Avast detects my website as a Threat, Mal:url

I have a website, http://factwide.com
Any time I try visiting it on my browsers, either Mozilla Firefox, Chrome, I get “threat has been detected”
It displays the ip address of the website which is http://45.56.118.185/

Please help me out
I have tried checking the url on my friends that use Avast, I still get the same alert and threat detection

Thanks, Akpan Promise

Hi,

Your website indeed has some issues. If you take a look:

https://sitecheck.sucuri.net/results/factwide.com

You have outdated server software that is making visitors as well as the site vulnerable to infections.

Unable to connect to the server

https://www.ssllabs.com/ssltest/analyze.html?d=factwide.com

There are problems on the same IDS

http://urlquery.net/report.php?id=1435163186965

Blacklisted IP:
http://zulu.zscaler.com/submission/show/1ed892471a3dcedf0318e0c169942f32-1435164510
http://urlquery.net/report.php?id=1435164634271
http://urlquery.net/report.php?id=1435164655152

SOA problem:
http://dnscheck.pingdom.com/?domain=factwide.com

And what are all those cracks, warez and porn doing there ?

Netcraft risk status 2 red out of 10: http://toolbar.netcraft.com/site_report/?url=factwide.com
Not only SOA problems, also Nameserver response issues: FAIL: While quering domain’s records, some of your name servers didn’t responded. Name servers which didn’t responded:
udp4:75.127.96.10
udp6:2600:3c02::a
TCP connection errors: WARNING: Couldn’t connect using TCP protocol:
tcp4:75.127.96.10
tcp6:2600:3c02::a
Check your name server’s configurations and firewall rules. When response to a DNS query exceeds 512 bytes, TCP is negotiated and used, all name servers should allow TCP connections (port 53).
Warning: WARNING: We found different serial numbers on your name servers, it’s OK if you had modified your zone recently.
Error establishing a database connection - Temp/_index_defaultpage.html → http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.factwide.com/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO

Server: Apache/2.2.22 (Ubuntu) | X-Powered-By: PHP/5.3.10-1ubuntu3.18 | X-AspNet-Version: Unknown | X-AspNetMvc-Version: Unknown | Web forms app: No | ASP.NET site: No | ASP.NET version: Unknown | 6 requests were made by ASafaWeb:
URL Page title Response size Duration

  1. -http://www.factwide.com/ Database Error 251 bytes 108 ms
  2. -http://www.factwide.com/trace.axd Database Error 251 bytes 88 ms
  3. -http://www.factwide.com/< Database Error 251 bytes 112 ms
  4. -http://www.factwide.com/foo/trace.axd Database Error 251 bytes 107 ms
  5. -http://www.factwide.com/ (POST 1,001 params) Database Error 251 bytes 79 ms
  6. -http://www.factwide.com/elmah.axd Database Error 251 bytes 68 ms
    1,506 bytes 562 m
    Excessive headers warning and Clickjacking warning.

WP theme h4 vulnerable to shellshocker exploit! ->see on http://h4x0resec.blogspot.com/
vulnerable before using modsec!

So site might be under maintenance now.

polonus (volunteer website security analyst and website error-hunter)
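
The two header warnings in the report above (version-disclosing headers and missing clickjacking protection) can be checked for any response with a few lines of Python. This is an added example, not part of the original thread or of any tool named in it; the `Server` and `X-Powered-By` values are the ones quoted in the post, and the other sample headers and the function name are constructed for illustration.

```python
import re

# Constructed sample: Server and X-Powered-By are the values quoted in the post;
# the Content-Type header is made up for illustration.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10-1ubuntu3.18",
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed example of a response that passes both checks.
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

VERSION_RE = re.compile(r"/\d+(\.\d+)+")
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def audit_headers(headers):
    """Return a sorted list of finding strings for one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in DISCLOSING:
        value = h.get(name)
        if value is None:
            continue
        # A bare "Server: Apache" is acceptable; the other headers only
        # exist to advertise the software stack, so any value is flagged.
        if name != "server" or VERSION_RE.search(value):
            findings.append(f"version-disclosure:{name}={value}")
    xfo = h.get("x-frame-options", "").strip().lower()
    csp = h.get("content-security-policy", "").lower()
    # Framing is restricted by X-Frame-Options or by CSP frame-ancestors.
    if xfo not in ("deny", "sameorigin") and "frame-ancestors" not in csp:
        findings.append("clickjacking:no X-Frame-Options or CSP frame-ancestors")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```
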

Hello.
TwinHeadedEagle,
I have looked at the sitecheck, and found that to be correct, I use Apache2.2, while the latest is Apache2.4. But the server I use is Ubuntu12.04LTS. The Apache new version can and will ruin that version of Ubuntu, so I plan on upgrading the entire system.
But my question is once I update and upgrade it, will I still see that threat alert?

Hi Eddy,
Where in the world did you see porn in my site?

Dear Polonus,
I also checked too, you used http://www.factwide.com instead of http://factwide.com

Hi Akpan,
I can visit your website without any problems now - does Avast still complain when you try it?

Hi HonzaZ,

Can confirm the site opens up without any alerts.

polonus

I just found out something strange.
When I try to open the website in a browser there is no problem.
When I try to scan it with IntelliTamper the Avast webshield blocks it (url mal)

Looks like there is really something “fishy” going on on that IP…

Attachment is just a small part of the folder structure…

Hi Eddy, that anomaly is for AppData/Local/Temp/_index_defaultpage.html
resulting in:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Database Error</title>

</head>
<body>
<h1>Error establishing a database connection</h1>
</body>
</html>

Also see: http://www.domxssscanner.com/scan?url=http%3A%2F%2Ffactwide.com%2F

This plug-in code is vulnerable to https://www.exploit-db.com/exploits/18126/ → htxp://factwide.com/wp-content/plugins/jetpack/modules/wpgroho.js?ver=4.2.2

Vulnerable in -jquery.swipebox.min.js?ver=1.5.7 → Bugfix for fatal error: Call to undefined function add_submenu_page() in dynamic-widgets.php on line 633 when the host is not meeting the requirements (anymore).
Bugfix for several notices about an undefined index and deprecated wpdb::escape()
Bugfix for Invalid arguments passed in custompost_module.php on line 216, cured with 1.5.8.
But you all better update to version 1.5.10!

There is more than meets the eye at first glance, but these are the insecurities that came up strikingly right away.

polonus (volunteer website security analyst and website error hunter)

I still get the “threat has been detected” when I open the website on my browser. :cry:

I am confused.

I suggest you start with fixing all the issues we mentioned.

I was finally able to find out what’s wrong - the IP is not 45.56.118.185, as you mentioned in your post, but 45.56.113.185, as can be seen in the printscreen.
I am unblocking the IP now, but please do not take advice given in this topic lightly ;-)!