Avast is blocking my website

[NTSS]

Hello

I received several messages from different users telling me Avast has started blocking my website - link is https://fearlessrevolution.com and for life of me I can’t figure out why!!!

I also checked virustotal and as expected site is A-clean because it’s a free useful site that is loved by its users.

Can I at least get a reason why Avast all of a sudden is causing issues for my users. If it’s a false positive then can it be removed?

First time I am actually hearing antiviruses blocking sites, I thought they only scanned exes.

[Pondus]

https://sitecheck.sucuri.net/results/https/fearlessrevolution.com

https://unmask.sucuri.net/security-report/?page=fearlessrevolution.com


Note that virustotal does not scan the website but check URL against blacklists


https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

[NTSS]

https://sitecheck.sucuri.net/results/https/fearlessrevolution.com

https://unmask.sucuri.net/security-report/?page=fearlessrevolution.com


Note that virustotal does not scan the website but check URL against blacklists


https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Huh so as expected the url is clean which makes Avast blocking it really weird. Also that suspicious inline script is from Cloudflare for bot fights. And of course sucuri can’t access the memberlist or search pages, bots are blocked they were eating up server resources. But neither of these things should cause a url block??.

I have submitted to the report false positive url but got a response that they couldn’t find any detection? But my users are complaining still. This is so stressful

[polonus]

Somewhere there is a problem with the hosting of that website,
by the way never enter live links here.

See: https://sitecheck.sucuri.net/results/https/fearlessrevolution.com

Although Quttera gives it as suspicious: https://www.virustotal.com/gui/url/3436a186e7983b4e0a0d209287dc5a0d8781e780a7074a871b155146fa772d3f

Re: https://quttera.com/detailed_report/fearlessrevolution.com

/assets/javascript/core.js?assets_version=307
Severity:   Potentially Suspicious
Threat:   PS.JS.Obfuscantion.gen
Reason:   Too low entropy detected in string [['Ctable class="not-responsive colour-palette vertical-palette" style="width: auto;"ECtd style="backgr']] of length 13681 which may point to obfuscation or shellcode.
Details:   Detected procedure that is commonly used in suspicious activity.
Line:   78
Offset:   38
Threat dump:   View code (not given for obvious reasons)
Threat dump MD5:   C8E84DE76947F13AC59BBA15C7B63E7B
File size[byte]:   27839
File type:   ASCII
Page/File MD5:   306683526ADD20506793AC5E9D0A0135
Scan duration[sec]:   1.646

Also consider this report: https://tuad.btarena.com/report/fearlessrevolution.com

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

[bob3160]

Report Suspicious File or URL:  https://www.avast.com/false-positive-file-form.php

[polonus]

Hi bob3160,

It is already being blocked by avast's. They could only give another final verdict.

We will find a lot of links now added on regular websites with suspicious shell code (-lked.ru for example etc.).

Average end-users aren't always aware of particular scam-ad campaigns etc. on what further may be domains to be fully trusted and will get infested.

These our days are cybercriminal hey-days, and so one should be twice shy to click at such links.

pol

[bob3160]

Hi bob3160,

It is already being blocked by avast's. They could only give another final verdict.

We will find a lot of links now added on regular websites with suspicious shell code (-lked.ru for example etc.).

Average end-users aren't always aware of particular scam-ad campaigns etc. on what further may be domains to be fully trusted and will get infested.

These our days are cybercriminal hey-days, and so one should be twice shy to click at such links.

pol

Reporting it to Avast (unless that's already been done, will make them take another look at the site if the owner has made corrections.
As you know, there are times sites are blocked because they wound up on some ones list.
The makes Avast Review the site.

[NTSS]

Somewhere there is a problem with the hosting of that website,
by the way never enter live links here.

