Site Blocked - URL:Phishing

[polonus]

2 engines detect this here: https://www.virustotal.com/gui/url/15f856199512ada1d3b1a0110730d22fef94ceb086d302598e30c4ca57483a82/details

Insecure hosting on IP 87.76.23.83 -> Website is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping. Tell -nexcess.net to fix it.

 All trackers
At least 1 third parties know you are on this webpage.

-obpuk1-05.nexcess.net -obpuk1-05.nexcess.net

 Tracker could be tracking safely if this site was secure.

Webpage kicking up a 400 Bad Request error!

Problem with SSL, a problem with the SSL prevented the page from being retrieved!
Server certificate is issued for different domain(s) and does NOT cover -thekeoghpractice.ie!
Server certificate does NOT cover both domains with and without www.

See: https://sitereport.netcraft.com/?url=http%3A%2F%2Fwww.thekeoghpractice.ie

Wait for a final verdict from an avast team member, as they are the only ones to come and unblock.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[jnli931008]

I also have this issue whit my domain which is demo.rla-latamvirtual.com.. i don't know why is this happening please help cause i am doing a virtual event and many people can not get into de web page

[Asyn]

-> https://sitecheck.sucuri.net/results/demo.rla-latamvirtual.com
-> https://www.virustotal.com/gui/url/7a34c83c3f2da4aa0cd303bf6bcac155127aa505235c5e87c5a0607fb9f00b6c/detection

[polonus]

Re: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=I3ttXS59bHwtbHx0fG12W310dXxsLl5dbQ%3D%3D~enc

You should take this up with GoDaddy's -

1:  < !DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
2:  < html> < head>
3:  < title> 403 Forbidden< /title>
4:  < /head> < body>
5:  < h1> Forbidden< /h1>
6:  < p> You don't have permission to access this resource.< /p>
7:  < p> Additionally, a 403 Forbidden
8:  error was encountered while trying to use an ErrorDocument to handle the request.< /p>
9:  < /body> < /html>

Avast flags the site as with PHISHING.

polonus

[Amesimeku]

Hello i have the same problem!! My website https://crowdmagna.com/ is being blocked but i have scanned it thoroughly and there is no phishing links!! Kindly assist me by removing it from your list for me.

[Asyn]

-> https://sitecheck.sucuri.net/results/https/crowdmagna.com

[DavidR]

-> https://sitecheck.sucuri.net/results/https/crowdmagna.com

Not to mention https://webhint.io/scanner/638f2e77-a37d-48e6-b26a-d73364596468 which is even worse 0 from 10 on the security checks.

[polonus]

Site can be reached for some scanners. Hosted @ 45.133.200.3 that is from -cpanel-host.prohoster.info

<html><head><META HTTP-EQUIV="Cache-control" CONTENT="no-cache"><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>

The problem is there and you should take it up with the hoster, MBAM also flags:
Website blocked due to trojan
We strongly recommend you do not visit this site.
Website blocked: hxtp://cpanel-host.prohoster.info/

DOM-XSS issues: Results from scanning URL: -https://crowdmagna.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Number of sources found: 41
Number of sinks found: 17
&
Results from scanning URL: -https://crowdmagna.com/wp-content/plugins/wp-fundraising-donation/assets/public/script/single-page/jquery.magnific-popup.min.js?ver=1.1.16
Number of sources found: 13
Number of sinks found: 18

SERVER DETAILS
Web Server:
nginx
IP Address:
-45.133.200.3
Hosting Provider:
INTERNET-IT, NL
Shared Hosting:
65 sites found (use Reverse IP to download list)
Title:
Index of /wp-includes

DShield    CLEAN
AlienVault OTX      CLEAN
Cisco Talos    CLEAN
abuse.ch (Feodo)    CLEAN
URLhaus    CLEAN
Spamhaus (Drop / eDrop)    CLEAN

0 issues found during a high level analysis at a 3rd party word press security scan.

