Author Topic: Avast blocks my website. What can I do? (Read 6901 times)

REDACTED · « **on:** April 15, 2016, 03:29:16 PM »

As a software developer and web designer I recommends Avast since the beginnings. But now it blocks a website I am writing for a customer with a very nasty message that suggests that this website contains malware.
The website is located on my own Strato Server, everything is made by myself and there is definitely no malware on it. In fact it is a pretty simple website, no downloads, not links to other sites, just ordinary HTML with a little CSS. Also other websites of my own feather are hosted on the same server without any problem.

I have no idea why Avast do this? It is a thread for my small business!

The website in question is http://www.aabu.eu

Please give me advice what is the reason for this block or remove the false positive.

With kind regards

Tania Hagn - Tania@Hagn-It.EU

Eddy · « **Reply #1 on:** April 15, 2016, 03:41:28 PM »

Unless you like to receive a lot of spam, it is not a smart idea to post your email on a public webboard.

avast is currently not blocking the website.

There are blacklisted domains on the ASN :
http://urlquery.net/report.php?id=1460726818317

essexboy · « **Reply #2 on:** April 15, 2016, 03:42:04 PM »

Concur, just went there with no problem

polonus · « **Reply #3 on:** April 15, 2016, 05:23:21 PM »

But Avast Online Security kicks up an alert - web rep report and says the webpage could harm your computer.
Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Apache/2.4.10 (Debian)
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

You have jQuery libraries to be retired, zip file and save for later reference:
-http://www.aabu.eu/
Detected libraries:
jquery-migrate - 1.2.1 : -http://www.aabu.eu/media/jui/js/jquery-migrate.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.3 : (active1) -http://www.aabu.eu/media/jui/js/jquery.min.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

See for instance where this scan may land: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.aabu.eu%2Fmedia%2Fjui%2Fjs%2Fjquery-migrate.min.js

Results from scanning URL: //platform.twitter.com/oct.js
Number of sources found: 80
Number of sinks found: 16

Nameserver is vulnerable to DROWn: http://toolbar.netcraft.com/site_report?url=http://www.aabu.eu
https://test.drownattack.com/?site=ns.stratoserver.net

Missing headers delivering a F-Status: https://securityheaders.io/?q=http%3A%2F%2Fwww.aabu.eu

A-Status: https://sritest.io/#report/3997ac68-9a28-439c-bd87-c25fdb7fb9b5

Document doctype: HTML5 OK

Your Joomla is outdated: Joomla Version
3.5
Version does not appear to be latest 3.4.8 - update now.

Code to be retired on reversed DNS: -http://discovery-design.de
Detected libraries:
jquery-migrate - 1.2.1 : -http://discovery-design.de/media/jui/js/jquery-migrate.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.3 : (active1) -http://discovery-design.de/media/jui/js/jquery.min.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

Consider this: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fdiscovery-design.de%2Fmedia%2Fjui%2Fjs%2Fjquery-migrate.min.js landing at e.g. Results from scanning URL: -http://www.qualistiktraining.com/wp-content/plugins/wp-video-lightbox/js/jquery.prettyPhoto.js?ver=3.1.6
Number of sources found: 13
Number of sinks found: 32

polonus (volunteer website security analyst and website error-hunter)

REDACTED · « **Reply #4 on:** April 18, 2016, 01:44:43 PM »

@Eddy, thank you for your concern. This E-Mail is published on many places already, for it is the official contact address for many web sites.

@essexboy. Hmmm. Well, this is a problem. Isn't it?

Link to screenshot: https://www.discovery-design.de/owncloud/index.php/s/asVI9OUeT4NUl5Y

@polonus
Thank you very much for your kind information. I have turned off the unnecessary header. This was very helpful.
I updated http://www.discovery-design.de to the latest version. This is our main website and reverse dns points to it for many websites. Also very good. Thank you!
We do not have any possibilities on the DNS server, for this is handled by our service provider Strato AG germany.

However the problem persists on any windows machine we could check. There are numerous. See screen copy for the current status with latest Avast update.

If it is true, that Avast did not block it. Who was it then who bring out this blocking window?

With kind regards,

Tania

essexboy · « **Reply #5 on:** April 18, 2016, 04:24:28 PM »

That is an IE (windows) block

DavidR · « **Reply #6 on:** April 18, 2016, 04:42:44 PM »

Quote from: essexboy on April 18, 2016, 04:24:28 PM

That is an IE (windows) block

Strange that I tried to visit the Link to screenshot: given by Tania Hagn, only to have Firefox Block it. 'Firefox has not connected to this website.' The advanced view gives more details.

polonus · « **Reply #7 on:** April 18, 2016, 05:21:18 PM »

@Tania Hagn,

For further reference see: https://securityheaders.io/?q=www.discovery-design.de
(you say that the configuration and settings therer is out of your hands, as it is on the server side).

HTML code analysis via Redleg's File Viewer, see: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.discovery-design.de+&ref_sel=GSP2&ua_sel=ff&fs=1

HTML errors and warnings flagged, see: https://seomon.com/domain/www.discovery-design.de/html_validator/
It is more secure to move code over to central CSS. Using inline JS is a security no-no.

Look what is loading for you here on browser compatibility: http://browsershots.org/http://www.discovery-design.de/

Finally for the external link to www.ejbca.org
For their certificate:
Please contact the Certificate Authority for further verification.
Warnings
BEAST
The BEAST attack is not mitigated on this server.