See: https://sitecheck.sucuri.net/results/https/fearlessrevolution.com

Although Quttera gives it as suspicious: https://www.virustotal.com/gui/url/3436a186e7983b4e0a0d209287dc5a0d8781e780a7074a871b155146fa772d3f

Re: https://quttera.com/detailed_report/fearlessrevolution.com

/assets/javascript/core.js?assets_version=307
Severity:   Potentially Suspicious
Threat:   PS.JS.Obfuscantion.gen
Reason:   Too low entropy detected in string [['Ctable class="not-responsive colour-palette vertical-palette" style="width: auto;"ECtd style="backgr']] of length 13681 which may point to obfuscation or shellcode.
Details:   Detected procedure that is commonly used in suspicious activity.
Line:   78
Offset:   38
Threat dump:   View code (not given for obvious reasons)
Threat dump MD5:   C8E84DE76947F13AC59BBA15C7B63E7B
File size[byte]:   27839
File type:   ASCII
Page/File MD5:   306683526ADD20506793AC5E9D0A0135
Scan duration[sec]:   1.646

Also consider this report: https://tuad.btarena.com/report/fearlessrevolution.com

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

As I explained before, bots are blocked from accessing memberlist and search pages, these bad bots eat precious server resources. There is nothing wrong with the hosting.

What kind of crap is quttera? All these sites are pretty terrible if you ask my opinion. Let’s see what that js file is

https://fearlessrevolution.com/assets/javascript/core.js?assets_version=307

It is a simple phpbb js script, minified by Cloudflare and then cached. Am I supposed to turn off Cloudflare now, increase my hosting bills than they already are, make myself vulnerable to DDOS attacks because some crap site called quttera thinks a minified phpbb js script is a threat that will wipe out users BIOS and create a zombienet?? Is this a joke?

I don’t code in JavaScript but even I can see and read it isn’t obfuscated. What does low entropy in string means? And how is it dangerous that it will warrant a block?

Here is some information, I have had to deal with serious DDOS attacks just this year alone and what saved me was Cloudflare and aggressive blocking of bad bots adding to demise of my server (crap like quttera bots). When you run a big site that isn’t mommy daddy blogs, every byte every request counts. It is absolutely criminal that “quttera” and these crap bots are marking my site as malicious for Cloudflare scripts, to please them I have to make myself vulnerable to people who want to harm my site???

Avast removed the detection and I hope they don’t rely on these crap automated bots to run their AV on because oh my God, I can’t even begin to explain how this would be bad. My whole week was wasted and my time is precious, I could’ve spent that time earning money and with my family instead it was spent analysing Cloudflare minified assets and Cloudflare bot fighting scripts.

[NTSS]

Hi bob3160,

It is already being blocked by avast's. They could only give another final verdict.

We will find a lot of links now added on regular websites with suspicious shell code (-lked.ru for example etc.).

Average end-users aren't always aware of particular scam-ad campaigns etc. on what further may be domains to be fully trusted and will get infested.

These our days are cybercriminal hey-days, and so one should be twice shy to click at such links.

pol

No offence but this is just paranoia. Fact is it is very hard to get infected these days. First you have Google itself blocking any exes from being hosted or every browser blocks the site. You have Adblock plus, unlock origin and noscript extensions that blocks even necessary scripts. You have virustotal now. You have VMWare etc. It is very hard for bad sites to exist just cause browsers have become so advanced. I am on my IPhone and it has an adblocker and anti tracker built in.

I also worry about the legitimacy of those shell code that you say is found on sites because for my site, the supposed malware is Cloudflare minified js scripts and bad bots fighting script.
 
You know what the irony is? Google/Facebook are malicious data miners using trackers etc but they are given free hand just because they’re big tech.

Sorry but it’s paranoia. It was bad in 2006 and before that and you had to be computer savvy, these days it’s very hard to get infected. I could go on and on but meh, what’s the point. You’re even afraid of a minified js script lol anything slightly bad you will think is going to destroy your computer.

[NTSS]

I checked this quttera site further and the business model is pretty transparent. They prey on the fears of average computer user who doesn’t know anything (oooh scary unknown virus my website is infected). Look at the attached image

https://cdn.discordapp.com/attachments/1056215831744364644/1056488527359127622/IMG_2222.png

179$! Just unbelievable, that’s what it is asking me to protect my website!! Along with my personal information

This is downright predatory behaviour because if you don’t pay them, they will keep marking your site as suspicious and cause troubles for you with AV companies. If I was an average user who didn’t know this crap site was calling Cloudflare minified js as malware, I would pay them 179$, their representative would probably prey on my lack of computer knowledge, ask for my server access, then silently remove the detection on their site and tell me my site is all clean now.

