Avast WEBforum

Other => General Topics => Topic started by: twiy.com on November 23, 2019, 07:53:13 PM

Title: Avast blocking my newly acquired domain - Need help pls from Avast team member
Post by: twiy.com on November 23, 2019, 07:53:13 PM
Hello, the domain "weedsmoke.org" is being blocked on computers with Avast installed on them. I just acquired this domain a few days ago, is there a chance the prior owner was running something malicious and this resulted in the block? What process do I have to go through to unblock the domain. Thanks in advance for the help.
Title: Re: Avast blocking my newly acquired domain - Need help pls from Avast team member
Post by: DavidR on November 23, 2019, 09:37:11 PM
That is a possibility, but another possibility could be where it is being hosted, e.g. what IP address, as there could be other sites on that domain that are infected or malicious. This could then impact other domains on that same IP address. In order to know that we would need to know what the avast alert is.

Nothing direct found here https://sitecheck.sucuri.net/results/weedsmoke.org, but there are some Medium Security Risk issues that should be addressed. Though I'm not sure if these are the cause.

Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php

EDIT: Also see https://www.virustotal.com/gui/url/5cfc6af0f59488b8a296214278be310e70bddcb86dc40c8fa37ee5664e6b2828/detection
Title: Re: Avast blocking my newly acquired domain - Need help pls from Avast team member
Post by: polonus on November 25, 2019, 01:03:04 AM
3 engines detect this website: https://www.virustotal.com/gui/url/5cfc6af0f59488b8a296214278be310e70bddcb86dc40c8fa37ee5664e6b2828/detection
and that was  a moment ago.
See: https://www.myip.ms/info/whois/158.106.136.183/k/2229768043/website/weedsmoke.org

polonus
Title: Re: Avast blocking my newly acquired domain - Need help pls from Avast team member
Post by: twiy.com on November 25, 2019, 06:59:56 PM
Thank you for the replies. What are the "Medium Security Risk issues that should be addressed"? Please let me know so I can try to fix it or tell my host. Thanks in advance
Title: Re: Avast blocking my newly acquired domain - Need help pls from Avast team member
Post by: DavidR on November 25, 2019, 07:54:42 PM
Quote from: twiy.com
Thank you for the replies. What are the "Medium Security Risk issues that should be addressed"? Please let me know so I can try to fix it or tell my host. Thanks in advance

Check the link that I gave as they were listed.

TLS Recommendations
Protection
Security Headers
Title: Re: Avast blocking my newly acquired domain - Need help pls from Avast team member
Post by: jefferson sant on November 25, 2019, 10:33:15 PM
Quote from: twiy.com
Hello, the domain "weedsmoke.org" is being blocked on computers with Avast installed on them. I just acquired this domain a few days ago, is there a chance the prior owner was running something malicious and this resulted in the block? What process do I have to go through to unblock the domain. Thanks in advance for the help.

Detection was removed 25.11.2019 at 10:43 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: Avast blocking my newly acquired domain - Need help pls from Avast team member
Post by: polonus on November 26, 2019, 12:37:22 AM
What is still there for the 'weedsmoke dot org' website is
Google/Browser Difference
scrub malware

Not identical

Google: 358286 bytes       Firefox: 358853 bytes
Diff:         567 bytes

First difference:
enu tdi_1_5d6 td-no-subcats td_with_ajax_pagination td-pb-border-top td_block_template_1" data-td-block-uid="tdi_1_5d6" ><script>var block_tdi_1_5d6 = new tdblock(); block_td...

See check for cloaking: http://isithacked.com/check/weedsmoke.org
Quote

There is a difference of 1139 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page.

Status codes

These should normally all be the same.

    GoogleBot returned code 403
    Google Chrome returned code 301 to -https://weedsmoke.org/

Just to let you know,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
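The "Google/Browser Difference" and isithacked results quoted in this post come from fetching the same URL twice, once presenting a crawler User-Agent and once a browser User-Agent, and comparing what comes back. The following is an added example of that check, not code from the thread or from either scanner. The User-Agent strings, the sample HTML bodies and the `example.invalid` link are all constructed for the demonstration; `fetch()` is included so a site operator can run `check_site()` against a site they control, but the offline `demo()` only compares the constructed bodies.

```python
"""Fetch one URL as a crawler and as a browser, then compare the two responses."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Illustrative User-Agent strings (assumed); cloaked pages key on exactly these.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"


@dataclass
class Variant:
    agent: str
    status: int
    body: bytes


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow 3xx, so the status codes can be compared like the scanner output does.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, agent: str, timeout: float = 10) -> Variant:
    """Fetch url presenting the given User-Agent; keeps the body of error responses too."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Variant(agent, resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry a body
        return Variant(agent, err.code, err.read())


HREF = re.compile(rb"""href=["']([^"']+)["']""", re.IGNORECASE)


def first_difference(a: bytes, b: bytes, context: int = 60):
    """Offset of the first differing byte plus a snippet from each side,
    or None when the bodies are identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            break
    else:
        i = n
        if len(a) == len(b):
            return None
    return i, a[i:i + context], b[i:i + context]


def compare(bot: Variant, browser: Variant) -> dict:
    """Summarise how the crawler's copy differs from the browser's copy."""
    bot_links = set(HREF.findall(bot.body))
    browser_links = set(HREF.findall(browser.body))
    return {
        "status_mismatch": bot.status != browser.status,
        "statuses": (bot.status, browser.status),
        "sizes": (len(bot.body), len(browser.body)),
        "diff_bytes": abs(len(bot.body) - len(browser.body)),
        "first_difference": first_difference(bot.body, browser.body),
        # Links served to the crawler but absent from the browser copy: the
        # classic sign of SEO-spam cloaking.
        "links_only_for_bot": sorted(
            link.decode("utf-8", "replace") for link in bot_links - browser_links
        ),
    }


def check_site(url: str) -> dict:
    """Live check of a site you operate (not run in the offline demo)."""
    return compare(fetch(url, GOOGLEBOT_UA), fetch(url, BROWSER_UA))


# Constructed sample: the same page, with a hidden link block injected only
# into the crawler's copy.
BROWSER_BODY = (b'<html><head><title>Site</title></head><body>'
                b'<div class="menu"><a href="/about/">About</a></div>'
                b'</body></html>')
INJECTED = b'<div style="display:none"><a href="http://example.invalid/cheap">cheap</a></div>'
BOT_BODY = BROWSER_BODY.replace(b"</body>", INJECTED + b"</body>")


def demo() -> dict:
    return compare(Variant(GOOGLEBOT_UA, 200, BOT_BODY),
                   Variant(BROWSER_UA, 200, BROWSER_BODY))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

A size difference on its own is weak evidence: the 567-byte difference reported for this site starts inside a `tdblock` script with a generated `data-td-block-uid`, which a theme may legitimately regenerate per request. Status-code mismatches (403 for the crawler, a redirect for the browser) and links that only the crawler receives are the signals worth acting on.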
Title: Re: Avast blocking my newly acquired domain - Need help pls from Avast team member
Post by: polonus on November 26, 2019, 12:08:12 PM
For the cloaking found, read: https://wordpress.org/support/topic/ad-space-problem-with-tagdiv-cloud-library-plugin/

The website is on the WordPress CMS and with the settings as they are now set, you run the risk of being compromised,
could well be you already are. The website is too chatty, do not let it speak that loud!

Plug-in to update a.s.a.p. wordpress-seo 12.5.1   latest release (12.6)
https://yoa.st/1uj

Wrong settings, should be disabled:  User Enumeration
  The first two user IDs were tested to determine if user enumeration is possible.

ID   User        Login
1    Mary Jane   dolir
2    None        None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Wrong Settings - should be disabled:
Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Google Safe Browsing checks have been performed on each of the linked sites; these seem OK.

polonus
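The two "wrong settings" above, directory indexing on /wp-content/uploads/ and user enumeration through author IDs, are both fixable from the web root. The following is an added example, not from the thread and not WordPress's own code, that audits a WordPress install for those two items and applies the usual fixes: an `Options -Indexes` line plus a placeholder `index.php` in the uploads folder, and an Apache mod_rewrite rule in the root `.htaccess` that answers `?author=N` probes with 403. It assumes a standard WordPress directory layout under Apache with `.htaccess` overrides allowed; the scratch web root that `demo()` builds is constructed for the demonstration.

```python
"""Audit and harden a WordPress web root for directory indexing and author enumeration."""
import tempfile
from pathlib import Path

INDEX_OFF = "Options -Indexes"
# mod_rewrite rule refusing ?author=N probes (assumes AllowOverride permits it).
AUTHOR_BLOCK = [
    "RewriteEngine On",
    "RewriteCond %{QUERY_STRING} (^|&)author=\\d+ [NC]",
    "RewriteRule ^ - [F,L]",
]


def _lines(path: Path) -> list:
    return path.read_text().splitlines() if path.is_file() else []


def _indexes_off(lines) -> bool:
    """True if some Options directive in the file switches indexing off."""
    for line in lines:
        parts = line.split()
        if parts and parts[0].lower() == "options":
            if "-indexes" in (p.lower() for p in parts[1:]):
                return True
    return False


def _author_blocked(lines) -> bool:
    """True if a RewriteCond on author= is paired with a forbidding RewriteRule."""
    stripped = [ln.strip() for ln in lines]
    has_cond = any(ln.startswith("RewriteCond") and "author=" in ln for ln in stripped)
    has_rule = any(ln.startswith("RewriteRule") and "[F" in ln for ln in stripped)
    return has_cond and has_rule


def audit(webroot) -> dict:
    root = Path(webroot)
    uploads = root / "wp-content" / "uploads"
    return {
        "uploads_indexing_disabled": _indexes_off(_lines(uploads / ".htaccess")),
        "uploads_has_index_php": (uploads / "index.php").is_file(),
        "author_enum_blocked": _author_blocked(_lines(root / ".htaccess")),
    }


def _append(path: Path, text: str) -> None:
    """Append text to path, keeping an existing file's last line intact."""
    existing = path.read_text() if path.is_file() else ""
    if existing and not existing.endswith("\n"):
        existing += "\n"
    path.write_text(existing + text + "\n")


def harden(webroot) -> dict:
    """Apply the fixes that audit() finds missing and return the new audit result."""
    root = Path(webroot)
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True, exist_ok=True)
    if not _indexes_off(_lines(uploads / ".htaccess")):
        _append(uploads / ".htaccess", INDEX_OFF)
    index_php = uploads / "index.php"
    if not index_php.is_file():
        # Empty placeholder so a listing is never produced even if Options is ignored.
        index_php.write_text("<?php\n// Silence is golden.\n")
    if not _author_blocked(_lines(root / ".htaccess")):
        _append(root / ".htaccess", "\n".join(AUTHOR_BLOCK))
    return audit(webroot)


def demo():
    """Build a throwaway web root (constructed), audit it, harden it, audit again."""
    scratch = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (scratch / "wp-content" / "uploads" / "2019").mkdir(parents=True)
    before = audit(scratch)
    after = harden(scratch)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Two caveats: if the host sets `AllowOverride` without `Options`, the `Options -Indexes` line makes Apache return 500 for the whole folder, so test on a staging copy or disable indexing in the server config instead. And the `?author=N` rule covers only one enumeration path; as the scan text notes, author archives and the REST users endpoint also reveal logins and need to be restricted in WordPress itself.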