The security header status for that website is a poor F-Status: https://securityheaders.io/?q=www.ejbca.org
the http version of the site has a R-Status only.

polonus (volunteer websitre security analyst and website error-hunter)

polonus · « **Reply #8 on:** April 18, 2016, 06:09:45 PM »

Well why was it blocked in IE and did firefox kick up a warning. Because of this DANG: https://shaaaaaaaaaaaaa.com/check/www.discovery-design.de This server's certificate is not trusted - Signature algorithm   SHA1withRSA WEAK
You have a TRUST issue and with that considered Qualys gives a poor T overall rating, else you would have reached B-Status.
As of January 1, 2016, no publicly trusted CA is allowed to issue a SHA-1 certificate. So any new certificate you get should automatically use a SHA-2 algorithm for its signature.

Additional Certificates (if supplied)
Certificates provided   1 (1146 bytes)

Chain issues   Incomplete

Handshake Simulation
Android 2.3.7 No SNI 2   Incorrect certificate because this client doesn't support SNI
RSA 2048 (SHA1) | TLS 1.0 | TLS_RSA_WITH_AES_128_CBC_SHA

Handshake Simulation
Android 2.3.7 No SNI 2   Incorrect certificate because this client doesn't support SNI

IE 6 / XP No FS 1     No SNI 2   Server closed connection
IE 7 / Vista   RSA 4096 (SHA1)    TLS 1.0   TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 8 / XP No FS 1     No SNI 2   Incorrect certificate because this client doesn't support SNI
RSA 2048 (SHA1) | TLS 1.0 | TLS_RSA_WITH_3DES_EDE_CBC_SHA

Java 6u45 No SNI 2   Incorrect certificate because this client doesn't support SNI

Android 2.3.7 No SNI 2   Incorrect certificate because this client doesn't support SNI

Java 6u45 No SNI 2   Incorrect certificate because this client doesn't support SNI

Apple ATS 9 / iOS 9 R   Client requires SHA2 certificate signatures

So you have a serious SSL Server Test Security Issue,

polonus

Lotan · « **Reply #9 on:** April 18, 2016, 08:04:53 PM »

you may want to nullifi the -http://www.aabu.eu link as its giving me warnings on my streamfilter log just been linked in the forum 6 instances of the ip 85.214.102.33 giving me a "Service buffer reach the injection" warning. I never once clicked the link to goto the site yet its interacting with my avast.
Also privacy badger is telling me im getting cookies from -www.discovery-design.de which is also on the same IP as aabu.

polonus · « **Reply #10 on:** April 18, 2016, 11:39:01 PM »

Thank you, Lotan, for the heads-up on that one. The website owners certainly have some work to do on the security side of things.
Anyway they are privileged to get all this security information for free here, a sure benefit for website owners when they come to the forums and have their website analyzed for security issues via 'cold' reconnaissance third party scanning. We educate and inform and hopefully they will apply.

polonus

Eddy · « **Reply #11 on:** April 19, 2016, 12:06:01 AM »

Let's see...
"The website is located on my own Strato Server" and "We do not have any possibilities on the DNS server"
Even on the cheap shared hosting that I use, I have options to set the DNS.
Time to get a more decent host I would say.

Quote

It is a thread for my small business!

As I see it you are the real thread.
A web-designer that is using obsolete code as well as vulnerable libraries on their own website is for sure not one I would hire to take care of my website.

If it is your server (I take it, it is a dedicated one), you are responsible for correct install and use of the certificate.

REDACTED · « **Reply #12 on:** April 20, 2016, 10:53:16 AM »

@DavidR: I am not talking about the SSL issue here, as stated before the SSL side is not yet implemented! I am talking about the Avast blocking here in the chrome browser (See my screenshot)!
In other browsers there is no block. Maybe there is a problem with the chrome browser that leads to problems in combination with avast. I would agree that this might be a bot, but then this bot is very widespread because the block occurs on many different computers in different locations and with different ownerships. In my opinion it would be very helpful to track down this issue also, because then this bot would be a very very widespread one and it is not discovered by Avast up to now.

@Eddy: Looks like you have not much more to offer than lamenting on the SSL thing and to insult me. No need of this. As I wrote before SSL is not implemented yet, it is the one selfsigned from the server. Further more I will forward your critics concerning the DNS to Strato AG, that you accuse to be a security risk and a bad provider ;-)

Well, I have stripped down the site a little. Here is the source code of my web site:

<!doctype html>
<html lang="de">
<head>
<meta charset="utf-8">
<title>Test Seite</title>
<meta name="description" content="Test Seite" />
<meta name="author" content="Tania Hagn (Hagn-IT.eu)" />
</head>
<body>
<h1>Testseite</h1>
</body>
</html>

Same behavior, totally blocked by Avast.

Steps to reproduce:

- Use windows
- Start chrome browser
- Surf to http://www.aabu.eu

I am curious!

HonzaZ · « **Reply #13 on:** April 20, 2016, 01:45:15 PM »

Removed from our blacklist

REDACTED · « **Reply #14 on:** April 20, 2016, 02:16:00 PM »

Ah, now it works. I have restored the original website, perfect.

Thank you very much for the fast and good help and please forgive me for beeing impatient. I have deep understanding that false positives may be occur in this field. Everything is fine now for this could be fixed so easily.

I will continue to recommend Avast to our customers. Take care!

Tania Hagn