Author Topic: Avast blocking my newly acquired domain - Need help pls from Avast team member


Offline twiy.com

  • Newbie
  • Posts: 2
Hello, the domain "weedsmoke.org" is being blocked on computers with Avast installed on them. I just acquired this domain a few days ago; is there a chance the prior owner was running something malicious and this resulted in the block? What process do I have to go through to unblock the domain? Thanks in advance for the help.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 82269
  • No support PMs thanks
That is a possibility, but another possibility could be where it is being hosted, e.g. what IP address, as there could be other sites on that domain that are infected or malicious. This could then impact other domains on that same IP address. In order to know that, we would need to know what the avast alert is.

Nothing direct found here https://sitecheck.sucuri.net/results/weedsmoke.org, but there are some Medium Security Risk issues that should be addressed.  Though I'm not sure if these are the cause.

Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.

EDIT: Also see https://www.virustotal.com/gui/url/5cfc6af0f59488b8a296214278be310e70bddcb86dc40c8fa37ee5664e6b2828/detection.
« Last Edit: November 23, 2019, 09:40:22 PM by DavidR »
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.8.2393 (build 19.8.4793.544) UI-1.0.415/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • Posts: 31936
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline twiy.com

  • Newbie
  • Posts: 2
Thank you for the replies. What "Medium Security Risk issues that should be addressed"? Please let me know so I can try to fix them or tell my host. Thanks in advance.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 82269
  • No support PMs thanks
Quote from: twiy.com
Thank you for the replies. What "Medium Security Risk issues that should be addressed"? Please let me know so I can try to fix them or tell my host. Thanks in advance.

Check the link that I gave as they were listed.

TLS Recommendations
Protection
Security Headers
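The three Sucuri items DavidR lists (TLS, protection, security headers) are mostly checkable from a single HTTP response. The script below is an added example written for this page, not Sucuri's check and not code from the thread; the header list and the 180-day HSTS threshold are my assumptions about common scanner guidance, and the WEAK_HEADERS / HARDENED_HEADERS dictionaries are constructed samples rather than captures from the site.

```python
import urllib.request
import urllib.error
from typing import Dict, List

# Headers scanners commonly flag when absent. List and wording are this example's
# assumptions about common guidance, not Sucuri's rule set.
RECOMMENDED: Dict[str, str] = {
    "strict-transport-security": "HSTS: browsers stick to HTTPS after the first secure visit",
    "content-security-policy": "CSP: restricts where scripts may load from, blunting injected JS",
    "x-content-type-options": "nosniff: stops browsers treating uploaded files as scripts",
    "x-frame-options": "clickjacking protection (CSP frame-ancestors is the modern equivalent)",
    "referrer-policy": "limits URL leakage to third-party sites",
}


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive, so compare on lowercase keys.
    return {k.lower(): v for k, v in headers.items()}


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the RECOMMENDED header names absent from a response's headers."""
    h = _normalize(headers)
    csp = h.get("content-security-policy", "").lower()
    missing = []
    for name in RECOMMENDED:
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors supersedes X-Frame-Options
        if name not in h:
            missing.append(name)
    return missing


def hsts_max_age(headers: Dict[str, str]) -> int:
    """max-age in seconds from Strict-Transport-Security, or 0 when absent or malformed."""
    value = _normalize(headers).get("strict-transport-security", "")
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1])
            except ValueError:
                return 0
    return 0


def weak_hsts(headers: Dict[str, str], minimum: int = 15552000) -> bool:
    """True when HSTS is present but max-age is below `minimum` (180 days, an assumed threshold)."""
    age = hsts_max_age(headers)
    return 0 < age < minimum


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Human-readable findings for one response's headers."""
    findings = [f"missing {name}: {RECOMMENDED[name]}" for name in missing_security_headers(headers)]
    if weak_hsts(headers):
        findings.append(f"HSTS max-age too short: {hsts_max_age(headers)} seconds")
    return findings


def fetch_headers(url: str, timeout: int = 15) -> Dict[str, str]:
    """HEAD request returning the response headers (needs network; not used by the samples)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers worth auditing
        return dict(err.headers.items())


# Constructed samples: a default-looking server and a hardened one (not captured from any site).
WEAK_HEADERS = {"Server": "Apache", "Content-Type": "text/html; charset=UTF-8"}
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

Run it against a live site with `audit_headers(fetch_headers("https://example.org/"))`; the TLS item from Sucuri's list is not covered here because it needs a handshake-level check (protocol versions and cipher suites), not a header read.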

Offline jefferson sant

  • Starting Graphoman
  • Posts: 6434
  • volunteer
Quote from: twiy.com
Hello, the domain "weedsmoke.org" is being blocked on computers with Avast installed on them. I just acquired this domain a few days ago; is there a chance the prior owner was running something malicious and this resulted in the block? What process do I have to go through to unblock the domain? Thanks in advance for the help.

Detection was removed 25.11.2019 at 10:43 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • Posts: 31936
  • malware fighter
What is still there for the weedsmoke dot org website is:
Google/Browser Difference
scrub malware

Not identical

Google: 358286 bytes       Firefox: 358853 bytes
Diff:         567 bytes

First difference:
enu tdi_1_5d6 td-no-subcats td_with_ajax_pagination td-pb-border-top td_block_template_1" data-td-block-uid="tdi_1_5d6" ><script>var block_tdi_1_5d6 = new tdblock(); block_td...

See check for cloaking: http://isithacked.com/check/weedsmoke.org
Quote

There is a difference of 1139 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page.

Status codes

These should normally all be the same.

    GoogleBot returned code 403
    Google Chrome returned code 301 to -https://weedsmoke.org/

Just to let you know,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
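The Googlebot-versus-browser comparison polonus quotes from isithacked can be reproduced locally. The script below is an added example written for this page, not code from the thread or from isithacked; it assumes nothing about the site beyond its URL, and SAMPLE_BOT / SAMPLE_BROWSER are constructed responses shaped like the quoted result (403 to the bot, 301 to the browser), not captures. Redirects are deliberately not followed so that a 301 is reported as a status code, the way the quoted output shows it.

```python
import urllib.request
import urllib.error
from typing import Dict, List, Optional

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the redirect itself is visible as a status code."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx, which fetch_as catches


def fetch_as(url: str, user_agent: str, timeout: int = 15) -> Dict:
    """Fetch url once with the given User-Agent (needs network). Returns status, Location, body."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return {"status": resp.status, "location": resp.headers.get("Location"), "body": resp.read()}
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here because redirects are not followed
        return {"status": err.code, "location": err.headers.get("Location"), "body": err.read()}


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Byte offset where the two bodies first diverge, or None when identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_responses(bot: Dict, browser: Dict) -> List[str]:
    """Cloaking indicators: differing status, redirect target, size or content between two fetches."""
    findings = []
    if bot["status"] != browser["status"]:
        findings.append(f"status differs: bot {bot['status']} vs browser {browser['status']}")
    if bot["location"] != browser["location"]:
        findings.append(f"redirect target differs: bot {bot['location']} vs browser {browser['location']}")
    delta = len(browser["body"]) - len(bot["body"])
    if delta:
        findings.append(f"body size differs by {abs(delta)} bytes "
                        f"(browser {len(browser['body'])}, bot {len(bot['body'])})")
    pos = first_difference(bot["body"], browser["body"])
    if pos is not None:
        context = browser["body"][pos:pos + 60]  # short excerpt, like the "First difference" line above
        findings.append(f"first difference at byte {pos}: {context!r}")
    return findings


def check_cloaking(url: str) -> List[str]:
    """Fetch once as Googlebot and once as a browser, then compare (needs network)."""
    return compare_responses(fetch_as(url, GOOGLEBOT_UA), fetch_as(url, BROWSER_UA))


# Constructed samples mirroring the shape of the quoted isithacked result; not real captures.
SAMPLE_BOT = {"status": 403, "location": None, "body": b"<html><body>Forbidden</body></html>"}
SAMPLE_BROWSER = {"status": 301, "location": "https://example.org/", "body": b"<html><body>Moved</body></html>"}

if __name__ == "__main__":
    for line in compare_responses(SAMPLE_BOT, SAMPLE_BROWSER):
        print(line)
```

A difference in size alone is weak evidence (ad slots and nonces vary per request), so fetch each variant twice and treat only differences that survive both fetches as a cloaking signal; a different status code for the bot, as in the quoted 403 versus 301, is the stronger indicator.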

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • Posts: 31936
  • malware fighter
For the cloaking found, read: https://wordpress.org/support/topic/ad-space-problem-with-tagdiv-cloud-library-plugin/

The website is on WordPress CMS and, with the settings as they are now set, you run the risk of being compromised;
it could well be you already are. The website is too chatty, do not let it speak that loud!

Plug-in to update a.s.a.p.: wordpress-seo 12.5.1 (latest release 12.6)
https://yoa.st/1uj

Wrong settings, should be disabled: User Enumeration
  The first two user ID's were tested to determine if user enumeration is possible.

ID   User        Login
1    Mary Jane   dolir
2    None        None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Wrong Settings - should be disabled:
Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation, either through the web server configuration or .htaccess.

Google Safe Browse checks have been performed on each of the linked sites, these seem OK.

polonus
« Last Edit: November 26, 2019, 05:02:23 PM by polonus »
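Both findings in the post above, author ID enumeration and directory indexing on /wp-content/uploads/, come down to a few response checks. The script below is an added example written for this page, not polonus's scanner and not WordPress code; the request paths, the SAMPLE responses and the function names are constructed for illustration. The only WordPress behaviour it relies on is that /?author=N answers with a 301 to /author/<nicename>/ when that user ID exists, and that /wp-json/wp/v2/users lists users who have published content.

```python
import json
import re
from typing import Dict, List, Optional

# /?author=N redirects to /author/<user_nicename>/; the nicename is usually the login name.
AUTHOR_REDIRECT = re.compile(r"/author/([^/?#]+)/?")

# Apache and nginx auto-generated listings both title the page "Index of <path>";
# the ?C=N;O=A sort links are Apache's.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s", re.IGNORECASE),
    re.compile(r'href="\?C=[NMSD];O=[AD]"', re.IGNORECASE),
)


def author_from_redirect(location: Optional[str]) -> Optional[str]:
    """Extract the user nicename from the Location header of a /?author=N redirect."""
    if not location:
        return None
    match = AUTHOR_REDIRECT.search(location)
    return match.group(1) if match else None


def users_from_rest(body: str) -> List[Dict]:
    """Parse /wp-json/wp/v2/users; returns id/name/slug per listed user, [] on anything else."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):
        return []
    return [{"id": u.get("id"), "name": u.get("name"), "slug": u.get("slug")}
            for u in data if isinstance(u, dict)]


def is_directory_listing(status: int, body: str) -> bool:
    """True when a 200 response looks like a web server's auto-generated index page."""
    return status == 200 and any(p.search(body) for p in LISTING_MARKERS)


def audit_wordpress(responses: Dict[str, Dict]) -> List[str]:
    """Findings from a map of request path -> {status, location, body} (collected by any HTTP client)."""
    findings = []
    for user_id in (1, 2):  # the first two IDs, as in the scan output above
        r = responses.get(f"/?author={user_id}")
        if r and r["status"] in (301, 302):
            slug = author_from_redirect(r["location"])
            if slug:
                findings.append(f"user enumeration: author id {user_id} -> '{slug}'")
    r = responses.get("/wp-json/wp/v2/users")
    if r and r["status"] == 200:
        for u in users_from_rest(r["body"]):
            findings.append(f"REST API exposes user id {u['id']} '{u['name']}' slug '{u['slug']}'")
    for path in ("/wp-content/uploads/", "/wp-content/plugins/"):
        r = responses.get(path)
        if r and is_directory_listing(r["status"], r["body"]):
            findings.append(f"directory indexing enabled on {path}")
    return findings


# Constructed sample responses mirroring the thread's findings (uploads listing on, plugins off).
SAMPLE = {
    "/?author=1": {"status": 301, "location": "https://example.org/author/dolir/", "body": ""},
    "/?author=2": {"status": 404, "location": None, "body": ""},
    "/wp-json/wp/v2/users": {"status": 200, "location": None,
                             "body": json.dumps([{"id": 1, "name": "Mary Jane", "slug": "dolir"}])},
    "/wp-content/uploads/": {"status": 200, "location": None,
                             "body": "<html><head><title>Index of /wp-content/uploads</title></head></html>"},
    "/wp-content/plugins/": {"status": 200, "location": None, "body": "<html><body></body></html>"},
}

if __name__ == "__main__":
    for line in audit_wordpress(SAMPLE):
        print(line)
```

To collect real input, request each key of SAMPLE against the site with redirects disabled and store status, Location and body. On the remediation side, `Options -Indexes` in the Apache configuration or .htaccess turns off directory listing for the whole tree rather than one folder, which is what the scan output recommends; the author redirect and the REST users endpoint are normally blocked at the web server or by a security plugin.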