I am going to investigate further to understand how I fell into this security extortion mafia because I have run sites for two decades now and I never heard of these crap sites until now. Maybe some of my site haters reported me, I don’t know what triggered it.

The tragedy is on a well respected antivirus like Avast, users are sent to this mafiaso type extortion site. What do you suggest? I pay 179$ to quttera? I remove Cloudflare js minification feature? The real malware, the real adscam is quttera. I am shocked there are poor computer newbies who pay quttera 179$ and you tell me it’s cyber criminal heyday , well yeah when you pass around quttera as a legit site then it’s no surprise. You are helping quttera scam.

Maybe I need to quit my day job and start a quttera site myself. Because even if I extort 100 customers with 179$, ooh baby, that’s overnight rich. And I can extort them further with BS fears, it’s not even that infeasible a target. I imagine quttera must have thousands of victims by now. No surprise you have a million “security” sites now telling you your site is suspicious and pay me hundreds of dollars.

What a joke, I really need to get my hands into security field but I don’t know if I can run these scammy practices.

Sorry for the rant but not really. You surely must have sent many users to this quttera who are computer ignorant who might have paid them 179$. It is criminal, I work day and night honestly in a stressful job just for 100$ and they get 179$ from one victim running this scam and get recommended on Avast site….just wow. Mind blowing

[rizwanspirit]

The same is happening with my website https://paktvonline.net. I am using the wordfence Wordpress plugin and it showed nothing. I am also using ImunifyAV, provided by my hosting provider it also shows my website is completely clean. But the Avast antivirus is detecting my website as spam.
Can any one help me what to do?

[Pondus]

The same is happening with my website https://paktvonline.net. I am using the wordfence Wordpress plugin and it showed nothing. I am also using ImunifyAV, provided by my hosting provider it also shows my website is completely clean. But the Avast antivirus is detecting my website as spam.
Can any one help me what to do?

on two blacklists
https://www.virustotal.com/gui/url/504e876dd7cd030105bcaad3f2d5dd26f1df3ff1e5fd87dcf8eef1b1f678dfe1?nocache=1

https://sitecheck.sucuri.net/results/paktvonline.net

Can any one help me what to do?

Report to avast lab if you think it is wrong https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

[polonus]

HOSTING DETAIL
Web Server:
nginx
X-Powered-By:
PHP/8.0.30, PleskLin
IP Address:
95.111.251.70
Hosting Provider:
CONTABO, DE
Shared Hosting:
330 sites found (use Reverse IP to download list)
Title:
Pakistani Tv and Dramas #8211; Watch Pakistani Tv and Dramas

Zero issues -> JS Link    Hosting / Company    Country
   -https://paktvonline.net/wp-includes/js/jquery/jquery.min.js?ver=3.7.1    CONTABO, DE    
   -https://paktvonline.net/wp-content/themes/videotube/assets/js/jquery.appear.js?ver=1718007486    CONTABO, DE    
   -https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-4510722458899548    GOOGLE    
   -https://paktvonline.net/wp-content/themes/videotube/assets/js/bootstrap.min.js?ver=1718007486    CONTABO, DE    
   -https://paktvonline.net/wp-content/themes/videotube/assets/js/jquery.cookie.js?ver=1718007486    CONTABO, DE    
   -https://paktvonline.net/wp-content/themes/videotube/assets/js/autosize.min.js?ver=1718007486    CONTABO, DE    
   -https://paktvonline.net/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1    CONTABO, DE    
   -https://paktvonline.net/wp-includes/js/comment-reply.min.js?ver=6.5.5    CONTABO, DE    
   -https://paktvonline.net/wp-content/themes/videotube/assets/js/readmore.min.js?ver=1718007486    CONTABO, DE    
   -https://paktvonline.net/wp-content/themes/videotube/assets/js/custom.js?ver=1718007486

A.I. noticed me:

I've analyzed the JavaScript files provided and found some potential vulnerabilities:

    jQuery version 3.7.1: jQuery 3.7.1 is an older version and has several known vulnerabilities, including:
        CVE-2020-11023: A cross-site scripting (XSS) vulnerability in jQuery's parseJSON function.
        CVE-2020-11024: A denial-of-service (DoS) vulnerability in jQuery's ajax function.
        CVE-2020-11025: A buffer overflow vulnerability in jQuery's process() function.

