avast!  https://spa.cryoinnovations.com

I need you to whitelist this site immediately.  Thank you.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 11, 2019, 06:42:14 PM
Outdated server software, update a.s.a.p.: https://sitecheck.sucuri.net/results/spa.cryoinnovations.com

Wait for an avast team member to come and unblock, we are just volunteers with relevant knowledge.
VT gives your site the all green: https://www.virustotal.com/en/url/7e9cad268152670edc10ff8cd2f78a55f00b80047ba4d04255f258002b2d14de/analysis/1555000797/

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: Yohanes Adhi Nugraha on April 12, 2019, 08:42:21 AM
Hi Avast,

Kindly check my website: https://dashboard.lakon.id, it's blocked as phishing.  Kindly unblock it, or let me know if any code that triggering the threat. Fyi we're using Cloudflare DNS and Crypto service to this site, and maybe threat triggered because of error 500 and/or 403 when we're testing it, I don't know.

This site supposed limited access to our member.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on April 12, 2019, 08:44:39 AM
-> https://sitecheck.sucuri.net/results/https/dashboard.lakon.id
Title: Re: Site Blocked - URL:Phishing
Post by: Amit37 on April 12, 2019, 01:16:59 PM
Hi,

I am having the same issue. I removed the malicious code but Avast still gives the URL phishing issue. Could you please unblock the URL below?
https://secure-research-payment.com/writer/user/login.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on April 12, 2019, 01:20:21 PM
-> https://sitecheck.sucuri.net/results/https/secure-research-payment.com/writer/user/login
Title: Re: Site Blocked - URL:Phishing
Post by: nels5 on April 13, 2019, 02:31:38 PM
Same issue, please unblock
https://mail.pnmresources.com/owa

So I can get to my corporate email

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on April 13, 2019, 04:15:27 PM
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 13, 2019, 06:02:19 PM
Nothing detected at VT: https://www.virustotal.com/en/url/09755c1a471cc1699206ab56e1c35e6fc9fb872ec97d8908f698246557a56e91/analysis/1555170180/
Scan results all green: https://sitecheck.sucuri.net/results/https/mail.pnmresources.com/owa
DOM-XSS scan results from scanning URL: -https://mail.pnmresources.com/owa
Number of sources found: 18 ; number of sinks found: 31
Is redirecting to: -https://mail.pnmresources.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.pnmresources.com%2fowa&reason=0
Re: https://www.shodan.io/host/192.147.68.85
Re: https://www.shodan.io/host/192.147.68.85  various 302 redirects found.
Connection to site is not secure, website won't resolve...

Wait for an avast team member to give a final verdict on that detection.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: R50 on April 13, 2019, 08:20:46 PM
Now I am not one of the admins on the site, but I am a long-time user, and I got on this morning to a blank page on the Marvel Fandom site. Oh yeah, the ad blocker would not allow me to access it. Checked out the adblocker extension and it wasn't a trusted site anymore... I think someone (or ones) used the adblocker to lock others out of the site. I did a site check and it came back clean.

https://sitecheck.sucuri.net/results/https/marvel.fandom.com
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on April 13, 2019, 08:29:08 PM
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 14, 2019, 01:03:52 AM
This is found there:  -https://slot1-images.wikia.nocookie.net/__am/8410038410012/groups/-/abtesting,oasis_blocking,universal_analytics_js,adengine3_top_js,tracking_opt_in_js,qualaroo_blocking_js
Number of sources found: 21 ; number of sinks found: 13
&
Results from scanning URL: -https://slot1-images.wikia.nocookie.net/__am/8410038410012/groups/-/oasis_shared_core_js,oasis_shared_js,oasis_anon_js,toc_js,recirculation_js,qualaroo_js
Number of sources found: 238 ; number of sinks found: 76

17 known trackers on page, vulnerable to sweet32 attack:  https://privacyscore.org/site/133362/

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: Huy17 on April 19, 2019, 08:17:47 AM
Hi all,

My Avast always shows this (image) popup even though I never access this website. How do I turn it off?

https://imgur.com/fFvgIbN  - Capture

(I can't find the upload image function on this post)
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 19, 2019, 11:31:30 AM
Avast is not alone here: https://www.virustotal.com/#/url/1604f39f06cb9a4dcb934bd395b57d6edff3fbb97c72d7a8a8d3ec5eabe814d1/detection
When Delphi is involved there is always room for a FP, so wait for a final verdict:
https://www.virustotal.com/#/file/3025a401f1e164dd52488ac1497face4291c622473c4890ac8dabcfc9c3a79f3/details

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on April 19, 2019, 11:41:36 PM
We see that the detection is not on the website from 15.04.2019 :

http://accounts.jobmi.com
http://www.cacit.org
https://spa.cryoinnovations.com
https://dashboard.lakon.id
https://mail.pnmresources.com/owa


Detection was removed on 16.04.2019 at 06:42 min

https://secure-research-payment.com/writer/user/login

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 20, 2019, 12:41:09 AM
These sort of executables have earlier led to quite an amount of false positives, this isn't a new thing,
as this one here: Basic Properties
Quote
MD5   9f9bd677046f193d2b2bfb10e99886b5
SHA-1   9d85469aded933cd62ee439066dd4d9b21346403
Authentihash   2e7b3fee50a64738bbbd13080f1da5cb2d5b32da9adca3f52fef8402da6cf6bd
Imphash   48aa5c8931746a9655524f67b25a47ef
File Type   Win32 EXE
Magic   PE32 executable for MS Windows (GUI) Intel 80386 32-bit
SSDeep   393216:LUxB09/nu88j4i5aBq2v0t0ddLQNPFjzlJHiG3:LUxB0lu8cDoBuTNPDhii
TRiD   Win32 Executable Delphi generic (52.9%)
Win32 Executable (generic) (16.8%)
Win16/32 Executable Delphi generic (7.7%)
OS/2 Executable (generic) (7.5%)
Generic Win/DOS Executable (7.4%)
File Size   14.58 MB


A search-query like -https://www.google.com/search?q=esc_setup.exe&oq=esc_setup.exe&sourceid=chrome&ie=UTF-8
will give you many an example...see heuristical matches by hybrid-analysis in this case: https://www.virustotal.com/#/file/3025a401f1e164dd52488ac1497face4291c622473c4890ac8dabcfc9c3a79f3/community

Problem here often is a missing digital signature in the case of such executable in Delphi.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Jonathan408 on April 22, 2019, 09:40:28 PM
Hello, my Site is marked as url:phishing.
I scanned it at
Complete zip site
https://www.virustotal.com/en/file/baae97423b1024cdb0a41613f7cbbbd95b05efca2e565dd3fa86ab9445043b39/analysis/1555961542/
Url site
https://www.virustotal.com/en/url/87076758495fddc36ba5e872739182f02d78e995d2cd31f8532fb7e0eff00071/analysis/

And show all clean.
If there aren't any problems, can my site be removed from the blacklist? Thanks.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 22, 2019, 11:00:33 PM
Google Safe Browsing alert:
Quote
Note! The scan has detected URL(s) from your site and/or IP in Phishing DBs -
This link Flagged URL(s)? will open a utility that will list out any URL(s) from your domain that are listed in Phishing DBs and tell you if Google is currently flagging the URL.
For some tips on clearing a Phishing hack see: Remove a phishing or web forgery warning
Also consider analysis here: https://any.run/report/8f0262f7c2a5417223869aae4d2137fcb24b664d52bb7430fc891dad6f0cd837/a6fea7e4-53a3-43c8-afef-4193197b5ee1  -> https://app.any.run/tasks/a6fea7e4-53a3-43c8-afef-4193197b5ee1   no threats detected.

Wait for an avast team member to give a final verdict, they are the only ones to unblock,
as we here are just volunteers with relevant knowledge.

Quttera flags your site as malicious: https://www.virustotal.com/en/url/6594612ff2efe3202b00db1ad168ac387ebd385bde029a739b553e4e586f9d14/analysis/
as abuse was now two weeks ago
but now gives it as clean: https://quttera.com/detailed_report/geoingenieria.org.pe

vulnerabilities still on IP: https://www.shodan.io/host/192.185.105.88
Insecure website
Quote
Website is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping. Tell -geoingenieria.org.pe to fix it.

 All trackers
At least 4 third parties know you are on this webpage.

 -Google
 -geoingenieria.org.pe
 -Facebook
-www.google-analytics.com Google

 Tracker could be tracking safely if this site was secure.

 Tracker does not support secure transmission.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on April 26, 2019, 04:57:29 AM
Hi all,

My Avast always shows this (image) popup even though I never access this website. How do I turn it off?

https://imgur.com/fFvgIbN  - Capture

(I can't find the upload image function on this post)

Detection was disabled yesterday.

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on April 26, 2019, 05:02:18 AM
Hello, my Site is marked as url:phishing.
I scanned it at
Complete zip site
https://www.virustotal.com/en/file/baae97423b1024cdb0a41613f7cbbbd95b05efca2e565dd3fa86ab9445043b39/analysis/1555961542/
Url site
https://www.virustotal.com/en/url/87076758495fddc36ba5e872739182f02d78e995d2cd31f8532fb7e0eff00071/analysis/

And show all clean.
If there aren't any problems, can my site be removed from the blacklist? Thanks.

Detection was removed yesterday 25.04.2019 at 12:00.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Alpian Noor on April 29, 2019, 05:36:38 AM
hi, ask for our website has been blocked by avast url phishing
website : www.pn-batulicin.go.id
Title: Re: Site Blocked - URL:Phishing
Post by: mchain on April 29, 2019, 06:00:58 AM
https://sitecheck.sucuri.net/results/www.pn-batulicin.go.id
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 01, 2019, 01:47:32 AM
hi, ask for our website has been blocked by avast url phishing
website : www[.]pn-batulicin[.]go.id

Detection was removed on 30.04.2019.

Phishing where

https://www.virustotal.com/gui/url/aa989250c8a546a87fe3557d445bfb94fc7e7087bb58da35e67582e4c27ae89e/detection

http://www.siteadvisor.com/sitereport.html?url=http://pn-batulicin.go.id/cache

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: devilmanozzy on May 05, 2019, 06:03:28 AM
Fandom Community Central has been being labelled a Phishing site the last few days. I'm not a tech. 

https://sitecheck.sucuri.net/results/www.community.fandom.com

Why is it a threat now? Did I miss something here?

Title: Re: Site Blocked - URL:Phishing
Post by: polonus on May 05, 2019, 03:22:58 PM
Also a former AVG threat detection:
https://www.virustotal.com/pl/url/a7414127e577b0c89ed130c3f7e79af0800110d40ea7fc149b22b818357ef4fd/analysis/

What about a link to -https://slot1-images.wikia.nocookie.net/__load/-/cb%3D1556562431137%26debug%3Dfalse%26lang%3Den%26only%3Dscripts%26skin%3Doasis/amd|wikia.tracker.stub,stub|wikia.abTest,cache,cookies,document,geo,instantGlobals,location,log,querystring,window

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 09, 2019, 10:18:27 PM
Fandom Community Central has been being labelled a Phishing site the last few days. I'm not a tech. 

https://sitecheck.sucuri.net/results/www.community.fandom.com

Why is it a threat now? Did I miss something here?

Check URL and  the detection was fixed same date on 05.05.2019.

Quote from: Avast
Our virus specialists have been working on this problem and it has been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: Rafael390 on May 11, 2019, 01:11:33 AM
Hi there,
Could you please check why my web site is marked as url:phishing.
The address is https://www.accountsplusservices.co.nz/
The web-site is built and hosted on the Wix.com platform and doesn't contain any third party scripts.


Thanks in advance.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on May 11, 2019, 11:53:37 AM
Once there could have been an intrusion attempt from 130.211.46.196 as a MultiHost/MultiPort Probe, Scan, Hack -

Threats for that address - mails can be fraudulently sent - SPF not enabled - DMARC not enabled;
DNS is susceptible to M-i-M attacks.
No abuse reports for Wix.com, Ashburn  ;)
Could be avast flags this script on your site: results from scanning URL: -https://static.parastorage.com/unpkg/requirejs-bolt@2.3.6/requirejs.min.js
Number of sources found: 7 ; number of sinks found: 2  and the connection DOM-XSS scan link to : //cdn-rtb.sape.ru/teasers/ there.

Hosting: https://toolbar.netcraft.com/site_report?url=https://static.parastorage.com
But wait for a final verdict from an avast team member after this weekend, as they are the only ones to come and unblock.
We are just volunteers with relevant knowledge.

Some improvement recommendations you could implement anyways, just 3, very, very good results for the included scripts:
https://webhint.io/scanner/0afa232f-0551-4104-8b68-a575e8dcd3f2   ;)

Given clean here, no alerts: https://urlquery.net/report/cbea3ecc-9526-4fca-a759-2df231ae7749

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on May 11, 2019, 12:31:55 PM
About the scanning via 130.211.46.196 -196.46.211.130.bc.googleusercontent.com   a.k.a. https://www.shodan.io/search?query=parastorage.com (GoDaddy),
Quote
Full Name:
                  URI:-http://crl.godaddy.com/gdig2s1-848.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: -http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1

            Authority Information Access:
                OCSP - URI:-http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Authority Key Identifier:
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

            X509v3 Subject Alternative Name:
                DNS:*-.parastorage.com, DNS:-parastorage.com
            X509v3 Subject Key Identifier:
                7D:9F:A9:69:69:B4:B0:F6:9C:F4:F2:2B:AF:0B:26:3E:39:ED:4C:9F
            1.3.6.1.4.1.11129.2.4.2:
                ...j.h.v.......X......gp

pol
Title: Re: Site Blocked - URL:Phishing
Post by: Dastel on May 11, 2019, 09:03:22 PM
Hello, I have the same problem with my website:
https://www.envases-riviere.com.ar
Can you unlock URL?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on May 11, 2019, 09:04:50 PM
-> https://sitecheck.sucuri.net/results/https/www.envases-riviere.com.ar
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on May 11, 2019, 11:55:08 PM
Site has been blacklisted by certain parties. You are with 134 other domains on that same IP address.
165 Website improvement tips: https://webhint.io/scanner/530fbc69-1d2c-46d5-8e95-03c7f9c1f338
Service temporarily unavailable: https://www.shodan.io/host/181.88.192.108
Re: https://toolbar.netcraft.com/site_report?url=http://host108.181-88-192.telecom.net.ar/
DOM-XSS issues: Results from scanning URL: -https://www.envases-riviere.com.ar/js/jquery-ui.min.js
Number of sources found: 286 ; number of sinks found: 14
Consider JQuery vuln. listed here: https://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003
and
Results from scanning URL: -https://www.envases-riviere.com.ar/js/bootstrap.js
Number of sources found: 33 ; number of sinks found: 10

jQuery library retirables: Retire.js
jquery-ui-dialog   1.10.4   Found in -https://www.envases-riviere.com.ar/js/jquery-ui.min.js
Vulnerability info:
High   CVE-2016-7103 281 XSS Vulnerability on closeText option   
jquery   2.2.0.min   Found in -https://www.envases-riviere.com.ar/js/jquery-2.2.0.min.js
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   

Found with JavaScript error notifier:
Quote
SyntaxError: Invalid or unexpected token
 /js/jquery-2.2.0.min.js:3

Bootstrap's JavaScript requires jQuery
 /js/bootstrap.js:1

ReferenceError: jQuery is not defined
 /js/main.js:1

SyntaxError: Invalid or unexpected token
 /js/jquery-ui.min.js:6

ReferenceError: $ is not defined
 /:275

issues like security headers not set: content-security-policy upgrade-insecure-requests

x-content-type-options Header not returned

x-xss-protection Header not returned

x-frame-options Header not returned

Issue:
Quote
Loaded script with known vulnerabilities: -https://www.envases-riviere.com.ar/js/jquery-ui.min.js
 - jquery-ui-dialog 1.10.4 - Info: -https://github.com/jquery/api.jqueryui.com/issues/281 https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
 - jquery-ui-autocomplete 1.10.4 - Info:
 - jquery-ui-tooltip 1.10.4 - Info:

Ask for an avast team member to give a final verdict, we here are just volunteers with relevant knowledge,
but only avast team members can come and unblock.

Here Dr.Web gives the site the all green:

confirmed here: https://www.virustotal.com/en/url/955885af59c7308e4cd1aca4caa7ec453be1e0c1fe9bd488c0c30f79d93c8efc/analysis/

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
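The two checks reported in the post above (libraries with known CVEs, and hardening headers that are not returned) can be reproduced locally. This is an added example, not code from the thread or from Retire.js; the `example.test` URLs, the banner strings and the header set are constructed sample input, and the fixed versions 3.0.0 and 1.12.0 are assumptions taken from the public advisories for those CVEs (only 3.4.0 is stated in the post).

```javascript
// Advisory table limited to the CVEs quoted in the post. `below` is the first
// fixed version: 3.4.0 is stated in the post; 3.0.0 and 1.12.0 are taken from
// the public advisories for those CVEs (assumption, not from the thread).
const ADVISORIES = {
  jquery: [
    { below: "3.0.0", id: "CVE-2015-9251", severity: "medium" },
    { below: "3.4.0", id: "CVE-2019-11358", severity: "medium" },
  ],
  "jquery-ui": [{ below: "1.12.0", id: "CVE-2016-7103", severity: "high" }],
};

// Response headers the post reports as not set or "not returned".
// x-xss-protection is kept because the post lists it; most current browsers
// no longer act on it.
const REQUIRED_HEADERS = [
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
  "x-xss-protection",
];

// A version can come from the file's banner comment or from its file name.
// jquery-ui is listed first so that it is never mistaken for jquery.
const DETECTORS = [
  {
    name: "jquery-ui",
    banner: /jQuery UI - v(\d+(?:\.\d+)+)/,
    file: /jquery-ui-(\d+(?:\.\d+)+)(?:\.min)?\.js/,
  },
  {
    name: "jquery",
    banner: /jQuery (?:JavaScript Library )?v(\d+(?:\.\d+)+)/,
    file: /jquery-(\d+(?:\.\d+)+)(?:\.min)?\.js/,
  },
];

// Numeric, component-wise comparison: "1.10.4" is newer than "1.9.0",
// which a plain string comparison would get wrong.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

// Returns { name, version } or null when the script is not a known library.
function detectLibrary(url, body) {
  for (const d of DETECTORS) {
    const m = d.banner.exec(body || "") || d.file.exec(url);
    if (m) return { name: d.name, version: m[1] };
  }
  return null;
}

// One finding per (script, advisory) pair whose version is below the fix.
function findKnownVulnerable(scripts) {
  const findings = [];
  for (const s of scripts) {
    const lib = detectLibrary(s.url, s.body);
    if (!lib) continue;
    for (const adv of ADVISORIES[lib.name] || []) {
      if (compareVersions(lib.version, adv.below) < 0) {
        findings.push({ url: s.url, library: lib.name, version: lib.version, ...adv });
      }
    }
  }
  return findings;
}

// Header names are case-insensitive, so normalise before comparing.
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return REQUIRED_HEADERS.filter((h) => !present.has(h));
}

// Constructed sample input modelled on the file names in the post.
const SAMPLE_SCRIPTS = [
  { url: "https://example.test/js/jquery-ui.min.js", body: "/*! jQuery UI - v1.10.4 - 2014-01-17 */" },
  { url: "https://example.test/js/jquery-2.2.0.min.js", body: "" },
  { url: "https://example.test/js/jquery-3.4.1.min.js", body: "/*! jQuery v3.4.1 | (c) JS Foundation */" },
  { url: "https://example.test/js/main.js", body: "console.log('site code');" },
];
const SAMPLE_HEADERS = { "Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN" };

for (const f of findKnownVulnerable(SAMPLE_SCRIPTS)) {
  console.log(`${f.severity}\t${f.id}\t${f.library} ${f.version}\t${f.url}`);
}
console.log("missing headers:", missingSecurityHeaders(SAMPLE_HEADERS).join(", "));
```
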
Title: Re: Site Blocked - URL:Phishing
Post by: Rafael390 on May 12, 2019, 04:40:23 AM
Some improvement recommendations you could implement anyways, just 3, very, very good results for the included scripts:
https://webhint.io/scanner/0afa232f-0551-4104-8b68-a575e8dcd3f2   ;)

Re: https://www.accountsplusservices.co.nz/ blacklist

This web-site was built by my friend for her little company and who knows nothing about software development and cyber security as same as an obvious Wix.com user.
She asked me to check why it doesn't work just 2 days ago.
I found that there were some incorrectness in Name zone records on Wix.com and in the service where she bought domain name at the same time.
Finally I fixed that and her email became working.
Thanks for recommendations, but as I said the web-site built totally on Wix.com platform and we don't have to understand how their scripts work on that site and on thousands others sites where those features are enabled.
Moreover, I don't think we are able to fix them.
I can just re-address your recommendations to the Wix.com developers and ask money back for the time while site was blocked.
Surprisingly the web-site blacklisted only in Avast.
So I would prefer to hear verdict from Avast team as from first instance  and then contact Wix.com if it won't help.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on May 12, 2019, 08:43:54 AM
Hi Rafael390,

Very wise decision on your behalf. Just wait for an avast team member to give a final explanation as to what they flagged there.
"Wysiwyg"-website CMS can be a minefield in the hands of the unaware, but again also the avast detection can be an FP, temporarily correct or just for another domain that shares that IP. Wait for an avast member to appear as this will most likely be after the weekend, I presume,

Stay safe and secure both online and offline, is the wish of,

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: EnRaMy on May 12, 2019, 09:39:22 AM
Hi there,
Could you please check why my web site is marked as url:phishing.
The address is https://www.Qawafil.Org
The web-site is a charity organization located in Kuwait and I tested the site on the following sites:
https://sitecheck.sucuri.net/
https://rescan.pro
https://www.virustotal.com
Title: Re: Site Blocked - URL:Phishing
Post by: mchain on May 12, 2019, 05:52:24 PM
Hi there,
Could you please check why my web site is marked as url:phishing.
The address is hxxps://www.Qawafil.Org
The web-site is a charity organization located in Kuwait and I tested the site on the following sites:
https://sitecheck.sucuri.net/
https://rescan.pro
https://www.virustotal.com
Well, if your links were actual test results you would've seen this: 
https://www.virustotal.com/#/url/aa77b132c4edf00f71386c6f12e1d08c52ba238d51a74dc8183b96664fdc4727/detection
https://rescan.pro/go.php
https://sitecheck.sucuri.net/results/https/www.qawafil.org
So, not just Avast blocking.
More:
https://quttera.com/detailed_report/www.qawafil.org
https://zulu.zscaler.com/submission/0dbb7e3a-7629-4f60-a267-e3fa403e5132
http://urlquery.net/report/55c1897a-48ae-4957-89b8-f43ab8be78d3
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on May 12, 2019, 05:55:45 PM
Hi there,
Could you please check why my web site is marked as url:phishing.
The address is hxxps://www.Qawafil.Org
The web-site is a charity organization located in Kuwait and I tested the site on the following sites:
https://sitecheck.sucuri.net/
https://rescan.pro
https://www.virustotal.com

Break link (as I have in the quoted text) to suspect site to prevent accidental exposure.
Title: Re: Site Blocked - URL:Phishing
Post by: Ser518 on May 13, 2019, 03:21:33 PM
Hello. When I try to download files from site: bankrot.fedresurs.ru - it is blocked with "URL:Blacklist". Can you fix it?
(for example: https://bankrot.fedresurs.ru/Download/file.fo?id=2044491&type=MessageDocument)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 14, 2019, 03:23:13 AM
Hello, I have the same problem with my website:
hxxps://www.envases-riviere[.]com.ar
Can you unlock URL?

Hello.
Detection was removed on 13.05.2019.

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on May 14, 2019, 11:21:33 AM
Re: -http://bankrot.fedresurs.ru/brasdocument.aspx/index.html?id=4167503
Re: https://www.virustotal.com/#/url/05c63b35cd0e8c58336427e700d409edb7bb1cb57c1c4b8777476175d7c0cd2d/detection

Wait for an avast team member to give a final verdict, Dr. Web does not seem to detect it any longer.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: seo10 on May 15, 2019, 10:33:10 PM
Why does Avast block https://baxov.net
How can I fix this?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on May 15, 2019, 10:42:26 PM
Why does Avast block https://baxov.net
How can I fix this?
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php


https://www.virustotal.com/#/url/d763a043e1f287e61adbf085e25af6fa3c8356d9b16f38d3791f2be886d38e8b/detection


Title: Re: Site Blocked - URL:Phishing
Post by: seo10 on May 15, 2019, 11:14:22 PM
Why does Avast block https://baxov.net
How can I fix this?
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php


https://www.virustotal.com/#/url/d763a043e1f287e61adbf085e25af6fa3c8356d9b16f38d3791f2be886d38e8b/detection

Thank you

We see a lot of fake abuse.
We will try to contact other AV. PhishTank has already deleted from its list.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 16, 2019, 01:22:20 PM
Hi there,
Could you please check why my web site is marked as url:phishing.
The address is htxps://www.Qawafil[.]Org
The web-site is a charity organization located in Kuwait and I tested the site on the following sites:
https://sitecheck.sucuri.net/
https://rescan.pro
https://www.virustotal.com

Detection was removed on 16.05.2019 at 04:29.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 17, 2019, 04:49:04 AM
Hi there,
Could you please check why my web site is marked as url:phishing.
The address is htxps://www.accountsplusservices.co[.]nz/
The web-site is built and hosted on the Wix.com platform and doesn't contain any third party scripts.

Thanks in advance.

Detection was removed 16.05.2019.

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: mudoo on May 20, 2019, 05:21:22 AM
Site: https://www.streamcraft.com
VirusTotal: https://www.virustotal.com/#/url/a9293cdb375a068cb58d54e2ddeadd381b65cd0c89d5f62d55f49c0a88808f0a/detection
https://www.virustotal.com/#/url/8844e56eca1b4bf8db6d8b3daf3744d4f80ecb555cf2427bcc6c199ef18c7728/detection

Avast blocked https://webapi.streamcraft.com/, it's just an API domain. How to fix it?
Title: Re: Site Blocked - URL:Phishing
Post by: mchain on May 20, 2019, 07:11:57 AM
https://sitecheck.sucuri.net/results/www.streamcraft.com
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 21, 2019, 02:39:43 AM
Hello. When I try to download files from site: bankrot.fedresurs.ru - it is blocked with "URL:Blacklist". Can you fix it?
(for example: hxxps://bankrot.fedresurs[.]ru/Download/file.fo?id=2044491&type=MessageDocument)

Detection was removed 20.05.2019 12:28 PM

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided URL is not detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 21, 2019, 02:47:51 AM
Site: hxxps://www.streamcraft[.]com
VirusTotal: https://www.virustotal.com/#/url/a9293cdb375a068cb58d54e2ddeadd381b65cd0c89d5f62d55f49c0a88808f0a/detection
https://www.virustotal.com/#/url/8844e56eca1b4bf8db6d8b3daf3744d4f80ecb555cf2427bcc6c199ef18c7728/detection

Avast blocked hxxps://webapi.streamcraft[.]com/, it's just an API domain. How to fix it?

Detection was removed on 20.05.2019 at 11:52 AM

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided URL is not detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 22, 2019, 02:08:41 AM
Why does Avast block hxxps://baxov[.]net?
How can I fix this?

Detection has been removed 21.05.2019 at 05:19 in the morning.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: EnRaMy on May 22, 2019, 03:06:13 PM
Well, if your links were actual test results you would've seen this: 
https://www.virustotal.com/#/url/aa77b132c4edf00f71386c6f12e1d08c52ba238d51a74dc8183b96664fdc4727/detection
https://rescan.pro/go.php
https://sitecheck.sucuri.net/results/https/www.qawafil.org
So, not just Avast blocking.
More:
https://quttera.com/detailed_report/www.qawafil.org
https://zulu.zscaler.com/submission/0dbb7e3a-7629-4f60-a267-e3fa403e5132
http://urlquery.net/report/55c1897a-48ae-4957-89b8-f43ab8be78d3

Thanks for your answer, I've rechecked all the site and installed a Web Application Firewall on the server, now all sites give clean results, but Avast is still showing a phishing site
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on May 22, 2019, 03:44:42 PM
Well, if your links were actual test results you would've seen this: 
https://www.virustotal.com/#/url/aa77b132c4edf00f71386c6f12e1d08c52ba238d51a74dc8183b96664fdc4727/detection
https://rescan.pro/go.php
https://sitecheck.sucuri.net/results/https/www.qawafil.org
So, not just Avast blocking.
More:
https://quttera.com/detailed_report/www.qawafil.org
https://zulu.zscaler.com/submission/0dbb7e3a-7629-4f60-a267-e3fa403e5132
http://urlquery.net/report/55c1897a-48ae-4957-89b8-f43ab8be78d3

Thanks for your answer, I've rechecked all the site and installed a Web Application Firewall on the server, now all sites give clean results, but Avast is still showing a phishing site

Have you actually submitted the URL to avast for analysis?
If not use the https://www.avast.com/false-positive-file-form.php.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 26, 2019, 12:26:58 AM
Well, if your links were actual test results you would've seen this: 
https://www.virustotal.com/#/url/aa77b132c4edf00f71386c6f12e1d08c52ba238d51a74dc8183b96664fdc4727/detection
https://rescan.pro/go.php
https://sitecheck.sucuri.net/results/https/www.qawafil.org
So, not just Avast blocking.
More:
https://quttera.com/detailed_report/www.qawafil.org
https://zulu.zscaler.com/submission/0dbb7e3a-7629-4f60-a267-e3fa403e5132
http://urlquery.net/report/55c1897a-48ae-4957-89b8-f43ab8be78d3

Thanks for your answer, I've rechecked all the site and installed a Web Application Firewall on the server, now all sites give clean results, but Avast is still showing a phishing site

There really was a problem; they corrected it, but did not do the complete job.

Quote from: Avast
We submitted the data for review again.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on May 26, 2019, 09:22:49 AM
I get a 301 Moved Permanently for 192.124.249.168, see https://urlquery.net/report/bfd037e8-179a-4c4c-a369-9de5cf2a4a0c
The site you are visiting is using Sucuri Website Firewall. And for some reason it is not configured properly. If you are the site owner, please open a ticket here asap for us to look at it for you: https://support.sucuri.net. If you are visiting the site please try again in a few minutes.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: antoine.db99 on May 26, 2019, 12:46:10 PM
Hello, it looks like avast prevents any access on my website because of Phishing and I don't see any reason it is acting that way.
Could you please unlock the access to http://www.gite-les-tilleuls-saint-romain-en-jarez.com/ ?
Thank you.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on May 26, 2019, 12:55:14 PM
-> https://sitecheck.sucuri.net/results/www.gite-les-tilleuls-saint-romain-en-jarez.com
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on May 26, 2019, 01:10:55 PM
Last alerted 2017: https://urlquery.net/report/ee12d2f8-0d93-467b-93a2-25e5d099e4b5

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 29, 2019, 03:07:39 AM
Hello, it looks like avast prevents any access on my website because of Phishing and I don't see any reason it is acting that way.
Could you please unlock the access to hxxp://www.gite-les-tilleuls-saint-romain-en-jarez[.]com/ ?
Thank you.

Detection has been removed 28.05.2019 at 04:38 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on May 29, 2019, 11:01:36 PM
Thanks for your answer, I've rechecked all the site and installed a Web Application Firewall on the server, now all sites give clean results, but Avast is still showing a phishing site

The plugin was updated on 1 July 2019 and removed the detection.
Title: Re: Site Blocked - URL:Phishing
Post by: okapii on May 31, 2019, 09:51:57 PM
Hi, please remove caballoscriollos.com from the blacklist
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on May 31, 2019, 09:54:12 PM
Hi, please remove caballoscriollos.com from the blacklist
Sucuri  INFECTED   https://sitecheck.sucuri.net/results/caballoscriollos.com

https://www.virustotal.com/gui/url/e1d328e2393e29243847ca33fcf7dd12c03407f752a8c78618675bf794994e2b/detection


Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: EnRaMy on June 01, 2019, 12:29:22 AM
Well, if your links were actual test results you would've seen this: 
https://www.virustotal.com/#/url/aa77b132c4edf00f71386c6f12e1d08c52ba238d51a74dc8183b96664fdc4727/detection
https://rescan.pro/go.php
https://sitecheck.sucuri.net/results/https/www.qawafil.org
So, not just Avast blocking.
More:
https://quttera.com/detailed_report/www.qawafil.org
https://zulu.zscaler.com/submission/0dbb7e3a-7629-4f60-a267-e3fa403e5132
http://urlquery.net/report/55c1897a-48ae-4957-89b8-f43ab8be78d3

Thanks for your answer, I've rechecked all the site and installed a Web Application Firewall on the server, now all sites give clean results, but Avast is still showing a phishing site

Have you actually submitted the URL to avast for analysis?
If not use the https://www.avast.com/false-positive-file-form.php.

I've submitted the URL and received this answer :
"Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files."

but till now still the same
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on June 01, 2019, 01:36:25 AM
<snip quotes>
Have you actually submitted the URL to avast for analysis?
If not use the https://www.avast.com/false-positive-file-form.php.

I've submitted the URL and received this answer :
"Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files."

but till now still the same

I've just visited the site (hxxps://qawafil[.]org/) and no alert.

First ensure that you have the latest virus definitions, it may be worth clearing your browser cache (though that shouldn't really impact the detection if cleared).
Title: Re: Site Blocked - URL:Phishing
Post by: Emilio55 on June 01, 2019, 01:41:16 AM
Dear Avast,

I have a website, seraser.pe. This site was previously infected with phishing, but we have worked on cleaning it; we have now scanned our files and the result is favorable, and we have no more infected files.
But the Avast antivirus detects our site as malicious, http://prntscr.com/nw4h5o

Please, we would like to know why this happens.
We think it could be that you have not updated your database after our site was cleaned.
Please, we ask for your help.

Regards
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on June 01, 2019, 03:20:03 AM
Dear Avast,

I have a website, seraser.pe. This site was previously infected with phishing, but we have worked on cleaning it; we have now scanned our files and the result is favorable, and we have no more infected files.
But the Avast antivirus detects our site as malicious, http://prntscr.com/nw4h5o

Please, we would like to know why this happens.
We think it could be that you have not updated your database after our site was cleaned.
Please, we ask for your help.

Regards

Have you actually submitted the URL to avast for analysis ?
If not use the report form.

¿Has enviado la URL a avast para su análisis?
Si no utiliza el formulario de informe.

https://www.avast.com/false-positive-file-form.php.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on June 01, 2019, 06:32:37 PM
No detection here: https://www.virustotal.com/gui/url/ccec016a3c910bc2aac90f757d2a38fd4073baba197c4265d0f263f541f2da6a/detection
Cloudflare abuse? https://www.shodan.io/host/104.20.14.105
Re: https://www.abuseipdb.com/check/104.20.14.105
No content:
Quote
Content that was returned by your request for the URL: https://prntscr.com/nw4h5o
Note: Content displayed is from the redirect location, the URL https://prnt.sc/nw4h5o
Quote
1:  < html>
2:  < head> < title> 301 Moved Permanently< /title> < /head>
3:  < body bgcolor="white">
4:  < center> < h1> 301 Moved Permanently< /h1> < /center>
5:  < hr> < center> nginx< /center>
6:  < /body>
7:  < /html>
Advertencia Marked as phishing site..flagged https://sitecheck.sucuri.net/results/https/prntscr.com/nw4h5o

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on June 04, 2019, 05:00:42 AM
Dear Avast,

I have a website, seraser.pe. This site was previously infected with phishing, but we have worked on cleaning it; we have now scanned our files and the result is favorable, and we have no more infected files.
But the Avast antivirus detects our site as malicious, http://prntscr.com/nw4h5o

Please, we would like to know why this happens.
We think it could be that you have not updated your database after our site was cleaned.
Please, we ask for your help.

Regards

Detection was removed 03.06.2019 at 08:44 am

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: recordplay on June 04, 2019, 07:54:21 PM
In the past week, every time I go to the web site studio51music.com I get blocked by Avast with the message, infected with URL:Phishing.  I know the site is good, I've talked with the owner and no one else has had any problems with it.  Can you please unblock?
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on June 04, 2019, 08:35:33 PM
In the past week, every time I go to the web site studio51music.com I get blocked by Avast with the message, infected with URL:Phishing.  I know the site is good, I've talked with the owner and no one else has had any problems with it.  Can you please unblock?

It would appear that it isn't only Avast that finds it suspect, McAfee  also.

https://sitecheck.sucuri.net/results/studio51music.com

I suggest that at the very least you use the https://www.avast.com/false-positive-file-form.php report form.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on June 04, 2019, 09:46:57 PM
According to this scan the site is still PHISHING
https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=c3R1I1tdNTFtdXNbXi5eXW0%3D~enc
vuln. jQuery libraries: https://retire.insecurity.today/#!/scan/5e2c3ba337c68a84c699f43e3737aa6ba2a35747d81b3d819f03e6387c58ea16
This seems OK: http://www.isithacked.com/check/studio51music.com
Site is blacklisted. Web authorities are blocking traffic because your website is unsafe for visitors.
DOM-XSS issues: Results from scanning URL: -http://studio51music.com/js/S51Content.js
Number of sources found: 263
Number of sinks found: 17
recommendations to improve website: https://webhint.io/scanner/9e2e97bc-9640-4ca8-af21-115ca2ad1496

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Guillaume B on June 05, 2019, 11:48:08 AM
Hello,
My site www.my-skybar.com is blocked by Avast for a "URL:Phishing" reason. I don't understand since I developed it using embedded features of a big CMS, so I guess it is clean...

Based on what I read on this forum, I have just submitted it to Avast for false positive analysis. I double checked on sucuri as well and my site seems clean (minimal security risk).

Do I have anything more to do ?

Thank you for your help.
Best,
GB
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on June 06, 2019, 01:04:37 PM
In the past week, every time I go to the web site studio51music.com I get blocked by Avast with the message, infected with URL:Phishing.  I know the site is good, I've talked with the owner and no one else has had any problems with it.  Can you please unblock?

Detection was removed 06.06.2019 at 05:38.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on June 06, 2019, 01:07:52 PM
Hello,
My site www[.]my-skybar[.]com is blocked by Avast for a "URL:Phishing" reason. I don't understand since I developed it using embedded features of a big CMS, so I guess it is clean...

Based on what I read on this forum, I have just submitted it to Avast for false positive analysis. I double checked on sucuri as well and my site seems clean (minimal security risk).

Do I have anything more to do ?

Thank you for your help.
Best,
GB

Detection already removed 06.06.2019.

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided URL is not detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: whil on June 11, 2019, 06:43:38 AM
Hello,

I'm also having the same problem with a site I'm working on, https://celebritypublishers.com. It is being blocked for "URL:Phishing", but it is a relatively new site and a clean install. I also tried to scan it thoroughly, this is clearly a false positive.

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on June 11, 2019, 07:37:32 PM
Hi whil,

Checking for cloaking
There is a difference of 1 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot.
This probably means some code is running on your site that's trying to hide from browsers
but make Google think there's something else on the page.
Quote
var tve_dash_front = {"ajaxurl":"-https:\/\/celebritypublishers.com\/wp-admin\/admin-ajax.php","force_ajax_send":"","is_crawler":""};
var tve_dash_front = {"ajaxurl":"-https:\/\/celebritypublishers.com\/wp-admin\/admin-ajax.php","force_ajax_send":"","is_crawler":"1"};

27 improvement suggestions, some security related: https://webhint.io/scanner/787f748a-b7e8-414d-9e54-73292270cab6

1 vuln. jQuery library detected: https://retire.insecurity.today/#!/scan/c2ac8916a761d187351573daca1c2b3c32273c7a59bef31962d47f758eafd297

Quite some vuln. on the Houston hoster, where you share your address with 137 others:
https://www.shodan.io/host/192.185.163.130  a.o. Exim smtpdVersion: 4.91 vuln. version, recently in the news,
hopefully they patched that server with F-grade scan results: https://observatory.mozilla.org/analyze/unifiedlayer.com

15 immediate potential threats: https://app.upguard.com/#/https://celebritypublishers.com

probably your detection is IP related (trojan finds): https://www.virustotal.com/gui/ip-address/192.185.163.130/relations

Reputation Check: PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK
Cisco Talos Blacklist: OK
Web Server: nginx/1.15.10
X-Powered-By: None
IP Address: -192.185.163.130
Hosting Provider: Unified Layer
Shared Hosting: 138 sites found on 192.185.163.130

Protection Recommendations
Directory Listing is enabled on your site. This can lead to information leakage. We recommend disabling Directory Listing.
a.k.a.  Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled (should be set disabled)
/wp-content/plugins/      disabled

Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.
Check for latest updates: The following plugins were detected by reading the HTML source of the WordPress sites front page.

thrive-visual-editor   
google-analytics-for-wordpress   latest release (7.6.0)
https://www.monsterinsights.com/
the-grid   
gtranslate   latest release (2.8.47)
https://gtranslate.io/
smart-slider-3   latest release (3.3.20)
https://smartslider3.com/

Wait for an avast team member to give a final verdict, we are just volunteers with relevant expertise.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
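The cloaking check quoted in the post above compares the page served to a browser user agent with the page served to a crawler user agent. As an added example (not part of the original post and not the scanner's own code), this Python sketch locates such a difference in two saved response bodies and reports whether it is confined to a field of an inline JavaScript config object; the function names are hypothetical and the sample bodies are constructed around the two `tve_dash_front` lines quoted above.

```python
import difflib
import json
import re

# Constructed sample: only the `var tve_dash_front` line comes from the post,
# the surrounding HTML is made up so the example runs offline.
BROWSER_BODY = r'''<html><head><title>Constructed sample</title>
<script>
var tve_dash_front = {"ajaxurl":"-https:\/\/celebritypublishers.com\/wp-admin\/admin-ajax.php","force_ajax_send":"","is_crawler":""};
</script></head>
<body><p>Same visible content for every visitor.</p></body></html>
'''
# Variant served to the crawler user agent, as quoted in the post.
CRAWLER_BODY = BROWSER_BODY.replace('"is_crawler":""', '"is_crawler":"1"')
# Constructed contrast case: markup that only the crawler receives.
CLOAKED_BODY = BROWSER_BODY.replace(
    "</body>",
    '<a href="http://spam.example.invalid/">constructed hidden link</a></body>',
)

# Matches an inline assignment of a JSON object literal: var NAME = {...};
JS_OBJECT = re.compile(r'var\s+(\w+)\s*=\s*(\{.*\})\s*;')


def byte_delta(a: str, b: str) -> int:
    """Size difference in bytes, the figure the scanner reports."""
    return len(b.encode("utf-8")) - len(a.encode("utf-8"))


def changed_lines(a: str, b: str):
    """Return (1-based line in a, lines from a, lines from b) per differing hunk."""
    a_lines, b_lines = a.splitlines(), b.splitlines()
    matcher = difflib.SequenceMatcher(a=a_lines, b=b_lines, autojunk=False)
    return [
        (i1 + 1, a_lines[i1:i2], b_lines[j1:j2])
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


def field_diff(line_a: str, line_b: str):
    """If both lines assign the same JS variable a JSON object, return the
    keys whose values differ as {key: (browser_value, crawler_value)}."""
    ma, mb = JS_OBJECT.search(line_a), JS_OBJECT.search(line_b)
    if not (ma and mb) or ma.group(1) != mb.group(1):
        return None
    try:
        obj_a, obj_b = json.loads(ma.group(2)), json.loads(mb.group(2))
    except json.JSONDecodeError:
        return None
    keys = sorted(set(obj_a) | set(obj_b))
    return {k: (obj_a.get(k), obj_b.get(k))
            for k in keys if obj_a.get(k) != obj_b.get(k)}


def compare_variants(browser: str, crawler: str):
    """Summarise where two variants of one page differ."""
    report = {"byte_delta": byte_delta(browser, crawler), "changes": []}
    for lineno, old, new in changed_lines(browser, crawler):
        fields = field_diff(old[0], new[0]) if len(old) == len(new) == 1 else None
        report["changes"].append(
            {"line": lineno, "browser": old, "crawler": new, "fields": fields})
    # Hunks that are not a pure config-field difference change the markup itself.
    report["markup_changes"] = sum(1 for c in report["changes"] if not c["fields"])
    return report


if __name__ == "__main__":
    for name, body in (("crawler", CRAWLER_BODY), ("cloaked", CLOAKED_BODY)):
        print(name, json.dumps(compare_variants(BROWSER_BODY, body), indent=2))
```

A size difference alone does not say what changed; reading the differing hunk shows whether the crawler received different markup or only a different value in a script variable.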
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on June 11, 2019, 11:55:45 PM
Hello,

I'm also having the same problem with a site I'm working on, hxxps://celebritypublishers.com. It is being blocked for "URL:Phishing", but it is a relatively new site and a clean install. I also tried to scan it thoroughly, this is clearly a false positive.

Thanks

Detection was removed in the morning on 11.06.2019.

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on June 12, 2019, 12:50:29 AM
In the past week, every time I go to the web site studio51music.com I get blocked by Avast with the message, infected with URL:Phishing.  I know the site is good, I've talked with the owner and no one else has had any problems with it.  Can you please unblock?

Site continues to be classified by the plugin Avast Online Security (Phishing); it should be cleaned by the owner, who is saying that the site is good.

https://transparencyreport.google.com/safe-browsing/search?url=http:%2F%2Fstudio51music.com%2F&hl=en

https://www.phishtank.com/phish_detail.php?phish_id=6051287

When the Google Safe Browsing report shows that no unsafe content was found, then Avast can clean up the reputation.
Use https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: Milin Shah on June 17, 2019, 02:13:46 PM
Hello,

I have the same problem with my Website:
https://appraisermatch.com
Can you unlock URL?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on June 17, 2019, 02:16:56 PM
Hello,

I have the same problem with my Website:
hxxps://appraisermatch.com
Can you unlock URL?
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on June 17, 2019, 04:51:11 PM
There was an error executing your search, please adjust your search-term and try again. Message:

[token_mgr_error] token_mgr_error: Lexical error at line 1, column 32. Encountered: <EOF> after : ""
OK: https://www.virustotal.com/gui/url/2101fabb785aad5893f6b68acc2c9f009b266767bb38d990d4d38646c4d1154e/detection

linting results: https://webhint.io/scanner/6576ead2-659b-4463-b445-0e1ef7529685

dom-xss in modernizr: Results from scanning URL: -https://www.appraisermatch.com/static/63u8YyfqWyKm0q2DD3lRBpOzLnZhQjSmWhPELGnxS68.js
Number of sources found: 55
Number of sinks found: 17

Re: https://urlscan.io/result/2393f7fb-8b30-44e3-b187-a946e668d9f8/loading
& https://observatory.mozilla.org/analyze/appraisermatch.com
Re: https://www.appraisermatch.com/static/5yP0mGjB8MlfyypmQCf4Yk9feM8vLYBJnYjSAaDKikp.json

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on June 19, 2019, 05:33:16 PM
Hello,
I have the same problem with my Website:
hxxps://appraisermatch.com
Can you unlock URL?

Detection was removed on 19.06.2019 at 08:33

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: pavleta.taseva on June 24, 2019, 02:05:00 PM
Hello, I am having the same issue with my shopify store (password protected for the moment), namely:
https://www.my-little-store.com/password
Since today it says that the website can harm my pc and it is blocked, saying URL: Phishing. I included it in my exceptions lists of trusted sites but what about my future customers? Why is my site listed as scammy? Please, help me and unblock it or you could also give me directions what to remove from it in order to be able to be white listed again.
Thanks in advance!
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on June 24, 2019, 02:30:08 PM
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on June 26, 2019, 03:16:48 AM
Hello, I am having the same issue with my shopify store (password protected for the moment), namely:
hxxps://www.my-little-store.com/password
Since today it says that the website can harm my pc and it is blocked, saying URL: Phishing. I included it in my exceptions lists of trusted sites but what about my future customers? Why is my site listed as scammy? Please, help me and unblock it or you could also give me directions what to remove from it in order to be able to be white listed again.
Thanks in advance!

Detection was removed 25.06.2019

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: ivakhasashahacker on June 26, 2019, 07:16:57 PM
The AVAST antivirus is blocking the site https://fingid-olimp.com.ua/

Can you fix this glitch?

Regards, Aleksandr
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on June 26, 2019, 09:43:12 PM
Hello ivakhasashahacker,

I do not see problems for your site, as many other domains on that same IP address are being flagged,
that might be the cause of that FP.

One should ask an avast team member to exclude your particular site.
Only avast team members can do that, so wait for their final verdict.

We here are just volunteers with relevant knowledge in the field of 3rd party cold reconnaissance website security.

Consider the following results.

Re: https://urlquery.net/report/1003ac1a-eae6-4e6d-a839-3d0680bce768
Given OK: https://www.virustotal.com/gui/url/731242651cec57b39ee7dd6521232d405ebb13c0c2f798f9950306081a9832fa/detection
Some improvement tips found through linting: https://webhint.io/scanner/504f3289-2dc5-4c8a-954d-19141d5615dc
Pay special attention to the security section there.

Check plug-ins for latest versions:    wp-rocket   & team-showcase

Reputation Check
Quote
PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK

All the best,
regards,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on June 28, 2019, 02:32:04 PM
The AVAST antivirus is blocking the site hxxps://fingid-olimp.com.ua/

Can you fix this glitch?

Regards, Aleksandr

Detection was removed on 28.06.2019

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Nimesh3 on July 02, 2019, 05:18:46 AM
Hello, I am having a problem with my website www.wikye.com  it is reported as phishing website by avast.

I checked everything including files and found nothing is malicious.

https://sitecheck.sucuri.net/results/https/www.wikye.com

Please unblock my website asap.

I am having problems with it.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on July 02, 2019, 05:22:22 AM
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on July 03, 2019, 12:43:02 AM
Hello, I am having a problem with my website wxw.wikye[.]com  it is reported as phishing website by avast.

I checked everything including files and found nothing is malicious.

https://sitecheck.sucuri.net/results/https/www.wikye.com

Please unblock my website asap.

I am having problems with it.

Detection was removed 02.07.2019

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: hembat99 on July 05, 2019, 07:30:07 PM
Pls unblock my website too...It's a false detection

-www.repelmos.in

Pls unblock it.
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on July 05, 2019, 08:12:32 PM
Pls unblock my website too...It's a false detection

repelmos.in

Pls unblock it.

False positive or not (we don't know that as yet) please modify the url so it isn't active to avoid accidental exposure.

As has been mentioned in this topic report it:
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on July 05, 2019, 10:30:57 PM
Hi hembat99,

DavidR is right here. Until an avast team member has given a final verdict, the policy here on the forums is to break links to potentially suspicious or malicious URLs. So -repelmos.in or -http or -https etc. or hxtp or hxtps etc.

The website is not flagged here: https://www.virustotal.com/gui/url/077dc95d60f28f07bf2f3b390695feb26afa785268ee5afbb15726988aaf24f6/details

But it has outdated WordPress CMS version and outdated PHP software and other issues as described here: https://sitecheck.sucuri.net/results/www.repelmos.in   and has a reputation check warning...

Quote
Note: It looks like your site has returned a 403 Forbidden. In some cases the firewall or a bad bot utility will block the use of this tool as a "fake Googlebot", the primary reason for this is the tool is a "fake Googlebot". With a 403 response you should use the Fetch as Googlebot utility in Webmaster Tools to verify your site is returning a 403.


Private exploit filetype.php HAXPLORER detected in source.code...https://support.clean-mx.com/clean-mx/md5.php?Antiy_AVL=Backdoor/PHP.WebShell   re: line 199 -> https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Ln17cHtsbV1zLltuYA%3D%3D~enc

Avast would detect PHP-Agent-AM or likewise for this backdoor.....

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
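The link-breaking convention described in the post above (hxxp/hxtp-style schemes, a leading dash, `[.]` in place of dots), as an added Python example that is not part of the original post or any forum tooling: `defang` breaks live links in a post while leaving scan-report hosts clickable, and `refang` restores the scheme and dot variants for an analyst's own tools. The function names and the constructed sample post are assumptions.

```python
import re

# A live link: http(s) scheme followed by anything up to whitespace or a quote.
LIVE_URL = re.compile(r'\b(https?)://([^\s<>"\']+)', re.IGNORECASE)
# Broken-scheme variants used in this thread: hxxp, hXXps, htxps, hxtp,
# htxtps, and a dash placed in front of http(s).
BROKEN_SCHEME = re.compile(r'(?<!\w)-?h[tx]{2,3}p(s?)://', re.IGNORECASE)
# Sentence punctuation that may trail a URL but is not part of it.
TRAILING = '.,;:!?)'


def defang(text, keep_live=()):
    """Break every live http(s) link in text so it cannot be clicked.

    Hosts listed in keep_live (for example scan-report services) stay live.
    Only the scheme and the host are altered; the path is left as written.
    """
    keep = {h.lower() for h in keep_live}

    def _sub(m):
        scheme, body = m.group(1), m.group(2)
        stripped = body.rstrip(TRAILING)
        trail = body[len(stripped):]
        host, sep, path = stripped.partition('/')
        if host.lower() in keep:
            return m.group(0)
        broken = scheme[0] + 'xx' + scheme[3:]   # http -> hxxp, https -> hxxps
        return f"{broken}://{host.replace('.', '[.]')}{sep}{path}{trail}"

    return LIVE_URL.sub(_sub, text)


def refang(text):
    """Undo the scheme and [.] variants; bare-host tricks such as a leading
    dash without a scheme are not handled."""
    text = BROKEN_SCHEME.sub(lambda m: "http" + m.group(1).lower() + "://", text)
    return text.replace("[.]", ".")


def extract_urls(text):
    """Return the restored URLs found in a post, without trailing punctuation."""
    return [m.group(0).rstrip(TRAILING) for m in LIVE_URL.finditer(refang(text))]


# Constructed sample post: a reported site plus a scan-report link.
SAMPLE_POST = ("My site https://shop.example.com/login is blocked. "
               "Scan: https://www.virustotal.com/gui/url/abc/detection")

if __name__ == "__main__":
    safe = defang(SAMPLE_POST, keep_live={"www.virustotal.com"})
    print(safe)
    print(extract_urls(safe))
```

`defang` is idempotent, so running it over a post that is already partly broken leaves the broken links unchanged.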
Title: Re: Site Blocked - URL:Phishing
Post by: Joanna49 on July 09, 2019, 11:00:51 AM
We have a password protected wordpress site where we keep some internal documents and it is blacked by AVAST as a phishing site
https://ops.pushmerchandising.com

Please can it be un-blacklisted
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on July 09, 2019, 01:10:23 PM
We have a password protected wordpress site where we keep some internal documents and it is blacked by AVAST as a phishing site
https://ops.pushmerchandising.com

Please can it be un-blacklisted
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on July 09, 2019, 01:14:19 PM
Please break active link.

htxtps://ops.pushmerchandising.com

You should report this via the - Reporting Possible False Positive File or Website link.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on July 09, 2019, 04:27:59 PM
Low security risk - site not blacklisted.
VT gives it as clean, also relations: https://www.virustotal.com/gui/domain/ops.pushmerchandising.com/relations
Google Chrome returned code 0
GoogleBot returned code 0
Re: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=XXBzLnB1c2hte31eaHxuI1tzW25nLl5dbQ%3D%3D~enc

Any bad neighbours on that same IP?

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on July 09, 2019, 11:22:01 PM
Pls unblock my website too...It's a false detection

-www.repelmos.in

Pls unblock it.

Detection has been removed in 09.07.2019

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: LukasJ on July 12, 2019, 08:41:57 AM
Hi,
URL block (pushmerchandising[.]com) has been disabled.

Lukas
Title: Re: Site Blocked - URL:Phishing
Post by: rluzzi on July 15, 2019, 08:22:56 PM
Hello,

We have the same problem with our Website:
hxxp://congresoaapresid.org.ar
Can you unlock URL?

Thank you so much!

Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on July 15, 2019, 08:36:26 PM
Hello,

We have the same problem with our Website:
hxxp://congresoaapresid.org.ar
Can you unlock URL?

Thank you so much!
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438


Website is blacklisted by many (also Trend Micro not listed here)
https://www.virustotal.com/gui/url/c3dd095d5f13c63afd3c3aa35fb0864459b0b1e334e95854b694043a3888acd9/detection

IP history  https://www.virustotal.com/gui/ip-address/179.43.114.70/relations

Sucuri  https://sitecheck.sucuri.net/results/congresoaapresid.org.ar
Title: Re: Site Blocked - URL:Phishing
Post by: mchain on July 15, 2019, 08:39:29 PM
Hello,

We have the same problem with our Website:
hXXp://congresoaapresid.org.ar
Can you unlock URL?

Thank you so much!
https://sitecheck.sucuri.net/results/congresoaapresid.org.ar
Please change your url to deactivate it to protect other users here against harm:  hXXp://congresoaapresid.org.ar

[EDIT:]  Thank you DavidR for pointing this out (See reply #310 & #312.)  Link is now broken in quote.
Title: Re: Site Blocked - URL:Phishing
Post by: rluzzi on July 15, 2019, 08:59:50 PM
Hello,

We have the same problem with our Website:
hxxp://congresoaapresid.org.ar
Can you unlock URL?

Thank you so much!

Hello,

We have the same problem with our Website:
hxxp://congresoaapresid.org.ar
Can you unlock URL?

Thank you so much!
https://sitecheck.sucuri.net/results/congresoaapresid.org.ar
Please change your url to deactivate it to protect other users here against harm:  hXXp://congresoaapresid.org.ar

Thank you. I change the url


-----------------------------------------------------


Hello,

We have the same problem with our Website:
hxxp://congresoaapresid.org.ar
Can you unlock URL?

Thank you so much!


-------------------------------------------------------------------------------------------

-We send a report today https://www.avast.com/false-positive-file-form.php
--------------------------------------------------------------------------------------------

The website was attacked a while ago, since we cleaned all the files, the database and placed the site in a new hosting. We report the problem in the Google console and it is solved but the site is on the blacklist. What can we do?

Thank you for the quick answers!
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on July 15, 2019, 09:05:58 PM
Hello,

We have the same problem with our Website:
hxxp://congresoaapresid.org.ar
Can you unlock URL?

Thank you so much!
https://sitecheck.sucuri.net/results/congresoaapresid.org.ar
Please change your url to deactivate it to protect other users here against harm:  hXXp://congresoaapresid.org.ar

Nice that you asked for the URL to be deactivated, but don't forget to deactivate your quoted text with the url in it ;)

As I have here.
Title: Re: Site Blocked - URL:Phishing
Post by: rluzzi on July 15, 2019, 09:23:49 PM
Hello,

We have the same problem with our Website:
hxxp://congresoaapresid.org.ar
Can you unlock URL?

Thank you so much!
https://sitecheck.sucuri.net/results/congresoaapresid.org.ar
Please change your url to deactivate it to protect other users here against harm:  hXXp://congresoaapresid.org.ar

Nice that you asked for the URL to be deactivated, but don't forget to deactivate your quoted text with the url in it ;)

As I have here.

Done :)

Thanks!!
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on July 15, 2019, 10:01:25 PM
@  rluzzi
You did what was asked of you thanks.

My post was directed at mchain, as in his quote of your post (asking for you to modify yours) he forgot to modify the URL in his quoted text  :)
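
The link-breaking convention requested in the posts above (hXXp for the scheme, wXw for a leading www), applied to quoted copies as well as the reply itself, as an added example that is not part of the original thread. The function names, the `KEEP_HOSTS` allowlist for scan-report links and the sample post are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# A link is "live" (clickable once posted) if it carries an http(s) scheme or
# starts with a bare "www." that is not already part of a longer URL.
URL_RE = re.compile(
    r'\bhttps?://[^\s<>()"\']+'           # http:// or https:// links
    r'|(?<![\w./:@-])www\.[^\s<>()"\']+',  # bare www.host links
    re.IGNORECASE,
)

# Assumption: report links on scanner sites are meant to stay clickable.
KEEP_HOSTS = ("sitecheck.sucuri.net", "virustotal.com")


def _host(url):
    """Return the lower-cased host of a matched URL, ignoring trailing punctuation."""
    url = url.rstrip(".,;:!?")
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _is_kept(url, keep_hosts):
    """True if the URL points at an allowlisted host or one of its subdomains."""
    host = _host(url)
    return any(host == k or host.endswith("." + k) for k in keep_hosts)


def defang_url(url):
    """Break one live URL: http(s) -> hxxp(s), leading www. -> wxw."""
    if "://" in url:
        scheme, rest = url.split("://", 1)
        return scheme.lower().replace("tt", "xx") + "://" + rest
    return "wxw." + url[4:]


def defang(text, keep_hosts=()):
    """Break every live link in the text, quoted lines included."""
    def repl(match):
        url = match.group(0)
        return url if _is_kept(url, keep_hosts) else defang_url(url)
    return URL_RE.sub(repl, text)


def live_links(text, keep_hosts=()):
    """List links that would still be clickable, for a check before posting."""
    return [
        m.group(0).rstrip(".,;:!?")
        for m in URL_RE.finditer(text)
        if not _is_kept(m.group(0), keep_hosts)
    ]


# Constructed sample: a reply that breaks the link in its own text but still
# carries the live link inside the quoted copy of the original post.
SAMPLE_POST = """\
> We have the same problem with our website:
> http://blocked-site.example/login
> Can you unlock the URL?
Please break the link: hXXp://blocked-site.example/login
Scan: https://sitecheck.sucuri.net/results/blocked-site.example
Also seen at www.blocked-site.example and HTTPS://blocked-site.example/a?b=1
"""

if __name__ == "__main__":
    print("still live:", live_links(SAMPLE_POST, KEEP_HOSTS))
    print(defang(SAMPLE_POST, KEEP_HOSTS))
```

Running `live_links` on a draft before posting catches the case raised above, where the reply was defanged but the quoted original was not.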
Title: Re: Site Blocked - URL:Phishing
Post by: adebo4all on July 16, 2019, 03:16:56 AM
Hello,

I had this type of problem on this Nigerian news site (https://nnn.com.ng) some long time ago and all I did was to fix the infected file everything becomes fine but on https://morningmail.com.ng, even after moving every file from the server, Avast is still blocking every URL for "URL phishing", please can anyone advise on how to fix this? It is really giving me serious concern.
Title: Re: Site Blocked - URL:Phishing
Post by: mchain on July 16, 2019, 04:02:32 AM
Hello,

I had this type of problem on this Nigerian news site (http://hXXps://nnn.com.ng) some long time ago and all I did was to fix the infected file everything becomes fine but on hXXps://morningmail.com.ng, even after moving every file from the server, Avast is still blocking every URL for "URL phishing", please can anyone advise on how to fix this? It is really giving me serious concern.

Please break both links in quoted text above in your original post as hXXp.  Thank you.

https://quttera.com/detailed_report/nnn.com.ng
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on July 17, 2019, 12:25:08 PM
Wait for a final verdict from an avast team member as they are the only ones that can come and unblock.

Flagged was a detected hidden CSS declaration as suspicious, but the reason for avast detection might be other abuse on that IP,
so you should ask for a domain exclusion as you share that IP with 30 others.

It is not flagged at zulu zscaler nor at Virus Total,
but the IP has been reported for various abuse:
see: https://www.abuseipdb.com/check/74.208.156.171
Quote
Reputation Check: PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK
Cisco Talos Blacklist: OK
Web Server: nginx
X-Powered-By: PleskLin
IP Address: -74.208.156.171
Hosting Provider: 1&1 Internet SE
Shared Hosting: 30 sites found on -74.208.156.171

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Milos on July 18, 2019, 01:29:11 PM
Hello,

I had this type of problem on this Nigerian news site (https://nnn.com.ng) some long time ago and all I did was to fix the infected file everything becomes fine but on https://morningmail.com.ng, even after moving every file from the server, Avast is still blocking every URL for "URL phishing", please can anyone advise on how to fix this? It is really giving me serious concern.
Hello,
report it through https://www.avast.com/false-positive-file-form.php

Milos
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on July 19, 2019, 02:49:07 AM
Hello,

We have the same problem with our Website:
hxxp://congresoaapresid.org.ar
Can you unlock URL?

Thank you so much!

Detection was removed on 18.07.2019 at 15:47 PM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: bogdan64 on July 19, 2019, 11:46:15 AM
Hello,

My site (http://www.automate-nova.ro/) still appears as blocked for URL:Phishing although the site was cleaned. Please help me with this situation.

Thank you.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on July 19, 2019, 12:10:58 PM
Site was blacklisted because of PHISHING at
location: -https://automate-nova.ro/app/access

Both McAfee and Norton have it blacklisted. Whether the PHISH is still actual, is for an avast team member to decide,
we here are just volunteers with relative knowledge, but cannot come and unblock.
So wait for a final verdict.
Title: Re: Site Blocked - URL:Phishing
Post by: bogdan64 on July 19, 2019, 12:29:35 PM
Is there a way to request a reevaluation of the website?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on July 19, 2019, 12:32:17 PM
Is there a way to request a reevaluation of the website?
Posted many times in this topic .....


Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438


Blacklist check
https://www.virustotal.com/gui/url/50a726a8ea30262489fc60f2d530adb43733be8ea0cb50a437512b8b0cf33efd/detection
Title: Re: Site Blocked - URL:Phishing
Post by: Nicolas285 on August 02, 2019, 02:53:32 PM

My site www.elembudoweb.com.ar is blocked by Avast. It informs me that it is a URL phishing. I did several analyses and did not detect any anomaly.

I enclose the tests performed.

https://www.virustotal.com/gui/url/ae43eeb8f36e57f02813753c16d34f68ecfb924d0fc80799617e2d240671ad5c/detection

https://sitecheck.sucuri.net/results/elembudoweb.com.ar

Can you  help me?

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on August 02, 2019, 03:24:32 PM
Quote
Can you  help me?
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on August 02, 2019, 03:34:14 PM
Hello,

My site (hxxp://www.automate-nova.ro/) still appears as blocked for URL:Phishing although the site was cleaned. Please help me with this situation.

Thank you.

Detection was cleared on 02.08.2019 at 10:09 AM.

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: Nicolas285 on August 02, 2019, 04:15:15 PM

I had already informed him but he was still the same. Mysteriously I just received an email and it was fixed. Thank you!
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on August 02, 2019, 05:27:49 PM
Some recommendations for the site-developer/maintainer
Retire.js
bootstrap   3.3.2   Found in http://www.automate-nova.ro/static/js/bootstrap.min.js
Vulnerability info:
High   28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331   
Medium   20184 XSS in data-target property of scrollspy CVE-2018-14041   
Medium   20184 XSS in collapse data-parent attribute CVE-2018-14040   
Medium   20184 XSS in data-container property of tooltip CVE-2018-14042

Javascript errors: Bootstrap's JavaScript requires jQuery
 /static/js/bootstrap.min.js:11

ReferenceError: jQuery is not defined
 /static/js/responsiveslides.min.js:8

ReferenceError: $ is not defined
 /static/js/main.js:1

linting results: https://webhint.io/scanner/a8d79c0d-2107-49f9-ac99-601801225df3  - 126 recommendations.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: AbhiWebSoft on August 13, 2019, 08:59:06 PM
Sir, I can't find any phishing or malware in my website www.nirmalateacherstrainingcollege.com. Why have you blocked my website in your antivirus? Kindly remove it from your phishing URL list. Thanks.
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on August 13, 2019, 09:35:19 PM
Sir, I can't find any phishing or malware in my website www.nirmalateacherstrainingcollege.com. Why have you blocked my website in your antivirus? Kindly remove it from your phishing URL list. Thanks.

As mentioned several times in this topic, your starting point really should be:
Quote
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on August 14, 2019, 08:03:12 AM
Older McAfee blacklisting, 0-iFrame - <iframe style="border: 0;" src="-htxps://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d3597.0374821073747!2d81.38312911501839!3d25.63688148369367!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x0%3A0xb83364cc3c64920b!2sNirmala+Teachers+Training+College!5e0!3m2!1sen!2sin!4v1531576938119" width="400" height="300" frameborder="0" allowfullscreen="allowfullscreen"></iframe> when social button OK.
Not only Avast detects it, but also Bitdefender & Fortinet (spam):
https://www.virustotal.com/gui/url/a1e1cdf4e0b7175bf1a8149ee56fab265120532bc4ec6c94dac2da0a0c8c23f2/detection

Wait for a final verdict from an avast team member as the only ones to come and unblock.
Detection probably because of IP abuse: https://www.virustotal.com/gui/ip-address/173.208.173.98/details

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on August 15, 2019, 03:18:18 PM
Sir, I can't find any phishing or malware in my website wxw.nirmalateacherstrainingcollege.com. Why have you blocked my website in your antivirus? Kindly remove it from your phishing URL list. Thanks.

Detection was removed in 15.08.2019 at  07:18 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: bellarmine16 on August 17, 2019, 07:55:20 PM
This URL block was based on phishing feeds eight months ago.
Of course, if there will be malicious content in the site, then the site will be blocked again.

My site staqpesa.com is also blocked??? Please assist.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on August 17, 2019, 08:00:49 PM
-> https://sitecheck.sucuri.net/results/staqpesa.com
-> https://www.virustotal.com/gui/url/23b5b9ff2682c913566877c57d7024684b86b67231f56914534c013c51294776/detection

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: big.olomofe on August 19, 2019, 07:31:42 PM
Please unblock https://yudimy.com. it is currently blocked for url:phishing. we do not have malware. Please resolve as soon as possible.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on August 19, 2019, 07:37:31 PM
-> https://www.virustotal.com/gui/url/5f0c8c8e72b8f9a4028febdeff0c5ab2455b3361949f7634c71c51bfaa27fe9a/detection
Title: Re: Site Blocked - URL:Phishing
Post by: snasisi on August 20, 2019, 12:21:26 AM
Hello,

Our site Booksie.com was flagged for phishing. We do not have phishing on the site. Please unblock asap. Thank you.

Thank you.
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on August 20, 2019, 12:26:24 AM
Hello,

Our site Booksie.com was flagged for phishing. We do not have phishing on the site. Please unblock asap. Thank you.

Thank you.

As mentioned several times in this topic, your starting point really should be:
Quote
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on August 20, 2019, 07:00:49 AM
Hello,

Our site Booksie.com was flagged for phishing. We do not have phishing on the site. Please unblock asap. Thank you.

Thank you.
-> https://sitecheck.sucuri.net/results/booksie.com
Title: Re: Site Blocked - URL:Phishing
Post by: jwl2019 on August 20, 2019, 02:39:55 PM
Same problem with the payment page on our website.

https://secure.datingpaymentservices.com/payment/auth

Falsely flagged. On Virustotal.com it comes up clean.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on August 20, 2019, 03:06:43 PM
-> https://sitecheck.sucuri.net/results/https/secure.datingpaymentservices.com/payment/auth
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on August 21, 2019, 12:20:30 AM
My site staqpesa.com is also blocked??? Please assist.

Detection was removed in 20.08.2019  04:44 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on August 21, 2019, 12:31:23 AM
Please unblock hxxps://yudimy.com. it is currently blocked for url:phishing. we do not have malware. Please resolve as soon as possible.

Detection has been removed in 20.08.2019 04:47 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.

Hello,

Our site Booksie.com was flagged for phishing. We do not have phishing on the site. Please unblock asap. Thank you.

Thank you.

URL not blocked.

Quote from: Avast
Could you please send us a screenshot of the detection message you're getting? https://support.avast.com/en-ww/article/100/
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on August 21, 2019, 12:35:59 AM
Same problem with the payment page on our website.

hxxps://secure.datingpaymentservices.com/payment/auth

Falsely flagged. On Virustotal.com it comes up clean.

Detection removed

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: LarsSwart on August 23, 2019, 11:50:29 AM
Hi there,

Could you please unblock/remove www.mijnsantanderconsumerfinance.nl from the 'phishing' list? This is the portal for our customers to login to their account and avast is blocking it for at least a portion of the users..

Thanks in advance.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on August 23, 2019, 11:52:37 AM
-> https://sitecheck.sucuri.net/results/www.mijnsantanderconsumerfinance.nl

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on August 23, 2019, 11:23:07 PM
Hi there,

Could you please unblock/remove wxw.mijnsantanderconsumerfinance.nl from the 'phishing' list? This is the portal for our customers to login to their account and avast is blocking it for at least a portion of the users..

Thanks in advance.

Detection has been removed in 23.08.2019 10:54 AM

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: alvinmalan69 on August 24, 2019, 09:16:58 PM
Good day,

My website (nixieactive.com) has been classified as phishing and after running malware security tools it still shows the same message. I have access to the website when I use any other computer that does not have avast secure browsing.

Would you please help resolve this issue.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on August 24, 2019, 09:37:15 PM
Hello alvinmalan69,

Threat risk evaluation: https://app.upguard.com/webscan#/nixieactive.com
Best wait for a review from an avast team member, they are the ones to come and unblock.
we are just volunteers but with years and years of relative knowledge.

Re: https://urlscan.io/result/2683c6d1-ccdb-4416-8da2-39bce392a368#iocs
No actual detections: https://www.virustotal.com/gui/url/a36bb3c3d3996ea3ebfb8955e27a2fb26550a2dd66d47beb088b470cc2c46e38/detection

F-grade results here: https://observatory.mozilla.org/analyze/nixieactive.com
218 website recommendations for improvement: https://webhint.io/scanner/31d10f6e-5f17-49f0-91da-f59199fa2248

Kind regards,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: kurtpatent on August 25, 2019, 05:20:42 AM
I keep getting this message and getting blocked from a doctor's website:

www.docsdermgroup.com

Why?  Can this be fixed??

Thanks.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on August 25, 2019, 07:00:26 AM
-> https://sitecheck.sucuri.net/results/www.docsdermgroup.com
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on August 25, 2019, 01:22:54 PM
Outdated plug-ins form a risk here:
The following plugins were detected by reading the HTML source of the WordPress sites front page.

addthis 6.1.8   latest release (6.2.6)
https://wordpress.org/plugins/addthis/
am_testimonials   
am-sticky-nav   
am-social-buttons   
wp-views   
wordpress-seo 9.5   latest release (11.9)
https://yoa.st/1uj
gravityforms   
layouts 1.0   
types 2.3.5   
duracelltomi-google-tag-manager 1.9.2   latest release (1.10.1)
https://gtm4wp.com/

Directory listing enabled for uploads, a bad security setting.

Many improvement recommendations from linting: https://webhint.io/scanner/07084470-ded6-4498-9de3-da035c97e6c5

Wait for an avast team member to give a final verdict, as
Reputation Check: PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK
Cisco Talos Blacklist: OK

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on August 26, 2019, 03:41:22 PM
Good day,

My website (nixieactive.com) has been classified as phishing and after running malware security tools it still shows the same message. I have access to the website when I use any other computer that does not have avast secure browsing.

Would you please help resolve this issue.

Detection was removed in 16.08.2019 08:41 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on August 26, 2019, 03:47:17 PM
I keep getting this message and getting blocked from a doctor's website:

wxw.docsdermgroup.com

Why?  Can this be fixed??

Thanks.

Detection has been removed 26.08.2019 07:57 AM.

Blocked due to 2 listings found in PhishTank:

http://www.phishtank.com/phish_detail.php?phish_id=5999471

http://www.phishtank.com/phish_detail.php?phish_id=5999470

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: karen229 on August 28, 2019, 05:39:45 AM
Another website that Avast says has phishing but other security methods says it's fine.

Please can you let me know why it's been marked as phishing.

http://countrywidesecurity.com.au/

If it's clear then please can you fix this.
Thanks,
Karen
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on August 28, 2019, 05:51:38 AM
-> https://sitecheck.sucuri.net/results/countrywidesecurity.com.au
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on August 28, 2019, 11:32:40 AM
Website is not being blocked by avast: http://countrywidesecurity.com.au
Retirable code: Retire.js
jquery-ui-dialog   1.10.2   Found in https://ajax.googleapis.com/ajax/libs/jqueryui/1.10.2/jquery-ui.min.js
Vulnerability info:
High   CVE-2016-7103 281 XSS Vulnerability on closeText option   
jquery   1.12.4   Found in http://www.countrywidesecurity.com.au/wp-includes/js/jquery/jquery.js?ver=1.12.4
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: christian.dornhoff on August 28, 2019, 06:57:07 PM
Hi there,
can you please remove our CDN from the Phishing List - https://mma-mp-de-production-cdn.prod.de.metro-marketplace.cloud/

Thx
Chris
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on August 28, 2019, 07:00:47 PM
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438
Title: Re: Site Blocked - URL:Phishing
Post by: christian.dornhoff on August 28, 2019, 07:38:20 PM
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Thx
Title: Re: Site Blocked - URL:Phishing
Post by: touficy on August 29, 2019, 02:52:00 PM
my domain https://www.weservio.com is blocked by your database please unblock it since the code is clean


https://sitecheck.sucuri.net/results/www.weservio.com
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on August 29, 2019, 05:29:33 PM
Fortinet flags this site: https://www.virustotal.com/gui/url/2be2941a581f127318cf0156979c018c9b1ca733886b82e9482adc1c09a2a28e/detection
IP is listed as a dictionary attacker - phish: https://checkphish.ai/ip/5.189.136.124  reported 20 times over recent times.
Error: File not found: -https://weservio.com/social-share-kit-1.0.8/social-share-kit-1.0.8/dist/css/social-share-kit.css
Also see VT relations report: https://www.virustotal.com/gui/ip-address/5.189.136.124/details

Wait for an avast team member to give a final verdict. They are the only ones to come and unblock,
as we here are just volunteers with years of relevant knowledge,

polonus (volunteer 3rd party cold recon website security analyst & website error-hunter)

Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on September 03, 2019, 03:37:53 AM
my domain hxxps://www.weservio.com is blocked by your database please unblock it since the code is clean
https://sitecheck.sucuri.net/results/www.weservio.com

Detection has been removed 30.08.2019

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: caseydehle on September 03, 2019, 05:19:54 PM
My website www.atlastcservices.com won't display. I've added it to an exception on my own devices, but I'm worried customers won't be able to get to it. Avast, can you please tell me how to fix this? It's a squarespace website.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on September 03, 2019, 05:28:11 PM
-> https://sitecheck.sucuri.net/results/www.atlastcservices.com

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 04, 2019, 03:29:39 PM
More than likely the IP that has been blocked:
https://ransomwaretracker.abuse.ch/ip/198.49.23.144/
https://www.abuseipdb.com/check/198.49.23.144
https://otx.alienvault.com/indicator/ip/198.49.23.144

You should ask for an exclusion of your domain from the general IP blocking,

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on September 05, 2019, 03:12:09 PM
My website www.atlastcservices.com won't display. I've added it to an exception on my own devices, but I'm worried customers won't be able to get to it. Avast, can you please tell me how to fix this? It's a squarespace website.

Detection was removed 05.09.2019 10:04 AM

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: Leonard50 on September 09, 2019, 04:08:15 AM
My site square1recovery.com is being blocked for URL Phishing. I have scanned it on multiple platforms and it comes back clean. Could you please check and remove it from the blocked list. Thank you.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on September 09, 2019, 06:27:51 AM
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 09, 2019, 04:14:13 PM
PHISHING detection is for the IP your site is on: https://checkphish.ai/ip/173.82.115.222

WordPress issues with this site: Version does not appear to be latest.
Directory listing seems now disabled, that's OK.
F-grade status: https://observatory.mozilla.org/analyze/square1recovery.com
873 recommendations to improve site: https://webhint.io/scanner/7d6f93bb-599b-4706-8f63-1c36543d793f
of which 157 of these are security related: https://webhint.io/scanner/7d6f93bb-599b-4706-8f63-1c36543d793f#category-Security

Also consider: https://urlscan.io/result/0cbd1465-3865-43dc-a1a8-ab0d9ef59271
Indicators of compromise: https://urlscan.io/result/0cbd1465-3865-43dc-a1a8-ab0d9ef59271#iocs
Privacy scan: https://privacyscore.org/site/144608/  (see -http://yt3.ggpht.com/ tracking BHO search engine).
How to get rid of that: https://otx.alienvault.com/indicator/hostname/yt3.ggpht.com
Consider: https://computervirusremovaltips.blogspot.com/2014/03/what-is-yt3ggphtcom-how-to-remove.html

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on September 10, 2019, 01:54:58 AM
My site square1recovery.com is being blocked for URL Phishing. I have scanned it on multiple platforms and it comes back clean. Could you please check and remove it from the blocked list. Thank you.

Detection was removed in 09.09.2019

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website is not detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: helva on September 11, 2019, 07:02:43 PM
Hello there,

My website https://www.sertifier.com/ is being listed as one of phishing sites to Avast users.

Can you please enlighten me on this issue? I have checked my website many times for malware issues but see none. Can you please fix this issue?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on September 11, 2019, 07:08:32 PM
-> https://sitecheck.sucuri.net/results/https/www.sertifier.com

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on September 13, 2019, 03:21:25 PM
Hello there,

My website hxxps://www.sertifier.com/ is being listed as one of phishing sites to Avast users.

Can you please enlighten me on this issue? I have checked my website many times for malware issues but see none. Can you please fix this issue?

Detection will be removed

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: bearing_666 on September 14, 2019, 04:17:01 AM
please unblock 4ce.ca and its subdomains.....

There was never any phishing and as the site is a URL shortener, I would like you to apply the same rules you do for sites like bit.ly to this one.

https://safeweb.norton.com/report/show?url=4ce.ca
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on September 14, 2019, 08:17:25 AM
-> https://sitecheck.sucuri.net/results/4ce.ca

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on September 18, 2019, 03:04:32 AM
Hello there,

My website hxxps://www.sertifier.com/ is being listed as one of phishing sites to Avast users.

Can you please enlighten me on this issue? I have checked my website many times for malware issues but see none. Can you please fix this issue?

The detection of the removed by AVG today 17.09.2019 at 09:27 in the morning

Quote from: AVG
The detection by AVG was incorrect and was removed in a recent AVG update, please wait at least 24 hours.

Avast has been confirmed that it is no longer being blocked.

please unblock 4ce.ca and its subdomains.....

There was never any phishing and as the site is a url shortener, I would like if you apply the same rules you do for sites like bit.ly to this one.

https://safeweb.norton.com/report/show?url=4ce.ca

Detection was removed yesterday
Title: Re: Site Blocked - URL:Phishing
Post by: Anon5 on September 24, 2019, 05:32:22 AM
Our site is being listed as one of phishing sites http://zero400photo.com.au/

Could you please remove it from the blocked list.
Title: Re: Site Blocked - URL:Phishing
Post by: Shabbir Ahmad on September 24, 2019, 05:37:04 AM
URL detection disabled.

My site is still blocked: as there are no phishing things in it, it's cleaned.

http://connect.brooklynmusicfactory.com/

Please unblock it.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on September 24, 2019, 09:20:48 AM
Our site is being listed as one of phishing sites hxxp://zero400photo.com.au/

Could you please remove it from the blocked list.
-> https://sitecheck.sucuri.net/results/zero400photo.com.au
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 24, 2019, 03:44:49 PM
@Shabbir Ahmad,

There is code after html that is suspicious anyways: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Xl1ubntedC5ifV1da2x5bm11c1teZnxedF19eS5eXW1g~enc

VT does not flag: https://www.virustotal.com/gui/url/00c35e15a2926244f6b6e0c648c6098cd21f5292fe643415662484f2610ebf8a/detection

Wait for an avast team member to give a final verdict, they are the only ones to come and unblock,

xJavaScript error: File not found: hxtp://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

ReferenceError: $ is not defined
 /login.php:53

Quote
C+ privacy grade: This website is insecure.
66% of the trackers on this site could be protecting you from NSA snooping. Tell -brooklynmusicfactory.com to fix it.

Identifiers | All Trackers
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

 -cdnjs.cloudflare.com__cfduid
-3r8vm6njnjptpou6lkglh50dr7 connect.brooklynmusicfactory.comphpsessid

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

P.S. Seems to me that website is no longer flagged by avast's.
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on September 25, 2019, 01:11:33 AM
You have got your answer, use the process of reporting what you consider an FP in the link that I provided.  That goes directly to avast and the avast virus team.  Only they can deal with it.

Making multiple posts on the same issue how it is done, it just means multiple people end up responding and as mentioned above isn't going to get the direct attention you require. 

Most respondents in the forums are Avast Users, not Avast Team (seen in the info to the left of posts) so can't remove your site without it being investigated by avast.

Sites are only flagged by Avast (not by being reported by anyone) so only they can remove it.
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on September 25, 2019, 02:20:37 AM
Quote
The link provided only gives the option of giving a link with almost no info, so what can be said there? Nothing.
You can when they reply to your mail
Title: Re: Site Blocked - URL:Phishing
Post by: Anon5 on September 25, 2019, 04:13:07 AM
Our site is being listed as one of phishing sites hxxp://zero400photo.com.au/

Could you please remove it from the blocked list.
-> https://sitecheck.sucuri.net/results/zero400photo.com.au

My site is still blocked and also our site is cleaned.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on September 25, 2019, 04:14:15 AM
Our site is being listed as one of phishing sites hxxp://zero400photo.com.au/

Could you please remove it from the blocked list.
-> https://sitecheck.sucuri.net/results/zero400photo.com.au

My site is still blocked and also our site is cleaned.

Detection will be removed tomorrow
Already submitted to virus lab
Title: Re: Site Blocked - URL:Phishing
Post by: Arsalan6 on September 25, 2019, 10:54:58 AM
I am having similar problem for my domain www.pakarmoring.com/  kindly remove the block
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on September 25, 2019, 01:01:11 PM
I am having similar problem for my domain www.pakarmoring.com/  kindly remove the block

As has been mentioned before, several times in this topic.

You can report it - Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php and it will be investigated.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on September 26, 2019, 04:20:45 AM
Our site is being listed as one of phishing sites hxxp://zero400photo.com.au/

Could you please remove it from the blocked list.
-> https://sitecheck.sucuri.net/results/zero400photo.com.au

My site is still blocked and also our site is cleaned.

Detection was removed on 25.09.2019 at 06:49 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on September 26, 2019, 04:22:37 AM

My site is still blocked: as there are no phishing things in it, it's cleaned.

hxxp://connect.brooklynmusicfactory.com/

Please unblock it.

Detection was removed on 25.09.2019 at 07:11 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 26, 2019, 11:50:29 AM
Site has been reported for PHISHing at: -http://pakarmoring.com/wp-content/upd/gdoc/yahoo.php

Wrong settings enabled for User Enumeration in CMS:
 User Enumeration
  The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   arsalan   arsalan
2   None   None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Wrong settings for Directory Listing set:
  Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directores. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Website had at one moment: Threat Name:Web Attack: Ransomlock Website
Location:-http://pakarmoring.com/wp-includes/jx/newp/ii.php

Threat Name:Web Attack: Ransomlock Website
Location:-http://pakarmoring.com/wp-includes/cx/gdoc/

Retirable jQuery libraries detected: https://retire.insecurity.today/#!/scan/49e7ed2f336379e4b9c4a8e4fc495cb96687dfafea9196345c2bb56f4ac61f8f

147 Linting recommendations: https://webhint.io/scanner/4b692cee-d349-4fc9-9ef1-a07d145c558f

4 engines that detect: https://www.virustotal.com/gui/url/db0596f2296e8135e788862827f9cce9a75cfab997e862b9d43bf7568f22d92f/detection
IP blocklisted and various detections on your website: https://www.virustotal.com/gui/ip-address/69.73.184.160/relations

Seems no longer blocked by avast's, as website coming soon.  ;)


polonus (3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on September 27, 2019, 04:06:59 AM
I am having similar problem for my domain wxw.pakarmoring.com/  kindly remove the block

Detection has been removed in 26.09.2019 at 04:20 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Amy D on September 28, 2019, 04:17:19 PM
https://goo.gle/gocc_01_sea
With this link I get the same pop up message from avast. Could anyone unlock this for me?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on September 28, 2019, 04:25:32 PM
https://goo.gle/gocc_01_sea
With this link I get the same pop up message from avast. Could anyone unlock this for me?
If you think it is wrong then report it .... looks suspicious since it asks for your google password?


Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: Amy D on September 28, 2019, 04:44:35 PM
https://goo.gle/gocc_01_sea
With this link I get the same pop up message from avast. Could anyone unlock this for me?
If you think it is wrong then report it .... looks suspicious since it asks for your google password?


Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

Thank you!
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 28, 2019, 05:52:20 PM
Here you can see that that address you give is redirecting to:
 -https://prismatic-age-179203.appspot.com/gprep_tech1/register *

See at: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Z11dLmdse2BnXV5eXzAxX3N7fA%3D%3D~enc

* this redirected address seems OK, when scanned for at VT: https://www.virustotal.com/gui/url/80eaf94a693eff0787e1bb09a5f45ac2cc20a93e06d65e7240bdc08c23a26adf/details
while associated relations affiliates will kick up quite some flags, also at VT (when we dig a little deeper):
https://www.virustotal.com/gui/ip-address/172.217.212.153/relations

Wait for a final verdict by an avast team member, they are the ones to come and unblock,
whenever that should be appropriate.

By the way the redirect address complete uri just kicks up an error,
while the general domain address opens up to Google Online Challenge,
with a hostname as -iad23s69-in-f20.1e100.net
There we come to encounter a "404 not found", nothing to do with avast detection, I assume.
So you are probably barking at the wrong tree, and it is an internal hiccup at Google's.  ;)

Just for the record some scan results on that redirecting domain address.

DOM-XSS issues Results from scanning URL: -https://prismatic-age-179203.appspot.com/
Number of sources found: 0
Number of sinks found: 22

Scan also opens up to: -https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js
Number of sources found: 43
Number of sinks found: 0  (bootstrap.min.js Is it really needed, read the discussion at StackOverflow's:
-> https://stackoverflow.com/questions/48738305/jquery-min-js-is-it-needed-bootstrap-4-0-0-alpha-6  )
   &
Results from scanning URL: -https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js
Number of sources found: 33
Number of sinks found: 10
   &
Results from scanning URL: -https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js
Number of sources found: 33
Number of sinks found: 10

2 vulnerable libraries with retirable jQuery library code:
https://retire.insecurity.today/#!/scan/29241cb52ddcbce0960ccbec1d7e624aaa73d4855946a407918867b6c81e65f4
scan info credits go to Erlend Oftedal

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: martineli_martineli on October 05, 2019, 07:24:06 AM
Same here for
Autods.com
Can u please unblock it?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on October 05, 2019, 07:26:06 AM
-> https://sitecheck.sucuri.net/results/Autods.com
Title: Re: Site Blocked - URL:Phishing
Post by: martineli_martineli on October 05, 2019, 01:56:58 PM
Well avast blocked the site because of phishing. What to do then, when the site is secure?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on October 05, 2019, 02:13:56 PM
Well avast blocked the site because of phishing. What to do then, when the site is secure?
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on October 05, 2019, 07:21:50 PM
VT gives the site as clean: https://www.virustotal.com/gui/url/3f9278444a9f00bf4dada6d52cad059e626103f84c533e9b911390740ef29d0c/details
Probable reason for detection is malware on other domains on that same IP:
https://www.virustotal.com/gui/ip-address/104.24.102.175/relations

CMS Word Press version is outdated. Site issue and outdated software PHP: https://sitecheck.sucuri.net/results/Autods.com
Also consider: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=fHV0XSNzLl5dbQ%3D%3D~enc

DOM-XSS issues: Results from scanning URL: -https://Autods.com
Number of sources found: 162
Number of sinks found: 513
&
Results from scanning URL: -https://code.jquery.com/ui/1.11.4/jquery-ui.min.js
Number of sources found: 27
Number of sinks found: 8
&
Results from scanning URL:-https://autods.com/wp-content/cache/busting/1/wp-content/themes/Avada/includes/lib/assets/min/js/library/packery-2.0.0.js
Number of sources found: 4
Number of sinks found: 2
&
Results from scanning URL: -https://autods.com/wp-content/cache/busting/1/wp-content/plugins/fusion-builder/assets/js/min/general/fusion-column-1.js
Number of sources found: 5
Number of sinks found: 2  Stating congratulations you have reached the end of the Internet  ::)
&
Results from scanning URL: -https://autods.com/wp-content/cache/busting/1/wp-content/themes/Avada/includes/lib/assets/min/js/general/fusion-responsive-typography-1.js
Number of sources found: 27
Number of sinks found: 5
&
Results from scanning URL: -https://www.googletagmanager.com/gtag/js?id=UA-125371527-2
Number of sources found: 33
Number of sinks found: 12
&
Results from scanning URL: -https://autods.com/wp-content/cache/busting/1/wp-content/plugins/heateor-facebook-comments-moderation/js/front/front-1.2.10.js
Number of sources found: 23
Number of sinks found: 24
&
Results from scanning URL: -https://autods.com/wp-content/cache/busting/1/wp-content/themes/Avada/includes/lib/assets/min/js/library/packery-2.0.0.js
Number of sources found: 79
Number of sinks found: 16
& last but not least
Results from scanning URL: -https://code.jquery.com/ui/1.11.4/jquery-ui.min.js
Number of sources found: 294
Number of sinks found: 14

See the vulnerabilities on the CloudFlare server for that IP: https://www.shodan.io/host/104.24.102.175
Note: the device may not be impacted by all of these issues. The vulnerabilities are implied based on the software and version.
linux-gnu-SF.

polonus (3rd party cold recon website security analyst and website error-hunter)
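
What the "sources" and "sinks" counts in scan results like the ones above measure, as an added example that is not part of the original post and not the scanner's own code. The pattern lists are assumed and non-exhaustive, and both scripts are constructed; the point is that a raw count differs from a statement where a source actually reaches a sink.

```python
import re

# Assumed, non-exhaustive pattern lists for illustration; a real scanner's
# lists differ. Sources are places attacker-influenced data enters a script.
SOURCE_PATTERNS = [
    r"\blocation\.(?:hash|search|href|pathname)\b",
    r"\bdocument\.(?:URL|documentURI|referrer|cookie)\b",
    r"\bwindow\.name\b",
]
# Sinks are calls or properties that can execute or render what reaches them.
SINK_PATTERNS = [
    r"\.innerHTML\s*=",
    r"\.outerHTML\s*=",
    r"\bdocument\.write(?:ln)?\s*\(",
    r"\beval\s*\(",
    r"\bset(?:Timeout|Interval)\s*\(\s*['\"]",
    r"\.insertAdjacentHTML\s*\(",
]

SOURCE_RE = re.compile("|".join(SOURCE_PATTERNS))
SINK_RE = re.compile("|".join(SINK_PATTERNS))


def strip_comments(js):
    """Drop /* */ and // comments so commented-out code is not counted.

    Simplification: a '//' inside a string literal is also cut, unless it
    follows a colon as in 'http://'.
    """
    js = re.sub(r"/\*.*?\*/", "", js, flags=re.S)
    return re.sub(r"(?m)(?<!:)//.*$", "", js)


def scan(js):
    """Return raw counts plus the statements where a source meets a sink."""
    code = strip_comments(js)
    statements = [s.strip() for s in re.split(r"[;\n]", code) if s.strip()]
    direct = [s for s in statements
              if SOURCE_RE.search(s) and SINK_RE.search(s)]
    return {
        "sources": len(SOURCE_RE.findall(code)),
        "sinks": len(SINK_RE.findall(code)),
        "direct_flows": direct,
    }


# Constructed sample: sinks fed only by constants, as in much library code.
LIBRARY_LIKE = """
// el.innerHTML = location.hash;  (commented out, must not count)
function render(el) { el.innerHTML = "<b>ready</b>"; }
var page = location.pathname;
document.write("<p>static banner</p>");
"""

# Constructed sample: the URL fragment is written straight into the page.
RISKY = """
var box = document.getElementById("msg");
box.innerHTML = decodeURIComponent(location.hash.slice(1));
"""

if __name__ == "__main__":
    for label, sample in (("library-like", LIBRARY_LIKE), ("risky", RISKY)):
        result = scan(sample)
        print(label, result["sources"], "sources,", result["sinks"], "sinks,",
              len(result["direct_flows"]), "direct flow(s)")
```

The library-like sample scores more sinks than the risky one, yet only the risky one contains a statement that needs review.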
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on October 07, 2019, 02:14:19 PM
Same here for
Autods.com
Can u please unblock it?

Detection was removed in 07.10.2019 at 04:59 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: jam_jam2 on October 08, 2019, 10:13:15 PM
Hello.
I have problem with my site. The avast has blocked my site. pizzeriananda.fi  could you please unblock my site.
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on October 08, 2019, 10:24:50 PM
Hello.
I have problem with my site. The avast has blocked my site. pizzeriananda.fi  could you please unblock my site.
Sucuri scan  https://sitecheck.sucuri.net/results/pizzeriananda.fi

urlvoid  https://www.urlvoid.com/scan/pizzeriananda.fi/

Virustotal  https://www.virustotal.com/gui/url/85602daec9493010c461d2328744a8e9f105c6b29582c7ccd64aeb7acc0edbb6/detection




Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on October 08, 2019, 11:28:56 PM
Here a phishing test came up undecided: https://www.immuniweb.com/radar/?id=QJnzNkG7

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: kankanyan on October 09, 2019, 09:04:16 AM
Avast started blocking legitimate company web site https://www.nsasoft.us with reason "URL:phishing". This site doesn't have anything related with "URL:phishing". How to fix and remove this alert?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on October 09, 2019, 09:06:03 AM
Avast started blocking legitimate company web site https://www.nsasoft.us with reason "URL:phishing". This site doesn't have anything related with "URL:phishing". How to fix and remove this alert?

Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php


Sucuri scan  >>  https://sitecheck.sucuri.net/results/https/www.nsasoft.us


Blacklist check  >>  https://www.virustotal.com/gui/url/c60360e150218aced045232a440096a8dbc49880c18fa5377c7d3fefcae6971e/detection
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on October 09, 2019, 11:18:34 AM
4 engines to detect it on the VirusTotal IP relations scan, one of the first to bark at it, is Bitdefender's. (fresh scans).

Redleg's File Viewer alerts for:
Quote
URLs that redirect found in: -https://www.nsasoft.us

1: -http://www.wa4y.com/wa.html?wa4y_uid=WA4Y_1_1&wa4y_event=OnPageView&wa4y_js=0 ->
-https://www.wa4y.com/wa4y_api/wahtml.php?wa4y_uid=WA4Y_1_1&wa4y_event=OnPageView&wa4y_js=0

Note: The URLs listed above that were found in the page you are checking are redirecting to other URLs. In many cases the redirects are legitmate so it can be tricky to determine whether or not the redirects are causing a problem. Take a look at the URL that is being redirected to -- Does it look suspicious?? Is the domain being redirected to shown on the malware warning (if you are getting one)?

A moment ago we scanned: https://www.virustotal.com/gui/url/cb0c2bfedad0a9b29edcdb9faa86d8cc5bcb85d17871f9e5aef7486a6027a125/detection
See: https://www.virustotal.com/gui/ip-address/66.206.5.203/relations

So this could well be an FP, wait for an avast team member to give the final verdict. We do not know about the download files?

53
tcp
dns-tcp
-9.11.4-P2-RedHat-9.11.4-9.P2.el7  (with backported security fixes, moderate bind security bug detected).

Excessive server info proliferation is a bad thing however, as malcreants just have to look for existing vuln. & exploits
or create their own code against it.

Resolver name: server.nsasoft.us -> https://toolbar.netcraft.com/site_report?url=http://server.nsasoft.us&refresh=1#history_table

Not found up here: http://isitphishing.org/ -> https://www.bitsdujour.com/software/nsasoft-hardware-software-inventory/virus-scan

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on October 12, 2019, 02:10:38 AM
Hello.
I have problem with my site. The avast has blocked my site. pizzeriananda.fi  could you please unblock my site.

Detection was removed on Wednesday 09.10.2019 at 03:43 AM.

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: mastersoft2 on October 12, 2019, 03:23:59 PM
Hi, I'm having problems with my website (www.mastersoft.com.cy), whenever I try to access it from any computer that has Avast installed it does not allow access.

The site is hosted by bluehost and after a full scanning they tell me the site is clean.

The site is actually still empty, just a welcome screen.

We mainly use the site's FTP to upload new versions for our clients.

Please advise since we cannot serve our customers anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on October 12, 2019, 04:09:19 PM
Probably a html detection related to that domain's IP:
https://www.virustotal.com/gui/ip-address/74.118.69.26/relations

Wait for a final verdict by an avast team member,
as we cannot come and unblock, only avast team members do.

1. URL: -http://www.mastersoft.com.cy/
  Server response code and content type: 301, text/html; charset=UTF-8
  Elapsed time: 1350.80ms
  Dr.Web not recommended websites database: Clean
  Redirect:-http://mastersoft.com.cy/
2. URL: -http://mastersoft.com.cy/
  Server response code and content type: 200, text/html; charset=UTF-8
  Elapsed time: 862.71ms
  Dr.Web not recommended websites database: Clean
  Size: 8048
  MD5: 9a2851c69f8f0956e85615200a5b20c7
  Scan time: 29.07ms
  Scan result: clean
  Full Dr.Web scan report: *

3. URL: -http://mastersoft.com.cy/wp-includes/js/jquery/jquery.js
  Server response code and content type: 200, application/javascript
  Elapsed time: 456.60ms
  Dr.Web not recommended websites database: Clean
  Size: 96873
  MD5: 49edccea2e7ba985cadc9ba0531cbed1
  Scan time: 150.40ms
  Scan result: clean
  Full Dr.Web scan report: *

2019-10-12 17:05:15

Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist:OK
Web Server:
nginx/1.17.3
X-Powered-By:
None
IP Address:
-162.241.218.145
Hosting Provider:
Unified Layer
Shared Hosting:
8000 sites found on -162.241.218.145

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on October 12, 2019, 04:52:30 PM
-> https://sitecheck.sucuri.net/results/www.mastersoft.com.cy
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on October 15, 2019, 04:02:27 AM
Avast started blocking legitimate company web site hxxps://www.nsasoft.us with reason "URL:phishing". This site doesn't have anything related with "URL:phishing". How to fix and remove this alert?

Detection was removed in 14.10.2019 at 07:50 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on October 15, 2019, 04:03:45 AM
Hi, I'm having problems with my website (wxw.mastersoft.com.cy), whenever I try to access it from any computer that has Avast installed it does not allow access.

The site is hosted by bluehost and after a full scanning they tell me the site is clean.

The site is actually still empty, just a welcome screen.

We mainly use the site's FTP to upload new versions for our clients.

Please advise since we cannot serve our customers anymore.

Detection was removed in 14.10.2019 at 07:24 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Mahmoud Ofeisa on October 15, 2019, 03:07:04 PM
Hello,

I have the same issue "URL:Phishing" with my website "www.mahmoud-ofeisa.com".
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on October 15, 2019, 06:02:30 PM
Here the site was not found to be phishing: https://phishcheck.me/47661/details
No indications here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lm18aG1ddSMtXWZ7W3N8Ll5dbQ%3D%3D~enc

Your Word Press CMS is outdated, update a.s.a.p.

Again 5 engines detect PHISHING at the IP you share with other domains:
https://www.virustotal.com/gui/url/eeada5a06e596ca581edd0517ecd0efe55f246a02d99235b8d91c75cc1639c93/detection

See: https://www.shodan.io/host/178.128.194.130

2 vulnerable jQuery libraries detected on website: https://retire.insecurity.today/#!/scan/a70ade7b966e00ad73f6050494df1437911a92a65bd32b5cd9ebb0f1b81fd38a

DOM-XSS flaws found: Results from scanning URL: -https://www.mahmoud-ofeisa.com/wp-content/themes/latte/assets/js/parallax.min.js?ver=5.1.3
Number of sources found: 44
Number of sinks found: 2
&
Results from scanning URL: -https://www.googletagmanager.com/gtag/js?id=UA-149912833-1
Number of sources found: 33
Number of sinks found: 12

Wait for a final verdict from an avast team member, as they are the only ones that can come and unblock,
we just advise you through relative knowledge of website security analysis.

Netcraft Risk Rating 10 red out of 10: https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.mahmoud-ofeisa.com
12 immediate threats: https://app.upguard.com/webscan#/www.mahmoud-ofeisa.com

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on October 16, 2019, 11:39:50 PM
Hello,

I have the same issue "URL:Phishing" with my website "wxw.mahmoud-ofeisa.com".

Detection was removed in 16.10.2019 at 12:21 PM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: omega5 on October 17, 2019, 11:39:00 PM
I also have this problem with http://omegacomputuerservices.ca

1. Please remove this website from your blacklist.

2. Why is this (our) site on your blacklist?

3. Assuming that there was a good reason at one time in the past, why is it still on the list? Don't you guys check these things? Or is it damned once then damned for all time? Not every website that has an issue was designed to be bad. Some could have been attacked and hacked by outside people. Don't you believe that these problems could be eventually found, fixed , and security tightened up?

If you keep reporting a currently good site as bad, it is not the site's problem, it is Avast's. If you are not reliable, then there is no point in using your services, is there?

4. If you don't respond to points 2 and 3, that is an indication of how much you care about customers, which could be reciprocated by how much customers care about your product.
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on October 17, 2019, 11:47:06 PM
Quote
4. If you don't respond to points 2 and 3, that is an indication of how much you care about customers, which could be reciprocated by how much customers care about your product.
They will not respond unless you report it the correct way .... and how to do that is posted in many replies in this topic
Title: Re: Site Blocked - URL:Phishing
Post by: Michael (alan1998) on October 18, 2019, 12:15:37 AM
<Edit>
Got it.

Please ensure you give us the RIGHT url next time --> http://omegacomputerservices.ca
Title: Re: Site Blocked - URL:Phishing
Post by: Michael (alan1998) on October 18, 2019, 12:36:40 AM
Google has you guys listed as a Computer Consultant company.

This URL >> hxxp://www.omegacomputerservices.ca/

Flagged by BitDefender >> https://www.virustotal.com/gui/url/1ab0119ceaa1f93075a443789b762161b0f972347bbc0dd6df0e574a5178c004/detection
URLVoid reveals 2 bans >> https://www.urlvoid.com/scan/omegacomputerservices.ca/
Sucuri warnings on non-https >> https://sitecheck.sucuri.net/results/omegacomputerservices.ca

You keep referencing an email address to omega@portal.ca. Portal.ca appears to be offline.
Offline >> https://downforeveryoneorjustme.com/portal.ca

Interesting though, because the omega website has MX (Mail eXchange) records on it.
DNS >> https://www.ultratools.com/tools/dnsLookupResult

Polonus will more than likely have more to add.

Volunteer

As for points 2 and 3,

To answer them
Quote
2. Why is this (our) site on your blacklist?
The anti-virus tells you, Phishing.

Quote
3. Assuming that there was a good reason at one time in the past, why is it still on the list? Don't you guys check these things? Or is it damned once then damned for all time? Not every website that has an issue was designed to be bad. Some could have been attacked and hacked by outside people. Don't you believe that these problems could be eventually found, fixed , and security tightened up?
No, you're not damned once, then damned for all time. There are 28 pages (IN THIS THREAD) of people having their respective issues handled. Your comment served no purpose other than to annoy people.

Do they check up on domains? Hell. No. There are 324.6 million domains registered. Avast! definitely does not have the time to check them; and for that matter, no company has the time to check that many domains.

Hacked by others: Yes, that's true, domains can be hacked by others. That's your job to fix, whether that means doing it yourself, or contracting someone else is up to you. Here's what Avast! knows, it's doing something bad. That's the bottom line, not "who did it" because that doesn't matter.

Do you believe problems can be found, fixed and security tightened: Yes, obviously. Reference 28 pages in this thread alone of people like Polonus, Jefferson and Pondus pointing out vulnerable jQueries, software or plain stupid oversights.

To respond to point 4.
Quote
If you don't respond to points 2 and 3, that is an indication of how much you care about customers, which could be reciprocated by how much customers care about your product.
It's an indication if you go through official channels maybe. Most of the people on these forums (with exceptions like Milos, VitSU, and others) are all here as volunteers. These forums are not monitored 24/7, and while Avast! usually keeps tabs around, others usually call Avast!'s attention to updates and responses in threads so they don't get lost.

The OFFICIAL way of documenting a potential false-positive can be found here >> https://www.avast.com/false-positive-file-form.php.

Quote
If you keep reporting a currently good site as bad, it is not the site's problem, it is Avast's. If you are not reliable, then there is no point in using your services, is there?
On the surface, all may appear well and good. Heck, there may not even be a way to get from the homepage to the phishing page. The phishing page might be buried to avoid detection. I've seen this in the wild, legit websites (hotel in this case) be completely normal on the surface, and then have a full blown Microsoft phishing page buried deep, with no way of accessing unless you have the direct URL (or seriously go hunting for it.)
Title: Re: Site Blocked - URL:Phishing
Post by: omega5 on October 18, 2019, 02:34:40 AM
Quote
The OFFICIAL way of documenting a potential false-positive can be found here >> https://www.avast.com/false-positive-file-form.php.

I started with avast.com. The above looks like the proper place to go but either I did not find a way to get there, (I could have missed the link) or I didn't get a response (It has been a few months since I first started this quest). Google eventually led me to this place but I don't feel up to reading 4000 responses to catch up on the history of this issue.

The website in question is static. It does not ask for any information from the viewer. The most sophisticated thing it does is to use bootstrap to properly display on various devices.

The email address is as it is for historical reasons. The ISP was absorbed by others but the email address domain still exists. The mailbox associated with omegacomputerservices.ca exists but is not being used.

omegacomputerservices.COM is a different company and today that url redirects to ocs.help.

A bit over a year ago, something hacked the site and a separate subdirectory tree was planted. This was ripped out and, currently, nothing that does not belong there is there.

But avast details reports URL:Phishing with the offending URL being
http://omegacomputerservices.ca/bootstrap/css/bootstrap-responsive.css   one time and
http://omegacomputerservices.ca/bootstrap/js/jquery.js                            another time
and eventually just about every file in that directory tree. If there were an actual problem, it would not move around from file to file.

From this forum I did discover  sitecheck.sucri.net  and
https://sitecheck.sucuri.net/results/omegacomputerservices.ca
says the site is clean.

If I were not using Avast, I would not be aware that Avast had a problem with this website. If Avast would continue showing it bad until somebody tells Avast that it is not, the false status could go on forever.

If any of this helps in solving the problem, then thank you all and thank the goddesses. If this does not solve the problem, then the goddesses will need another sacrifice.

Title: Re: Site Blocked - URL:Phishing
Post by: Michael (alan1998) on October 18, 2019, 02:10:49 PM
3. Assuming that there was a good reason at one time in the past, why is it still on the list? Don't you guys check these things? Or is it damned once then damned for all time? Not every website that has an issue was designed to be bad. Some could have been attacked and hacked by outside people. Don't you believe that these problems could be eventually found, fixed , and security tightened up?

A bit over a year ago, something hacked the site and a separate subdirectory tree was planted. This was ripped out and, currently, nothing that does not belong there is there.

See, now we're getting somewhere... Instead of half-assed accusing Avast! of not caring about customers, would it not have been simpler to say "We got hacked a year ago, we cleaned it up, can you check and confirm, and remove our website [from your list] accordingly?"? It's a lot simpler, and a hell of a lot more civil. I would argue that Avast! must care about its customers if they've chosen to block a webpage that had been compromised.


Quote
But avast details reports URL:Phishing with the offending URL being
http://omegacomputerservices.ca/bootstrap/css/bootstrap-responsive.css   one time and
http://omegacomputerservices.ca/bootstrap/js/jquery.js                            another time
and eventually just about every file in that directory tree. If there were an actual problem, it would not move around from file to file.
Avast! likely blocked your entire domain, not a specific file. That behaviour is not uncommon on any platform, Avast! or otherwise.


Quote
From this forum I did discover  sitecheck.sucUri.net  and
https://sitecheck.sucuri.net/results/omegacomputerservices.ca
says the site is clean.
OK, that's one check... What about the other half dozen? There are websites that I don't even know about. The basis for a detection is not made solely off one website typically. I have reported your domain to Avast! for re-evaluation. I will draw the attention of Milos to this thread as well.


A note for other platforms that detect you. Be honest, don't beat around the bush - tell them you were hacked a year ago, and cleaned it up (as opposed to saying.. "Maybe there was a reason?" then "Yes, we were hacked"). And be civil, otherwise they may just ignore you.
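Added example (not part of any post in this thread): for a static site like the one discussed above, a planted subdirectory that nothing links to will not be found by crawling from the homepage, but it does show up when the webroot is compared with a known-good manifest. The directory names, file contents and function names below are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large assets do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(webroot):
    """Map every file (path relative to webroot, '/' separated) to its SHA-256.

    Symlinks are recorded by target instead of being followed, so a planted
    link is reported as a change rather than silently traversed.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(webroot, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = sha256_of(full)
    return manifest


def top_level_dirs(manifest):
    """Top-level directory names that contain at least one manifest entry."""
    return {path.split("/", 1)[0] for path in manifest if "/" in path}


def compare(known_good, current):
    """Report drift between a known-good manifest and the live webroot."""
    shared = set(known_good) & set(current)
    return {
        "unexpected": sorted(set(current) - set(known_good)),
        "missing": sorted(set(known_good) - set(current)),
        "modified": sorted(p for p in shared if known_good[p] != current[p]),
        # A whole new tree is the pattern described in the thread.
        "new_top_level_dirs": sorted(top_level_dirs(current) - top_level_dirs(known_good)),
    }


def demo():
    """Constructed static site: baseline it, simulate a compromise, report drift."""
    with tempfile.TemporaryDirectory() as webroot:
        root = Path(webroot)
        (root / "bootstrap" / "js").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Static site</h1>")
        (root / "bootstrap" / "js" / "jquery.js").write_text("/* vendor library */")
        baseline = build_manifest(webroot)

        # Simulated compromise (constructed): an unlinked tree plus one edited file.
        planted = root / "planted-example" / "secure" / "login"
        planted.mkdir(parents=True)
        (planted / "index.html").write_text("<form>constructed placeholder</form>")
        (root / "bootstrap" / "js" / "jquery.js").write_text("/* vendor library */ /* appended */")

        return compare(baseline, build_manifest(webroot))


if __name__ == "__main__":
    for key, values in demo().items():
        print(key, values)
```

Keep the known-good manifest off the web server (for example with the deployment source), otherwise whoever alters the site can alter the manifest too.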
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on October 18, 2019, 02:20:22 PM
Well said Michael..!! :) 8)
Title: Re: Site Blocked - URL:Phishing
Post by: Michael (alan1998) on October 18, 2019, 04:04:57 PM
Well said Michael..!! :) 8)

Ay, cheers! (Asyn is another one of the top helpers around here, Omega). Makes me look like small game :P)

@Omega5; Your domain has been whitelisted. Stay safe out there.

Hello,
if you mean the "omegacomputerservices.ca" it was unblocked today, 09:38 CET

Milos
Title: Re: Site Blocked - URL:Phishing
Post by: lbeslay on October 21, 2019, 09:32:01 AM
Hy,

i have a Website hacked, but i deleted everything, did a new one, everything is clean; Google reviewed the url, but i'm still blacklisted in Avast and McAfee ...

Please can you whitelist it ?

this is the url:

www.mmeruetabaga.org

thank you.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on October 21, 2019, 11:25:28 AM
-> https://sitecheck.sucuri.net/results/www.mmeruetabaga.org
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on October 23, 2019, 02:31:31 AM
Hy,

i have a Website hacked, but i deleted everything, did a new one, everything is clean; Google reviewed the url, but i'm still blacklisted in Avast and McAfee ...

Please can you whitelist it ?

this is the url:

wxw.mmeruetabaga.org

thank you.

Detection was removed in 22.10.2019 at 03:59 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Danielle11 on October 25, 2019, 09:14:08 PM
I think I have a similar problem trying to login Shoppers' Drug Mart. 
The address is https://accounts.pcid.ca/login

I called Shoppers and they say their site is secured and that there are no problems reported.

Title: Re: Site Blocked - URL:Phishing
Post by: Michael (alan1998) on October 25, 2019, 09:35:04 PM
PC Optimum is owned by Loblaws (who also own Shoppers, Super Store etc).

Do you get the warning on the PC Optimum website? >> https://www.pcoptimum.ca/login
Title: Re: Site Blocked - URL:Phishing
Post by: Danielle11 on October 25, 2019, 09:42:39 PM
Ohhh …. I can login using https://www.pcoptimum.ca/login !
I will change my settings

Many many many thanks !


Title: Re: Site Blocked - URL:Phishing
Post by: Winglio on October 26, 2019, 09:29:39 PM
Hi, could you please unblock https://office.winglio.com/
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on October 26, 2019, 10:07:26 PM
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on October 28, 2019, 10:04:02 PM
Hi, could you please unblock hxtps://office.winglio.com/

Detection was removed in 28.10.2019 at 11:00 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: on October 30, 2019, 02:42:09 AM
Hi, my site https://pyramid-1491.com/ is being detected as url:phishing by avast. Can you help to unblock the site?
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on October 30, 2019, 06:10:02 AM
Hi 皓,

Probably some issue with the proxy VPN server at Linode's at 172.105.195.170

Wait for a final verdict from an avast team member, we have relative knowledge but only avast team members can come and unblock.  Website seems to have a good web rep and no detection at Virus Total at the moment.
Request returned: 您的请求在Web服务器中没有找到对应的站点!(not finding corresponding site!).

See issues: https://www.shodan.io/host/172.105.195.170

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on October 30, 2019, 01:10:00 PM
This is the content code I get
Quote
Content that was returned by your request for the URL: https://pyramid-1491.com/
also see: https://www.virustotal.com/gui/url/b0d3988efc7914ac6d3391354f8e716fdc01045af9913c89def2c2bb953a545e/detection

1:  < html>
2:  < head> < title> 502 Bad Gateway< /title> < /head>
3:  < body>
4:  < center> < h1> 502 Bad Gateway< /h1> < /center>
5:  < hr> < center> nginx< /center>
6:  < /body>
7:  < /html> Content after the < /html> tag should be considered suspicious.

8:  < !-- a padding to disable MSIE and Chrome friendly error page -->
9:  < !-- a padding to disable MSIE and Chrome friendly error page -->
10:  < !-- a padding to disable MSIE and Chrome friendly error page -->
11:  < !-- a padding to disable MSIE and Chrome friendly error page -->
12:  < !-- a padding to disable MSIE and Chrome friendly error page -->
13:  < !-- a padding to disable MSIE and Chrome friendly error page -->
IP = 34.80.130.210 Google Cloud address returned
Quote
Header returned by request for: https://pyramid-1491.com/ -> 34.80.130.210

HTTP/2 502
server: nginx
date: Wed, 30 Oct 2019 12:05:48 GMT
content-type: text/html
content-length: 552

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on October 30, 2019, 03:29:06 PM
Hi, my site hxxps://pyramid-1491.com/ is being detected as url:phishing by avast. Can you help to unblock the site?

Detection was removed in 30.10.2019 at 09:13 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Jamie131 on November 10, 2019, 12:33:50 PM
Please unblock: https://www.verpakkingenzo.nl/ site is all clear
The phishing has been removed a few months ago
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 10, 2019, 01:42:16 PM
Hello Jamie131,

VirusTotal does give the website as clean: https://www.virustotal.com/gui/file/f730c6185bde492f4eec5364f5cdb212ce0d7a77e77bcfa5bfd6415e511d72aa/behavior/VirusTotal%20Cuckoofork
and https://www.virustotal.com/gui/url/f98d33c625fe20c00a3d6fe54f6bdffc94b6830dd76b61a15eae26eb45ee1aa5/details

There were 2 engines to detect, but that was the previous month:
https://www.virustotal.com/gui/url/45b57651d4d6fcf580d1f39e13d4211c3c320af64e513d73b5ce71ae6ee4d4be/detection
Hopefully that all has been cleansed.

Did some linting for the website, see 49 recommendations there:
https://webhint.io/scanner/a585099b-a1de-4a50-94b4-2701b6174b0b

Wait for a final verdict from an avast team member, they are the only ones to come and unblock.
We here are just volunteers with relevant knowledge for website security improvement advice.

Kind regards,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: stalker780 on November 11, 2019, 06:29:39 PM
Hi, what is wrong with https://lovelybunny.com.ua?

Why is it blocked for phishing?  :o

It never had any security problems or viruses.

PS
you captcha blew my mind 100 times till I placed this post :(
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on November 11, 2019, 06:39:12 PM
Hi, what is wrong with hxxps://lovelybunny.com.ua?

Why is it blocked for phishing?  :o

It never had any security problems or viruses.

PS
you captcha blew my mind 100 times till I placed this post :(

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php

Just because you haven't had any security problems or viruses doesn't mean you won't.

That said, nothing found at https://sitecheck.sucuri.net/results/lovelybunny.com.ua, so use the report a suspected FP site in the link above.

The Captcha, is only for the first three posts, it is an anti spam measure so has to be hard.
Title: Re: Site Blocked - URL:Phishing
Post by: stalker780 on November 11, 2019, 06:58:55 PM


You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php

Just because you haven't had any security problems or viruses doesn't mean you won't.

That said, nothing found at https://sitecheck.sucuri.net/results/lovelybunny.com.ua, so use the report a suspected FP site in the link above.

The Captcha, is only for the first three posts, it is an anti spam measure so has to be hard.

Already reported. Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on November 11, 2019, 08:01:08 PM
You're welcome.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 11, 2019, 10:10:57 PM
This could well have been an FP because of another domain detected sharing the same IP:
https://www.virustotal.com/gui/ip-address/78.46.204.251/relations

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on November 12, 2019, 03:02:34 AM
Please unblock: hxxps://www.verpakkingenzo.nl/ site is all clear
The phishing has been removed a few months ago

Detection was removed in 11.11.2019 at 05:59 AM.

Quote
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Jamie131 on November 13, 2019, 07:31:00 AM
Hello Jamie131,

VirusTotal does give the website as clean: https://www.virustotal.com/gui/file/f730c6185bde492f4eec5364f5cdb212ce0d7a77e77bcfa5bfd6415e511d72aa/behavior/VirusTotal%20Cuckoofork
and https://www.virustotal.com/gui/url/f98d33c625fe20c00a3d6fe54f6bdffc94b6830dd76b61a15eae26eb45ee1aa5/details

There were 2 engines to detect, but that was the previous month:
https://www.virustotal.com/gui/url/45b57651d4d6fcf580d1f39e13d4211c3c320af64e513d73b5ce71ae6ee4d4be/detection
Hopefully that all has been cleansed.

Did some linting for the website, see 49 recommendations there:
https://webhint.io/scanner/a585099b-a1de-4a50-94b4-2701b6174b0b

Wait for a final verdict from an avast team member, they are the only ones to come and unblock.
We here are just volunteers with relevant knowledge for website security improvement advice.

Kind regards,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Thanks for your reply. Is there a form i need to fill out to let a Avast team member check and unblock, or is this forum the right place.

Thanks again
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on November 13, 2019, 07:33:45 AM
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: RestoPro on November 19, 2019, 03:38:42 PM
Your Chrome extension declares our websites as phishing !!

We have a big problem with your Chrome extension, which declares some of our websites as phishing even though they are official restaurant websites. It blocks the visitor completely and prevents him from accessing the restaurant's official site.

Because of you, visitors with your extension cannot access those websites.

Here are some examples of website :

https://www.la-table-du-coin-restaurant-saint-herblain.com/
https://www.la-brasserie-de-la-place-restaurant-aix-en-provence.com
https://www.brasserie-gg-restaurant-la-fare-les-oliviers.com
https://www.le-pacha-du-sloop-restaurant-st-jean-cap-ferrat.com
https://www.la-merenda-de-la-place-restaurant-gattieres.com
https://www.casa-luna-restaurant-saint-laurent-du-var.com
https://www.le-rendez-vous-restaurant-aix-en-provence.com
https://www.le-rendez-vous-aixois-restaurant-aix-en-provence.com
https://www.domaine-de-cocagne-restaurant-cagnes-sur-mer.com
https://www.le-zen-restaurant-plan-de-campagne-cabries.com
https://www.la-voile-bleue-restaurant-mandelieu-la-napoule.com
https://www.les-tables-de-la-fontaine-restaurant-avignon.com
https://www.restaurant-comptoir-des-barons-aix-en-provence.com

This is not full, it is just a sample.

All those websites are official restaurant websites. They receive bookings thanks to those websites.

So can you add all our websites to your whitelist (those and the future websites), or can you explain to us why your extension blocks those websites?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on November 19, 2019, 03:55:40 PM
Report a false positive (select file or website)

>>  https://www.avast.com/false-positive-file-form.php



Title: Re: Site Blocked - URL:Phishing
Post by: RestoPro on November 19, 2019, 04:01:49 PM
I launch 40 official restaurant websites per month, I can't always report a false positive. I want to understand why you declare them as phishing.
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on November 19, 2019, 04:03:52 PM
I launch 40 official restaurant websites per month, I can't always report a false positive. I want to understand why you declare them as phishing.
And if you report, avast lab will answer you / tell you why








Title: Re: Site Blocked - URL:Phishing
Post by: RestoPro on November 19, 2019, 04:09:05 PM
I reported one website to see their answer and their delays. I hope they will do the necessary, otherwise we'll have to start an official process against them.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 19, 2019, 10:27:31 PM
Hi RestoPro,

You should wait for an avast team member to give a final verdict and explanation, why there is no FP.

I for now see no detections elsewhere and a clean blacklist timeline for given domains.

According to me the detection is because of the hosting domain certificate common_name_invalidity.
See: https://toolbar.netcraft.com/site_report?url=mgnt.vixns.net
This site has a certificate error - is flagged by Google Safe Browsing as an unsafe connection
For mgnt.vinxns dot net I get a "NET::ERR_CERT_COMMON_NAME_INVALID".

and https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lmx8LXR8Ymx7LSN1LV5dW24tfXtzdHx1fXxudC1zfFtudC1oe31ibHxbbi5eXW1g~enc

Nothing out of the ordinary here: https://webcookies.org/cookies/www.la-table-du-coin-restaurant-saint-herblain.com/28658816?889543

Is the link to MNSocial.ttf above board? Check file for Trojan Agent malcode, could be that was held to be the FP. *

polonus

* Downloaded it and found it to be safe.
Title: Re: Site Blocked - URL:Phishing
Post by: ipstop on November 25, 2019, 03:03:40 PM
hello i have the same problem with my Website:
htxps://mnstat.website
i did few tests and no malware found
take a look
https://rescan.pro/result.php?2338d82766c553fe1731bdc3e986af91
https://scanner.pcrisk.com/detailed_report/mnstat.website#details
https://sitecheck.sucuri.net/results/https/mnstat.website
no malware found...
Can you unlock URL?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on November 25, 2019, 03:12:37 PM
Report a false positive (select file or website)

>>  https://www.avast.com/false-positive-file-form.php



Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 25, 2019, 04:54:50 PM
Important to make users aware how to report FP to avast team members,
as they are the only ones to unblock.

As we see here for the website mentioned above, as it is made using jQuery, it is important to notice this retirable jQuery library,
see: https://retire.insecurity.today/#!/scan/15375ba00864c7476694919a201a94e3165796e1397bddc9cc74c613c1b6b83e

Recommendations to come to a better website found through linting:
https://webhint.io/scanner/83482881-f961-474a-a36d-731ed8c6aa02  (96 hints).

No present detection on VT: https://www.virustotal.com/gui/ip-address/45.76.182.146/relations

Wait for a final verdict from an avast team member for an eventual unblocking.

polonus (volunteer 3rd party cold recon website security analyst & website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on November 25, 2019, 10:17:49 PM
I reported one website to see their answer and their delays. I hope they will do the necessary, otherwise we'll have to start an official process against them.

Detection was removed on 20.11.2019
Title: Re: Site Blocked - URL:Phishing
Post by: ipstop on November 26, 2019, 01:08:00 PM
thanks a lot all of us.
Title: Re: Site Blocked - URL:Phishing
Post by: ipstop on November 26, 2019, 01:08:55 PM
Important to make users aware how to report FP to avast team members,
as they are the only ones to unblock.

As we see here for the website mentioned above, as it is made using jQuery, it is important to notice this retirable jQuery library,
see: https://retire.insecurity.today/#!/scan/15375ba00864c7476694919a201a94e3165796e1397bddc9cc74c613c1b6b83e

Recommendations to come to a better website found through linting:
https://webhint.io/scanner/83482881-f961-474a-a36d-731ed8c6aa02  (96 hints).

No present detection on VT: https://www.virustotal.com/gui/ip-address/45.76.182.146/relations

Wait for a final verdict from an avast team member for an eventual unblocking.

polonus (volunteer 3rd party cold recon website security analyst & website error-hunter)

THANKS, IM WORKING ON IT.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 26, 2019, 01:15:54 PM
Hi ipstop,

You're welcome. Thanks for reporting and being responsible.
It is not only you and your website(s) that will get more secure.

That is why we are into it, and you did the right thing.

Have a nice day,

polonus (volunteer 3rd party cold recon website security analyst & website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Paramita3 on December 02, 2019, 09:55:49 AM
Hi, I have one website (niveducation.com), it is not opening, all the time showing phishing. But it has been checked by GOOGLE SAFE BROWSER, 100% safe, NO MALWARE, NO VIRUS, BUT those computers that have Avast antivirus are always blocking my site. Please check it, and try to disable the phishing.
 
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on December 02, 2019, 10:03:11 AM
-> https://sitecheck.sucuri.net/results/niveducation.com
-> https://www.virustotal.com/gui/url/5b6bd09c2608c10cc2ec4829172e5109ef5c6ea27b0fd341330c452b0119cb2f/detection
Title: Re: Site Blocked - URL:Phishing
Post by: Paramita3 on December 02, 2019, 11:02:18 AM
hi i have one blog niveducation.com
it is an educational blog
it has nothing phishing in it. it is cleared in all antivirus. google has also cleared.
it is blocked by avast.

kindly review my site and please unblock it.
regards
paramita
email:paramita.dassarma@gmail.com
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 02, 2019, 03:14:15 PM
Hi Paramita3,

Linting produced 435 improvement recommendations:
https://webhint.io/scanner/21b585e5-8019-482c-a925-16d5f63d1396

Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist: OK

Word Press configuration seems OK.

Detected through Retire.Js:
Quote
Retire.js
jquery   1.12.4   Found in https://niveducation.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

IP detection has not changed since two years ago.
For address last detections 4 av engines at 2019-12-02, that is to-day's.
https://www.virustotal.com/gui/url/5b6bd09c2608c10cc2ec4829172e5109ef5c6ea27b0fd341330c452b0119cb2f/detection

Wait for an avast team member to give a final verdict, but be aware other av-vendors have the website also blacklisted.
Privacy grade is a B+ grade's.

polonus (3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Paramita3 on December 03, 2019, 07:04:36 PM
i have sent the application for whitelisting program of Avast, i have attached the whitelisting document. but my site, i.e. https://niveducation.com/, is still blocked in avast, kindly unblock it.
paramita
paramita.dassarma@gmail.com 
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on December 04, 2019, 02:02:45 AM
hi i have one blog niveducation.com
it is an educational blog
it has nothing phishing in it. it is cleared in all antivirus. google has also cleared.
it is blocked by avast.

kindly review my site and please unblock it.
regards
paramita

Detection was removed in 03.12.2019 at 06:53 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Lycurgue on December 08, 2019, 04:31:51 PM
Hi,

Is it possible not to block Microsoft Academic for phishing?
It is a false positive I think.

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on December 08, 2019, 07:20:07 PM
Hi,

Is it possible not to block hxxps://academic.microsoft.com for phishing?
It is a false positive I think.

Thanks

There appears to be a redirect going on from that page, whether it is legit is the question.
See attached images.

Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php

Please modify your post to break the live link to what is (currently) a suspect link.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 08, 2019, 07:56:51 PM
Consider detections for that IP: https://www.virustotal.com/gui/ip-address/13.107.246.10/relations
Also the security implications of this scan: https://webcookies.org/cookies/academic.microsoft.com/28731043?840701

No base-uri allows attackers to inject base tags which override the base URI to an attacker-controlled origin.
Set to 'none' unless you need to handle tricky relative URLs scheme.

The page loads 3 third-party JavaScript files and 6 CSS,
but does not employ Sub-Resource Integrity to prevent breach if a third-party CDN is compromised

But wait for an avast team member to give a final verdict as they are the only ones to come and unblock.
We here are just volunteers with relative knowledge.

Here website is not flagged either: https://sitecheck.sucuri.net/results/https/academic.microsoft.com

Maybe this is the info flagged: "This site uses cookies for analytics, personalized content and ads.
By continuing to browse this site, you agree to this use".

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
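Added example (not part of the post above, and not the scanner's own code): one way to reproduce the Sub-Resource Integrity finding is to list cross-origin scripts and stylesheets that carry no usable `integrity` attribute, and to compute the value a pinned copy would need. The page URL, markup and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DIGEST_SIZES = {"sha256": 32, "sha384": 48, "sha512": 64}
DEFAULT_PORTS = {"http": 80, "https": 443}


def sri_value(body, algorithm="sha384"):
    """integrity attribute value for the exact bytes the third party serves."""
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def has_valid_integrity(attribute):
    """True if at least one token is a supported algorithm with a full-length digest."""
    for token in (attribute or "").split():
        algorithm, _, encoded = token.partition("-")
        encoded = encoded.split("?", 1)[0]  # drop optional ?options suffix
        try:
            raw = base64.b64decode(encoded, validate=True)
        except ValueError:
            continue
        if DIGEST_SIZES.get(algorithm.lower()) == len(raw):
            return True
    return False


def origin(url):
    """(scheme, host, port) with default ports filled in, for same-origin comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme))


class SubresourceCollector(HTMLParser):
    """Collect <script src> and <link rel=stylesheet href> with their integrity value."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (kind, absolute URL, integrity attribute or None)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "script" and attr.get("src"):
            kind, ref = "script", attr["src"]
        elif tag == "link" and "stylesheet" in attr.get("rel", "").lower().split() and attr.get("href"):
            kind, ref = "style", attr["href"]
        else:
            return
        self.resources.append((kind, urljoin(self.page_url, ref), attr.get("integrity") or None))


def missing_sri(page_url, html):
    """Cross-origin scripts/stylesheets that a compromised CDN could change unnoticed."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    page_origin = origin(page_url)
    return [
        (kind, url)
        for kind, url, integrity in collector.resources
        if origin(url) != page_origin and not has_valid_integrity(integrity)
    ]


# Constructed sample page: two unpinned third-party files, one pinned, two local.
SAMPLE_PAGE_URL = "https://site.example/app/"
SAMPLE_HTML = f"""
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://cdn.example/lib/theme.css">
<script src="//cdn.example/lib/widget.js"></script>
<script src="https://cdn.example/lib/pinned.js"
        integrity="{sri_value(b'constructed library body')}" crossorigin="anonymous"></script>
<script src="js/local.js"></script>
<script>/* inline code is not a subresource */</script>
"""

if __name__ == "__main__":
    for kind, url in missing_sri(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"no SRI on third-party {kind}: {url}")
```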
Title: Re: Site Blocked - URL:Phishing
Post by: Lycurgue on December 09, 2019, 09:32:04 AM
@polonus

Hi,

Thanks for the details. But, can you tell me what the following message means:

Quote
Set to 'none' unless you need to handle tricky relative URLs scheme.

What do I have to set to none?

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 09, 2019, 01:09:08 PM
Hi Lycurgue,

This is all about security header settings to better protect the website.

No Content Security Policy found or implemented unsafely. See reported in the scan results here:
https://webcookies.org/cookies/academic.microsoft.com/28731043?840701

'no base URI (no resource in the file system containing the query), settings are too easy for a scraper to scrape all of the site.
Content Security Policy setting - Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins.

See D-status here: https://observatory.mozilla.org/analyze/academic.microsoft.com
CSP - Content Security Policy (CSP) implemented unsafely.

This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.

Looking for help, scan here, as again Google is your best friend in this respect:
https://csp-evaluator.withgoogle.com/?csp=https://academic.microsoft.com (credits go to:  Lukasz Weichselbaum)

On Microsoft Azure as hosting organization: https://www.shodan.io/host/13.107.246.10

And see what was found on IP relations qua detections:
https://www.virustotal.com/gui/ip-address/13.107.246.10/relations

yours respectfully,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
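Added example (not part of the post above, and not the code of any scanner it links to): a small audit of a `Content-Security-Policy` header value for the issues the post lists, namely a missing policy, a missing `base-uri`, `'unsafe-inline'` or `data:` in `script-src`, and broad or unrestricted `script-src`/`object-src`. The sample policies and finding labels are constructed for illustration.

```python
BROAD_SOURCES = {"*", "http:", "https:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a header value into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources for a fetch directive, falling back to default-src; None if nothing applies."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def audit_csp(header):
    """Return finding labels for one Content-Security-Policy value (None = header absent)."""
    if not header or not header.strip():
        return ["no-csp"]
    policy = parse_csp(header)
    findings = []

    # base-uri is not a fetch directive: it does NOT inherit from default-src,
    # so a policy with only "default-src 'self'" still allows an injected <base>.
    if "base-uri" not in policy:
        findings.append("base-uri-missing")

    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}-unrestricted")
            continue
        lowered = [source.lower() for source in sources]
        if directive == "script-src" and "'strict-dynamic'" in lowered:
            # CSP Level 3 browsers ignore host/scheme sources and 'unsafe-inline' here.
            continue
        for broad in sorted(BROAD_SOURCES.intersection(lowered)):
            findings.append(f"{directive}-broad:{broad}")
        if directive == "script-src":
            pinned = any(source.startswith(NONCE_OR_HASH) for source in lowered)
            # With a nonce or hash present, browsers ignore 'unsafe-inline'.
            if "'unsafe-inline'" in lowered and not pinned:
                findings.append("script-src-unsafe-inline")
            if "data:" in lowered:
                findings.append("script-src-data")
    return findings


# Constructed sample policies.
SAMPLES = {
    "absent": None,
    "weak": "default-src https:; script-src 'self' 'unsafe-inline' data: https:",
    "default-only": "default-src 'self'",
    "no-script-rules": "img-src 'self'; base-uri 'self'",
    "hardened": "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; "
                "object-src 'none'; base-uri 'none'",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name}: {audit_csp(header) or 'no findings'}")
```

The `default-only` sample is the case behind the question in this exchange: the value to set to `'none'` (or `'self'`) is the `base-uri` directive, and `default-src` does not cover it.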

Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on December 10, 2019, 02:14:42 PM
Hi,

Is it possible not to block Microsoft Academic for phishing?
It is a false positive I think.

Thanks

Detection was removed in 10.12.2019 at 06:38 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.

Title: Re: Site Blocked - URL:Phishing
Post by: grimaldi.j on December 10, 2019, 02:23:35 PM
I'm having issues with my website https://truenorthdroneservices.com/ getting reports of phishing scam with Avast & AVG users.  I've been on multiple times and have run every scan imaginable showing my site is clean but the issues still persist.  I'm seeing something called URL block that needs to be disabled on my site.  Please Help! 
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on December 10, 2019, 02:26:50 PM
-> https://sitecheck.sucuri.net/results/https/truenorthdroneservices.com
-> https://www.virustotal.com/gui/url/47050016a3a8437f191fbb3c9bbc33fc4082ef9e3002e616d27352999c18a994/detection

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 11, 2019, 01:52:28 PM
Vuln. libraries: https://retire.insecurity.today/#!/scan/c402bd832bfb421ea391a1c839552bc3af364ddd8be6811d5951a4b68a74e470
Netcraft Risk status 1 red out of 10: https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Ftruenorthdroneservices.com%2F
Not being flagged here: https://www.virustotal.com/gui/ip-address/146.66.109.198/relations
Word Press CMS version does not seem to be the latest, update.
24 hints found through linting: https://webhint.io/scanner/95db2f63-07ef-4323-a9cc-71adc252897d

Strange here we get hosted in Bulgaria: https://www.shodan.io/host/146.66.109.198
Here we get inside USA, Clark Str. , Chicago -> https://dazzlepod.com/ip/?ip_address=146.66.109.198

Website is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping. Tell -truenorthdroneservices.com to fix it.

 All trackers
At least 4 third parties know you are on this webpage.

-truenorthdroneservices.com truenorthdroneservices.com
 -Google
 -static.kuula.io
 -Google

Retirable jQuery library detected:
Quote
jquery   1.12.4   Found in -https://truenorthdroneservices.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   -
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   -
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

Wait for a final verdict from an avast team member as they are the only ones to come and unblock.
It appears to me the site is not being blocked by avast's at all.

polonus (3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: informatique.omf on December 12, 2019, 03:45:54 PM
Hello ,
We have a problem with our site www.o-sge.com, it does not appear on computers that have avast installed, and it shows us a phishing problem.
Apparently our site is save on your blacklist.
Thank you for unlocking us

Our website: www.o-sge.com
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on December 12, 2019, 03:55:48 PM
Hello ,
We have a problem with our site www.o-sge.com, it does not appear on computers that have avast installed, and it shows us a phishing problem.
Apparently our site is save on your blacklist.
Thank you for unlocking us

Our website: www.o-sge.com
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php



Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 12, 2019, 05:14:30 PM
33 instances of malware there: https://quttera.com/detailed_report/www.o-sge.com
Severity:   Malicious
Reason:   Detected encoded JavaScript code commonly used to hide malicious behaviour.
Details:   Detected malicious inserted JavaScript code

WordPress CMS version outdated - update a.s.a.p.

Outdated plug-in detected: WordPress Plugins

The following plugins were detected by reading the HTML source of the WordPress sites front page.
   elementor 2.7.2   latest release (2.8.1)
https://elementor.com/
   CuteSlider    
   revslider    

Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

There are likely more plugins installed than those listed here as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths using a dedicated tool.

Misconfigurations
User Enumeration

  The first two user ID's were tested to determine if user enumeration is possible.
ID   User   Login
1   None    osge
2   None    manager

It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Only the first two user ID's were tested with this scan, try the advanced membership options for detailed enumeration of users, themes and plugins.

See recent flags: https://www.virustotal.com/gui/ip-address/5.153.23.19/relations
Website had smut content? Re: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=XS1zZ3suXl1tYGZdbnRzYF51c3RdbXt9X157bnR7fWB4YnxufG58LW1ddGh7fWZ1Xmt7fTk5OQ%3D%3D~enc
Presently no content returned:     Google Chrome returned code 0      GoogleBot returned code 0

https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=XS1zZ3suXl1t~enc
See: https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.o-sge.com%2F

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on December 17, 2019, 11:32:44 PM
I'm having issues with my website hxxps://truenorthdroneservices.com/ getting reports of phishing scam with Avast & AVG users.  I've been on multiple times and have run every scan imaginable showing my site is clean but the issues still persist.  I'm seeing something called URL block that needs to be disabled on my site.  Please Help!

URL is not being blocked

Quote from: Avast
The provided URL doesn't seem to be detected by Avast. Could you please send us a screenshot of the detection message you're getting? https://support.avast.com/en-ww/article/100/
Title: Re: Site Blocked - URL:Phishing
Post by: Karno Nur Cahyo on December 31, 2019, 02:52:33 AM
Hello, can our company's site be unblocked or deleted from the blacklist? Our company website is https://braindevs.com, currently there is no phishing link found on our site, here is the proof https://sitecheck.sucuri.net/results/braindevs.com

Please respond, as soon as possible, thank you
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on December 31, 2019, 03:02:42 AM
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php



Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 31, 2019, 12:54:39 PM
3 engines still detect PHISHING: https://www.virustotal.com/gui/url/b6c4df602f6e5c7738684e433ed1638b91e9878426f95fde5d01a22a75b35f8a/detection

CMS issues to be set to disabled!
User Enumeration
  The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   braindevs   braindevs
2   Ondoh   finance
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

 Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

3 to detect your domain: https://www.virustotal.com/gui/ip-address/181.215.53.109/relations

Recommendations for improving website and website security:
https://webhint.io/scanner/06263b18-a616-471a-b724-e31a6be61128

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on January 02, 2020, 11:21:21 PM
Hello ,
We have a problem with our site wxw.o-sge.com, it does not appear on computers that have avast installed, and it shows us a phishing problem.
Apparently our site is saved on your blacklist.
Thank you for unlocking us

Our website: wxw.o-sge.com

Detection was cleared in 02.01.2020 at 07:39 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on January 02, 2020, 11:23:31 PM
Hello, can our company's site be unblocked or deleted from the blacklist? Our company website is hxxps://braindevs.com, currently there is no phishing link found on our site, here is the proof https://sitecheck.sucuri.net/results/braindevs.com

Please respond, as soon as possible, thank you

Detection was removed in 02.01.2020 at 07:00 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: luca-dl on January 04, 2020, 06:28:30 PM
Hello, also my website https://light4.it/  seems blocked by Avast Web Shield ...
Threat: URL: Phishing
Please, anyone knows which improvement I can do for getting visible back again?
Many thanks
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on January 04, 2020, 07:13:41 PM
Hello, also my website hxxps://light4.it/  seems blocked by Avast Web Shield ...
Threat: URL: Phishing
Please, anyone knows which improvement I can do for getting visible back again?
Many thanks

As has been mentioned many times in this topic:
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php

Many sites used for analysis are given in this very large topic, which can give you an idea of the problem, which may or may not resolve the problem.  Only submitting the report directly to avast will have them at least check it again.

https://sitecheck.sucuri.net/results/light4.it (https://sitecheck.sucuri.net/results/light4.it)
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on January 04, 2020, 11:15:12 PM
See the potential problems in the scan here:
https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=bFtnaHQ0Llt0~enc

No major setting problems in Word Press  CMS, just links inside noscript tags can be problematic because they are hidden from most users. You want to make sure they are all legitimate links, no spam.

Wait for a final verdict from avast team members, they are the only ones to come and unblock,
or block when the detection is genuine,

polonus (3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: luca-dl on January 05, 2020, 05:07:46 PM
Thank You DavidR and ginkuie barzo polonus!

(actually noscript tags are generated from the wordpress main theme ... I'll check how to fix it)
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on January 05, 2020, 05:54:28 PM
@luca-dl

You're welcome! Don't mention it.  ;)

polonus

P.S. Also take it up with Bitdefender's, as they still block your site through Bitdefender's TrafficLight extension.
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on January 05, 2020, 06:04:23 PM
Thank You DavidR and ginkuie barzo polonus!

(actually noscript tags are generated from the wordpress main theme ... I'll check how to fix it)

You're welcome, hopefully you will find your resolution.
I haven't used NoScript in a very long time, from it wasn't compatible with a new Firefox version add-on scripting code.  I didn't pull it back in when it became compatible. 

I now use uBlock Origin in conjunction with uMatrix and I get an avast web shield alert if I visit the link you gave.  So I'm not sure it has anything to do with NoScript.

If you haven't followed through with the false positive link I would do so https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: Kristian41 on January 23, 2020, 03:58:27 PM
Hi guys, wondering if you could help me out my website http://www.klrrail.co.uk/ will not load due to a problem of phishing how do i fix this?
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on January 23, 2020, 04:46:39 PM
Hi guys, wondering if you could help me out my website http://www.klrrail.co.uk/ will not load due to a problem of phishing how do i fix this?

Use this to report directly:
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on January 24, 2020, 04:58:45 AM
-> https://sitecheck.sucuri.net/results/www.klrrail.co.uk
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on January 24, 2020, 06:11:34 AM
Site has not been flagged here: Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist:OK

WordPress CMS version outdated: Version does not appear to be latest.

Update plug-ins: WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.

responsive-lightbox 2.2.2   latest release (2.2.2)
http://www.dfactory.eu/plugins/responsive-lightbox/
woocommerce 3.8.1   latest release (3.9.0)
https://woocommerce.com/
mailchimp-for-woocommerce   latest release (2.3.1)
https://mailchimp.com/connect-your-store/
contact-form-7 5.1.6   latest release (5.1.6)
https://contactform7.com/
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

Wrong configuration setting:
Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

See other detections from domains on the IP you are on: https://www.virustotal.com/gui/ip-address/69.16.237.104/relations

You were originally blocked for a PHISHING attempt for -https://klrrail.co.uk/01/share.zip by Norton's.
Do not see that there any longer: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=a2x9fXxbbC5eXS51aw%3D%3D~enc

Wait for a final verdict from an avast team member as they are the only ones to come and unblock.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on January 25, 2020, 02:00:41 AM
Hi guys, wondering if you could help me out my website hxxp://www.klrrail.co.uk/ will not load due to a problem of phishing how do i fix this?

Detection was removed in 24.01.2020 at 04:52 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: JohnnyKR on March 04, 2020, 09:30:13 AM
Hello, could you please clear https://felgimomo.pl domain? I have cleaned up the server, virus total shows everything is fine: https://www.virustotal.com/gui/url/cc03c709144d61a7c845956e847251070b0eb6bdc45ae2597f17c5bad7b63194/detection but Avast still marks the domain as phishing
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 04, 2020, 09:33:41 AM
-> https://sitecheck.sucuri.net/results/https/felgimomo.pl
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 04, 2020, 11:54:39 AM
Hello JohnnyKR,

Website has outdated software: PHP under 7.3.12
Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist:OK
Web Server:
Apache
X-Powered-By:
PHP/7.3.0
IP Address:
62.212.65.74
Hosting Provider:
LeaseWeb Netherlands B.V.
Shared Hosting:
500 sites found on 62.212.65.74

Security score -3 grade: https://webcookies.org/cookies/felgimomo.pl/29216505?423410

Consider these security recommendations found through linting:
https://webhint.io/scanner/de02d35a-2f34-432a-9169-70ab088d5d8a#category-security

Consider also the hosting at linuxpl dot com here: hxtp://s99.linuxpl.com/  connection insecure...

Wait for a final verdict from an avast team member as they are the only ones to come and unblock,
report website to them here: https://www.avast.com/false-positive-file-form.php

Regards,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on March 06, 2020, 12:42:46 AM
Hello, could you please clear hxxps://felgimomo.pl domain? I have cleaned up the server, virus total shows everything is fine: https://www.virustotal.com/gui/url/cc03c709144d61a7c845956e847251070b0eb6bdc45ae2597f17c5bad7b63194/detection but Avast still marks the domain as phishing

Detection was removed 05.03.2020 at 10:54 AM. It will continue to be blocked by the Avast Online Security plugin due to this

https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2Ffelgimomo.pl%2F&hl=en

Quote from: Avast
Our virus specialists have been working on this problem and they informed me that this detection is correct.
Title: Re: Site Blocked - URL:Phishing
Post by: Banu3 on March 11, 2020, 08:01:57 AM
Hello i have the same problem with my Website:
https://www.weddingsutra.com/
Please can you unlock URL?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on March 11, 2020, 08:22:16 AM
-> https://sitecheck.sucuri.net/results/https/www.weddingsutra.com
Title: Re: Site Blocked - URL:Phishing
Post by: xin7 on March 11, 2020, 11:49:55 AM
hello,
i have a website: https://naptien.shopgiatot.net/
my website meet url phishing and avast auto block.
but i scan on https://sitecheck.sucuri.net/results/naptien.shopgiatot.net
that it's ok.
how can i do.
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on March 11, 2020, 12:02:29 PM
Report a false positive (select file or website)

Click this link >>  https://www.avast.com/false-positive-file-form.php



Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 11, 2020, 01:32:42 PM
Retirable jQuery library:
Quote
jquery   1.12.4   Found in htxps://naptien.shopgiatot.net/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

IP related detections (not your website/domain): https://www.virustotal.com/gui/ip-address/104.28.13.105/relations
-> CloudFlare abuse? see vulnerabilities on host: https://www.shodan.io/host/104.28.13.105

Hints found by linting: https://webhint.io/scanner/4fe90925-70c0-456c-84f4-08757b813ad3

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on March 12, 2020, 03:26:08 AM
Detection was removed 11.03.2020

weddingsutra.com and  naptien.shopgiatot.net is not blocked by Avast

Quote from: Avast
The provided URL doesn't seem to be detected by Avast. Could you please send us a screenshot of the detection message you're getting? https://support.avast.com/en-ww/article/100/
Title: Re: Site Blocked - URL:Phishing
Post by: richdad.tx on March 20, 2020, 10:49:01 AM
Hello,

I'm having problems with my website (evippay[dot]com), whenever I try to access it from any computer that has Avast installed it does not allow access. I do not understand why my website blocked by Avast.

Please help me check and unlock

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on March 20, 2020, 11:00:36 AM
<snip>
I'm having problems with my website (evippay[dot]com), whenever I try to access it from any computer that has Avast installed it does not allow access. I do not understand why my website blocked by Avast.
<snip>

As mentioned a few posts above yours, report it directly to Avast.
https://sitecheck.sucuri.net/results/evippay.com (https://sitecheck.sucuri.net/results/evippay.com)

Report a false positive (select file or website)

Click this link >>  https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 20, 2020, 01:12:26 PM
Howdy richdad.tx,

Do as DavidR says and wait for a final verdict from avast's.

But on the other hand that pay-site could well do better where website security is being concerned.

That particular IP is not being flagged, but likewise addresses from the same IP are:
https://www.virustotal.com/gui/ip-address/45.32.133.30/relations

See various hints to get that website somewhat more secure:
https://webhint.io/scanner/ab8cd1c0-a875-43d4-81a7-65012ba92c82#category-security

Retirable JQuery libraries detected
Quote
bootstrap   3.3.5   Found in -https://evippay.com/catalog/view/javascript/bootstrap/js/bootstrap.min.js
Vulnerability info:
High   28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331   
Medium   20184 XSS in data-target property of scrollspy CVE-2018-14041   
Medium   20184 XSS in collapse data-parent attribute CVE-2018-14040   
Medium   20184 XSS in data-container property of tooltip CVE-2018-14042   
jquery   2.1.1.min   Found in -https://evippay.com/catalog/view/theme/journal3/lib/jquery/jquery-2.1.1.min.js
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

Gets a -2 security score here: https://webcookies.org/cookies/evippay.com/29958976?542440
No CSP implementation, whatsoever, and that for an online payment site  ???

See for the known vulnerabilities at the hosting party: https://www.shodan.io/host/45.32.133.30

Have a nice day,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: richdad.tx on March 22, 2020, 10:47:16 AM
Thank you for your information, I make new domain and fix it. Someone is trying to put my website on a blacklist at new domain directpay[dot]vip. Help me remove it on blacklist and how to make my website not in blacklist? It is affecting my work

Thank you

Title: Re: Site Blocked - URL:Phishing
Post by: polonus on March 22, 2020, 12:57:21 PM
Hi richdad.tx,

Report the abuse to your hosting parties, and when they do not act let your website host somewhere else.
It is a free world, and you should not keep up with such abuse.  Or take a dedicated IP address.

polonus

Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on March 22, 2020, 06:18:54 PM
@ richdad.tx
Your new site is in an even worse state, with more scanners blacklisting it and it is also considered a Critical Security Risk:
https://sitecheck.sucuri.net/results/directpay.vip

I would hazard a guess that the things found by Polonus on the other domain are likely to be replicated with this domain.
This would appear to be the case: https://webhint.io/scanner/f7699e7d-410a-47b2-8fd6-349ab43e2b05
Title: Re: Site Blocked - URL:Phishing
Post by: melody11 on April 06, 2020, 03:43:52 AM
Hi,
Thanks for giving opportunity to resolve my issue. When i saw my site hxtps://celebritiesnewss.com it show unsecured because i installed avast extension that shows me. Please guide me about it.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on April 06, 2020, 05:49:14 AM
-> https://sitecheck.sucuri.net/results/https/celebritiesnewss.com
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 06, 2020, 05:12:48 PM
 Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on April 11, 2020, 12:32:29 AM
Hi,
Thanks for giving opportunity to resolve my issue. When i saw my site hxtps://celebritiesnewss.com it show unsecured because i installed avast extension that shows me. Please guide me about it.

Site was never blocked.

Quote from: Avast
The provided URL doesn't seem to be detected by Avast. Could you please send us a screenshot of the detection message you're getting? https://support.avast.com/en-ww/article/100/
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on April 11, 2020, 01:04:59 AM
@  jefferson sant
There are times when I wonder if such reports are more to do with site promotion (a.k.a. link spamming) than reporting a false positive detection.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 11, 2020, 02:34:54 AM
Hi DavidR,

Some of these postings that serve more or less as an intended platform for link spamming of sorts already have been banned.
Some were being reported to me through PMs.
Where avast does not detect or several others also detect and websites have spam linking and cloaking "aboard"
there certainly exists a possibility that it is the case and such postings better be removed and the link spammer banned.  :P

When there are genuine requests made to reconsider detection of an apparent FP or serious security related questions,
then that's another kettle of PHISH altogether  ;)

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on April 12, 2020, 04:29:40 AM
@  jefferson sant
There are times when I wonder if such reports are more to do with site promotion (a.k.a. link spamming) than reporting a false positive detection.

Most were clean or certainly redirects, also adware (advertising). Some sites had unknown code or iframes that were found malicious and were submitted as samples to be analyzed, and detection was added.

A few days ago e.g JS:CardStealer-BS [Trj] 

https://www.virustotal.com/gui/file/eb4854400a1abd452a09e6952219f6d5263ba89fa3c0479ffb4e713c07b36a4d/detection
Title: Re: Site Blocked - URL:Phishing
Post by: krazylove on April 16, 2020, 08:17:39 PM
Hello! A work website is blocked https://sosvirtual.aldeasinfantilessos.org/. I ran scans with https://www.virustotal.com/ and https://virscan.org/ and results came back clean. Why is it blacklisted? Can someone help me with this? Got work to do! Thanks!
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on April 17, 2020, 06:00:20 AM
-> https://sitecheck.sucuri.net/results/https/sosvirtual.aldeasinfantilessos.org
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 17, 2020, 12:37:59 PM
Outdated CMS and outdated PHP detected.
Quote
User Enumeration
  The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   None   sosvirtual2
2   None   sam-mi
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Externally links OK :    Externally Linked Host   Hosting Provider   Country   
    -cursos.aldeasinfantilessos.org   Microsoft Corporation   United-States    
    -sosvirtualelearning.aldeasinfantilessos.org   GoDaddy.com   United-States    
    -www.facebook.com   Facebook.   Ireland

Recommendations towards improvement: https://webhint.io/scanner/dc81ba0b-3078-40c7-822c-a18af3650847

Avast has found malicious code on website: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=c11zdlt9dHV8bC58bCN7fHNbbmZ8bnRbbHtzc11zLl19Zw%3D%3D~enc   (PUP-detection, slightly malicious)

See malware on IP: https://www.virustotal.com/gui/ip-address/107.180.41.170/relations
GoDaddy abuse: https://www.shodan.io/host/107.180.41.170

Wait for a final verdict from an avast team member, as they are the only ones to come and unblock.
Site now being unblocked, pay attention to retirable code:
Quote
jquery-ui-dialog   1.11.4   Found in -https://sosvirtual.aldeasinfantilessos.org/wp-includes/js/jquery/ui/dialog.min.js?ver=1.11.4
Vulnerability info:
High   CVE-2016-7103 281 XSS Vulnerability on closeText option   
jquery   1.12.4   Found in -https://sosvirtual.aldeasinfantilessos.org/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
vulnerable PHP, headers - 7.0.33

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
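Added example (not part of the post above and not the scanner's own code): a small check a site owner can run over their own page source to find jQuery core files older than 3.4.0, the threshold named in the CVE-2019-11358 line of the scan output. The sample HTML and host name are constructed; the URL shapes mirror the ones quoted in this thread, including the jQuery UI dialog file, which must not be mistaken for jQuery core.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Threshold from the scan output quoted in this thread:
# "jQuery before 3.4.0 ... mishandles jQuery.extend(true, {}, ...)" (CVE-2019-11358).
JQUERY_FIXED = (3, 4, 0)

# Constructed sample page (site.example is a placeholder host).
SAMPLE_HTML = """
<html><head>
<script src="https://site.example/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp"></script>
<script src="https://site.example/wp-includes/js/jquery/ui/dialog.min.js?ver=1.11.4"></script>
<script src="https://site.example/catalog/view/theme/x/lib/jquery/jquery-2.1.1.min.js"></script>
<script src="https://site.example/assets/jquery-3.5.1.slim.min.js"></script>
<script src="https://site.example/assets/jquery.cookie.js?ver=1.4.1"></script>
<script>var inline = 1;</script>
</head></html>
"""

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
# Matches jQuery core file names only: jquery.js, jquery.min.js,
# jquery-2.1.1.min.js, jquery-3.5.1.slim.min.js. Plugins such as
# jquery.cookie.js and jQuery UI files such as dialog.min.js do not match.
_CORE_NAME = re.compile(
    r"^jquery(?:-(\d+\.\d+(?:\.\d+)?))?(?:\.slim)?(?:\.min)?\.js$", re.I
)


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def parse_version(text):
    """Return (major, minor, patch) from strings like '1.12.4-wp', else None."""
    match = _VERSION.search(text or "")
    if not match:
        return None
    return tuple(int(part) if part else 0 for part in match.groups())


def classify(src):
    """Return a finding for a jQuery core script URL, or None for anything else."""
    parts = urlsplit(src)
    filename = parts.path.rsplit("/", 1)[-1]
    match = _CORE_NAME.match(filename)
    if not match:
        return None
    # Version is either in the file name or in WordPress's ?ver= cache-buster.
    version = parse_version(match.group(1)) or parse_version(
        parse_qs(parts.query).get("ver", [""])[0]
    )
    if version is None:
        status = "unknown"  # core file without a visible version: check by hand
    elif version < JQUERY_FIXED:
        status = "outdated"
    else:
        status = "ok"
    return {"src": src, "version": version, "status": status}


def audit_scripts(html):
    """Return findings for every jQuery core script referenced in the page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        finding = classify(src)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for item in audit_scripts(SAMPLE_HTML):
        print(item["status"], item["version"], item["src"])
```

A version read from a URL is only a hint, since a file can be patched or renamed without its name changing, so confirm against the file itself before and after updating.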
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on April 17, 2020, 03:18:10 PM
Hello! A work website is blocked hxxps://sosvirtual.aldeasinfantilessos.org/. I ran scans with https://www.virustotal.com/ and https://virscan.org/ and results came back clean. Why is it blacklisted? Can someone help me with this? Got work to do! Thanks!

Detection was removed in 17.04.2020 at 07:16 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Mikel Media on April 21, 2020, 01:59:18 AM
A client's site has been marked as Phishing when it is not as per https://sitecheck.sucuri.net/results/accountingandtaxgroup.net and Metamask's Cryptonite.

Accountingandtaxgroup.net should not be considered phishing.

Help?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on April 21, 2020, 05:05:44 AM
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 21, 2020, 01:17:27 PM
Indeed here it is given the all green: https://www.virustotal.com/gui/domain/accountingandtaxgroup.net/relations
InfoSec threat level 0
B-status here: https://webcookies.org/cookies/accountingandtaxgroup.net/30328910?644234
Improvement hints: https://webhint.io/scanner/15335b57-4c50-43d4-a30c-502606c3e499
Verdict clean: https://checkphish.ai/insights/url/1587467710313/2e00691bd69e4623d03a2df402c79e1adb1b5d692ca9b86f9bd26b00751ef17a

Wait for a final verdict from an avast team member, as we are volunteers with relative knowledge,
but avast team members are the only ones to come and unblock.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Eric624 on April 21, 2020, 03:26:24 PM
I am having an issue with my site being blocked as well (activate-payments.com). Can you please help with this?
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 21, 2020, 04:57:43 PM
Hi Eric624,

It is not only avast that flags this site:
https://www.virustotal.com/gui/domain/activate-payments.com/detection
Also even more to detect it here: https://www.virustotal.com/gui/domain/activate-payments.com/relations

Outdated WordPress version detected.
Outdated plug-in: The following plugins were detected by reading the HTML source of the WordPress sites front page.

contact-form-7 5.1.7   latest release (5.1.7)
https://contactform7.com/
wordpress-seo 13.2   latest release (13.5)
https://yoa.st/1uj
js_composer   
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

There are likely more plugins installed than those listed here as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths  using a dedicated tool.

CMS Misconfigurations: User Enumeration
  The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   admin   admin
2   activate-payments   activate-payments
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Improvement hints found by linting: https://webhint.io/scanner/7eea67df-6521-4b2a-928c-09cd02e50d2c
Added while the SNYK scan did not materialize in security, this added scan results: https://retire.insecurity.today/#!/scan/ec72a1190b192398655426afbbb11c2e5538fe782ff355a98b6aca16059fccd5
Moreover this link is blocked for me by an adblocker: hxtps://static.doubleclick.net/instream/ad_status.js

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Guillaume77 on April 22, 2020, 09:12:45 AM
Hi,

I have trouble with my website too (rootstravler.com). I can still check it on my phone, but no way to check it from the computer. Has my website really been hacked or is it an error from Avast?

If you could unlock it, I would really appreciate it.

Best regards,
Guillaume
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on April 22, 2020, 09:30:12 AM
-> https://sitecheck.sucuri.net/results/rootstravler.com
Title: Re: Site Blocked - URL:Phishing
Post by: Guillaume77 on April 22, 2020, 10:25:27 AM
Hey,

Thanks, it seems like the website is back up now.

Wish you the best,
Guillaume
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 22, 2020, 03:06:43 PM
Hints to come to website improvement: https://webhint.io/scanner/f834c9bd-0028-4bc3-93e6-02087e0770a6
& see: https://retire.insecurity.today/#!/scan/ebd0c539e28a2d9eedbae5816f7e8aeb4ca0f583fb9512778ba3a7b24f4d6143

 User Enumeration
  The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   bordg20001407   bordg20001407
2   None   None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist: OK

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jefferson sant on April 23, 2020, 12:00:58 AM
A client's site has been marked as Phishing when it is not as per https://sitecheck.sucuri.net/results/accountingandtaxgroup.net and Metamask's Cryptonite.

Accountingandtaxgroup.net should not be considered phishing.

Help?

Detection was removed on 22.04.2020 at 06:18 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Site Blocked - URL:Phishing
Post by: Guillaume77 on April 23, 2020, 10:17:05 AM
Quote
User Enumeration
  The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   bordg20001407   bordg20001407
2   None   None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Thanks Polonus for the check and for those pieces of advice.

However, it turns out that my website is down with the same error as yesterday. I feel like this could be a fake positive.

Is there any way to put the website (rootstravler.com) back up?

Also, I did a sucuri site check too but did not arrive at the same results: some timeout reach site issues were detected.
https://sitecheck.sucuri.net/results/https/rootstravler.com

I hope we will be able to end this issue,
Guillaume
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 23, 2020, 02:03:45 PM
Hi Guillaume77,

Take it up with your hoster, and also report it here: https://www.avast.com/false-positive-file-form.php
Wait for an avast team member to receive a final verdict as a reaction on what you have reported,
they are the only ones to come and unblock any FP.

See the script from line 871 hence onwards
Quote
< svg style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1"
represented here:  https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=fV1ddHN0fXx2bHt9Ll5dbQ%3D%3D~enc   (which is hxtps://stats.wp.com/e-202017.js and being blocked for me)
-> https://www.shodan.io/host/192.0.76.3 -> https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=c3R8dHMud3AuXl1tYHstMjAyMDE3Lmpz~enc

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: Guillaume77 on April 23, 2020, 08:06:23 PM
Okay, thanks again for your time Polonus. I filled the FP form and I'm waiting for an answer.

Best regards,
Guillaume
Title: Re: Site Blocked - URL:Phishing
Post by: master2020 on April 27, 2020, 01:19:30 PM
Hello, I have problems with my site (elenakarpova.com), whenever I try to open a page from any computer on which Avast is installed, it does not allow access and a pop-up window appears with an attachment.

P.S. Sorry for my English
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on April 27, 2020, 01:41:18 PM
-> https://sitecheck.sucuri.net/results/elenakarpova.com
Title: Re: Site Blocked - URL:Phishing
Post by: master2020 on April 27, 2020, 02:42:33 PM
Thanks for the answer. But I did not understand why avast blocks the pages of my site.
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on April 27, 2020, 03:51:01 PM
Quote from: master2020
Thanks for the answer. But I did not understand why avast blocks the pages of my site.

Well, being considered a Medium Security Risk is a start; outdated software is vulnerable and can be exploited.  Not saying that this is the case but certainly possible.  If it happened in the past or linked to an IP (multiple domains on the same IP address) that has been hacked could impact all domains on that IP.

You should certainly address the points in the link given by Asyn and update the outdated software. 

You can use the Reporting Possible False Positive on Website - https://www.avast.com/false-positive-file-form.php form.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on April 27, 2020, 04:10:42 PM
Hi master2020.

Additional to what Asyn and DavidR reported, and where I strongly agree, pay attention to the following glitches,
found through third party cold reconnaissance scanning of the website at hand.

As you can establish and was mentioned to you, you have outdated CMS, outdated WordPress core version.
Update a.s.a.p.

Also outdated plug-in software, there also update a.s.a.p.:

The following plugins were detected by reading the HTML source of the WordPress sites front page.

pageviews 0.11.0   latest release (0.11.0)
https://pageviews.io
js_composer   
all-in-one-seo-pack 3.3.5   latest release (3.4.3)
https://semperplugins.com/all-in-one-seo-pack-pro-version/
gallery-images-ape 2.0.8   latest release (2.0.11)
https://wpape.net/gallery-wordpress
wpfront-scroll-top 2.0.2   latest release (2.0.2)
http://wpfront.com/scroll-top-plugin/
woocommerce 3.9.2   latest release (4.0.1)
https://woocommerce.com/
shortcodes-ultimate 5.7.0   latest release (5.8.1)
https://getshortcodes.com/
mega-addons-for-visual-composer 3.1   latest release (4.0)
https://addons.topdigitaltrends.net/
contact-form-7 5.1.6   latest release (5.1.7)
https://contactform7.com/
widgetize-pages-light 2.6   latest release (2.6)
http://otwthemes.com/
wp_testme   
robokassa 5.3   latest release (1.3.4)
/wp-admin/admin.php

Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

There are likely more plugins installed than those listed here as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths  using a dedicated tool.

Vulnerable (non-vulnerable) code
 
Quote
PHP, headers - 7.2.25
6.4
CVE-2019-11047
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
6.4
CVE-2020-7059
When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.
6.4
CVE-2020-7060
When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.
6.4
CVE-2020-7061
In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.
6.4
CVE-2019-11050
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
6.4
CVE-2020-7063
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.
5
CVE-2019-11044
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
5
CVE-2018-19935
ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.
5
CVE-2019-11046
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.
5
CVE-2020-7062
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.
4.3
CVE-2019-11045
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
4.3
jQuery, script
Not vulnerable
jQuery, headers - 1.12.4
Not vulnerable
jQuery Migrate, script
Not vulnerable
jQuery UI Core, headers - 1.11.4
7.3
Bootstrap, script
Not vulnerable
All in One SEO Pack, html - 3.3.5
Not vulnerable
Font Awesome, html
Not vulnerable
Wordpress - 5.3.2
Not vulnerable

See vulnerabilities at your hoster: https://www.shodan.io/host/87.236.16.192

Retirable jQuery libraries detected:
Quote
bootstrap   3.3.5   Found in -https://elenakarpova.com/wp-content/themes/nisarg/js/bootstrap.js?ver=5.3.2
Vulnerability info:
High   28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331   
Medium   20184 XSS in data-target property of scrollspy CVE-2018-14041   
Medium   20184 XSS in collapse data-parent attribute CVE-2018-14040   
Medium   20184 XSS in data-container property of tooltip CVE-2018-14042   1
jquery   1.12.4   Found in -https://elenakarpova.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   1234
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   123
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   123
Medium   Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

JavaScript errors - ReferenceError: VK is not defined
 /:551
DOM-XSS sinks and sources: results from scanning URL: -https://elenakarpova.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=3.9.2
Number of sources found: 50
Number of sinks found: 32
- "INJECTED" nodes have been injected to DOM by Javascript after initial page load.

Improvement hints found through linting: https://webhint.io/scanner/217dc635-8e3f-48d8-bc48-20caa9f15aac

kind regards,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
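An added example (not part of the post above, nor any scanner's own code): it checks the detected header version `7.2.25` against the affected-version wording of each PHP advisory quoted in the scan. The phrases in `ADVISORIES` are copied from that quoted output; the function names are hypothetical.

```python
"""Triage the quoted PHP advisories against a detected PHP version."""
import re

# Affected-version phrases copied from the advisory texts in the scan output above.
ADVISORIES = {
    "CVE-2019-11047": "7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0",
    "CVE-2020-7059": "7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2",
    "CVE-2020-7060": "7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2",
    "CVE-2020-7061": "7.3.x below 7.3.15 and 7.4.x below 7.4.3",
    "CVE-2019-11050": "7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0",
    "CVE-2020-7063": "7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3",
    "CVE-2019-11044": "7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0",
    "CVE-2018-19935": "5.x and 7.x before 7.3.0",
    "CVE-2019-11046": "7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0",
    "CVE-2020-7062": "7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3",
    "CVE-2019-11045": "7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0",
}

# "7.2.x below 7.2.26": one minor branch with an exclusive upper bound.
BRANCH_BELOW = re.compile(r"(?<![\d.])(\d+\.\d+)\.x below (\d+\.\d+\.\d+)")
# "5.x and 7.x before 7.3.0": whole major lines sharing one exclusive bound.
MAJOR_X = re.compile(r"(?<![\d.])(\d+)\.x")
BEFORE = re.compile(r" before (\d+\.\d+\.\d+)")
# "... and 7.4.0": a single exact release (not the bound after below/before).
EXACT = re.compile(r"(?<![\d.])(?<!below )(?<!before )(\d+\.\d+\.\d+)(?![\d.])")


def vt(version):
    """'7.2.25' -> (7, 2, 25) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def parse_rules(phrase):
    """Turn one phrase into (prefix, exclusive_bound) rules; bound None = exact."""
    rules = [(vt(branch), vt(bound)) for branch, bound in BRANCH_BELOW.findall(phrase)]
    before = BEFORE.search(phrase)
    if before:
        for major in MAJOR_X.findall(phrase[:before.start()]):
            rules.append(((int(major),), vt(before.group(1))))
    rules.extend((vt(exact), None) for exact in EXACT.findall(phrase))
    return rules


def affected(version, phrase):
    """True if `version` falls inside any range the phrase describes."""
    v = vt(version)
    for prefix, bound in parse_rules(phrase):
        if bound is None:
            if v == prefix:
                return True
        elif v[:len(prefix)] == prefix and v < bound:
            return True
    return False


def triage(detected, advisories=ADVISORIES):
    """Split advisory ids into (range covers detected, range does not)."""
    applies, excluded = [], []
    for cve, phrase in advisories.items():
        (applies if affected(detected, phrase) else excluded).append(cve)
    return applies, excluded


if __name__ == "__main__":
    applies, excluded = triage("7.2.25")  # version from "PHP, headers - 7.2.25"
    print("range covers 7.2.25:", ", ".join(applies))
    print("range does not cover 7.2.25:", ", ".join(excluded))
    # Only the version range is checked here. Conditions stated in the advisory
    # texts (Windows only, a given extension or function in use) still have to
    # be reviewed by hand for each entry that remains.
```

A version taken from an HTTP header says nothing about fixes a distribution has backported, so treat the result as a list of things to verify on the server, not as a finding.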
Title: Re: Site Blocked - URL:Phishing
Post by: zigainfotech on June 18, 2020, 06:54:59 PM
Hello, I'm having problems with my website (http://thekeoghpractice.ie/), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.

Please allow this to load the website for the public.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on June 19, 2020, 12:23:05 AM
2 engines detect this here: https://www.virustotal.com/gui/url/15f856199512ada1d3b1a0110730d22fef94ceb086d302598e30c4ca57483a82/details

Insecure hosting on IP 87.76.23.83 -> Website is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping. Tell -nexcess.net to fix it.

 All trackers
At least 1 third parties know you are on this webpage.

-obpuk1-05.nexcess.net -obpuk1-05.nexcess.net

 Tracker could be tracking safely if this site was secure.

Webpage kicking up a 400 Bad Request error!

Problem with SSL, a problem with the SSL prevented the page from being retrieved!
Server certificate is issued for different domain(s) and does NOT cover -thekeoghpractice.ie!
Server certificate does NOT cover both domains with and without www.

See: https://sitereport.netcraft.com/?url=http%3A%2F%2Fwww.thekeoghpractice.ie

Wait for a final verdict from an avast team member, as they are the only ones to come and unblock.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jnli931008 on June 22, 2020, 01:53:33 AM
I also have this issue with my domain which is demo.rla-latamvirtual.com. I don't know why this is happening, please help because I am doing a virtual event and many people cannot get into the web page
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on June 22, 2020, 05:13:04 AM
-> https://sitecheck.sucuri.net/results/demo.rla-latamvirtual.com
-> https://www.virustotal.com/gui/url/7a34c83c3f2da4aa0cd303bf6bcac155127aa505235c5e87c5a0607fb9f00b6c/detection
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on June 22, 2020, 02:43:16 PM
Re: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=I3ttXS59bHwtbHx0fG12W310dXxsLl5dbQ%3D%3D~enc

You should take this up with GoDaddy's -
Quote

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>


Avast flags the site with PHISHING.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: Amesimeku on July 16, 2020, 03:32:55 PM
Hello, I have the same problem!! My website https://crowdmagna.com/ is being blocked but I have scanned it thoroughly and there are no phishing links!! Kindly assist me by removing it from your list for me.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on July 16, 2020, 04:08:10 PM
-> https://sitecheck.sucuri.net/results/https/crowdmagna.com
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on July 16, 2020, 04:36:47 PM
Quote from: Asyn
-> https://sitecheck.sucuri.net/results/https/crowdmagna.com

Not to mention https://webhint.io/scanner/638f2e77-a37d-48e6-b26a-d73364596468 which is even worse, 0 from 10 on the security checks.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on July 17, 2020, 12:27:00 AM
Site can be reached for some scanners. Hosted @ 45.133.200.3 that is from -cpanel-host.prohoster.info
Quote
<html><head><META HTTP-EQUIV="Cache-control" CONTENT="no-cache"><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>

The problem is there and you should take it up with the hoster, MBAM also flags:
Website blocked due to trojan
We strongly recommend you do not visit this site.
Website blocked: hxtp://cpanel-host.prohoster.info/

DOM-XSS issues: Results from scanning URL: -https://crowdmagna.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Number of sources found: 41
Number of sinks found: 17
&
Results from scanning URL: -https://crowdmagna.com/wp-content/plugins/wp-fundraising-donation/assets/public/script/single-page/jquery.magnific-popup.min.js?ver=1.1.16
Number of sources found: 13
Number of sinks found: 18

SERVER DETAILS
Web Server:
nginx
IP Address:
-45.133.200.3
Hosting Provider:
INTERNET-IT, NL
Shared Hosting:
65 sites found (use Reverse IP to download list)
Title:
Index of /wp-includes

DShield    CLEAN
AlienVault OTX      CLEAN
Cisco Talos    CLEAN
abuse.ch (Feodo)    CLEAN
URLhaus    CLEAN
Spamhaus (Drop / eDrop)    CLEAN

0 issues found during a high level analysis at a 3rd party word press security scan.

Wait for a final verdict from an avast team member, as they are the only ones to come and unblock,
or establish we deal with a genuine trojan detection.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: mgnplay1 on July 30, 2020, 01:30:16 AM
Hi Avast.
I have this website, activegear2go.com, that has been flagged as phishing. The hosting company, bluehost, informed me numerous times the site is ok. I cannot use it due to aborting mechanism built in your code.
Please help me get control over the website.
Thank you.

Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on July 30, 2020, 02:35:49 AM
Quote from: mgnplay1
Hi Avast.
I have this website, activegear2go.com, that has been flagged as phishing. The hosting company, bluehost, informed me numerous times the site is ok. I cannot use it due to aborting mechanism built in your code.
Please help me get control over the website.
Thank you.

It isn't just avast that considers it suspect https://sitecheck.sucuri.net/results/activegear2go.com
Also see https://webhint.io/scanner/46ed5c96-c13e-4b30-b775-8b6410d8d471 for other things that may need to be addressed.

Outside of that - You can use the Reporting Possible False Positive on Website - https://www.avast.com/false-positive-file-form.php form.
That will get a review, but no guarantee that it would be removed as there is some vulnerable software on that site which could place it at risk.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on July 30, 2020, 12:32:07 PM
There are also problems with the security of the WordPress CMS.
Set user enumeration and directory listing to disabled.
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Directory indexing is tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: mgnplay1 on July 31, 2020, 04:06:17 AM
Quote from: DavidR
Quote from: mgnplay1
Hi Avast.
I have this website, activegear2go.com, that has been flagged as phishing. The hosting company, bluehost, informed me numerous times the site is ok. I cannot use it due to aborting mechanism built in your code.
Please help me get control over the website.
Thank you.

It isn't just avast that considers it suspect https://sitecheck.sucuri.net/results/activegear2go.com
Also see https://webhint.io/scanner/46ed5c96-c13e-4b30-b775-8b6410d8d471 for other things that may need to be addressed.

Outside of that - You can use the Reporting Possible False Positive on Website - https://www.avast.com/false-positive-file-form.php form.
That will get a review, but no guarantee that it would be removed as there is some vulnerable software on that site which could place it at risk.

Hi,

Thanks for your quick response. I replaced all the wordpress files with good ones. I checked the links and in the first one, only McAfee finds an issue with the site, and in regards to the second link, I don't know what to make of it. Can you help me understand what is relevant to my problem?
Thank you in advance.
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on July 31, 2020, 10:26:49 AM
Quote from: mgnplay1
Hi,

Thanks for your quick response. I replaced all the wordpress files with good ones. I checked the links and in the first one, only McAfee finds an issue with the site, and in regards to the second link, I don't know what to make of it. Can you help me understand what is relevant to my problem?
Thank you in advance.

As for "Replacing the wordpress files with good ones," I'm not entirely sure what you mean by that. What needs to be done is to ensure that you have the latest wordpress version installed on your website as older versions are vulnerable to attack.

The first link is just to confirm Avast isn't alone in blocking the site and you would also have to try and get that cleared also.

The second link shows details of what areas (in particular related to security) it didn't do well in.  That would have to be taken up with whomever built the site or help from your Hosting service.  I'm sorry, this isn't something that I can help with, nor something that we undertake in the forums.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on July 31, 2020, 01:08:55 PM
Hi mgnplay1,

Still 2 issues
Issues found during a high level analysis of the target site. It is recommended that further active scanning be undertaken for a more accurate assessment.
Scan can be performed here: https://hackertarget.com/wordpress-security-scan/  then you could see issues for yourself.

1. User Enumeration
The first two user ID's were tested to determine if user enumeration is possible.

Username   Name
ID: 1   not found   
ID: 2   admin1   admin1
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

2. Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

Path Tested   Status
/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing is tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Linked sites OK - javascript resources also OK.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
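An added example (not part of the post above or of the scanner it quotes): a local audit a site owner can run on the server's own copy of the webroot to follow the advice to "check other folders in your installation". It lists every directory that has no index file, which is what gets served as a file listing while indexing is on, and reads an `.htaccess` text for an Apache `Options` line that turns listings off. The function names, the sample tree and the `INDEX_NAMES` default are assumptions of this example.

```python
"""Local check for directories a web server would list when indexing is on."""
import os
import tempfile

# Assumption: adjust to the DirectoryIndex setting of your own server.
INDEX_NAMES = ("index.php", "index.html", "index.htm")


def listable_dirs(webroot, index_names=INDEX_NAMES):
    """Return web paths of directories under webroot that hold no index file."""
    exposed = []
    for current, dirs, files in os.walk(webroot):
        dirs.sort()  # deterministic order for reports and tests
        if not set(files).intersection(index_names):
            rel = os.path.relpath(current, webroot).replace(os.sep, "/")
            exposed.append("/" if rel == "." else "/" + rel + "/")
    return exposed


def htaccess_indexes_state(text):
    """True/False if an Options line switches listings on/off, None if silent."""
    state = None
    for line in text.splitlines():
        words = line.strip().lower().split()
        if not words or words[0] != "options":
            continue  # comments and other directives
        opts = words[1:]
        if any(o[0] not in "+-" for o in opts):
            # An absolute list replaces inherited options: Indexes is on only
            # if named explicitly (or through All).
            state = "indexes" in opts or "all" in opts
        elif "+indexes" in opts:
            state = True
        elif "-indexes" in opts:
            state = False
    return state


def build_sample_tree():
    """Constructed WordPress-like tree; uploads/ has no index file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("wp-content/plugins", "wp-content/uploads/2020/07"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("index.php", "wp-content/index.php",
                "wp-content/plugins/index.php",
                "wp-content/uploads/2020/07/photo.jpg"):
        with open(os.path.join(root, rel), "w") as handle:
            handle.write("")
    return root


def audit(webroot):
    """Combine both checks into one report for a webroot."""
    htaccess = os.path.join(webroot, ".htaccess")
    state = None
    if os.path.isfile(htaccess):
        with open(htaccess) as handle:
            state = htaccess_indexes_state(handle.read())
    return {"indexes_in_htaccess": state, "dirs_without_index": listable_dirs(webroot)}


if __name__ == "__main__":
    report = audit(build_sample_tree())
    print("Options Indexes per .htaccess:", report["indexes_in_htaccess"])
    for path in report["dirs_without_index"]:
        print("no index file:", path)
```

A result of `None` for the `.htaccess` state means the file does not set the option, so the server-wide configuration decides.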
Title: Re: Site Blocked - URL:Phishing
Post by: avast686 on August 03, 2020, 10:40:35 PM
The AVAST WebShield is also blocking the Centurylink webmail link at https://webmail.centurylink.net/mail#1;

I have verified a number of times by disabling the web shield and the site loads.  If enabled, the site does not load.

I have verified this issue on several workstations and with several Centurylink accounts.  Can you remove this URL from the block list?

The notification at the time of the blocked site URL load was that the site was blocked: PHISHING.
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on August 03, 2020, 10:50:15 PM
Report a false positive (select file or website)

Click this link  >>  https://www.avast.com/false-positive-file-form.php



Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on August 03, 2020, 11:23:21 PM
@ avast686
This check considers it a medium security risk, which could potentially lead to hacking, etc.
https://sitecheck.sucuri.net/results/centurylink.net
Title: Re: Site Blocked - URL:Phishing
Post by: michael.ting on September 07, 2020, 04:02:44 AM
Hello, I have the same problem with my website:
hxtp://www.zotech.com.tw
I restored and scanned the system, no problems were found
Can you unlock URL?
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on September 07, 2020, 06:22:23 AM
-> https://sitecheck.sucuri.net/results/www.zotech.com.tw
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 07, 2020, 02:09:10 PM
Hi michael.ting,

As you can see from Asyn's reply, your PHP software version is outdated.
Word Press version also is not the latest!

1 vulnerable retirable jQuery library was detected: https://retire.insecurity.today/#!/scan/b96d312272294991fe23d99dd1b3b709c8be1ac24a3c968840da133d7e951e72
See: https://www.shodan.io/host/104.28.26.118

Recommendation to improve website and website's security:
https://webhint.io/scanner/87b441a9-ec50-49ca-8656-3f5d31b47b9c

Wait for a final verdict from avast team, as they are the only ones to come and unblock.
We here are just volunteers with relative knowledge.

Important is you had the all green from here:
DShield    CLEAN
AlienVault OTX      CLEAN
Cisco Talos    CLEAN
abuse.ch (Feodo)    CLEAN
URLhaus    CLEAN
Spamhaus (Drop / eDrop)    CLEAN

So report here: https://www.avast.com/false-positive-file-form.php

Nice greetings to you in Taiwan, keep safe and secure online and offline,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: alikerembalkas on September 10, 2020, 01:15:52 PM
Hi

my website has been blocked by you. Please unblock because my website is OK

www.performancebilisim.com
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on September 10, 2020, 01:25:14 PM
-> https://sitecheck.sucuri.net/results/www.performancebilisim.com
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 10, 2020, 02:16:30 PM
As Asyn showed, a Joomla Security Scan produced two major issues with outdated software.
A serious malware threat is also WARNING: PHP 5.6.40 is end of life (no updates).

The template (theme) has been found by examining the path /templates/ *template name* /

dd_engineer_99 1.0   -http://diablodesign.eu
While other addons get a lot of attention when it comes to security vulnerabilities, templates are another source of security vulnerabilities within Joomla installations, always keep them updated to the latest version available and check the developers page for information about security related updates and fixes.

The template listed here is the active template found in the HTML source of the page. It is recommended to remove all unused templates and other code to minimise the attack surface of the Joomla installation.

See some improvement recommendations here: https://webhint.io/scanner/09fb24e5-daac-4308-87ac-3e3c0f6f74a4

49 hints so that is a reasonable amount, also F-Grade scan results here:
https://observatory.mozilla.org/analyze/www.performancebilisim.com

Also consider the vulnerabilities by the hoster where you share your IP with some 500 other domains:
https://www.shodan.io/host/78.31.67.89

The avast detection was probably IP related:
Re: https://ip-46.com/78.31.67.89   and  https://censys.io/ipv4/78.31.67.89  and  https://checkphish.ai/ip/78.31.67.89

CVE-2018-15919   Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'
CVE-2017-15906   The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

Wait for a final verdict by an avast team member, as they are the only ones to come and unblock.
We here are just volunteers with relative knowledge about website security intelligence.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: WK_schnarfl on September 13, 2020, 07:11:10 AM
I am sorry if I put my question into the wrong Topic, as there is no instruction on how to do that correctly,
but here goes:

Avast Premium Security warned me that the usual URL I use to sign into my bank account is
having a problem with  HTML:PhishingBank-Cog [Phish].
The URL is  https://www.onlinebanking.pnc.com/alservlet/EnrollmentInitServlet
Other info:
Browser   C:Program Files\Mozilla Firefox\firefox.exe
Web Shield   
Connection aborted   
An alternative URL there is
https://www.onlinebanking.pnc.com/alservlet/OnlineBankingServlet#

I call customer service at PNC  (A bank located in Pittsburgh, Pennsylvania, USA, with the
general URL  www.pnc.com) and they don't know a thing about it. I can't sign in, can't look at my account
can't pay my bills, or the credit card.  That's a problem.
   
Question:   Is it possible for Avast to determine whether this is a real banking trojan or a false positive? 

Note: Avast scan itself does not find anything on my local computer.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on September 13, 2020, 07:25:58 AM
-> https://www.virustotal.com/gui/url/0df74fa30274a9d6aa83363d432409d1dead9485c2090508a3d08a1fd3995e09/detection

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: j.gibbs2010 on September 13, 2020, 08:29:07 AM
been using this exact website for weeks now and then all of a sudden this morning avast is giving me the threat detected phishing:url warning and canceling my connection.

https://app.uniswap.org/#/swap?inputCurrency=ETH&outputCurrency=0xf911a7ec46a2c6fa49193212fe4a2a9b95851c27
tried different browsers and even when i open up a tab that i was using yesterday the same phishing warning comes up??
is this a false positive ?
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 13, 2020, 12:31:23 PM
Hi j.gibbs2010,

Clean MX is the only engine to flag htxps://app.uniswap.org/  or the link you forwarded as with PHISHING.
Re: https://www.virustotal.com/gui/url/5b20346afda2521e88d0512f6f0ed53d2c1fed6dcedad310c68f74779127c77e/detection

See associated malware via relations on IP: https://www.virustotal.com/gui/ip-address/104.18.64.168/relations
Probably this detection on IP played a role to flag it: https://otx.alienvault.com/indicator/domain/prostovpn.org

While no other engines flag this website address (URI), it could well be a false positive.
So wait for a final verdict from an avast team member, as they are the only ones to come and unblock.
We are just volunteers with relative knowledge in the field of website security intelligence.

However, there are some DOM-XSS issues on that domain. Results from scanning URL:
-https://app.uniswap.org/static/js/4.0b6f6ccc.chunk.js
Number of sources found: 375
Number of sinks found: 111

hxtps://app.uniswap.org
Detected libraries:
No vulnerable libraries found

Scanner output:
Scanning -https://app.uniswap.org ...
Script loaded: -https://app.uniswap.org/static/js/main.ae1ba38b.chunk.js
Script loaded: -https://app.uniswap.org/static/js/4.0b6f6ccc.chunk.js
Status: success

Just wait over the week-end to get an avast reaction,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 13, 2020, 01:06:29 PM
Website has outdated WordPress CMS and lacks hardening measures, but according to VirusTotal it is not flagged:
https://www.virustotal.com/gui/url/8ce255baa56782630f8cd8ba4766e4e0bd48acd56df0e0c27bfc81762d32c823/detection

Re: https://sitecheck.sucuri.net/results/https/chevallier.biz/coronavirus-censure-des-declarations-du-pr-luc-montagnier-sur-thana-tv/

Site not found with malware, but MBAM extension blocks it
Website blocked due
to possible suspicious activity
We strongly recommend you do not visit this site.

Website blocked: -https://chevallier.biz/coronavirus-censure-des-declarations-du-pr-luc-montagnier-sur-thana-tv/
Probably because of this https://host.io/chevallier.biz  (Can anybody confirm this? pol)
There is a backlink there that is blocked in the same manner by MBAM-beta extension as with suspicious activity:
We strongly recommend you do not visit this site.
Website blocked: htxp://ismeaa.com/

1 vulnerable jQuery library to retire: https://retire.insecurity.today/#!/scan/5be51750f227654e29a8d203583c76fbde2b15d88f092f4a817aee635f5938a1

Is this a FP or just a way to block clickbait?

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: Janet112 on September 14, 2020, 02:02:55 AM
As of yesterday I am having the exact same problem with the same site as WK_schnarfl, except that I tried on Chrome and Bing browsers. I have used the site for years without any issue. Trying to find any information about this issue is extremely difficult. Surely there are many people who bank with PNC who suddenly cannot log on. What steps should I take to regain access to my bank account?

 
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on September 14, 2020, 02:37:08 AM
Use the link given by Asyn above.

<snip>
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: Janet112 on September 14, 2020, 02:54:06 AM
@DavidR - I assume the post was directed at me. When I go to that site it asks me to upload a file or enter a website. What file should I upload/website URL? I tried submitting without uploading, but it wouldn't let me.
Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on September 14, 2020, 03:00:19 AM
Yes, as it was directly under your post, otherwise I would have quoted your post.

I only quoted Asyn's post after mentioning it to save you finding it.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 14, 2020, 11:16:08 AM
I see errors for the links given (network errors, slow responding, could have been an Akamai Technologies Inc hiccup)

Re: https://www.virustotal.com/gui/url/0df74fa30274a9d6aa83363d432409d1dead9485c2090508a3d08a1fd3995e09/detection

Wait for a final verdict from avast team.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: linhvu.vn on September 16, 2020, 10:41:01 PM
Hello I have the same problem with website: https://www.langkingdom.com/
I am learning English here,
And I also want to turn on the web shield
Can you unlock URL?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on September 16, 2020, 10:46:06 PM
Report a false positive (select file or website)

Click this link  >>  https://www.avast.com/false-positive-file-form.php
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 16, 2020, 11:56:34 PM
Hi linhvu.vn,

I do not see that site blocked by avast's.

Vulnerabilities on website in AngularJS, headers - 1.5.3
5   GHSA-89MQ-4X47-5V83   Prototype Pollution in angular
5   GHSA-MHP6-PXH8-R675   Cross site scripting in Angular
3.5   GHSA-5CP4-XMRW-59WF   XSS via JQLite DOM manipulation functions in AngularJS

JavaScript error
Quote
SyntaxError: Invalid regular expression flags
  eval ()()
  :3:98()
  Object.c [as F_c] (:2:146)()
  Object.E_u (:3:267)()
  la (eval at exec_fn (:1:147), :60:53)()
  Object.create (eval at exec_fn (:1:147), :71:325)()
  d (eval at exec_fn (:1:147), :13:89)()

Retirable library as mentioned earlier:
Quote
angularjs   1.5.3   Found in -https://www.langkingdom.com/js/015c29d6.libs.js
Vulnerability info:
Medium   angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676   
Medium   Prototype pollution   
Low   XSS through SVG if enableSvg is set   
Medium   Universal CSP bypass via add-on in Firefox   
Medium   DOS in $sanitize   
Low   XSS in $sanitize in Safari/Firefox

10% tracking blocked in ZenMate.

Source code oversight:

No alerts here: https://www.virustotal.com/gui/ip-address/13.228.173.6/relations

So wait for the final verdict by an avast team member, as they are the only ones to come and unblock,
we here are just volunteers with relative knowledge in website security intelligence.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
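
The version check behind the "retirable library" finding in the post above, as an added Python example that is not part of the thread or of any scanner's code: it reads library banners out of a bundle and compares versions numerically against the one advisory bound quoted there (AngularJS prior to 1.8.0, CVE-2020-7676). The banner patterns, function names and sample bundle are assumptions constructed for illustration.

```python
import re

# Banner patterns as they usually appear at the top of each library's
# distributed file (assumption: the bundle kept these comments).
VERSION = r"v(\d+(?:\.\d+){1,2}(?:-[0-9A-Za-z.]+)?)"
BANNERS = {
    "angularjs": re.compile(r"AngularJS " + VERSION),
    "jquery": re.compile(r"jQuery (?:JavaScript Library )?" + VERSION),
}

# The only advisory bound used here is the one quoted in the post above.
ADVISORIES = [
    {"library": "angularjs", "below": "1.8.0", "id": "CVE-2020-7676"},
]


def version_key(version):
    """Turn '1.5.3' or '1.8.0-rc.1' into a tuple that sorts correctly."""
    core, _, prerelease = version.partition("-")
    numbers = [int(part) for part in core.split(".")]
    numbers += [0] * (3 - len(numbers))  # '1.8' is treated as 1.8.0
    # A pre-release sorts before the final release with the same numbers.
    return tuple(numbers) + (0 if prerelease else 1,)


def detect_libraries(js_text):
    """Return sorted (library, version) pairs found in a script's banners."""
    found = set()
    for name, pattern in BANNERS.items():
        for match in pattern.finditer(js_text):
            found.add((name, match.group(1)))
    return sorted(found)


def findings(js_text, advisories=ADVISORIES):
    """List (library, version, advisory id) for versions below a fixed bound."""
    hits = []
    for name, version in detect_libraries(js_text):
        for adv in advisories:
            if adv["library"] != name:
                continue
            if version_key(version) < version_key(adv["below"]):
                hits.append((name, version, adv["id"]))
    return hits


# Constructed sample: a concatenated bundle carrying two library banners.
SAMPLE_BUNDLE = """\
/*! jQuery v1.11.3 | (c) jQuery Foundation | jquery.org/license */
!function(a,b){/* ... */}(window);
/*
 AngularJS v1.5.3
 (c) Google, Inc. http://angularjs.org
 License: MIT
*/
(function(S,W,y){/* ... */})(window,document);
"""

if __name__ == "__main__":
    for name, version in detect_libraries(SAMPLE_BUNDLE):
        print("found", name, version)
    for hit in findings(SAMPLE_BUNDLE):
        print("below fixed version:", *hit)
```

Comparing the version strings directly would sort "1.11.3" before "1.9.0", which is why the check converts them to numeric tuples first.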


Title: Re: Site Blocked - URL:Phishing
Post by: DavidR on September 17, 2020, 12:51:35 AM
I'm always suspicious when someone posts a link Avast supposedly isn't alerting on it, I'm a trusting sort NOT.  That said Avast is actually alerting on it, an alert on the api. domain auth token, see attached image.

Like my forum friend polonus there are other things at issue with this site.
But this site is considered a Medium Security Risk https://sitecheck.sucuri.net/results/langkingdom.com

Plus other issues here https://webhint.io/scanner/8e75f61b-63e2-40f4-813c-92ae894ca73f

Title: Re: Site Blocked - URL:Phishing
Post by: linhvu.vn on September 17, 2020, 04:14:34 AM
Hi everybody
First, I am sorry because I use Google Translate
I cannot enter a password from the keyboard after I set up password
My keyboard still works for other things

Let me know what I can do
Title: Re: Site Blocked - URL:Phishing
Post by: rocksteady on September 17, 2020, 10:29:58 AM
Which password do you mean?
Is it the password to lock Avast settings?

Also state which operating system and whether paid or free Avast.
Title: Re: Site Blocked - URL:Phishing
Post by: linhvu.vn on September 17, 2020, 10:33:08 AM
After I update version Avast, I fixed it
Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: mallomar on September 17, 2020, 12:22:55 PM
Hope I'm posting this in the right place.

Avast (I use the free version) is blocking access to my bank's website. I've tried on 2 different computers, and I get this message:

Threat secured

We've safely aborted connection on [secure.bankofamerica.com] because it was infected with HTML:PhishingBank-COV [Phish}


Can someone please tell me what I need to do?

Thanks.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on September 17, 2020, 12:29:10 PM
Hi, this has been fixed already, see: https://forum.avast.com/index.php?topic=238078.0
Title: Re: Site Blocked - URL:Phishing
Post by: mallomar on September 17, 2020, 03:13:15 PM

Thanks. It does work now.
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on September 17, 2020, 03:15:26 PM
You're welcome.
Title: Re: Site Blocked - URL:Phishing
Post by: thekalakarz on September 23, 2020, 09:14:59 AM
Hello, I'm having problems with my website (manhealth.com.pk)  website is marked url:phishing by Avast
Title: Re: Site Blocked - URL:Phishing
Post by: rocksteady on September 23, 2020, 09:57:12 AM
Report a false positive. (You should not fail to miss this post by Pondus in big Red font):
https://forum.avast.com/index.php?topic=218384.msg1561206#msg1561206

Title: Re: Site Blocked - URL:Phishing
Post by: polonus on September 23, 2020, 05:40:14 PM
Three issues on your WordPress CMS - outdated plug-in software:
widget-options 3.6.1   Warning   latest release (3.7.4)
https://widget-options.com/
wp-author-date-and-meta-remover 1.0.4   Warning   latest release (1.0.5)
http://wpadmrproplus.com

Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

Path Tested   Status
/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing is tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Here no alerts: https://sitecheck.sucuri.net/results/manhealth.com.pk  but mentioned insecurity: TLS & protection issues.

Wait for a final verdict from an avast team member, as they are the only ones to come and unblock.

We here are volunteers with relative knowledge,

polonus (volunteer 3rd party cold recon  website security and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: nover on October 02, 2020, 08:51:46 AM
Hello Sir Polonus

Our site a clickfunnel page is being tagged as phishing site. Please remove us on the blacklist or if there's any proof of legitimacy you need we can provide too. It's just our clients are experiencing blockage during a visit to our site.

h[ttp]s://register.thedoersway[.]net/mem-exclusive-membership-access

Please help.

I have already submitted our site at the report form.

Thanks
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on October 02, 2020, 12:53:48 PM
There is a detection there, avast holds it is genuine. But then you have to take that up with an avast team member,
as they are the only ones to come and unblock. It is their detection and this here is part of their forums.

They just offer us a platform and we here are just volunteers with relative website security intelligence knowledge.

Seems the detection has to do with some Cloudflare's anti-bot code obfuscation.

Take it up with your clickfunnel representative, and let them address this issue with someone from avast team,
responsible for blocking the sites involved that apparently are PHISHing in such a manner,
and make use of clickfunnel services.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: porenga on November 07, 2020, 04:34:32 PM
Hello.
I have the same problem that other members have repeatedly reported.
The website is https://hea.eus/
Could you check whether it is on the list and why?
Many thanks
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on November 08, 2020, 07:28:14 AM
-> https://sitecheck.sucuri.net/results/https/hea.eus
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 08, 2020, 01:06:45 PM
Hello porenga,

WordPress version outdated. Outdated plug-in:    gdpr-cookie-compliance 4.3.8   Warning   latest release (4.3.9)
https://wordpress.org/plugins/gdpr-cookie-compliance/

User Enumeration
The first two user ID's were tested to determine if user enumeration is possible.

Username   Name
ID: 1   pepe   
ID: 2   not found   
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

Path Tested   Status
/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing is tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

There is one more engine that detects this site: https://www.virustotal.com/gui/url/b50451881dcd95beb4abca15d55d71db1538ee23a281f052962ea7e26a47f462/detection
Those were the results of 1 month ago, it now seems given as clean:
https://www.virustotal.com/gui/url/b50451881dcd95beb4abca15d55d71db1538ee23a281f052962ea7e26a47f462/detection
Nor here: https://www.virustotal.com/gui/ip-address/5.145.174.10/relations

Detection probably based on older blacklisting reports by McAfee's and here: https://threatminer.org/host.php?q=5.145.174.10

Wait for an official verdict by an avast team member, as they are the only ones to come and unblock,
as we here are just volunteers with relative website security expertise.

Some 463 recommendations for improvement on website, see:
https://webhint.io/scanner/5e6b6723-ec49-4303-ab65-8c6fbee76e1b

Go with God,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
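
The directory indexing test reported in this post and in the earlier WordPress report for manhealth.com.pk, as an added Python example (not the scanner's own code): it classifies captured responses by listing markup instead of by status code alone, because a 200 can also come from an empty index file. The signatures, function names and sample responses are assumptions constructed for illustration.

```python
import re

# Body signatures of server-generated listings (assumed from the default
# templates of Apache mod_autoindex, nginx autoindex and IIS browsing).
LISTING_SIGNATURES = [
    ("apache/nginx", re.compile(r"<title>\s*Index of /", re.I)),
    ("apache/nginx", re.compile(r"<h1>\s*Index of /", re.I)),
    ("iis", re.compile(r"\[To Parent Directory\]", re.I)),
]


def classify(status, body):
    """Return ('enabled', server_hint) or ('disabled', reason) for one response."""
    if status != 200:
        return ("disabled", f"HTTP {status}")
    for hint, pattern in LISTING_SIGNATURES:
        if pattern.search(body):
            return ("enabled", hint)
    # 200 without listing markup: an index file answered instead.
    return ("disabled", "index file served")


def audit(responses):
    """Map each tested path to 'enabled' or 'disabled', as in the report."""
    return {path: classify(status, body)[0]
            for path, (status, body) in responses.items()}


def exposed_entries(body):
    """Entry names readable from a listing, minus sort and parent links."""
    names = re.findall(r'<a href="([^"?][^"]*)"', body, re.I)
    return [n for n in names if not n.startswith(("/", "../"))]


# Constructed sample responses; file names are invented for illustration.
UPLOADS_BODY = """<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1>
<a href="?C=N;O=D">Name</a>
<a href="/wp-content/">Parent Directory</a>
<a href="2020/">2020/</a>
<a href="backup-db.sql.gz">backup-db.sql.gz</a>
</body></html>"""

SAMPLE_RESPONSES = {
    "/wp-content/uploads/": (200, UPLOADS_BODY),
    # WordPress ships an empty index.php in this folder, so the server
    # answers 200 without listing anything.
    "/wp-content/plugins/": (200, ""),
    "/wp-includes/": (403, "<h1>Forbidden</h1>"),
}

if __name__ == "__main__":
    for path, state in audit(SAMPLE_RESPONSES).items():
        print(f"{path:<24}{state}")
    print("readable entries:", exposed_entries(UPLOADS_BODY))
```

On Apache, `Options -Indexes` in the server configuration or `.htaccess` turns the listing off; on nginx the corresponding setting is `autoindex off`.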
Title: Re: Site Blocked - URL:Phishing
Post by: porenga on November 09, 2020, 11:44:25 AM
Many thanks, Polonus
The information is extremely interesting and complete
I will take my time studying it.
I have also asked Avast to review the classification
Regards
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 09, 2020, 01:34:18 PM
Hello porenga,

You are welcome, very good.

Did you report the site to avast's team? Good to know their final verdict,
as they are the only ones to come and unblock.

Regards,

polonus

Title: Re: Site Blocked - URL:Phishing
Post by: Ecco Perú on November 09, 2020, 08:54:07 PM
Hi, my name is Andres of Ecco Perú, my website is blocked ecco.pe, please I need help, thanks

My website is more than 3 years old. (If support were available in Spanish, I would appreciate it.)
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 10, 2020, 06:30:09 AM
Hello Ecco Perú,

Your website CMS is outdated and even worse left, there won't be upgrades to Magento 1.
Magento 1 is end of life!
Read this report: https://www.magereport.com/scan/?s=https://ecco.pe/ *

Your website runs a high risk of being compromised.
Follow instructions from magereport * (for Spanish use Google Translate -> English to Spanish).

Go with God,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: fumachi1 on November 17, 2020, 03:52:21 PM
Dear,

www.audazodontologia.com.br

Avast is showing Phishing in my website.
We have already done every check and eliminated all risks.

Please, could you verify and remove this advise from Avast?

Thank you in advance!
Regards
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on November 17, 2020, 03:59:51 PM
-> https://sitecheck.sucuri.net/results/www.audazodontologia.com.br
Title: Re: Site Blocked - URL:Phishing
Post by: fumachi1 on November 17, 2020, 07:46:20 PM
Thanks for your reply.
In the details we can see that it is not my site, it is a link that was removed today from

www.fohatlux.com.br (who developed my site)

We already removed this link.

I do not know what to do anymore.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 18, 2020, 10:36:34 AM
It is not only avast detecting: https://www.virustotal.com/gui/url/6ebccdcfc5551982eec80b07cd466ac38cc29c47738219daed42182c3365586b/detection

Consider: https://retire.insecurity.today/#!/scan/50f3b9254356eb7341d3d30df5beac0bb0031cdc4efb7eeed5ddc5d8a8b38d0f
and
https://webhint.io/scanner/b7c27f14-f02e-43f7-ab2b-f090a3564222

Or wait for a final verdict from avast team, as they are the only ones to come and unblock,

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: jedrzejevski on November 18, 2020, 04:54:50 PM
Hello,

Apparently, my site was blocked as well. If someone has installed Avast on their notebooks, then error: URL:Phishing pops up. It happens for example on: http://lakp.pl/webpage.php?id=387 or http://lakp.pl/zawodnik.php?playerId=7736.

It is a page built by myself. Can someone help me with detecting why it was blocked? I have run scan: https://retire.insecurity.today/#!/scan/da0c48038c5188f6fa437286968531e736bb98ee851a10362e4148fd295bb489 and it seems that there is 1 vulnerable library (jquery 1.11.3), can it be the cause?

Thanks,
Adrian
Title: Re: Site Blocked - URL:Phishing
Post by: Asyn on November 19, 2020, 07:18:51 AM
-> https://sitecheck.sucuri.net/results/lakp.pl/webpage.php?q=id%3D387
-> https://www.virustotal.com/gui/url/b646788e28b594aed22a569eb97a166130f3d6f7860b90d71ae0ce3b16530cbe/detection
-> https://zulu.zscaler.com/submission/cafd7b5a-66c4-4fa4-8e6d-2fe89be05e83
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 19, 2020, 11:39:36 AM
Hello Mr. Adrian,

I scanned one of the links you gave for recommendations (hints towards improvement e.g. security improvement),
and it came up with some 200 issues: https://webhint.io/scanner/3d28d568-67c6-4138-9d97-805c21231595
See particularly: https://webhint.io/scanner/3d28d568-67c6-4138-9d97-805c21231595#category-security

Certainly that http site has some backlying php problems at the webserver and as you saw it is not only avast complaining about that.
But that is not what the blocking is about.

See:
Quote
<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylXXXXXXXXXXXXXXXXXXXXvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_vgqARs6XTetJ9eDkEAigNmOH0gI5oDHVDcJDA1yqXazCcWPMB7YBiWBbQDicgeQD0aSb9mBSmBlUDES6V4hqeQ==><head><meta charset="utf-8"><title>lak.pl&nbsp;-&nbspThis website is for sale!&nbsp;-&nbspLak Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="This website is for sale! -lak.pl is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, -lak.pl has it all. We hope you find what you are searching for!"><link
XXXXXX obfuscated by me for obvious reasons  (pol).

"Your site" has been sedo-parked and is earning adclicks for ABP "from the grave" (as it is for sale).
Now a rogue can't just copy someone else's "data-adblockkey" for their own site: -http://img.sedoparking.com","adblockkey":" data-

Spammy looking links: Any links with funky anchor text? Yes there are.

<a href="-http://lakp.pl/wyniki.php?roundId=642">Moore - Git Team 4-3 (3-0)<br> Adampol - Poker 6-1 (2-1)<br> Nexbet - Krupniki 4-3 (0-2)<br> Dywany - APP Energy 5-7 (2-2)<br> Bosko - Tifosi 5-3 (2-1)<br> Czarni - Politechnika 4-2 (1-1)</a>
<a style="text-decoration: none !important; color: #302c7f;" href="-klub.php?teamId=46">Poker</a> That is all (pol).

Regards,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: jedrzejevski on November 23, 2020, 05:30:56 PM
Hi Polonus,

Thanks for your help.
However, I can't find the part of the site that you mentioned, the :
Quote
<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylXXXXXXXXXXXXXXXXXXXXvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_vgqARs6XTetJ9eDkEAigNmOH0gI5oDHVDcJDA1yqXazCcWPMB7YBiWBbQDicgeQD0aSb9mBSmBlUDES6V4hqeQ==><head><meta charset="utf-8"><title>lak.pl&nbsp;-&nbspThis website is for sale!&nbsp;-&nbspLak Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="This website is for sale! -lak.pl is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, -lak.pl has it all. We hope you find what you are searching for!"><link

My site is lakp.pl, not the lak.pl that this quote points to.
Regarding ? in the links, I know it's not the best way to use URLs, however it is still used by many websites over the world. Do you think it can be a source of the issues?
Thanks,
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on November 24, 2020, 02:43:12 PM
Do not see the website LAKP being blocked by avast now.
Also see: https://urlscan.io/result/16c1e500-62f4-4325-995f-986b639b986e/#links
Detections normally are based on such indicators like: https://urlscan.io/result/16c1e500-62f4-4325-995f-986b639b986e/#indicators

polonus