Avast WEBforum

Other => Viruses and worms => Topic started by: mabuitragor on December 23, 2018, 12:51:15 PM

Title: Site Blocked - URL:Phishing
Post by: mabuitragor on December 23, 2018, 12:51:15 PM
Hello,
The Avast Web Shield has blocked our website, which does not contain malware or phishing, and this is causing us numerous inconveniences.
Website: https://www.concursator.com

Please, help us to solve this.
Thanks in advance.
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on December 23, 2018, 01:56:13 PM
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php


Title: Re: Site Blocked - URL:Phishing
Post by: mabuitragor on December 23, 2018, 02:02:57 PM
OK. I did it.
Thank you very much for your reply. In any case, I would like you to give us information about why this has happened, because many users cannot access the website or lose confidence in it, and this is causing us serious problems.
Title: Re: Site Blocked - URL:Phishing
Post by: LukasJ on December 23, 2018, 03:17:43 PM
Hi,
detection was disabled.

Lukas
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 23, 2018, 03:24:54 PM
Additional info and security recommendations

Adblockers block scripts from htxps://s1.adform.net/ with persistent cookie.
See: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Ll5dbl51fXN8dF19Ll5dbWA%3D~enc
See: https://retire.insecurity.today/#!/scan/57a2628d59993ba2092968ce5e3cf79edffab0603cd62403bc2902f77893cf00
Recommendations for improvement: 28 hints -> https://webhint.io/scanner/7d5a7619-d6b0-4f84-ae19-df9703f805da
F-grade security: https://observatory.mozilla.org/analyze/www.concursator.com
Results DOM-XSS risk: hxtps://www.concursator.com/js/validations.js
Number of sources found: 43
Number of sinks found: 19
IP is blacklisted here: 82.223.14.113 is blacklisted by 39 websites using IP Blacklist Cloud Plugin.
e.g. by Conspiracy Roundup

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: mabuitragor on December 23, 2018, 05:42:02 PM
Quote from: LukasJ
Hi,
detection was disabled.

Lukas

Hello Lukas, thanks
I'm still being blocked by the Web Shield, and I have updated the virus database.
I'm not sure if I have to wait some time or if I have to take any other action on my part.
Title: Re: Site Blocked - URL:Phishing
Post by: mabuitragor on December 23, 2018, 05:58:37 PM
Quote from: polonus
Additional info and security recommendations

Adblockers block scripts from htxps://s1.adform.net/ with persistent cookie.
See: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Ll5dbl51fXN8dF19Ll5dbWA%3D~enc
See: https://retire.insecurity.today/#!/scan/57a2628d59993ba2092968ce5e3cf79edffab0603cd62403bc2902f77893cf00
Recommendations for improvement: 28 hints -> https://webhint.io/scanner/7d5a7619-d6b0-4f84-ae19-df9703f805da
F-grade security: https://observatory.mozilla.org/analyze/www.concursator.com
Results DOM-XSS risk: hxtps://www.concursator.com/js/validations.js
Number of sources found: 43
Number of sinks found: 19
IP is blacklisted here: 82.223.14.113 is blacklisted by 39 websites using IP Blacklist Cloud Plugin.
e.g. by Conspiracy Roundup

polonus (volunteer website security analyst and website error-hunter)

Hello, thanks for your recommendations and work on this.
I think the points you indicate are not critical and the website has not been hacked.
In addition, I have not found the IP listed in any blacklist.

Are any of these points the reason why they have cataloged the website as phishing?

Title: Re: Site Blocked - URL:Phishing
Post by: polonus on December 23, 2018, 07:10:01 PM
Hi mabuitragor,

That question can only be answered by LukasJ or one of his Avast team colleagues, as I am not aware for what reason the website was originally flagged as critical.

The run of the mill malware scanners do not flag your website. That is a good thing.

What I do is scan websites for use of best practices via third-party cold reconnaissance website scanning.
It is just trying to be of assistance to the website admins. Your site isn't in the fragment of websites with critical website security issues, but there is always room for improvement when there is a technical ability to implement it (via webserver and with assistance of the hosting parties). The relevant knowledge for this I gained constantly over time since 2004.

The hints or security recommendations will just enhance the website's security grade and harden it further against being compromised. Some PUP-scanners frown upon adform.net persistent adware and will flag it.

polonus aka Damian
Title: Re: Site Blocked - URL:Phishing
Post by: mabuitragor on December 23, 2018, 07:20:30 PM
OK. I understand, many thanks Polonus for your help.

Hopefully Avast support can help me because the website is still blocked.
I do not know what component can load that stuff from 'adform.net'... Google Adsense? Facebook?
Title: Re: Site Blocked - URL:Phishing
Post by: mabuitragor on January 05, 2019, 10:28:02 AM
Hello again,

The website concursator.com is being blocked again. And nobody has given us an explanation of why it is happening.

I think the cause may be that we continue to appear on the Bitdefender blacklist. But nobody answers us there, although we have opened dozens of tickets. It is all discouraging.

Thanks,
M.

Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on January 05, 2019, 12:20:30 PM
https://www.virustotal.com/#/url/029d4214501cb3b505ed97a5d7dd4f2fbe110765d2876c632fa343c0ef23ec36/detection

https://fortiguard.com/webfilter?q=concursator.com


also blocked by F-Secure and TrendMicro
Title: Re: Site Blocked - URL:Phishing
Post by: mabuitragor on January 05, 2019, 01:52:41 PM
Yes, I see.
The data must go from one list to another. But nobody explains the cause of the detection of possible phishing.
They can give a verdict, but without showing anything it is a terrible help.

Thank you.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on January 05, 2019, 02:49:27 PM
Could not imagine it is other than general IP based, as here it comes up as "not a PHISH":
https://www.phishcheck.me/164328/details

The only one that can explain what the "renewed" detection is based upon is an Avast team member,
as I see -82.223.14.113/ being blocked in Avast Secure Browser.
Consider reports here: https://www.abuseipdb.com/check/82.223.14.113

Quote
document.cookie = cname & obj2CH.value = obj2CH.name;
is a source in combination with 429 sinks,
when scanned for DOM-XSS flaws.

polonus
Title: Re: Site Blocked - URL:Phishing
Post by: mabuitragor on January 05, 2019, 08:25:37 PM
Hello, thank you very much for the time you have dedicated.

But I do not know if I understood correctly.

In the quoted text (I think I understand) there appears the setting of a cookie value and a part of the JavaScript code that we have to avoid data injection by robots in the comment forms.

Can those code snippets cause a phishing positive? (sounds strange)

In addition to this: a few days ago, I thought that a $.ajax call to a subdomain 'push.concursator.com' could cause the positive detection, so I made changes so that every ajax call was to the main domain 'www.concursator.com'. All of this has occurred after we included the components for web push notifications, basically a serviceworker.js and another JavaScript file (but I am not sure if it is related to the detection). I don't think those code snippets are so complicated or rare as to cause a positive.

Therefore, I do not know what I have to change or if I have to change something with the data we now have.

Thanks.
M.
Title: Re: Site Blocked - URL:Phishing
Post by: polonus on January 05, 2019, 11:22:57 PM
Ola mabuitragor,

No, that is a general recommendation stemming from a DOM_XSS vulnerability scan, and it does not even say that it can be explored.

As I stated before, three solutions (according to VirusTotal) now do flag that particular IP that you share with others for phishing.
As far as I can establish with my 14 years of relative knowledge and experience, it is not your particular domain that is actually being abused as a PHISH. So they could exclude that address and block others that share that particular IP, or take it up with your hoster.

However, I cannot say for sure why Avast and the others that have your address on a phishing domain or IP list do this.
You can only hear that from the horse's mouth, an Avast team member, as we are just volunteers here with relative knowledge but cannot unblock, as only Avast team members can.

vaya con Dios,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
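
The source and sink counts quoted in this thread come from pattern-based scanning; the following is an added example, not part of any post and not the scanner polonus used, and its pattern lists and sample script are constructed assumptions. It shows why a raw count marks review candidates rather than a confirmed flaw: only a statement where a source and a sink meet is worth triaging first.

```javascript
// Pattern lists are illustrative assumptions, not the rule set of any real scanner.
const SOURCES = /\b(?:document\.(?:URL|documentURI|cookie|referrer)|location\.(?:href|search|hash|pathname)|window\.name)\b/g;
const SINKS = /\b(?:eval|setTimeout|setInterval)\s*\(|\bdocument\.write(?:ln)?\s*\(|\.(?:innerHTML|outerHTML)\s*=(?!=)|\.insertAdjacentHTML\s*\(/g;

// Count all matches of a global regex in a string.
function count(re, text) {
  return (text.match(re) || []).length;
}

// Scan JavaScript text line by line. Returns the total number of source and
// sink patterns, plus the 1-based line numbers where both occur in the same
// statement, which is where attacker-influenced data may reach a sink directly.
function scanDomXss(code) {
  const report = { sources: 0, sinks: 0, sameLine: [] };
  code.split("\n").forEach((line, i) => {
    // Crude comment stripping; it would also cut a "//" inside a string.
    const stripped = line.replace(/\/\/.*$/, "");
    const s = count(SOURCES, stripped);
    const k = count(SINKS, stripped);
    report.sources += s;
    report.sinks += k;
    if (s > 0 && k > 0) report.sameLine.push(i + 1);
  });
  return report;
}

// Constructed sample script, not taken from the site discussed in the thread.
const SAMPLE = [
  'var cname = "consent";',
  'document.cookie = cname + "=1; path=/";',
  'var q = location.search.substring(1);',
  'document.getElementById("msg").innerHTML = "Saved";',
  'document.getElementById("out").innerHTML = decodeURIComponent(location.hash);',
  'setTimeout(function () { check(); }, 500);',
].join("\n");

console.log(scanDomXss(SAMPLE));
```

Of the three sinks counted in the sample, two receive only constant data; line 5 is the single place where a source feeds a sink, and even that needs manual confirmation.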


Title: Re: Site Blocked - URL:Phishing
Post by: mabuitragor on January 07, 2019, 09:59:11 AM
Hello, thanks again for your response.

The IP is not listed in blacklists.
We also have other websites hosted on the server without any being marked/listed with problems.

The only thing that occurs to me is that the latest functionality we've included, for sending web push notifications, will trigger the false positive. An Ajax call is made to re-subscribe the users in the background. But I'm not sure about anything and no one has given us an explanation. The systems for analysis create a positive and do not know the reasons? All this seems very strange to me, really.

Thank you,
Miguel.
Title: Re: Site Blocked - URL:Phishing
Post by: Breno28 on January 09, 2019, 10:55:53 PM
I have submitted a request to have my webapp delisted through the form: festalab.com.br
https://www.avast.com/false-positive-file-form.php

How do I find out what triggered the inclusion in the list? I mean, was it some script, a url, or something?
Title: Re: Site Blocked - URL:Phishing
Post by: Pondus on January 09, 2019, 11:18:55 PM
Quote
How do I find out what triggered the inclusion in the list? I mean, was it some script, a url, or something?
You find out when they reply


Title: Re: Site Blocked - URL:Phishing
Post by: polonus on January 09, 2019, 11:23:18 PM
Hi Breno28,

What we see here: the IP came up 8 times in the recent past: https://checkphish.ai/ip/104.25.227.27
check IP also here: https://www.ip-adress.com/website/fishlab.com
Domain not flagged here: https://phishcheck.me/166555/details
IP was also involved in running these malicious executables from:
https://any.run/report/d7c1cbab71892a5fca83d1ee267a80792fd53df32488ba6299f7c395b4cb7866/65f18cc8-2d1f-4413-9143-e2f6e9a9ca28

So it is probably related to general Cloudflare IP abuse, but you can only get the real information from an Avast Team Member,
as we here are just volunteers with relevant knowledge, but only Avast Team Members know on what ground an IP or domain may be blocked and they are the only ones who can unblock.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Site Blocked - URL:Phishing
Post by: Breno28 on January 10, 2019, 02:27:55 AM
Thank you Polonus. I've been using Cloudflare for a year and never had a problem. This means that they recently moved me behind an IP that was problematic, which means I should ask them to assign me a new IP, is that right?
Title: Re: Site Blocked - URL:Phishing
Post by: HonzaZ on January 10, 2019, 09:42:17 AM
Hi,
I have removed festalab[.]com.br from our blacklist.
Title: Re: Site Blocked - URL:Phishing
Post by: Breno28 on January 10, 2019, 01:43:34 PM
Quote from: HonzaZ
Hi,
I have removed festalab[.]com.br from our blacklist.

Thank you HonzaZ. I updated and rebooted and can now access my website.