Author Topic: Phishing False Positive  (Read 901 times)

0 Members and 1 Guest are viewing this topic.

Offline contact290

  • Newbie
  • *
  • Posts: 1
Phishing False Positive
« on: March 23, 2020, 06:27:00 PM »
Hi,

Firstly, appreciate the volunteer work the community members do here & hope you're all safe during the coronavirus scare.

Our homepage https://royalcbd.com/ is blocked by Avast – as reported by one of our team members earlier this morning when he tried to access the site.

We checked server logs for all unique pages that were visited on our site and ran an analyses on every unique page – found no suspicious files.

Submitted the false positive form – was wondering if there's anything I can do to expedite the process (guessing not) as it's caused a flurry of complaints from customers.

https://sitecheck.sucuri.net/results/royalcbd.com
https://www.urlvoid.com/scan/royalcbd.com/
https://observatory.mozilla.org/analyze/royalcbd.com

Looks like we have some work to do on the last one, but no phishing was found.

Thanks, Alex.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83018
  • No support PMs thanks
Re: Phishing False Positive
« Reply #2 on: March 23, 2020, 09:41:23 PM »
Hi,

Firstly, appreciate the volunteer work the community members do here & hope you're all safe during the coronavirus scare.

Our homepage hXXps://royalcbd.com/ is blocked by Avast – as reported by one of our team members earlier this morning when he tried to access the site.

We checked server logs for all unique pages that were visited on our site and ran an analyses on every unique page – found no suspicious files.

Submitted the false positive form – was wondering if there's anything I can do to expedite the process (guessing not) as it's caused a flurry of complaints from customers.<snip>

Looks like we have some work to do on the last one, but no phishing was found.

Thanks, Alex.

No other way to expedite the process, I would assume that they work through them in FIFO order

You may have some more work to do:
See https://webhint.io/scanner/7c66f94c-ed5d-4db8-803b-8851f41cbfc5
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.2.2401 (build 20.2.5130.570) UI-1.0.505/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32436
  • malware fighter
Re: Phishing False Positive
« Reply #3 on: March 24, 2020, 04:12:02 PM »
Insecure tracking: Website is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping. Tell -royalcbd.com to fix it.

Identifiers | All Trackers
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

 -royalcbd.com__cfduid
-d4caad975332e7cd32XXXXXXXXXX36fef1583162006 ajax.cloudflare.com__cfduid

 Tracking IDs could be sent safely if this site was secure.

Vulnerable PHP: PHP, headers - 7.2.27
6.4
CVE-2020-7061
In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.
6.4
CVE-2020-7063
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.
5
CVE-2018-19935
ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.
5
CVE-2020-7062
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.
4.3

Some work to do for those website developers and - admins sitting at home to get such websites a tad more secure

The following plugins were detected by reading the HTML source of the WordPress sites front page.
Quote
affiliate-wp   
shopkeeper-extender   
woo-gutenberg-products-block 2.5.14   latest release (2.5.14)
https://github.com/woocommerce/woocommerce-gutenberg-products-block
yith-woocommerce-waiting-list-premium   
jetpack 8.3   latest release (8.3)
https://jetpack.com
woocommerce-gateway-authorize-net-cim   
contact-form-7 5.1.7   latest release (5.1.7)
https://contactform7.com/
elementor-pro   
klaviyo 2.1.7   latest release (2.1.7)
https://wordpress.org/plugins/klaviyo/
ultimate-elementor   
woocommerce 4.0.1   latest release (4.0.1)
https://woocommerce.com/
js_composer   
age-gate   latest release (2.5.0)
https://agegate.io/
yith-woocommerce-anti-fraud-premium 1.2.9   
yith-woocommerce-wishlist   latest release (3.0.9)
https://yithemes.com/themes/plugins/yith-woocommerce-wishlist/
woocommerce-all-products-for-subscriptions 3.1.6   
woo-variation-swatches   latest release (1.0.78)
https://wordpress.org/plugins/woo-variation-swatches/
elementor 2.9.6   latest release (2.9.6)
https://elementor.com/
shopkeeper-deprecated   
woocommerce-square 2.1.1   latest release (2.1.1)
https://woocommerce.com/products/square/
wc-aelia-foundation-classes   
shopkeeper-portfolio   

Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

There are likely more plugins installed than those listed here as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths  using a dedicated tool.


Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklis: OK

polonus (volunteer 3rd party cold rec on website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!