Author Topic: Site Blocked - URL:Phishing  (Read 118637 times)

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6829
  • volunteer
Re: Site Blocked - URL:Phishing
« Reply #225 on: April 26, 2019, 04:57:29 AM »
Hi all,

My Avast always shows this (image) popup even though I never access this website. How do I turn it off?

https://imgur.com/fFvgIbN  - Capture

(I can't find the upload image function on this post)

Detection was disabled yesterday.

Quote from: Avast
Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6829
  • volunteer
Re: Site Blocked - URL:Phishing
« Reply #226 on: April 26, 2019, 05:02:18 AM »
Hello, my Site is marked as url:phishing.
I scanned it at
Complete zip site
https://www.virustotal.com/en/file/baae97423b1024cdb0a41613f7cbbbd95b05efca2e565dd3fa86ab9445043b39/analysis/1555961542/
Url site
https://www.virustotal.com/en/url/87076758495fddc36ba5e872739182f02d78e995d2cd31f8532fb7e0eff00071/analysis/

And it shows all clean.
If there aren't any problems, can my site be removed from the blacklist? Thanks.

Detection was removed yesterday 25.04.2019 at 12:00.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files.

Offline Alpian Noor

  • Newbie
  • *
  • Posts: 1
Re: Site Blocked - URL:Phishing
« Reply #227 on: April 29, 2019, 05:36:38 AM »
Hi, I am asking because our website has been blocked by Avast URL phishing
website : www.pn-batulicin.go.id

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5416
  • Spartan Warrior
Windows 10 Home 64-bit 1909 Avast Premier Security version 20.1.2397 (build 20.1.5069.559) UI version 1.0.460.

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6829
  • volunteer
Re: Site Blocked - URL:Phishing
« Reply #229 on: May 01, 2019, 01:47:32 AM »
Hi, I am asking because our website has been blocked by Avast URL phishing
website : www[.]pn-batulicin[.]go.id

Detection was removed on 30.04.2019.

Phishing where

https://www.virustotal.com/gui/url/aa989250c8a546a87fe3557d445bfb94fc7e7087bb58da35e67582e4c27ae89e/detection

http://www.siteadvisor.com/sitereport.html?url=http://pn-batulicin.go.id/cache

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files.
« Last Edit: May 01, 2019, 01:49:21 AM by jefferson sant »

Offline devilmanozzy

  • Newbie
  • *
  • Posts: 10
Re: Site Blocked - URL:Phishing
« Reply #230 on: May 05, 2019, 06:03:28 AM »
Fandom Community Central has been being labelled a Phishing site the last few days. I'm not a tech. 

https://sitecheck.sucuri.net/results/www.community.fandom.com

Why is it a threat now? Did I miss something here?


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32773
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #231 on: May 05, 2019, 03:22:58 PM »
Also a former AVG threat detection:
https://www.virustotal.com/pl/url/a7414127e577b0c89ed130c3f7e79af0800110d40ea7fc149b22b818357ef4fd/analysis/

What about a link to -https://slot1-images.wikia.nocookie.net/__load/-/cb%3D1556562431137%26debug%3Dfalse%26lang%3Den%26only%3Dscripts%26skin%3Doasis/amd|wikia.tracker.stub,stub|wikia.abTest,cache,cookies,document,geo,instantGlobals,location,log,querystring,window

polonus
« Last Edit: May 06, 2019, 01:32:54 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6829
  • volunteer
Re: Site Blocked - URL:Phishing
« Reply #232 on: May 09, 2019, 10:18:27 PM »
Fandom Community Central has been being labelled a Phishing site the last few days. I'm not a tech. 

https://sitecheck.sucuri.net/results/www.community.fandom.com

Why is it a threat now? Did I miss something here?

Check URL, and the detection was fixed the same date, on 05.05.2019.

Quote from: Avast
Our virus specialists have been working on this problem and it has been resolved. The provided website isn't detected by Avast anymore.

Offline Rafael390

  • Newbie
  • *
  • Posts: 2
Re: Site Blocked - URL:Phishing
« Reply #233 on: May 11, 2019, 01:11:33 AM »
Hi there,
Could you please check why my web site is marked as url:phishing?
The address is https://www.accountsplusservices.co.nz/
The web-site is built and hosted on the Wix.com platform and doesn't contain any third party scripts.


Thanks in advance.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32773
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #234 on: May 11, 2019, 11:53:37 AM »
Once there could have been an intrusion attempt from 130.211.46.196 as a MultiHost/MultiPort Probe, Scan, Hack -

Threats for that address - mails can be fraudulently sent - SPF not enabled - DMARC not enabled;
DNS is susceptible to M-i-M attacks.
No abuse reports for Wix.com, Ashburn  ;)
Could be avast flags this script on your site: results from scanning URL: -https://static.parastorage.com/unpkg/requirejs-bolt@2.3.6/requirejs.min.js
Number of sources found: 7 ; number of sinks found: 2  and the connection DOM-XSS scan link to : //cdn-rtb.sape.ru/teasers/ there.

Hosting: https://toolbar.netcraft.com/site_report?url=https://static.parastorage.com
But wait for a final verdict from an avast team member after this weekend, as they are the only ones to come and unblock.
We are just volunteers with relevant knowledge.

Some improvement recommendations you could implement anyways, just 3, very, very good results for the included scripts:
https://webhint.io/scanner/0afa232f-0551-4104-8b68-a575e8dcd3f2   ;)

Given clean here, no alerts: https://urlquery.net/report/cbea3ecc-9526-4fca-a759-2df231ae7749

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
« Last Edit: May 11, 2019, 12:08:59 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32773
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #235 on: May 11, 2019, 12:31:55 PM »
About the scanning via 130.211.46.196 -196.46.211.130.bc.googleusercontent.com   a.k.a. https://www.shodan.io/search?query=parastorage.com (GoDaddy),
Quote
Full Name:
                  URI:-http://crl.godaddy.com/gdig2s1-848.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: -http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1

            Authority Information Access:
                OCSP - URI:-http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Authority Key Identifier:
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

            X509v3 Subject Alternative Name:
                DNS:*-.parastorage.com, DNS:-parastorage.com
            X509v3 Subject Key Identifier:
                7D:9F:A9:69:69:B4:B0:F6:9C:F4:F2:2B:AF:0B:26:3E:39:ED:4C:9F

pol

Offline Dastel

  • Newbie
  • *
  • Posts: 1
Re: Site Blocked - URL:Phishing
« Reply #236 on: May 11, 2019, 09:03:22 PM »
Hello, I have the same problem with my website:
https://www.envases-riviere.com.ar
Can you unlock the URL?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 67440
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Win 8.1 [x64] - Avast PremSec 20.9.2435.Beta#3 [UI.575] - CC 5.73 - EEK - FF ESR 78.4 [NS/AOS/uBO/PB] - TB 78.4 - SB/CP/SL/DU.B
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32773
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #238 on: May 11, 2019, 11:55:08 PM »
Site has been blacklisted by certain parties. You are with 134 other domains on that same IP address.
165 Website improvement tips: https://webhint.io/scanner/530fbc69-1d2c-46d5-8e95-03c7f9c1f338
Service temporarily unavailable: https://www.shodan.io/host/181.88.192.108
Re: https://toolbar.netcraft.com/site_report?url=http://host108.181-88-192.telecom.net.ar/
DOM-XSS issues: Results from scanning URL: -https://www.envases-riviere.com.ar/js/jquery-ui.min.js
Number of sources found: 286 ; number of sinks found: 14
Consider JQuery vuln. listed here: https://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003
and
Results from scanning URL: -https://www.envases-riviere.com.ar/js/bootstrap.js
Number of sources found: 33 ; number of sinks found: 10

jQuery library retirables: Retire.js
jquery-ui-dialog   1.10.4   Found in -https://www.envases-riviere.com.ar/js/jquery-ui.min.js
Vulnerability info:
High   CVE-2016-7103 281 XSS Vulnerability on closeText option   
jquery   2.2.0.min   Found in -https://www.envases-riviere.com.ar/js/jquery-2.2.0.min.js
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   

Found with JavaScript error notifier:
Quote
SyntaxError: Invalid or unexpected token
 /js/jquery-2.2.0.min.js:3

Bootstrap's JavaScript requires jQuery
 /js/bootstrap.js:1

ReferenceError: jQuery is not defined
 /js/main.js:1

SyntaxError: Invalid or unexpected token
 /js/jquery-ui.min.js:6

ReferenceError: $ is not defined
 /:275

issues like security headers not set: content-security-policy upgrade-insecure-requests

x-content-type-options Header not returned

x-xss-protection Header not returned

x-frame-options Header not returned

Issue:
Quote
Loaded script with known vulnerabilities: -https://www.envases-riviere.com.ar/js/jquery-ui.min.js
 - jquery-ui-dialog 1.10.4 - Info: -https://github.com/jquery/api.jqueryui.com/issues/281 https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
 - jquery-ui-autocomplete 1.10.4 - Info:
 - jquery-ui-tooltip 1.10.4 - Info:

Ask for an avast team member to give a final verdict, we here are just volunteers with relevant knowledge,
but only avast team members can come and unblock.

Here Dr.Web gives the site the all green:

confirmed here: https://www.virustotal.com/en/url/955885af59c7308e4cd1aca4caa7ec453be1e0c1fe9bd488c0c30f79d93c8efc/analysis/

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
« Last Edit: May 12, 2019, 12:25:13 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
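
Added example (not part of the thread and not Retire.js's own code): a sketch of the kind of check behind the "retirable library" findings in reply #238, fingerprinting a script by its banner comment and comparing the version against the fixed release for each CVE the post lists. The function names, the `jquery-ui` grouping (the post reports the component as `jquery-ui-dialog`) and the sample banners are assumptions made for illustration.

```javascript
// Advisory ids are the three CVEs listed in the post above; each fixedIn is
// the first release outside the affected range published for that CVE.
const ADVISORIES = {
  "jquery": [{ id: "CVE-2015-9251", fixedIn: "3.0.0" }, { id: "CVE-2019-11358", fixedIn: "3.4.0" }],
  "jquery-ui": [{ id: "CVE-2016-7103", fixedIn: "1.12.0" }],
};

// Fingerprint by content: a name such as jquery-ui.min.js carries no version.
const BANNERS = [
  { lib: "jquery-ui", re: /\/\*!\s*jQuery UI\s*-\s*v(\d+\.\d+\.\d+)/ },
  { lib: "jquery", re: /\/\*!\s*jQuery\s+v(\d+\.\d+\.\d+)/ },
];

// Numeric comparison of dotted versions (so 1.9.0 < 1.12.0); returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Identify library and version from the first bytes of a script, or null.
function fingerprint(source) {
  const head = source.slice(0, 512);
  for (const { lib, re } of BANNERS) {
    const m = re.exec(head);
    if (m) return { lib, version: m[1] };
  }
  return null;
}

// Return the advisory ids whose fixed release is newer than the detected version.
function audit(source) {
  const fp = fingerprint(source);
  if (!fp) return { lib: null, version: null, findings: [] };
  const findings = (ADVISORIES[fp.lib] || [])
    .filter((a) => compareVersions(fp.version, a.fixedIn) < 0).map((a) => a.id);
  return { ...fp, findings };
}

// Constructed sample banners, not fetched from the site discussed in the thread.
const SAMPLES = {
  "/js/jquery-2.2.0.min.js": "/*! jQuery v2.2.0 | (c) jQuery Foundation | jquery.org/license */\n!function(){}();",
  "/js/jquery-ui.min.js": "/*! jQuery UI - v1.10.4 - 2014-01-17\n* http://jqueryui.com */\n(function(){})();",
};
for (const [path, src] of Object.entries(SAMPLES)) console.log(path, audit(src));
```

A clean antivirus verdict and a retirable-library finding answer different questions: the first says the file is not known malware, the second says the file is an outdated release with published vulnerabilities.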

Offline Rafael390

  • Newbie
  • *
  • Posts: 2
Re: Site Blocked - URL:Phishing
« Reply #239 on: May 12, 2019, 04:40:23 AM »
Some improvement recommendations you could implement anyways, just 3, very, very good results for the included scripts:
https://webhint.io/scanner/0afa232f-0551-4104-8b68-a575e8dcd3f2   ;)

Re: https://www.accountsplusservices.co.nz/ blacklist

This web-site was built by my friend for her little company; she knows nothing about software development and cyber security, the same as an obvious Wix.com user.
She asked me to check why it doesn't work just 2 days ago.
I found that there was some incorrectness in the name zone records on Wix.com and, at the same time, in the service where she bought the domain name.
Finally I fixed that and her email started working.
Thanks for the recommendations, but as I said the web-site is built totally on the Wix.com platform and we don't have to understand how their scripts work on that site and on thousands of other sites where those features are enabled.
Moreover, I don't think we are able to fix them.
I can just re-address your recommendations to the Wix.com developers and ask for money back for the time while the site was blocked.
Surprisingly the web-site is blacklisted only in Avast.
So I would prefer to hear the verdict from the Avast team as the first instance and then contact Wix.com if it won't help.
« Last Edit: May 12, 2019, 04:47:16 AM by Rafael390 »