Author Topic: change the URL from www to wXw  (Read 731 times)

0 Members and 1 Guest are viewing this topic.

Offline eadhassan55

  • Newbie
  • *
  • Posts: 1
change the URL from www to wXw
« on: April 09, 2021, 09:54:01 PM »
Hello, I'm having problems with my website - wxw.forward-web.com whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears which states that the website is infected with URL:Phishing.

Please unblock this Url, thank you
« Last Edit: April 20, 2021, 06:19:45 PM by Milos »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85128
  • No support PMs thanks
Re: My website being blocked for apparent URL:Phishing
« Reply #1 on: April 09, 2021, 10:36:32 PM »
Hello, I'm having problems with my website - wXw.forward-web.com whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears which states that the website is infected with URL:Phishing.

Please unblock this Url, thank you

Please 'modify' your post change the URL from www to wXw (or just post the domain name), to break the link and avoid accidental exposure to suspect sites, thanks.

Considered a low security risk in this check https://sitecheck.sucuri.net/results/forward-web.com - but advices not to reveal the PHP version being used.

JQuery needs to be updated according to this check https://awesometechstack.com/analysis/website/forward-web.com/

There is a possibility that your domain is on an IP address that is used by many different domains (or has 3rd party links to other sites), if one of those is malicious you could be suffering.
See https://www.virustotal.com/gui/url/e05ecaba5f18bacc202fe8355a053f2b8e65599727c4344d6105365139878a7c/links

Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.5.2470 (build 21.5.6354.675) UI 1.0.646/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33200
  • malware fighter
Re: My website being blocked for apparent URL:Phishing
« Reply #2 on: April 10, 2021, 12:01:58 AM »
Confirming what DavidR states here:
Quote
1   missing-content-security-policy
No Content Security Policy configured for this site.
1   Outdated JavaScript Library
jquery   3.5.1   Found in -https://www.forward-web.com/assets/js/bundled-script-v1.0.1.js
Outdated JavaScript libraries detected. jquery 3.5.1
No vulnerabilities detected in this version

reported by retire.js

Additionally I report:

See: https://urlscan.io/result/9eae6679-3a08-43bb-b353-58b5215fe746/

What an avast alert could be based upon: https://urlscan.io/result/9eae6679-3a08-43bb-b353-58b5215fe746/#indicators

Also Location: hxtps://www.forward-web.com/
cf-request-id: 095a3a25ac0000c775d918c000000001
Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"hxtps:\/\/a.nel.cloudflare.com\/report?s=blSw4avP9LvZrX%2FdFW8UMu4rjyDIb5Do4jww2CA383ntDoiFx6nAho09k%2FeT0F%2FLpnB0XHUyqem%2F5eEaJZs%2FBZVvENYWzf3MoBkXsymyuLRCxbq4"}]}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 63d6f94f7ed9c775-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

=========================
Server IP(s):
0.0.0.0

Where we will find DATA  REDACTED...with bot client set-ups -> https://www.virustotal.com/gui/domain/a.nel.cloudflare.com/relations

Wait for a final verdict from avast team, as they are the only ones to come and unblock.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33200
  • malware fighter
Re: My website being blocked for apparent URL:Phishing
« Reply #3 on: April 10, 2021, 02:34:56 PM »
Somehow so-called Callback Recorddata through Amazon -https://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js
seems being involved.

Example
Quote
<html>

<head>
    <script src="//d3uvwl4wtkgzo1.cloudfront dot net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js"></script>
    <script src="chrome-extension://lcmaikahgebmdmnckjbaikfllpmgabei/detection/script.js"></script>
    <link id="smallstyle" rel="stylesheet" type="text/css" href="chrome-extension://aleacfocnimnddplebbpbfedfagnckcc/css/recreate_smallstyle.css">
</head>

<body><pre style="word-wrap: break-word; white-space: pre-wrap;">/**/ console &amp;&amp;console.log &amp;&amp;console.log({"ip": this part blurred for obvious reasons by me, pol. etc. etc.

});</pre><iframe id="finderUIWrapper" name="finderUIWrapper" src="chrome-extension://aleacfocnimnddplebbpbfedfagnckcc/html/iframe.html" style="display: none;"></iframe></body>

</html> 
Re: https://beta.shodan.io/search?query=https%3A%2F%2Fipinfo.io%2F

Stumbled unto this at various recent avast PHISHing detections, where this link shows up:
-https://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js

Let us wait for a reaction from avast team,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33200
  • malware fighter
Re: My website being blocked for apparent URL:Phishing
« Reply #4 on: April 12, 2021, 06:02:48 PM »
Site is still under downgrade attacks, as HTTPS Everywhere warns.
Avast still warns against this.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!