Site Blocked - URL:Phishing

[polonus]

4 engines to detect it on the VirusTotal IP relations scan, one of the first to bark at it, is Bitdefender's. (fresh scans).

Redleg\'s File Viewer alerts for:

URLs that redirect found in: -https://www.nsasoft.us

1: -http://www.wa4y.com/wa.html?wa4y_uid=WA4Y_1_1&wa4y_event=OnPageView&wa4y_js=0 ->
-https://www.wa4y.com/wa4y_api/wahtml.php?wa4y_uid=WA4Y_1_1&wa4y_event=OnPageView&wa4y_js=0

Note: The URLs listed above that were found in the page you are checking are redirecting to other URLs. In many cases the redirects are legitmate so it can be tricky to determine whether or not the redirects are causing a problem. Take a look at the URL that is being redirected to -- Does it look suspicious?? Is the domain being redirected to shown on the malware warning (if you are getting one)?

A moment ago we scanned: https://www.virustotal.com/gui/url/cb0c2bfedad0a9b29edcdb9faa86d8cc5bcb85d17871f9e5aef7486a6027a125/detection
See: https://www.virustotal.com/gui/ip-address/66.206.5.203/relations

So this could well be an FP, wait for an avast team member to give the final verdict. We do not know about the download files?

53
tcp
dns-tcp
-9.11.4-P2-RedHat-9.11.4-9.P2.el7  (with backported security fixes, moderate bind security bug detected).

Excessive server info proliferation is a bad thing however, as malcreants just have to look for existing vuln. & exploits
or create their own code against it.

Resolver name: server.nsasoft.us -> https://toolbar.netcraft.com/site_report?url=http://server.nsasoft.us&refresh=1#history_table

Not found up here: http://isitphishing.org/ -> https://www.bitsdujour.com/software/nsasoft-hardware-software-inventory/virus-scan

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[jefferson sant]

Hello.
I have problem with my site. The avast has blocked my site. pizzeriananda.fi  could you please unblock my site.

Detection was removed on Wednesday 09.10.2019 at 03:43 AM.

Our virus specialists have been working on this problem and it has now been resolved. The provided website isn't detected by Avast anymore.

[mastersoft2]

Hi, I'm having problems with my website (www.mastersoft.com.cy), whenever I try to access it from any computer that has Avast installed it does not allow access.

The site is hosted by bluehost and after a full scanning they tell me the site is clean.

The site is actually still empty, just a wellcome screen.

We mainly use the site's FTP to upload new versions for our clients.

Please advice since we cannot serve our customers anymore.

[polonus]

Probably a html detection related to that domain's IP:
https://www.virustotal.com/gui/ip-address/74.118.69.26/relations

Wait for a final verdict by an avast team member for a final verdict,
as we cannot come and unblock, only avast team members do.

1. URL: -http://www.mastersoft.com.cy/
  Server response code and content type: 301, text/html; charset=UTF-8
  Elapsed time: 1350.80ms
  Dr.Web not recommended websites database: Clean
  Redirect:-http://mastersoft.com.cy/
2. URL: -http://mastersoft.com.cy/
  Server response code and content type: 200, text/html; charset=UTF-8
  Elapsed time: 862.71ms
  Dr.Web not recommended websites database: Clean
  Size: 8048
  MD5: 9a2851c69f8f0956e85615200a5b20c7
  Scan time: 29.07ms
  Scan result: clean
  Full Dr.Web scan report: *

3. URL: -http://mastersoft.com.cy/wp-includes/js/jquery/jquery.js
  Server response code and content type: 200, application/javascript
  Elapsed time: 456.60ms
  Dr.Web not recommended websites database: Clean
  Size: 96873
  MD5: 49edccea2e7ba985cadc9ba0531cbed1
  Scan time: 150.40ms
  Scan result: clean
  Full Dr.Web scan report: *

2019-10-12 17:05:15

Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist:OK
Web Server:
nginx/1.17.3
X-Powered-By:
None
IP Address:
-162.241.218.145
Hosting Provider:
Unified Layer
Shared Hosting:
8000 sites found on -162.241.218.145

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[Asyn]

-> https://sitecheck.sucuri.net/results/www.mastersoft.com.cy

[jefferson sant]

Awast started blocking legitimate company web site hxxps://www.nsasoft.us with reason "URL:phishing". This site doesn't have anything related with "URL:phishing". How to fix and remove this alert?

