Avast WEBforum

Other => Viruses and worms => Topic started by: alireza.021 on March 16, 2020, 07:30:06 AM

Title: My website being blocked for apparent URL:Phishing
Post by: alireza.021 on March 16, 2020, 07:30:06 AM
Hello, I'm having problems with my website - wxw.shiny.ae. Whenever I try to access it from any computer that has Avast installed, it does not allow access and the attachment popup appears, which states that the website is infected with URL:Phishing.

Please unblock this URL, thank you
Title: Re: My website being blocked for apparent URL:Phishing
Post by: Asyn on March 16, 2020, 07:36:32 AM
-> https://sitecheck.sucuri.net/results/www.shiny.ae
Title: Re: My website being blocked for apparent URL:Phishing
Post by: Pondus on March 16, 2020, 07:45:32 AM
https://www.urlvoid.com/scan/shiny.ae/

https://www.avast.com/false-positive-file-form.php



Title: Re: My website being blocked for apparent URL:Phishing
Post by: polonus on March 16, 2020, 02:29:08 PM
Hi alireza.021,

Your website could be quite considerably more secure.
Has a mediocre F-grade scan result here: https://observatory.mozilla.org/analyze/www.shiny.ae
Various recommendations to improve website from linting here:
https://webhint.io/scanner/7e6b8281-bebc-4127-ab7a-7f954f33b503

Consider: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LnNoW255Lnx7~enc   

&  https://www.shodan.io/host/88.198.59.226

IP related detections: https://www.virustotal.com/gui/ip-address/88.198.59.226/relations

Outdated PHP version: PHP 5.6.4

Wait for a final verdict from an Avast team member, they are the only ones to come and unblock,
we here are just volunteers with relative knowledge.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: My website being blocked for apparent URL:Phishing
Post by: jefferson sant on March 17, 2020, 12:24:35 PM
Quote from: alireza.021
Hello, I'm having problems with my website - wxw.shiny.ae. Whenever I try to access it from any computer that has Avast installed, it does not allow access and the attachment popup appears, which states that the website is infected with URL:Phishing.

Please unblock this URL, thank you

Detection was removed on 17.03.2020 at 05:41 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.
Title: Re: My website being blocked for apparent URL:Phishing
Post by: Nancy146 on March 21, 2020, 10:52:23 PM
I am receiving a URL:Phishing Error when attempting to access jotform.com.
Title: Re: My website being blocked for apparent URL:Phishing
Post by: DavidR on March 22, 2020, 01:08:43 AM
Quote from: Nancy146
I am receiving a URL:Phishing Error when attempting to access jotform.com.

Whilst not blocked by other security software, there are some things you need to consider:
https://sitecheck.sucuri.net/results/jotform.com

You can report this directly to Avast - Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
Title: Re: My website being blocked for apparent URL:Phishing
Post by: Nancy146 on March 22, 2020, 01:14:30 AM
Thanks, I have submitted the problem per your suggestion.
Title: Re: My website being blocked for apparent URL:Phishing
Post by: DavidR on March 22, 2020, 01:20:03 AM
You're welcome, but you also need to address the other issues as these could be exploited.
Title: Re: My website being blocked for apparent URL:Phishing
Post by: Nancy146 on March 23, 2020, 08:44:59 PM
Problem resolved, block removed. Thanks!
Title: Re: My website being blocked for apparent URL:Phishing
Post by: DavidR on March 23, 2020, 09:31:32 PM
You're welcome.
Title: Re: My website being blocked for apparent URL:Phishing
Post by: haindidctest on June 03, 2021, 05:36:41 PM
Same error. I have submitted the problem per your suggestion.

My website: hxtps://vina-ca.vn
Title: Re: My website being blocked for apparent URL:Phishing
Post by: DavidR on June 03, 2021, 06:06:57 PM
Quote from: haindidctest
Same error. I have submitted the problem per your suggestion.

My website: hxxps://vina-ca.vn

Please 'modify' your post and change the URL from https to hXXps, to break the link and avoid accidental exposure to suspect sites, thanks.

jQuery is out of date on your site - https://awesometechstack.com/analysis/website/vina-ca.vn/?protocol=https%3A
Some security tips on this check - https://webhint.io/scanner/ab18ca52-152c-4d59-a12e-6ec617955eb9
Title: Re: My website being blocked for apparent URL:Phishing
Post by: polonus on June 04, 2021, 12:32:24 AM
Detection could have been IP related. Wait for a final verdict from the Avast team.
Also consider: https://site-stats.org/vina-ca.vn/#

polonus
Title: 2 of My brand new websites being blocked for apparent URL:Phishing
Post by: Adam638 on June 21, 2021, 07:37:14 PM
Hi, I am a web developer and have recently bought 2 new domain names and installed exactly the same way I have installed the other 100 sites I have built. Within a couple of hours, the first site was blocked with the alert ' Threat Blocked, we've safely aborted www. because it was infected with URL:Phishing.'