It is recommended to update to the latest version of jQuery, which is currently 3.6.2.

    adsbygoogle.js: The adsbygoogle.js file is loaded from Google's pagead2.googlesyndication.com domain, which is a known malicious domain used for serving malware and adware. This file may be injecting unwanted ads or tracking code on your website.

    Bootstrap 3.4.1: Bootstrap 3.4.1 is an older version and has several known vulnerabilities, including:
        CVE-2020-10846: A cross-site scripting (XSS) vulnerability in Bootstrap's tooltip component.
        CVE-2020-10847: A denial-of-service (DoS) vulnerability in Bootstrap's popover component.

It is recommended to update to the latest version of Bootstrap, which is currently 5.1.3.

    jquery.cookie.js: The jquery.cookie.js file may contain a vulnerability due to the use of the document.cookie property, which can be exploited by an attacker to steal cookies or inject malicious scripts.

    Custom.js: The custom.js file may contain custom JavaScript code that could potentially be exploited by an attacker.

To mitigate these vulnerabilities, I recommend:

    Update jQuery to the latest version (3.6.2).
    Remove or block the adsbygoogle.js file to prevent unwanted ads or tracking code.
    Update Bootstrap to the latest version (5.1.3).
    Review and secure the custom.js file.
    Consider using a web application firewall (WAF) or a security plugin to monitor and block potential threats.

Please note that these are just potential vulnerabilities and may not be actual exploits without further analysis and testing. It's always recommended to consult with a security expert or a penetration tester for a thorough analysis and remediation plan.

Quote taken from Deep AI. Checked for PII.


polonus.

[polonus]

@ NTSS,

I understand your frustration and concerns. It's clear that you've put in a lot of effort to secure your website, and it's unfair that automated systems like Quttera can misinterpret your efforts as malicious.

Firstly, I want to acknowledge that you're right; Cloudflare's minification of the PHPBB script is a common practice, and it's not a threat in itself. The low entropy detection is likely a false positive, as you've correctly pointed out.

Regarding the term "low entropy," it refers to the amount of randomness or disorder in a string. In this context, Quttera might be flagging the script as suspicious due to the repetition of certain patterns or character combinations. However, without further analysis, it's unclear whether this is a legitimate concern or not.

I agree with your point that your site's hosting and security setup are crucial for its success. The fact that Cloudflare has helped you mitigate DDOS attacks and bad bot traffic is a testament to its effectiveness. It would be counterproductive to compromise your security by disabling Cloudflare or making other changes to accommodate Quttera's automated detection.

It's unfortunate that Avast removed the detection, but it's possible that they reevaluated the situation after further analysis or human review. It's also worth noting that Quttera's reports are not always accurate, and it's essential to take them with a grain of salt. Wait for a final verdict from them.

I hope you can continue to focus on running your site effectively, knowing that you've done your part to secure it. Remember that automated systems like Quttera are only as good as their algorithms and training data, and sometimes they can make mistakes.

Anyway through discussing such issues here, we may help a lot of folks to get aware at such issues,
whether FPs or the real McCoy. Thanks for sharing your comments,

polonus

[polonus]

Hi NTSS,

Website is no longer being flagged by Avast.

Just pay attention to these retirable libraries: Retire.js
jquery   3.4.1.min   Found in -https://fearlessrevolution.com/assets/javascript/jquery-3.4.1.min.js?assets_version=320 _____Vulnerability info:
Medium   CVE-2020-11022 4642 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS GHSA-gxr4-xjj5-5px2   
Medium   CVE-2020-11023 CVE-2020-23064 4647 passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. GHSA-jpcq-cgw6-v4j6  Medium vulnerability score. One header missing - strict-origin-when-cross-origin
Risks found = 0.