Detection was removed in 14.10.2019 at 07:50 AM.

Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.

[jefferson sant]

Hi, I'm having problems with my website (wxw.mastersoft.com.cy), whenever I try to access it from any computer that has Avast installed it does not allow access.

The site is hosted by bluehost and after a full scanning they tell me the site is clean.

The site is actually still empty, just a wellcome screen.

We mainly use the site's FTP to upload new versions for our clients.

Please advice since we cannot serve our customers anymore.

Detection was removed in 14.10.2019 at 07:24 AM.

Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.

[Mahmoud Ofeisa]

Hello,

I have the same issue "URL:Phishing" with my website "www.mahmoud-ofeisa.com".

[polonus]

Here the site was not found to be phishing: https://phishcheck.me/47661/details
No indications here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lm18aG1ddSMtXWZ7W3N8Ll5dbQ%3D%3D~enc

Your Word Press CMS is outdated, update a.s.a.p.

Again 5 engines detect PHISHING at the IP you share with other domains:
https://www.virustotal.com/gui/url/eeada5a06e596ca581edd0517ecd0efe55f246a02d99235b8d91c75cc1639c93/detection

See: https://www.shodan.io/host/178.128.194.130

2 vulnerable jQuery libraries detected on website: https://retire.insecurity.today/#!/scan/a70ade7b966e00ad73f6050494df1437911a92a65bd32b5cd9ebb0f1b81fd38a

DOM-XSS flaws found: Results from scanning URL: -https://www.mahmoud-ofeisa.com/wp-content/themes/latte/assets/js/parallax.min.js?ver=5.1.3
Number of sources found: 44
Number of sinks found: 2
&
Results from scanning URL: -https://www.googletagmanager.com/gtag/js?id=UA-149912833-1
Number of sources found: 33
Number of sinks found: 12

Wait for a final verdict from an avast team member, as they are the only ones that can come and unblock,
we just advise you through relative knowledge of website security analysis.

Netcraft Risk Rating 10 red out of 10: https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.mahmoud-ofeisa.com
12 immediate threats: https://app.upguard.com/webscan#/www.mahmoud-ofeisa.com

polonus

[jefferson sant]

Hello,

I have the same issue "URL:Phishing" with my website "wxw.mahmoud-ofeisa.com".

Detection was removed in 16.10.2019 at 12:21 PM.

Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.

[omega5]

I also have this problem with http://omegacomputuerservices.ca

1. Please remove this website from your blacklist.

2. Why is this (our) site on your blacklist?

3. Assuming that there was a good reason at one time in the past, why is it still on the list? Don't you guys check these things? Or is it damned once then damned for all time? Not every website that has an issue was designed to be bad. Some could have been attacked and hacked by outside people. Don't you believe that these problems could be eventually found, fixed , and security tightened up?

If you keep reporting a currently good site as bad, it is not the site's problem, it is Avast's. If you are not reliable, then there is no point in using your services, is there?

4. If you don't respond to points 2 and 3, that is an indication of how much you care about customers, which could be reciprocated by how much customers care about your product.

[Pondus]

4. If you don't respond to points 2 and 3, that is an indication of how much you care about customers, which could be reciprocated by how much customers care about your product.

They will not respond unless you report it the correct way .... and how to do that is posted in many reply`s in this topic

[Michael (alan1998)]

<Edit>
Got it.

Please ensure you give us the RIGHT url next time --> http://omegacomputerservices.ca

[Michael (alan1998)]

Google has you guys listed as a COmputer Consultant company.

This URL >> hxxp://www.omegacomputerservices.ca/

Flagged by BitDefender >> https://www.virustotal.com/gui/url/1ab0119ceaa1f93075a443789b762161b0f972347bbc0dd6df0e574a5178c004/detection
URLVoid reveals 2 bans >> https://www.urlvoid.com/scan/omegacomputerservices.ca/
Sucuri warnings on non-https >> https://sitecheck.sucuri.net/results/omegacomputerservices.ca

You keep referencing an email address to omega@portal.ca. Portal.ca appears to be offline.
Offline >> https://downforeveryoneorjustme.com/portal.ca

Interesting though, because the omega website has MX (Mail eXchange) records on it.
DNS >> https://www.ultratools.com/tools/dnsLookupResult

Polonus will more then likely have more to add.