My client needs his website online quickly so we bought another domain, I did report this to Avast - as a false positive - and have heard nothing back! So today I did a fresh install with the new domain (never used before) and within 3 hours of installation, it has been blocked the same as the first.

First domain was https://trusted-tattoo.com and the new domain is https://trustedtattoo.ink. The first site has been deleted.

These are standard WordPress sites, no ecommerce, valid SSL and once scanned no malware was found. How can I get this block removed and why is it happening so quickly, can it be an IP address? I've never had this issue before, and my client is getting annoyed! Thanks for any help
Title: Re: My website being blocked for apparent URL:Phishing
Post by: DavidR on June 21, 2021, 07:44:48 PM
Quote from: Adam638
<snip>

First domain was hxxps://trusted-tattoo.com and the new domain is hxxps://trustedtattoo.ink. The first site has been deleted.

These are standard WordPress sites, no ecommerce, valid SSL and once scanned no malware was found. How can I get this block removed and why is it happening so quickly, can it be an IP address? I've never had this issue before, and my client is getting annoyed! Thanks for any help

Please 'modify' your post and change the URL from http to hXXps, to break the link and avoid accidental exposure to suspect sites, thanks.

As posted in this topic:
You can report this directly to Avast - Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
Title: Re: My website being blocked for apparent URL:Phishing
Post by: Asyn on June 22, 2021, 10:19:58 AM
-> https://sitecheck.sucuri.net/results/https/trustedtattoo.ink
-> https://labs.sucuri.net/signatures/sitecheck/warning-tls/hostname-mismatch/
Title: Re: My website being blocked for apparent URL:Phishing
Post by: Jasmina on January 17, 2022, 09:53:07 PM
Hello, I'm having problems with our company website - you.com. Whenever our users try to access it from any computer that has Avast installed, it does not allow access and the attachment popup appears, which states that the website is infected with URL:Phishing.

Please unblock this you.com URL, thank you
Title: Re: My website being blocked for apparent URL:Phishing
Post by: DavidR on January 17, 2022, 11:41:40 PM
Quote from: Jasmina
Hello, I'm having problems with our company website - you.com. Whenever our users try to access it from any computer that has Avast installed, it does not allow access and the attachment popup appears, which states that the website is infected with URL:Phishing.

Please unblock this you.com URL, thank you

No alert when I checked.

I do get a little suspicious about sites reportedly blocked and not (link spamming, which is frowned upon), I'm a trusting sort ;)

Some other checks:
Considered a medium security risk - https://sitecheck.sucuri.net/results/you.com
Some vulnerabilities affecting your website - https://snyk.io/test/website-scanner/?test=220117_BiDcCD_923b5adc40bae165c2ab3542361f43af&utm_medium=referral&utm_source=webpagetest&utm_campaign=website-scanner
Title: Re: My website being blocked for apparent URL:Phishing
Post by: polonus on January 18, 2022, 05:57:22 AM
Links seem OK. Source: hackertarget WordPress scan -
Quote
HTTP/1.1 200 OK
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html
Content-Security-Policy-Report-Only: script-src 'nonce-ZpzbxmAL1kUUS8wUnIOBeQ' 'report-sample' 'self' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' http: https: https://ssl.google-analytics.com https://www.google-analytics.com https://www.google.com https://www.googleadservices.com; object-src 'none'; img-src 'self' *.fls.doubleclick.net *.google.com data: https://www.google-analytics.com www.googletagmanager.com; connect-src 'self' *.g.doubleclick.net https://www.google-analytics.com; report-uri https://csp.withgoogle.com/csp/uxe-owners-acl/chrome; base-uri 'none', require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/uxe-owners-acl/chrome
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="uxe-owners-acl/chrome"
Report-To: {"group":"uxe-owners-acl/chrome","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/uxe-owners-acl/chrome"}]}
Date: Tue, 18 Jan 2022 04:51:34 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 05 Jan 2022 19:00:00 GMT
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: sffe
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Transfer-Encoding: chunked
&
Quote

3rd party cold recon passive Analysis of WordPress Site(s)
Automated analysis of http://you.com that redirected to https://you.com/

SERVER DETAILS
Web Server: cloudflare
IP Address: 172.66.43.199
Hosting Provider: CLOUDFLARENET
Shared Hosting: 451 sites found (use Reverse IP to download list)
Title: Please Wait... | Cloudflare

0 issues

A check of threat intelligence sources and blacklists was performed against the hostname and IP address of the target. The findings will identify reputation issues or even the presence of malicious code.

