Author Topic: Avast! is blocking my site  (Read 3099 times)

REDACTED

  • Guest
Avast! is blocking my site
« on: August 02, 2015, 04:53:56 PM »
Hello,

I have a website hosted on Microsoft Azure Web Apps located at: hxxp://www.andrei15193.ro. Avast! keeps saying that the site may have infected my PC every time I have WebShield on when I access my site by that address. If I access the site by the address provided by Azure: hxxp://andrei15193.azurewebsites.net/ Avast! has no problem with it. I'm clueless as to why it decides to do so; both addresses point to the exact same location. Why is accessing through azurewebsites.net OK and accessing through the custom domain not OK while they both provide the exact same content? Anyway, what can I do to solve the issue?
« Last Edit: August 04, 2015, 01:39:55 PM by Milos »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: Avast! is blocking my site
« Reply #1 on: August 02, 2015, 05:03:07 PM »
Please break the link to the suspect site to prevent accidental exposure, e.g. wXw.andrei15193.ro.

If you can attach a screenshot of the avast alert that will help someone when investigating.

It may well have the same content, but your alert could be based on your HOST; if it has multiple sites hosted on the same IP, other domains could well be infected/hacked, resulting in the blocking of the IP address. Though it is strange if both point to the same site.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avast! is blocking my site
« Reply #2 on: August 02, 2015, 05:36:31 PM »
First things first, there are NS & SOA issues: http://www.dnsinspect.com/andrei15193.ro/1438528150
See: http://toolbar.netcraft.com/site_report/?url=+http%3A%2F%2Fwww.andrei15193.ro
Website Risk Status 1 red out of 10: http://toolbar.netcraft.com/site_report/?url=+http%3A%2F%2Fwww.andrei15193.ro
Various warnings on this scan: https://asafaweb.com/Scan?Url=www.andrei15193.ro
Result: The address you entered is unnecessarily exposing the following response headers
which divulge its choice of web platform:

Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 5.2

Web App issues here: http://waws-prod-db3-003.cloudapp.net/

Finally Quttera detects 6 malicious files: http://quttera.com/detailed_report/www.andrei15193.ro
Detected reference to blacklisted domain
Details:   Detected reference to malicious blacklisted domain -bitbucket.org

Also vulnerable JQuery: Exploit Title: ownCloud 6.0.0a File Deletion XSS and CSRF ... src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js">
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.andrei15193.ro
This is especially flagged by Avast Online Security: wXw.markdownparser.development.andrei15193.ro/
-> http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.markdownparser.development.andrei15193.ro%2F

Re: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fandrei15193.ro%2FScripts%2Fmodernizr-2.6.2.js

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

polonus
Re: Avast! is blocking my site
« Reply #3 on: August 02, 2015, 05:57:27 PM »
Moreover this is being flagged on VT: https://www.virustotal.com/nl/url/718e5761cc8cb2ded36752fbe234c69031b7a59eaaa2a4419589d141163317b6/analysis/1438529895/
Poodle issue and certification problems: http://toolbar.netcraft.com/site_report/?url=https%3A%2F%2Fbitbucket.org%2FAndrei15193%2Fmarkdownparser
Website Risk Status - 1 red out of 10: http://toolbar.netcraft.com/site_report/?url=https%3A%2F%2Fd3oaxc4q5k2d6q.cloudfront.net%2Fm%2Fffe29cc6f115%2Fcompressed%2Fjs%2Fd9ec1b680445.js
Autoshun flags: https://www.virustotal.com/nl/url/a7e7b744cf248984866a075d68fe9a7cdff8e34d22c313733682707a1af44492/analysis/1438530269/  (2 days ago, but could be harmless)
Also consider: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fd3oaxc4q5k2d6q.cloudfront.net%2Fm%2Fffe29cc6f115%2Fcompressed%2Fjs%2Fd9ec1b680445.js
& https://urlquery.net/report.php?id=1438530794619
Did you check the ocsp-response  there to be secure?
Added code 2 code that downloaded automatically from sd.symcd.com at 23.46.123.27 NL. Availo Networks AB.
This in-code link was blocked for me; Matrix has prevented the following page from loading:
http://www.google-analytics.com/plugins/ga/inpage_linkid.js  found inside: htxps://d3oaxc4q5k2d6q.cloudfront.net/m/ffe29cc6f115/compressed/js/d9ec1b680445.js

polonus
« Last Edit: August 02, 2015, 06:26:17 PM by polonus »

REDACTED

  • Guest
Re: Avast! is blocking my site
« Reply #4 on: August 02, 2015, 08:12:48 PM »
How come an Atlassian web site is malware? I have no idea.

I have attached a screenshot with my error.

polonus
Re: Avast! is blocking my site
« Reply #5 on: August 02, 2015, 11:09:00 PM »
Hi Andrei15193,

This is a warning from Avast Online Security. It says "This website could have harmed your computer".
What this alert is based on could best be explained by an Avast team member; I am not,
I am just a volunteer with relevant knowledge. You could mail virus@avast.com and put a link to this thread here.

However you could pay attention to my recommendations given above.
I assume this is a false positive detection for some portion of obfuscation and/or pseudo-code,
I cannot really think of anything else. The hosting party for the website alas has still some work to do.

polonus
« Last Edit: August 02, 2015, 11:59:11 PM by polonus »

REDACTED

  • Guest
Re: Avast! is blocking my site
« Reply #6 on: August 03, 2015, 07:07:07 PM »
Hi,

I have gone through your recommendations. The one that yields most suspicion is the one saying it found malware; however, when I look at the concrete results, it thinks that bitbucket.org is malware. I don't know since when Atlassian makes malware, so that is most likely a false positive.

The domains are set up accordingly as Microsoft Azure requires. They are even mapped in the management portal; if they were not set up accordingly, the portal wouldn't let the custom domain be set.

The warnings regarding excessive headers are partially solvable. The website is hosted as a Web App inside Microsoft Azure; I do not have direct access to the IIS that hosts the site, making the server header impossible to remove. The web site has been changed to remove all other excessive headers.

I don't think the warnings regarding 3rd party libraries could lead to a WebShield block. If they were indeed problematic WebShield would have blocked the site from any address not just the custom domain. This also makes me think there's still something to be done on the DNS side as that is the only thing that differs from the Microsoft Azure provided domain (DNS lookup + domain name, does Avast! block based on domain name if it matches some pattern? I hardly believe it does but who knows.). I'll see what can be done on the DNS server as it is hosted inside an Azure Virtual Machine so theoretically it can be configured in any possible way.

Thanks for the help so far!
« Last Edit: August 04, 2015, 07:15:53 AM by Andrei15193 »
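
Added example, not part of the thread or of any poster's code: a small Python audit of the response headers quoted in reply #2, reporting which ones disclose the platform or its version and the standard ASP.NET/IIS setting that suppresses each. `AFTER_FIX` is a constructed sample of the state reply #6 describes; the function and variable names are this example's own.

```python
import re
# Standard ASP.NET / IIS settings that suppress each disclosing header.
REMEDIATION = {
    "server": 'IIS 10 and later: <requestFiltering removeServerHeader="true" />',
    "x-powered-by": '<customHeaders><remove name="X-Powered-By" /></customHeaders>',
    "x-aspnet-version": '<httpRuntime enableVersionHeader="false" />',
    "x-aspnetmvc-version": "MvcHandler.DisableMvcResponseHeader = true;  // Application_Start",
}
VERSION = re.compile(r"\d+(?:\.\d+)+")  # dotted version number, e.g. 8.0 or 4.0.30319

def parse_headers(raw):
    """Parse the header section of a raw HTTP response into {lower-cased name: [values]}."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line: headers end, body starts
        name, sep, value = line.partition(":")
        if not sep or " " in name.strip():
            continue  # status line ("HTTP/1.1 200 OK") or malformed line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return (header, value, kind, fix) per disclosing header; kind is 'version' or 'product'."""
    findings = []
    headers = parse_headers(raw)
    for name, fix in REMEDIATION.items():
        for value in headers.get(name, []):
            kind = "version" if VERSION.search(value) else "product"
            findings.append((name, value, kind, fix))
    return findings

# Headers exactly as quoted in the scan result in this thread.
REPORTED = """Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 5.2"""

# Constructed sample: only Server is left; the body line must not count as a header.
AFTER_FIX = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET"""

if __name__ == "__main__":
    for raw in (REPORTED, AFTER_FIX):
        print(audit(raw))
```
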

polonus
Re: Avast! is blocking my site
« Reply #7 on: August 03, 2015, 10:42:19 PM »
Hi Andrei15193,

Thank you for taking security that seriously; I wish all website admins would.
I also hope your contacts with Avast will resolve that remaining Avast issue for that website.
Welcome aboard our forums, as we specially welcome responsible developers and coders,

best greetings,

polonus (volunteer website security analyst and website error-hunter)

REDACTED

  • Guest
Re: Avast! is blocking my site
« Reply #8 on: August 04, 2015, 05:57:35 PM »
Hi,

I just checked. Avast! is no longer blocking my site :D

There was a misconfiguration in the DNS system that is now fixed (don't know if that did it as I also e-mailed Avast! about this topic).

Thanks for the help!