Volunteer

As for points 2 and 3,

To answer them

2. Why is this (our) site on your blacklist?

The anti-virus tells you, Phishing.

3. Assuming that there was a good reason at one time in the past, why is it still on the list? Don't you guys check these things? Or is it damned once then damned for all time? Not every website that has an issue was designed to be bad. Some could have been attacked and hacked by outside people. Don't you believe that these problems could be eventually found, fixed , and security tightened up?

No, you're not damned once, then damned for all time. There are 28 pages (IN THIS THREAD) of people having their respective issues handled. You comment served no purpose other then to annoy people.

Do they check up on domains? Hell. No. There are 324.6 million domains registered. Avast! definitely does not have the time to check them; and for that matter, no company has the time to check that many domains.

Hacked by others: Yes, that's true, domains can be hacked by others. That's your job to fix, whether that means doing it yourself, or contracting someone else is up to you. Here's what Avast! knows, it's doing something bad. That's the bottom line, not "who did it" because that doesn't matter.

Do you believer problems can be found, fixed and security tightened: Yes, obviously. Reference 28 pages in this thread alone of people like Polonus, Jefferson and Pondus pointing out vulnerable jQueries, software of plain stupid oversights.

To respond to point 4.

If you don't respond to points 2 and 3, that is an indication of how much you care about customers, which could be reciprocated by how much customers care about your product.

It's an indication if you go through official channels maybe. Most of the people on these forums (with exceptions like Milos, VitSU, and others) are all here as volunteers. These forums are not monitoring 24/7, and while Avast! usually keeps tabs around, others usually call Avast!'s attention to updates and responses in threads so they don't get lost.

The OFFICIAL way of documenting a potential false-positive can be found here >> https://www.avast.com/false-positive-file-form.php.

If you keep reporting a currently good site as bad, it is not the site's problem, it is Avast's. If you are not reliable, then there is no point in using your services, is there?

On the surface, all may appear well and good. Heck, there may not even be a way to get from the homepage to the phishing page. THe phishing page might be buried to avoid detection. I've seen this in the wild, legit websites (hotel in this case) be completely normal on the surface, and then have a full blown Microsoft phishing page buried deep, with no way of accessing unless you have the direct URL (or seriously go hunting for it.)

[omega5]

The OFFICIAL way of documenting a potential false-positive can be found here >> https://www.avast.com/false-positive-file-form.php.

I started with avast.com. The above looks like the proper place to go but either I did not find a way to get there, (I could have missed the link) or I didn't get a response (It has been a few months since I first started this quest). Google eventually led me to this place but I don't feel up to reading 4000 responses to catch up on the history of this issue.

The website in question is static. It does not ask for any information from the viewer. The most sophisticated thing it does is to use bootstrap to properly display on various devices.

The email address is as it is for historical reasons. The ISP was absorbed by others but the email address domain still exists. The mailbox associated with omegacomputerservices.ca exists but is not being used.

omegacomputerservices.COM is a different company and today that url redirects to ocs.help.

A bit over a year ago, something hacked the site and a separate subdirectory tree was planted. This was ripped out and, currently, nothing that does not belong there is there.

But avast details reports URL:Phishing with the offending URL being
http://omegacomputerservices.ca/bootstrap/css/bootstrap-responsive.css   one time and
http://omegacomputerservices.ca/bootstrap/js/jquery.js                            another time
and eventually just about every file in that directory tree. If there were an actual problem, it would not move around from file to file.

From this forum I did discover  sitecheck.sucri.net  and
https://sitecheck.sucuri.net/results/omegacomputerservices.ca
says the site is clean.

If I were not using Avast, I would not be aware that Avast had a problem with this website. If Avast would continue showing it bad until somebody tells Avast that it is not, the false status could go on forever.

If any of this helps in solving the problem, then thank you all and thank the goddesses. If this does not solve the problem, then the goddesses will need another sacrifice.