Wait for a final verdict from an avast team member, as they are the only ones to come and unblock,
or establish we deal with a genuine trojan detection.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

[mgnplay1]

Hi Avast.
I have this website , activegear2go.com, that has been flagged as phishing. The hosting company, bluehost, informed me numerous times the site is ok. I cannot use it due to aborting mechanism built in your code.
Please help me get control over the website.
Thank you.

[DavidR]

Hi Avast.
I have this website , activegear2go.com, that has been flagged as phishing. The hosting company, bluehost, informed me numerous times the site is ok. I cannot use it due to aborting mechanism built in your code.
Please help me get control over the website.
Thank you.

It isn't just avast that considers it suspect https://sitecheck.sucuri.net/results/activegear2go.com
Also see https://webhint.io/scanner/46ed5c96-c13e-4b30-b775-8b6410d8d471 for other things that may need to be addressed.

Outside of that - You can use the Reporting Possible False Positive on Website - https://www.avast.com/false-positive-file-form.php form.
That will get a review, but no guarantee that it would be removed as there is some vulnerable software on that site which could place it at risk.

[polonus]

There are also problems with the security of the Word Press CMS.
Set user enumeration and directory listing on disabled.
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Directory indexing is tested on the /wp-content/uploads/ and /wp-content/plugins/ directores. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

polonus

[mgnplay1]

Hi Avast.
I have this website , activegear2go.com, that has been flagged as phishing. The hosting company, bluehost, informed me numerous times the site is ok. I cannot use it due to aborting mechanism built in your code.
Please help me get control over the website.
Thank you.

It isn't just avast that considers it suspect https://sitecheck.sucuri.net/results/activegear2go.com
Also see https://webhint.io/scanner/46ed5c96-c13e-4b30-b775-8b6410d8d471 for other things that may need to be addressed.

Outside of that - You can use the Reporting Possible False Positive on Website - https://www.avast.com/false-positive-file-form.php form.
That will get a review, but no guarantee that it would be removed as there is some vulnerable software on that site which could place it at risk.

Hi,

Thanks for your quick response. I replaced all the wordpres files with good ones . I checked the links and in the first one, only McAfee finds an issue with the site and in regards to the second link , i don't know what to make of it. Can you help me understand what is relevant to my problem?
Thank you in advance.

[DavidR]

Hi,

Thanks for your quick response. I replaced all the wordpres files with good ones . I checked the links and in the first one, only McAfee finds an issue with the site and in regards to the second link , i don't know what to make of it. Can you help me understand what is relevant to my problem?
Thank you in advance.

As for "Replacing the wordpress files with good ones," I'm not entirely sure what you mean by that. What needs to be done is to ensure that you have the latest wordpress version installed on your website as older versions are vulnerable to attack.

The first link is just to confirm Avast isn't alone in blocking the site and you would also have to try and get that cleared also.

The second link shows details of what areas (in particularly related to security) it didn't do well in.  That would have to be taken up with whomever built the site or help from your Hosting service.  I'm sorry, this isn't something that I can help with, nor something that we undertake in the forums.

[polonus]

Hi mgnplay1,

Still 2 issues
Issues found during a high level analysis of the target site. It is recommended that further active scanning be undertaken for a more accurate assessment.
Scan can be performed here: https://hackertarget.com/wordpress-security-scan/  then you could see issues for yourself.

1. User Enumeration
The first two user ID's were tested to determine if user enumeration is possible.

Username   Name
ID: 1   not found   
ID: 2   admin1   admin1
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

2. Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

Path Tested   Status
/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing is tested on the /wp-content/uploads/ and /wp-content/plugins/ directores. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Linked sites OK - javascript resources also OK.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[avast686]

The AVAST WebShield is also blocking the Centurylink webmail link at https://webmail.centurylink.net/mail#1;

I have verified a number of times by disabling the web shield and the site loads.  If enabled, the site does not load.

I have verified this issue on several workstations and with several Centurylink accounts.  Can you remove this URL from the block list?

The notification at the time of the blocked site URL load was that the site was blocked: PHISHING.