Author Topic: URL Phishing (Read 2472 times)

Andreas Leong · « **on:** May 22, 2019, 04:13:18 PM »

Hi everyone, may I know why is my website showing URL Phising problem? My website is wxw.5dummies.com and I had contacted with Hostgator, they had helped me to remove all the suspected content and virus from my website, but it still having this problem. Anyone can help me to solve this?

Milos · « **Reply #1 on:** May 22, 2019, 04:19:03 PM »

Hello,
use https://www.avast.com/false-positive-file-form.php

Milos

Andreas Leong · « **Reply #2 on:** May 22, 2019, 04:41:09 PM »

Alright, I submited

polonus · « **Reply #3 on:** May 22, 2019, 06:35:08 PM »

Hi Andreas Leong,

Some recommendation towards your site's improvement, also security related items * of which 125 security items:
249 in all: https://webhint.io/scanner/01c75d8f-cd88-4bd2-8c85-4804945ea3a6

* Security Checks for -http://www.5dummies.com
(6) Susceptible to man-in-the-middle attacks
(5) Domain at risk of being hijacked
Vulnerabilities can be uncovered more easily
(2) Emails can be fraudulently sent
(3) Unnecessary open ports
DNS is susceptible to man-in-the-middle attacks

Still get a webshield detection for url-phishing from avast..probably an old McAfee blacklisting on IP domains.
Given an all green here: https://zulu.zscaler.com/submission/d9967602-452e-40ba-aac8-47f70b11b746

Word Press config, disable settings for directory listing!

DOM-XSS issues: Results from scanning URL: -http://www.5dummies.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.1.3
Number of sources found: 32
Number of sinks found: 13

and Results from scanning URL: -https://stats.wp.com/e-201921.js
Number of sources found: 121
Number of sinks found: 26

Detected with Retire.js
jquery   1.12.4   Found in -https://s1.wp.com/home.logged-out/page-jan-2019/js/bundle.js?v=1556230286
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

F-grade scan results and recommendations: https://observatory.mozilla.org/analyze/www.5dummies.com

Dr.Web's URLologist says:
Checking: -https://www.5dummies.com/wp-json/
Engine version: 7.0.34.11020
Total virus-finding records: 7682689
File size: 159.23 KB
File MD5: e24a826f48c27f7db49359cd3dba9fbf

-https://www.5dummies.com/wp-json/ - Ok

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

Andreas Leong · « **Reply #4 on:** May 22, 2019, 06:49:52 PM »

Thank You

Andreas Leong · « **Reply #5 on:** May 23, 2019, 05:04:31 AM »

Hi guys, my website still showing url phishing now

polonus · « **Reply #6 on:** May 23, 2019, 06:01:24 PM »

Hi Andreas Leong,

You are welcome.

The only ones, that can come and unblock, are avast team members.
We here are just volunteers and in my case, someone with relevant knowledge of website security analysis issues,
third party JavaScript analysis and retirable JQuery libraries and ignoring best (code) policies
and security config. & header settings, being at that for over 12 years now here on the forums.

I am also working as a proctor at an Institute of Higher Education for Communication, Media & IT Studies,
so aware what happens in the field website developer education and technical IT (front-end/back-end),
Dom-XSS issues and other issues for instance.

So my advice is to wait for someone of Avast Team to react and give a final verdict,

polonus

Jiří Šembera · « **Reply #7 on:** May 24, 2019, 04:21:09 PM »

Hi Andreas,

I've disabled the detection and I strongly recommend focusing on your website security since we've seen quite a few phishing campaigns hosted on your site. Otherwise it is quite likely your whole website gets blocked again. In fact one of the campaigns is still live at 5dummies[.]com/en/wp-admin/js/z5.

Regards
Jiri

Andreas Leong · « **Reply #8 on:** May 28, 2019, 04:22:15 PM »

Thank You so much, but now my website still showing this? And I dont really sure which of my post/campaign are getting problem now?

Pondus · « **Reply #9 on:** May 28, 2019, 04:42:16 PM »

hxxp://5dummies.com/en/wp-admin/js/z5
https://www.virustotal.com/#/url/a7f4f04bc423930919fd15354dfe7b4ad559f44dfe52ffb8eee4624dc82ef182/detection

IP history https://www.virustotal.com/#/ip-address/108.179.234.144

VT community
https://www.virustotal.com/#/file/dad77b4e03da0b316a68760e47d7fa73d38b6aee78c004fbf5cb41b5a5d83ebf/community

Sucuri https://sitecheck.sucuri.net/results/5dummies.com/en/wp-admin/js/z5

urlQuery https://urlquery.net/report/04593caf-67bc-4522-a4de-99668b51b7f7

Andreas Leong · « **Reply #10 on:** May 29, 2019, 06:30:42 PM »

Thank You, but is anyone can tell me which part of my website has virus? So that I can delete it, or plugin problem? I am really so sorry because I really dont know anything about this

jefferson sant · « **Reply #11 on:** June 03, 2019, 12:59:50 PM »

Quote from: Andreas Leong on May 29, 2019, 06:30:42 PM

Thank You, but is anyone can tell me which part of my website has virus? So that I can delete it, or plugin problem? I am really so sorry because I really dont know anything about this

Hello Andreas Leong.

You will have to ask for a review to clear the reason obvious blocked is this result

Quote from: Avast

It seems that the provided URL is detected by Google Safe Browsing, as you can see in this report: https://transparencyreport.google.com/safe-browsing/search?url=5dummies.com

Once this is resolved in the Google service, Avast should automatically unblock the website as well.