DShield    CLEAN
AlienVault OTX      CLEAN
Cisco Talos    CLEAN
abuse.ch (Feodo)    CLEAN
URLhaus    CLEAN
Spamhaus (Drop / eDrop)    CLEAN
   
Google Safe Browsing is maintained by Google and used by Chrome to warn users that they are about to visit a malicious site. Use the link to perform a live check of the target site.
   
Virus Total is a powerful analysis engine that uses threat intelligence and antivirus to help researchers track malware.  References found on Virus Total may contain live malware. Use with caution.
If the IP address of a shared hosting server is listed in a blacklist, it may simply indicate one of the hosted websites has been compromised. It does not necessarily indicate an immediate threat to another site on the same host, but should be investigated. Multiple listings from a shared hosting server may indicate a hosting service with poor reputation or poor security practices.

 Take care visiting the listed threat intelligence resources. Links, hosts and references found on these sites contain live malware and should be treated with caution unless you know what you are doing.

 
There are likely more plugins installed than those listed here as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths  using a dedicated tool.

 
  Linked Sites
Reputation checks have been performed on the IP address for each of the linked sites. Hosts found on blacklists with poor reputation may be a threat to users of the site. Hosting and locations are also included in the results.

Externally Linked Host   Hosting / Company Netblock   Country   
     chrome.google.com   GOOGLE         
     www.cloudflare.com   CLOUDFLARENET         

 
Re:
Date: Tue, 18 Jan 2022 04:55:26 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 6cf53b25bfa782ed-IAD
Age: 113
Cache-Control: max-age=120
Expires: Tue, 18 Jan 2022 04:53:48 GMT
Last-Modified: Tue, 18 Jan 2022 04:52:47 GMT
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
CF-Cache-Status: HIT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: __cf_bm=L0EP.E0zOutScFfjwNzkBNY.gEfaVqNWsqrQ42idatI-1642481726-0-AYXyHMW7ybzQ+TlPfP8y77f23sz5A2se02+ojR7rnKid+UpuFqhBlEAkVCjUujyIoa2DpfYyd8itHf3+MLqCtwtVTKF0uqemSeD1HylTrLV0; path=/; expires=Tue, 18-Jan-22 05:25:26 GMT; domain=.www.cloudflare.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BNlQz9y0USohniZStwhlu6huOYEIqjYD6E%2BoGNSLE67CWe2qJ8AKtf6rkBQ2Bu2BtCvoP7wyhDBVNbLWOIVCWUXH%2BrEKVdQNtV4cs9LEdpM%2BsNqlTRzD0ZB%2BjtLu8lD9w419UF6N3KY4elF%2Fmyhb%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

polonus
Title: Re: My website being blocked for apparent URL:Phishing
Post by: Dawn16 on March 13, 2024, 11:09:54 PM
Hi,

I keep getting the URL:Phishing threat alert from this site: https://services.signin.interac-id.ca/cbs/saml/login?l=1&lang=eng

How do I fix this, please?

Thanks!

(https://i.ibb.co/4gfLG7b/url-phishing.png) (https://ibb.co/VpNGZtF)

Title: Re: My website being blocked for apparent URL:Phishing
Post by: Dawn16 on March 13, 2024, 11:30:28 PM
^^ NVM. I figured it out by adding it to exceptions. TY!
Title: Re: My website being blocked for apparent URL:Phishing
Post by: DavidR on March 13, 2024, 11:33:40 PM
Quote from: Dawn16
Hi,

I keep getting the URL:Phishing threat alert from this site: hXXps://services.signin.interac-id.ca/cbs/saml/login?l=1&lang=eng

How do I fix this, please?

Thanks!

It would have been better to start your own 'new' topic than use one over four years old.

Images can be attached to your post and not hosted on a 3rd party site.
 - Attaching Images to your post - When you Click the Reply button it opens a text window for you to post your comment (reply or post).
Click the Preview button, that shows what you have input and expands it to include 'Attachments and other options'. Click that it further expands, here you can attach images, etc. at the bottom of your post.
See my attached image, click to expand.

Also posting a live link to a suspect site isn't wise, it should be broken as I have in the quoted text above.

Adding an exclusion isn't necessarily wise, and needs investigation on why it is happening.

EDIT: You could have submitted it to Avast for analysis and clearing if found to be OK.
Title: Re: My website being blocked for apparent URL:Phishing
Post by: polonus on March 18, 2024, 02:05:32 PM
Here it has been given the all green: https://quttera.com/detailed_report/services.signin.interac-id.ca
as well as here:
https://www.virustotal.com/gui/url/09979f02242673ad33ca4d2fa43cc2bf782fc9ab76753e5670b0922fe8bbe4b4

Problem is a parked site, that could be abused - Page non trouvée / Page not found


So wait for a final verdict from Avast.

polonus