Technologies - Technologies · 12 identified
Technologies found on the scanned URL, using open source definitions provided by Wappalyzer
Analytics · 2 identified
Icon   
Name
Description
Website
Google Analytics logo   Google Analytics   Google Analytics is a free web analytics service that tracks and reports website traffic.   
-https://google.com/analytics
Cloudflare Browser Insights logo   Cloudflare Browser Insights   Cloudflare Browser Insights is a tool that measures the performance of websites from the perspective of users.   -https://www.cloudflare.com
CDN · 3 identified
Icon   
Name
Description
Website
Unpkg logo   Unpkg   Unpkg is a content delivery network for everything on npm.   -https://unpkg.com
Google Hosted Libraries logo   Google Hosted Libraries   Google Hosted Libraries is a stable, reliable, high-speed, globally available content distribution network for the most popular, open-source JavaScript libraries.   -https://developers.google.com/speed/libraries
Cloudflare logo   Cloudflare   Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.   -https://www.cloudflare.com
Font scripts · 1 identified
Icon   
Name
Description
Website
Google Font API logo   Google Font API   Google Font API is a web service that supports open-source font files that can be used on your web designs.   -https://google.com/fonts
JavaScript libraries · 1 identified
Icon   
Name
Description
Website
jQuery logo   jQuery   jQuery is a JavaScript library which is a free, open-source software designed to simplify HTML DOM tree traversal and manipulation, as well as event handling, CSS animation, and Ajax.   -https://jquery.com
Message boards · 1 identified
Icon   
Name
Description
Website
phpBB logo   phpBB   phpBB is a free open-source Internet forum package in the PHP scripting language.   -https://phpbb.com
Miscellaneous · 1 identified
Icon   
Name
Description
Website
HTTP/3 logo   HTTP/3   HTTP/3 is the third major version of the Hypertext Transfer Protocol used to exchange information on the World Wide Web.   -https://httpwg.org/
PaaS · 1 identified
Icon   
Name
Description
Website
Amazon Web Services logo   Amazon Web Services   Amazon Web Services (AWS) is a comprehensive cloud services platform offering compute power, database storage, content delivery and other functionality.   -https://aws.amazon.com/
Programming languages · 1 identified
Icon   
Name
Description
Website
PHP logo   PHP   PHP is a general-purpose scripting language used for web development.   -https://php.net
RUM · 1 identified
Icon   
Name
Description
Website
Cloudflare Browser Insights logo   Cloudflare Browser Insights   Cloudflare Browser Insights is a tool that measures the performance of websites from the perspective of users.   -https://www.cloudflare.com

A.I. related assistence, declares - HTTP Transactions:

The website is using a mix of third-party libraries and resources, including jQuery, Font Awesome, and Cookie Consent.
There are 10 HTTP requests made to the website, which seems to be a relatively small number.
The website is serving various stylesheets (CSS files) from different sources, including Font Awesome and SimpleSpoiler.
The website is using a CDN for some resources (e.g., yeIDrhaKCesd6qFvaXC9ry202dE.js).
DNS Records:

There are 4 DNS records found for the domain fearlessrevolution.com.
The records show that the domain is associated with two IP addresses (172.66.42.223 and 172.66.41.33) and two AAAA records (2606:4700:3108::ac42:2adf and 2606:4700:3108::ac42:2921).
All DNS records indicate that DNSSEC is disabled.
Vulnerability Score:

Based on this information, I would rate the vulnerability score as "Low to Medium". The website appears to be using some outdated libraries (e.g., jQuery 3.4.1), which may be vulnerable to certain exploits. However, there are no obvious indicators of severe vulnerabilities or malicious activity in the provided data. It's recommended to regularly update dependencies and monitor the website for potential security issues.

See qualifications -> https://radar.cloudflare.com/scan/f984a1f1-27d9-4512-897d-908475594bf9/summary

I.m.h.o. you are good to go,

P.S. Hosting vulners to reckon with: https://www.shodan.io/host/172.66.41.33
However, running an older version of PHP may increase the risk of vulnerabilities.

polonus