Author Topic: Site Blocked - URL:Phishing  (Read 115170 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32691
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #525 on: April 21, 2020, 04:57:43 PM »
Hi Eric624,

It is not only avast that flags this site:
https://www.virustotal.com/gui/domain/activate-payments.com/detection
Even more detections here: https://www.virustotal.com/gui/domain/activate-payments.com/relations

Outdated WordPress version detected.
Outdated plug-ins: the following plugins were detected by reading the HTML source of the WordPress site's front page.

contact-form-7 5.1.7 (latest release 5.1.7) https://contactform7.com/
wordpress-seo 13.2 (latest release 13.5) https://yoa.st/1uj
js_composer
Plugins are a source of many security vulnerabilities within WordPress installations; always keep them updated to the latest version available and check the developer's plugin page for information about security-related updates and fixes.

There are likely more plugins installed than those listed here, as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths using a dedicated tool.

CMS Misconfigurations: User Enumeration
  The first two user IDs were tested to determine if user enumeration is possible.

ID   User   Login
1   admin   admin
2   activate-payments   activate-payments
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation, either through the web server configuration or .htaccess.

Improvement hints found by linting: https://webhint.io/scanner/7eea67df-6521-4b2a-928c-09cd02e50d2c
Added: while the SNYK scan did not materialize in security, here are the results of this added scan: https://retire.insecurity.today/#!/scan/ec72a1190b192398655426afbbb11c2e5538fe782ff355a98b6aca16059fccd5
Moreover, this link is blocked for me by an adblocker: hxtps://static.doubleclick.net/instream/ad_status.js

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: April 22, 2020, 12:19:04 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
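As an added illustration of the passive checks in the report above (this is not code from the scan service or from anyone in this thread), the Python script below pulls plugin slugs and versions out of the asset URLs in a constructed front-page HTML fragment, compares them with the latest releases quoted above, and recognises a directory-listing response for /wp-content/uploads/. The host name example.invalid, the HTML and the two HTTP responses are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed front-page HTML; example.invalid is a reserved placeholder host.
# Plugin slugs and versions leak through the ?ver= query on asset URLs, which
# is all a passive scan like the one above has to work with.
FRONT_PAGE = """
<link rel='stylesheet' href='https://example.invalid/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1.7'>
<link rel='stylesheet' href='https://example.invalid/wp-content/plugins/wordpress-seo/css/dist/adminbar.css?ver=13.2'>
<script src='https://example.invalid/wp-content/plugins/js_composer/assets/js/dist/js_composer_front.min.js'></script>
<script src='https://example.invalid/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp'></script>
"""

# Latest releases as reported in the scan above; a real check would query the
# WordPress.org plugin API instead of hard-coding them.
LATEST = {"contact-form-7": "5.1.7", "wordpress-seo": "13.5"}

ASSET_URL = re.compile(r"""(?:src|href)=["']([^"']+)["']""")
PLUGIN_PATH = re.compile(r"/wp-content/plugins/([A-Za-z0-9_.-]+)/")


def version_key(version):
    """Numeric comparison key: '13.2' < '13.5', '5.1.7' == '5.1.7'."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def detect_plugins(html):
    """Passive detection: plugin slug -> version, or None when no ?ver= is exposed."""
    found = {}
    for url in ASSET_URL.findall(html):
        parsed = urlparse(url)
        match = PLUGIN_PATH.search(parsed.path)
        if match:
            slug = match.group(1)
            version = parse_qs(parsed.query).get("ver", [None])[0]
            found[slug] = found.get(slug) or version  # keep any version seen
    return found


def outdated_plugins(found, latest=LATEST):
    """Slugs whose exposed version is behind the known latest release."""
    return {slug: (ver, latest[slug]) for slug, ver in found.items()
            if ver and slug in latest and version_key(ver) < version_key(latest[slug])}


# Constructed responses for GET /wp-content/uploads/ and /wp-content/plugins/.
UPLOADS_RESPONSE = (200, "<html><head><title>Index of /wp-content/uploads</title></head><body>...")
PLUGINS_RESPONSE = (403, "<html><head><title>403 Forbidden</title></head><body>...")


def directory_indexing_enabled(status, body):
    """Apache and nginx autoindex listings announce themselves in the <title>."""
    return status == 200 and re.search(r"<title>\s*Index of /", body, re.I) is not None


if __name__ == "__main__":
    plugins = detect_plugins(FRONT_PAGE)
    print("detected:", plugins)
    print("outdated:", outdated_plugins(plugins))
    for path, (status, body) in {"/wp-content/uploads/": UPLOADS_RESPONSE,
                                 "/wp-content/plugins/": PLUGINS_RESPONSE}.items():
        print(path, "enabled" if directory_indexing_enabled(status, body) else "disabled")
```

On Apache, `Options -Indexes` in the site's .htaccess (or server config) turns the uploads listing off; on nginx the equivalent is `autoindex off;`.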

Offline Guillaume77

  • Newbie
  • *
  • Posts: 4
Re: Site Blocked - URL:Phishing
« Reply #526 on: April 22, 2020, 09:12:45 AM »
Hi,

I have trouble with my website too (rootstravler.com). I can still check it on my phone, but no way to check it from the computer. Has my website really been hacked or is it an error from Avast?

If you could unlock it, I would really appreciate it.

Best regards,
Guillaume

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66860
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Win 8.1 [x64] - Avast PremSec 20.8.2428.B#3 [UI.562] - CC 5.72 - EEK - FF ESR 78.3 [NS/AOS/uBO/PB] - TB 68.12 - SB/CP/SL/DU.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Guillaume77

  • Newbie
  • *
  • Posts: 4
Re: Site Blocked - URL:Phishing
« Reply #528 on: April 22, 2020, 10:25:27 AM »
Hey,

Thanks, it seems like the website is back up now.

Wish you the best,
Guillaume

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32691
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #529 on: April 22, 2020, 03:06:43 PM »
Hints for website improvement: https://webhint.io/scanner/f834c9bd-0028-4bc3-93e6-02087e0770a6
& see: https://retire.insecurity.today/#!/scan/ebd0c539e28a2d9eedbae5816f7e8aeb4ca0f583fb9512778ba3a7b24f4d6143

User Enumeration
  The first two user IDs were tested to determine if user enumeration is possible.

ID   User   Login
1   bordg20001407   bordg20001407
2   None   None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Reputation Check
PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK
Cisco Talos Blacklist: OK

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: April 22, 2020, 03:31:46 PM by polonus »

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6829
  • volunteer
Re: Site Blocked - URL:Phishing
« Reply #530 on: April 23, 2020, 12:00:58 AM »
A client's site has been marked as Phishing when it is not as per https://sitecheck.sucuri.net/results/accountingandtaxgroup.net and Metamask's Cryptonite.

Accountingandtaxgroup.net should not be considered phishing.

Help?

Detection was removed on 22.04.2020 at 06:18 AM

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.

Offline Guillaume77

  • Newbie
  • *
  • Posts: 4
Re: Site Blocked - URL:Phishing
« Reply #531 on: April 23, 2020, 10:17:05 AM »
Quote
User Enumeration
  The first two user IDs were tested to determine if user enumeration is possible.

ID   User   Login
1   bordg20001407   bordg20001407
2   None   None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Thanks Polonus for the check and for those pieces of advice.

However, it turns out that my website is down with the same error as yesterday. I feel like this could be a fake positive.

Is there any way to put the website (rootstravler.com) back up?

Also, I did a Sucuri site check too but did not arrive at the same results: some timeout issues reaching the site were detected.
https://sitecheck.sucuri.net/results/https/rootstravler.com

I hope we will be able to end this issue,
Guillaume

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32691
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #532 on: April 23, 2020, 02:03:45 PM »
Hi Guillaume77,

Take it up with your hoster, and also report it here: https://www.avast.com/false-positive-file-form.php
Wait for an avast team member to give a final verdict in reaction to what you have reported;
they are the only ones who can unblock any FP.

See the script from line 871 onwards
Quote
< svg style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1"
represented here:  https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=fV1ddHN0fXx2bHt9Ll5dbQ%3D%3D~enc   (which is hxtps://stats.wp.com/e-202017.js and being blocked for me)
-> https://www.shodan.io/host/192.0.76.3 -> https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=c3R8dHMud3AuXl1tYHstMjAyMDE3Lmpz~enc

polonus

Offline Guillaume77

  • Newbie
  • *
  • Posts: 4
Re: Site Blocked - URL:Phishing
« Reply #533 on: April 23, 2020, 08:06:23 PM »
Okay, thanks again for your time Polonus. I filled in the FP form and I'm waiting for an answer.

Best regards,
Guillaume

Offline master2020

  • Newbie
  • *
  • Posts: 2
Re: Site Blocked - URL:Phishing
« Reply #534 on: April 27, 2020, 01:19:30 PM »
Hello, I have problems with my site (elenakarpova.com), whenever I try to open a page from any computer on which Avast is installed, it does not allow access and a pop-up window appears with an attachment.

P.S. Sorry for my English
« Last Edit: April 27, 2020, 01:21:58 PM by master2020 »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66860
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<

Offline master2020

  • Newbie
  • *
  • Posts: 2
Re: Site Blocked - URL:Phishing
« Reply #536 on: April 27, 2020, 02:42:33 PM »
Thanks for the answer. But I did not understand why avast blocks the pages of my site.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83792
  • No support PMs thanks
Re: Site Blocked - URL:Phishing
« Reply #537 on: April 27, 2020, 03:51:01 PM »
Quote
Thanks for the answer. But I did not understand why avast blocks the pages of my site.

Well, being considered a Medium Security Risk is a start; outdated software is vulnerable and can be exploited. Not saying that this is the case, but it is certainly possible. If it happened in the past, or if the site is linked to an IP (multiple domains on the same IP address) that has been hacked, that could impact all domains on that IP.

You should certainly address the points in the link given by Asyn and update the outdated software.

You can use the Reporting Possible False Positive on Website - https://www.avast.com/false-positive-file-form.php form.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.598) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32691
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #538 on: April 27, 2020, 04:10:42 PM »
Hi master2020,

In addition to what Asyn and DavidR reported, with which I strongly agree, pay attention to the following glitches,
found through third-party cold reconnaissance scanning of the website at hand.

As you can establish, and as was mentioned to you, you have an outdated CMS: an outdated WordPress core version.
Update a.s.a.p.

Also outdated plug-in software; there also update a.s.a.p.:

The following plugins were detected by reading the HTML source of the WordPress site's front page.

pageviews 0.11.0 (latest release 0.11.0) https://pageviews.io
js_composer
all-in-one-seo-pack 3.3.5 (latest release 3.4.3) https://semperplugins.com/all-in-one-seo-pack-pro-version/
gallery-images-ape 2.0.8 (latest release 2.0.11) https://wpape.net/gallery-wordpress
wpfront-scroll-top 2.0.2 (latest release 2.0.2) http://wpfront.com/scroll-top-plugin/
woocommerce 3.9.2 (latest release 4.0.1) https://woocommerce.com/
shortcodes-ultimate 5.7.0 (latest release 5.8.1) https://getshortcodes.com/
mega-addons-for-visual-composer 3.1 (latest release 4.0) https://addons.topdigitaltrends.net/
contact-form-7 5.1.6 (latest release 5.1.7) https://contactform7.com/
widgetize-pages-light 2.6 (latest release 2.6) http://otwthemes.com/
wp_testme
robokassa 5.3 (latest release 1.3.4) /wp-admin/admin.php

Plugins are a source of many security vulnerabilities within WordPress installations; always keep them updated to the latest version available and check the developer's plugin page for information about security-related updates and fixes.

There are likely more plugins installed than those listed here, as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths using a dedicated tool.

Vulnerable (non-vulnerable) code

Quote
PHP, headers - 7.2.25 (highest score 6.4)
  CVE-2019-11047 (6.4): When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
  CVE-2020-7059 (6.4): When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.
  CVE-2020-7060 (6.4): When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.
  CVE-2020-7061 (6.4): In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.
  CVE-2019-11050 (6.4): When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
  CVE-2020-7063 (5): In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.
  CVE-2019-11044 (5): In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
  CVE-2018-19935 (5): ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.
  CVE-2019-11046 (5): In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.
  CVE-2020-7062 (4.3): In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.
  CVE-2019-11045 (4.3): In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
jQuery, script: Not vulnerable
jQuery, headers - 1.12.4: Not vulnerable
jQuery Migrate, script: Not vulnerable
jQuery UI Core, headers - 1.11.4: score 7.3
Bootstrap, script: Not vulnerable
All in One SEO Pack, html - 3.3.5: Not vulnerable
Font Awesome, html: Not vulnerable
Wordpress - 5.3.2: Not vulnerable

See vulnerabilities at your hoster: https://www.shodan.io/host/87.236.16.192

Retirable jQuery libraries detected:
Quote
bootstrap 3.3.5, found in -https://elenakarpova.com/wp-content/themes/nisarg/js/bootstrap.js?ver=5.3.2
Vulnerability info:
  High 28236: XSS in data-template, data-content and data-title properties of tooltip/popover (CVE-2019-8331)
  Medium 20184: XSS in data-target property of scrollspy (CVE-2018-14041)
  Medium 20184: XSS in collapse data-parent attribute (CVE-2018-14040)
  Medium 20184: XSS in data-container property of tooltip (CVE-2018-14042)
jquery 1.12.4, found in -https://elenakarpova.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Vulnerability info:
  Medium 2432: 3rd party CORS request may execute (CVE-2015-9251)
  Medium 11974: parseHTML() executes scripts in event handlers (CVE-2015-9251)
  Low: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution (CVE-2019-11358)
  Medium: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

JavaScript errors: ReferenceError: VK is not defined (at /:551)
DOM-XSS sinks and sources: results from scanning URL: -https://elenakarpova.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=3.9.2
Number of sources found: 50
Number of sinks found: 32
- "INJECTED" nodes have been injected to DOM by Javascript after initial page load.

Improvement hints found through linting: https://webhint.io/scanner/217dc635-8e3f-48d8-bc48-20caa9f15aac

kind regards,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
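An added example, not part of this thread or of the retire.insecurity.today service: it turns the "versions 7.2.x below 7.2.26 ..." clauses quoted in the scan above into version ranges and checks the header-reported PHP 7.2.25 against them, which shows that CVE-2020-7061 in that list does not cover the 7.2.x branch at all. The description excerpts are taken from the scan output above; a version read from headers cannot tell whether a distribution has backported the fixes, so the result is an upper bound on exposure, not proof of it.

```python
import re

# Affected-version clauses excerpted from the CVE descriptions in the scan above
# (excerpts only; the rest of each description is omitted).
CVE_DESCRIPTIONS = {
    "CVE-2019-11047": "in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible",
    "CVE-2020-7059": "in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2",
    "CVE-2020-7061": "In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files",
    "CVE-2020-7063": "In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, "
                     "the files are added with default permissions (0666, or all access)",
}

BRANCH_CLAUSE = re.compile(r"(\d+\.\d+)\.x below (\d+\.\d+\.\d+)")
EXACT_VERSION = re.compile(r"(?<![\d.])(\d+\.\d+\.\d+)(?![\d.])")


def vtuple(version):
    """'7.2.25' -> (7, 2, 25) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in version.split("."))


def parse_ranges(description):
    """Turn a description into [lower, upper) ranges: '7.2.x below 7.2.26' ->
    ('7.2.0', '7.2.26'); a bare '7.4.0' -> ('7.4.0', '7.4.1')."""
    ranges = []

    def take_branch(match):
        ranges.append((match.group(1) + ".0", match.group(2)))
        return " "  # drop the clause so its fix version is not re-read below

    rest = BRANCH_CLAUSE.sub(take_branch, description)
    for version in EXACT_VERSION.findall(rest):
        major, minor, patch = vtuple(version)
        ranges.append((version, f"{major}.{minor}.{patch + 1}"))
    return ranges


def is_affected(version, description):
    v = vtuple(version)
    return any(vtuple(lo) <= v < vtuple(hi) for lo, hi in parse_ranges(description))


def matching_cves(version, descriptions=CVE_DESCRIPTIONS):
    """CVEs whose stated ranges actually contain the header-reported version."""
    return sorted(cve for cve, text in descriptions.items() if is_affected(version, text))


if __name__ == "__main__":
    # The scan above lists all four against PHP 7.2.25; only three really apply.
    print(matching_cves("7.2.25"))
```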

Offline zigainfotech

  • Newbie
  • *
  • Posts: 1
Re: Site Blocked - URL:Phishing
« Reply #539 on: June 18, 2020, 06:54:59 PM »
Hello, I'm having problems with my website (http://thekeoghpractice.ie/), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.

Please allow this to load the website for the public.