Author Topic: False positive for cfprotools.com and associated domains  (Read 4926 times)


Offline jaime128

  • Newbie
  • *
  • Posts: 10
False positive for cfprotools.com and associated domains
« on: September 27, 2020, 07:19:02 PM »
I've submitted a false positive report using the official form as well, but wanted to post here also.

Customers of CF Pro Tools have recently started reporting that they are getting an Avast warning of a URL:Phishing from Avast for cfprotools.com

CF Pro Tools provides add-on codes for ClickFunnels customers and provides services to thousands of customers.  There are no phishing scripts provided by CF Pro Tools.

This false positive is severely affecting the reputation of my business and the platform.  It's also impacting the businesses of many of my customers because their sites are now also throwing the warning because they've included scripts and images from cfprotools.com to aid in their businesses.

Please remove any cfprotools.com domains from the phishing blacklist and add to the "clean" list so that this doesn't happen again in the future.

I appreciate your rapid support in getting this corrected.

Thanks
Jaime Smith
Founder, CF Pro Tools

Offline gregorydakins

  • Newbie
  • *
  • Posts: 1
Re: False positive for cfprotools.com and associated domains
« Reply #1 on: September 27, 2020, 07:29:38 PM »
I am a user of Jaime's tools and this is really affecting some of my pages! There is no phishing occurring here, just trying to make my webpages run smoother!


Would love if this false positive could be rectified quickly! I know myself and thousands of other small business owners rely on our pages running smoothly and this is blocking them completely for users running popular antivirus software like AVG!


-Gregory Dakins

« Last Edit: September 27, 2020, 08:05:04 PM by gregorydakins »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: False positive for cfprotools.com and associated domains
« Reply #2 on: September 27, 2020, 07:45:53 PM »
Hi guys, I forwarded it...
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline jaime128

  • Newbie
  • *
  • Posts: 10
Re: False positive for cfprotools.com and associated domains
« Reply #3 on: September 27, 2020, 08:36:22 PM »
Thanks so much!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: False positive for cfprotools.com and associated domains
« Reply #4 on: September 28, 2020, 07:21:29 AM »
You're welcome.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: False positive for cfprotools.com and associated domains
« Reply #5 on: September 28, 2020, 08:41:25 AM »
Info from Threat Labs: There is an active phishing on the domain.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: False positive for cfprotools.com and associated domains
« Reply #6 on: September 28, 2020, 11:37:37 AM »
Redirect: -http://cfprotools.com redirects to -https://cfprotools.com/get-started
then to -https://www.clickfunnels.com/assets/cfpop.js
Checking -http://cfprotools.com
Xmark
Checking for cloaking
There is a difference of 8556 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page:
Quote
(Tiny part of it is given here andXXX blurred by me, pol for obvious reasons)............;peXXXXXX.DMzEOxxQ*=+((!+[]+(!![])+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+(!![])+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![]+!![])+(!+[]-(!![]))+(!+[]+(!![])+!![]))/+((!+[]+(!![])+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+(!![])+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![]+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+(!![])+!![]+!![])) etc etc.  ...............


polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline jaime128

  • Newbie
  • *
  • Posts: 10
Re: False positive for cfprotools.com and associated domains
« Reply #7 on: September 28, 2020, 05:25:14 PM »
Thanks for the extra info.  The pages you're reviewing are the sales pages for my service that use ClickFunnels.com to generate the pages.  I've updated the page to remove the use of clickfunnels.com/assets/cfpop.js.  I have no idea why that would be serving different content to Chrome versus Google Bot.

I hope that fixes the core issue.  The bigger concern is that there was a blanket block applied to all cfprotools.com domains and subdomains.  That blocks my entire service because something was found on the sales page.  That literally shuts down the service for thousands of clients because of something weird on the sales page.

Can we please whitelist the app.cfprotools.com and cdn.cfprotools.com subdomains so that my customers are no longer getting warnings on their sites that use the CF Pro Tools service.  The sales page and the actual service are hosted in completely different environments.

I appreciate the help.  This is extremely detrimental to my business and my customers' businesses.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: False positive for cfprotools.com and associated domains
« Reply #8 on: September 28, 2020, 06:08:58 PM »
Hi jaime128,

You are welcome. Wait for a final verdict from one of the avast team members. They are the only ones to come and unblock.
We here are just volunteers with relative knowledge in the field of website security intelligence.

Phusion Passenger Enterprise 6.0.2 is affected by an authenticated Directory Traversal vulnerability
and an Insecure Permissions vulnerability in SpawningKit in Phusion Passenger....
->https://www.shodan.io/host/104.16.12.194

Again checking your destination domain: Destination -cfprotools.com
But a downgrade attack towards -http://cfprotools.com is possible.

DOM-XSS sinks and sources issues with results from scanning URL: -http://cfprotools.com
Number of sources found: 37
Number of sinks found: 436

polonus

Offline jaime128

  • Newbie
  • *
  • Posts: 10
Re: False positive for cfprotools.com and associated domains
« Reply #9 on: September 28, 2020, 06:31:56 PM »
Thanks for all the extra info.  To be honest, most of it is over my head.  From what I can understand, it appears that the reference to Phusion Passenger is related to the fact that the sales page for cfprotools.com is hosted by ClickFunnels.  ClickFunnels serves hundreds of thousands of sites across the internet and has an entire security team that works to keep things secure.  Hopefully this block can be reversed to avoid the negative impact on my business and my customers' business.

I can appreciate the effort to keep Avast customers safe, but hopefully everyone can understand that making a blanket block for an entire domain and all subdomains can have far reaching and catastrophic effects. 

I'm more than happy to help get this resolved in any way possible.  It would be amazing to be able to scan app.cfprotools.com and cdn.cfprotools.com separately and add them to the clean list.  Those domains are used specifically to provide services directly to my customers.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: False positive for cfprotools.com and associated domains
« Reply #10 on: September 28, 2020, 10:25:11 PM »
Hi jaime128,

I fully understand that the technical side of that potential detection is rather out of scope for the average and non-tech-savvy user to grasp the meaning and the full implications of what I report back here. But it can assist website developers/admins and cloud provider staff and server admins. It is public information from 3rd party cold recon scan results. Going to the website is just to check on the avast detection, and that is still there at the moment I am writing this to you.

So after you have reported an FP to avast, we all should wait for avast team to come up with an answer.
They know best what they flagged and why, and whether this is a genuine detection or not.

I bumped the matter there by PM, so let us wait and see.
Again they are the only ones to give the all green to the site or keep it blocked.

It could well be ClickFunnels is not at the core of the problem, but a kind of cloaking they use that could be interpreted as PHISHing,
again we have to wait for a final verdict with those that decide on avast's detection repertoire. ;)

Hope the issue will be sorted out for you soon, consider:
https://www.virustotal.com/gui/url/8104d5260c5c2f391aa3510d5c6e1fb57b4fa3b84d22f21e1326cce5c3d67576/detection
1 to flag: https://www.virustotal.com/gui/ip-address/104.16.12.194/detection  (1 engine detects this IP).
Executable detection: https://www.virustotal.com/gui/ip-address/104.16.12.194/relations

polonus

« Last Edit: September 28, 2020, 10:40:13 PM by polonus »

Offline jaime128

  • Newbie
  • *
  • Posts: 10
Re: False positive for cfprotools.com and associated domains
« Reply #11 on: September 28, 2020, 10:42:53 PM »
Thank you for the extra info.  I appreciate it.


Offline ryan380

  • Newbie
  • *
  • Posts: 1
Re: False positive for cfprotools.com and associated domains
« Reply #12 on: September 29, 2020, 05:40:40 AM »
Hello, I'm a representative from ClickFunnels. It appears that the Cloudflare bot protection via JS challenge is being flagged as malicious. The difference of 8556 bytes is likely that of bot protection served in instances where deemed necessary and is obfuscated but is merely used to prevent simple bots from attacking our sites. Can someone from AVAST please confirm this is the case? If so, we would suggest a more thorough review of the bot protection mechanism in this case and would suggest updating the mechanism AVAST is using to detect malicious code. That or whitelisting Cloudflare specifically as this is a means to protect many sites on the internet.

We're happy to help provide any details necessary and/or bring the appropriate contacts from Cloudflare on a conversation to resolve this.

Please advise.
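Added example (not code from the thread, nor from Avast, ClickFunnels or Cloudflare): a small Python triage helper for the two technical points raised above, the browser-vs-GoogleBot byte difference polonus reports and ryan380's explanation that the extra bytes are an obfuscated Cloudflare JS challenge. It compares the HTML a site returns for a browser user agent with what it returns for a crawler user agent, measures the byte delta, and checks whether the browser-only part looks like a JSFuck-style challenge script next to a `challenge-form` element; the sample HTML, the function names and the thresholds are assumptions made for this example.

```python
"""Triage helper for the browser-vs-crawler 'cloaking' signal in this thread.

Measures the byte delta between the browser and crawler responses, then
characterises the browser-only content: a Cloudflare-style JS challenge shows
up as a `challenge-form` element plus JSFuck-style `!![]`/`+[]` arithmetic,
a different finding from an injected phishing kit. Sample HTML is constructed.
"""
import re
from dataclasses import dataclass

# JSFuck encodes every value with the characters []()!+ only; a script made
# largely of these tokens is a strong hint of that encoding style.
_JSFUCK_TOKENS = re.compile(r"!!\[\]|!\+\[\]|\+\[\]|\+!!\[\]")
_SCRIPT_BODY = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
_CHALLENGE_FORM = re.compile(r'<form[^>]+class="[^"]*\bchallenge-form\b', re.I)

@dataclass
class CloakingReport:
    delta_bytes: int        # len(browser) - len(crawler), signed
    jsfuck_density: float   # share of inline-script chars inside JSFuck tokens
    has_challenge_form: bool
    verdict: str

def jsfuck_density(html: str) -> float:
    """Fraction of inline <script> text made up of JSFuck-style tokens."""
    scripts = "".join(_SCRIPT_BODY.findall(html))
    if not scripts:
        return 0.0
    token_chars = sum(len(m.group(0)) for m in _JSFUCK_TOKENS.finditer(scripts))
    return token_chars / len(scripts)

def compare_variants(browser_html: str, crawler_html: str,
                     delta_threshold: int = 1024) -> CloakingReport:
    """Classify how the two responses differ (thresholds are assumptions)."""
    delta = len(browser_html.encode()) - len(crawler_html.encode())
    density = jsfuck_density(browser_html)
    form = bool(_CHALLENGE_FORM.search(browser_html))
    if abs(delta) < delta_threshold:
        verdict = "no significant cloaking"
    elif form and density > 0.3:
        verdict = "browser-only JS challenge (bot-protection style); confirm with CDN/WAF owner"
    elif density > 0.3:
        verdict = "browser-only obfuscated script, no challenge form; manual review"
    else:
        verdict = "browser and crawler content differ; manual review"
    return CloakingReport(delta, round(density, 3), form, verdict)

# Constructed sample: the crawler gets a plain page, the browser additionally
# gets a challenge form plus a JSFuck-shaped script (shape only, not real code).
CRAWLER_HTML = "<html><body><h1>CF Pro Tools</h1><p>Get started</p></body></html>"
BROWSER_HTML = CRAWLER_HTML.replace(
    "</body>",
    '<form class="challenge-form" id="challenge-form" action="/?c=1"></form>'
    "<script>" + "(!+[]+(!![])+!![]+!![])+" * 120 + "</script></body>")
```

The verdict only narrows what the extra bytes look like; whether a challenge page is expected for a given host is still something to confirm with whoever operates the CDN or WAF in front of it.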


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: False positive for cfprotools.com and associated domains
« Reply #13 on: September 29, 2020, 11:06:46 AM »
Howdy ryan380,

Thank you for reporting back. We are all waiting here for a reaction from avast's as to what they exactly have flagged, and what they hold about this all. I PM-ed for a reaction from avast team.

I just reported in this thread on the cloaking info and the difference between code, as to what Google and Googlebot will be presented with.

Whenever that is what CloudFlare's bot protection is causing, that has to be solved in between the respective development teams.
I cannot be in that crossfire, that is fully out of my scope here. Both parties are helped by cooperation.

I also hope, that jaime128 will also bark up at CloudFlare's tree on this issue.

The waiting now is for an avast team member reaction, as this is their detection, their blocking, and finally also completely their official forums where they have rendered me a platform to comment as an error-hunter in the field of website security intelligence to further their mission. Stay secure both online and offline, is the wish of,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: False positive for cfprotools.com and associated domains [Not yet SOLVED]
« Reply #14 on: September 29, 2020, 12:25:05 PM »
See now that that detection is no longer there, finalizing this thread here with a [SOLVED].
Update - Actually avast's web shield is still detecting.

Still there is an "unexpected token" error in the code on line 9 etc.
Quote
<form class="challenge-form" id="challenge-form" action="/?
, that is left for ryan380 to take up with the appropriate development team concerned.

Hopefully all's well that ends well,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: September 29, 2020, 05:39:47 PM by polonus »