Author Topic: URL Blocking: Phishing  (Read 2266 times)

Offline Florov

  • Newbie
  • *
  • Posts: 1
URL Blocking: Phishing
« on: October 15, 2019, 10:30:33 AM »
Hi,

Today I noticed that Avast blocked the URL florov.com as Phishing.
I've checked the website with Sucuri, Virustotal and many others and nothing was found.

https://sitecheck.sucuri.net/results/https/florov.com
Virustotal https://www.virustotal.com/gui/url/bbbba6808912ed65412f4e0c381662582c23a5b3bb419e0ea0743aaa771d875f/detection

I also checked the IPs and found a result from a scumware detection 1 year before, but all threats were cleaned a long time ago, more than 1 year.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: URL Blocking: Phishing
« Reply #1 on: October 15, 2019, 10:48:22 AM »
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: URL Blocking: Phishing
« Reply #2 on: October 15, 2019, 11:35:47 AM »
Hello Florov,

There are nine immediate threat risks found on that site from White Russia:
see: https://app.upguard.com/webscan#/florov.com

Moreover there are 2 vulnerable jQuery retirable libraries detected: https://retire.insecurity.today/#!/scan/bee14c00a237d800fbb35a1c6532fc2bd384881c5aff6d27b30f86a98fd51ecb

Insecure WordPress settings detected:
User Enumeration
  The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   None   florov
2   None   None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Reputation Check: PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK
Cisco Talos Blacklist: OK
Web Server: Apache
X-Powered-By: None
IP Address: 78.142.62.227
Hosting Provider: Telepoint Ltd
Shared Hosting: 193 sites found on 78.142.62.227

Vulnerabilities to take up with the hoster: https://www.shodan.io/host/78.142.62.227

CVE-2018-15919   Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

CVE-2017-15906   The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

Hoster uses OpenSSH 7.4 so is vulnerable!

Probably through detection on other domains on that same IP: https://www.virustotal.com/gui/ip-address/78.142.62.227/relations

Website linting results (improvement recommendations): https://webhint.io/scanner/793a80d2-c3f6-4765-9e5c-d983009b8fde

Wait for an Avast team member to give a final verdict. They are the only ones to come and unblock.
We here are just volunteers with relative knowledge on website security analysis that come to advise you.

Regards,

polonus (volunteer 3rd party cold reconnaissance website security analysis and website error-hunting)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
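
An added example, not part of the thread or any poster's code: a site owner can look for the author-archive user enumeration described in Reply #2 in the Apache access log. It flags clients that request several distinct `?author=N` IDs and records which IDs were answered with a redirect, which is how WordPress reveals a login when pretty permalinks are enabled (an assumption here). The log lines, IP addresses and the `min_distinct_ids` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Oct/2019:09:12:01 +0000] "GET /?author=1 HTTP/1.1" 301 - "-" "scanner"',
    '203.0.113.7 - - [15/Oct/2019:09:12:02 +0000] "GET /?author=2 HTTP/1.1" 404 5120 "-" "scanner"',
    '198.51.100.20 - - [15/Oct/2019:09:13:40 +0000] "GET /?p=12 HTTP/1.1" 200 8411 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [15/Oct/2019:09:14:05 +0000] "GET /?author=1 HTTP/1.1" 301 - "-" "Mozilla/5.0"',
]

def author_probe_id(target):
    """Return the numeric author ID if the request carries ?author=N, else None."""
    for value in parse_qs(urlsplit(target).query).get("author", []):
        if value.isascii() and value.isdigit():
            return int(value)
    return None

def find_enumerators(lines, min_distinct_ids=2):
    """Map client IP -> author IDs probed and IDs answered with a redirect."""
    probes = defaultdict(lambda: {"ids": set(), "leaked": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        author_id = author_probe_id(m["target"])
        if author_id is None:
            continue
        entry = probes[m["ip"]]
        entry["ids"].add(author_id)
        # Assumption: a 301/302 means WordPress redirected to /author/<login>/,
        # exposing the login name; a 404 means no user with that ID.
        if m["status"] in ("301", "302"):
            entry["leaked"].add(author_id)
    return {
        ip: {"ids": sorted(e["ids"]), "leaked": sorted(e["leaked"])}
        for ip, e in probes.items()
        if len(e["ids"]) >= min_distinct_ids
    }

if __name__ == "__main__":
    for ip, result in find_enumerators(SAMPLE_LOG).items():
        print(ip, "probed IDs", result["ids"], "logins exposed for", result["leaked"])
```

A single visitor following one author link stays below the threshold; only the client walking through consecutive IDs is reported.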

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6674
  • volunteer
Re: URL Blocking: Phishing
« Reply #3 on: October 16, 2019, 11:38:03 PM »
Detection was removed on 16.10.2019 at 10:10 AM.

Quote from: Avast
Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.