Author Topic: My sites clean on Google, Qutera... but blacklist in Avast  (Read 2445 times)

REDACTED

  • Guest
My sites clean on Google, Qutera... but blacklist in Avast
« on: April 25, 2016, 10:12:37 PM »
Hello,
In February 2016, my web server was attacked by the malware Mal/Iframe-Gen.
I have been blacklisted by Google, Yandex and Qutera.
It took two weeks to clean my server.
Then Google, Yandex and Qutera removed my server from their blacklist.
At the moment, my server is OK.
On my web server, I host 6 websites for my customers.
They tell me that my server is blacklisted, but I do not understand why.
Today, I found that Avast is the cause of this disaster.
I have a client who cannot do business because many customers cannot access his site ljs-structure-gonflable.fr
This customer wants to stop our collaboration and I'll lose money.
The Alexa rank of my main site esoft-studio.fr dropped from 500 000 to 17 million!
It's the same thing for the other sites on my server:
- angels-meet.fr
- techni-decors.fr (a small company very dissatisfied)
- memoire-deportation-ain.fr (departmental institution)
- acaju-design.fr
- geobike.fr
- fcipro.fr
...
I tested the main site: no problem:
http://www.urlvoid.com/scan/esoft-studio.fr
https://www.virustotal.com/en/url/40ee8d86ba93994e4de7126a4874fed670ca1ddacc8c94aac7ff2ce04bcc1692/analysis/1461614166/
https://sitecheck.sucuri.net/results/esoft-studio.fr
Please remove my sites and server 213.246.52.33 from your blacklist because this server is clean.
It is very important for my business !!!
Thanks in advance.
« Last Edit: April 25, 2016, 10:16:06 PM by kikou_zzr »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: My sites clean on Google, Qutera... but blacklist in Avast
« Reply #1 on: April 25, 2016, 10:16:56 PM »

REDACTED

  • Guest
Re: My sites clean on Google, Qutera... but blacklist in Avast
« Reply #2 on: April 25, 2016, 10:27:31 PM »
Hi Pondus. Thanks for your reply,
I have now posted a new ticket.
I hope it will be quick because my customers insult me because their sites are blocked!

Thanks in advance

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: My sites clean on Google, Qutera... but blacklist in Avast
« Reply #3 on: April 25, 2016, 11:15:02 PM »
angels-meet.fr

I would use a newer version of Windows Server than 2008 R2: http://prntscr.com/awt34y
Also update ASP .NET if possible.

techni-decors.fr

Update JQuery here: http://prntscr.com/awt408

memoire-deportation-ain.fr

Also JQuery Updates required: http://prntscr.com/awt4kh

acaju-design.fr

JQuery Update required I guess too: http://prntscr.com/awt59u

geobike.fr

Same story with JQuery: http://prntscr.com/awt5p9

fcipro.fr

JQuery and ASP .NET dated: http://prntscr.com/awt6hw

ljs-structure-gonflable.fr

Again JQuery and ASP outdated: http://prntscr.com/awt75g

esoft-studio.fr

ASP and JQuery dated once again: http://prntscr.com/awt7ub



The Web server headers are insecure for all websites: https://securityheaders.io/?q=http%3A%2F%2Fwww.angels-meet.fr%2F
A Guide how to fix that: https://scotthelme.co.uk/hardening-your-http-response-headers/#server

Lastly, anyone can get the server's IP address just by pinging it, for example.
I would recommend adding a CDN Network for performance, security and less server load, my personal recommendation would be Incapsula CDN from Imperva.

REDACTED

  • Guest
Re: My sites clean on Google, Qutera... but blacklist in Avast
« Reply #4 on: April 25, 2016, 11:44:23 PM »
Hi Steven,
Thanks for your reply. I'm going to study your explanations.
I'll give you the results when done.
Thanks again

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34067
  • malware fighter
Re: My sites clean on Google, Qutera... but blacklist in Avast
« Reply #5 on: April 26, 2016, 12:18:24 AM »
Apart from what Steven Winderlich reports, just look at the results of the ASafaWeb scan: https://asafaweb.com/Scan?Url=www.angels-meet.fr
Custom errors: Fail

Requested URL: http://www.angels-meet.fr/?foo=<script> | Response URL: http://www.angels-meet.fr/?foo=<script> | Page title: Runtime Error | HTTP status code: 500 (Internal server error) | Response size: 3,420 bytes | Duration: 85 ms
Overview
Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.

Result
It looks like custom errors are not correctly configured as the requested URL contains the heading "Server Error in".

Custom errors are easy to enable, just configure the web.config to ensure the mode is either "On" or "RemoteOnly" and ensure there is a valid "defaultRedirect" defined for a custom error page as follows:

<customErrors mode="RemoteOnly" defaultRedirect="~/Error" />

Overview
By default, excessive information about the server and frameworks used by an ASP.NET application are returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.

Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

Requested URL: http://www.angels-meet.fr/ | Response URL: http://www.angels-meet.fr/ | Page title: ♥ ANGELS MEET- Site de rencontres pour trouver une femme, un homme, des amis | HTTP status code: 200 (OK) | Response size: 28,656 bytes (gzip'd) | Duration: 3,124 ms
Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

Also consider the analysis at redleg's fileviewer site here: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fangels-meet.fr&ref_sel=GSP2&ua_sel=ff&fs=1
Could it be the code on line 50 is being flagged....

Suspicious ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP code here:  wXw.angels-meet.fr/clientScript/HttpHandlers.js as it exceeds run time...undefined variable p


polonus (volunteer website security analyst and website error-hunter)
« Last Edit: April 26, 2016, 12:24:44 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
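
Added example (not part of the thread and not ASafaWeb's own code): a small Python audit that applies the three checks quoted in the scan report above (platform-disclosing headers, a missing X-Frame-Options header, and the default ASP.NET error page) to a raw HTTP response. The two sample responses are constructed for illustration; the "before" one reuses the header values quoted in the report, and the function names are hypothetical.

```python
# Headers the scan report above lists as disclosing the web platform.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so store them lowercased
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def audit(raw):
    """Return a list of findings for the checks described in the report."""
    status, headers, body = parse_response(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        if name.lower() in headers:
            findings.append(f"disclosure: {name}: {headers[name.lower()]}")
    xfo = headers.get("x-frame-options", "").upper()
    if not (xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM ")):
        findings.append("clickjacking: X-Frame-Options missing or invalid")
    # The report keys on the heading "Server Error in" of the default error page.
    if status >= 500 and "Server Error in" in body:
        findings.append("custom errors: detailed ASP.NET error page returned")
    return findings

# Constructed sample: response to a request that triggers an error, before hardening.
BEFORE = ("HTTP/1.1 500 Internal Server Error\r\n"
          "Server: Microsoft-IIS/7.5\r\n"
          "X-Powered-By: ASP.NET\r\n"
          "X-AspNet-Version: 4.0.30319\r\n"
          "Content-Type: text/html\r\n\r\n"
          "<html><title>Runtime Error</title>"
          "<h1>Server Error in '/' Application.</h1></html>")

# Constructed sample: same request once custom errors redirect to ~/Error,
# the version headers are suppressed and X-Frame-Options is sent.
AFTER = ("HTTP/1.1 302 Found\r\n"
         "Location: /Error?aspxerrorpath=/\r\n"
         "X-Frame-Options: SAMEORIGIN\r\n"
         "Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```
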