Avast is blocking my website

Hello,

Avast is blocking my company website and I’d like to know how to detect whether there is any threat. I’m confident there isn’t any, but I’d like to know a trustworthy way to check this. And, of course, if this is a false positive, I’d like to know how to proceed.

The website is www.brax.com.br.

It is hosted in DreamHost in a shared plan (which may or may not be the issue here).

I checked with VirusTotal and I got “Clean site” everywhere.

Can you help me, please?

Thanks in advance.

URL:Mal = IP and/or domain is blacklisted

VirusTotal does not scan websites.

Thanks Eddy.

I mean virustotal.com, which someone else in the forum used to verify a website.

Anyway, how can I check if it’s the IP (from my shared hosting) or my domain name?

If it is my domain name, how can I find out how it got blacklisted and do something about it?

Thank you!

As I said, virustotal does not scan websites, it only checks certain blacklists.

Run online scans and look at blacklists to find out why avast (might have) blacklisted the domain/site.

Other than outdated jQuery, none of the scanners in my bookmarks detect any malicious code:

http://retire.insecurity.today/#!/scan/4f516ced4949143164cd1d910981edfaf80e77a9ffe3f226b7eea4e9247cad38

If you haven’t already, update to PHP 7 if possible; much better performance for your entire site.

Also update Modernizr: https://modernizr.com/news/modernizr-3-3-1

And any other frameworks your site runs.

Add Incapsula CDN for protection and better performance:

https://www.incapsula.com/cdn-content-delivery-network/
https://www.incapsula.com/incapsula-vs-cloudflare.html

Maybe LiteSpeed as web server will help you save resources too :slight_smile:

@Eddy,

URLVoid didn’t report anything.

MultiRBL had two reports:
RFC-Clueless (RFC²) Metalist RBL
RFC-Clueless (RFC²) whois RBL

Malc0de didn’t report anything

WhatIsMyIPAddress didn’t report anything

Is it possible that the RFC-Clueless Metalist and whois are causing this?

Any other blacklist checker I should use?

@Steven,

Thank you! I will check those tips! So it is unlikely that Avast blocked my website for malicious code, right?

Thanks again!

All scanners I have do not report malicious code, but maybe @polonus can find more :slight_smile: I’ve notified him.

As for a CDN, you can also use CloudFlare, but I can’t recommend them; see the CloudFlare vs Incapsula link to see why :slight_smile:

I would like to check with Hybrid-Analysis but they had to take down URL Analysis about 30 minutes ago -_-

MultiRBL had two reports: RFC-Clueless (RFC²) Metalist RBL, RFC-Clueless (RFC²) whois RBL
This is related to spam blocking ... mail from a listed IP probably gets a higher spam score from the spam filter.

I checked in rfc-clueless.org; it says the ADD request was ACCEPTED, with the following comment:
whois.registro.br provides only eMail address of each contact. It provides neither the address of the registrant nor phone number of any contact.

Is it possible that the absence of those data in my country’s registrar are causing this issue?

EDIT: Actually the problem is with the WHOLE “.br” suffix, which is very strange.

"brax.com.br is INDIRECTLY listed in RFC2 RBL.

An ancestor of brax.com.br is causing the domain to be listed. You cannot directly remove brax.com.br as it is not directly listed."

The “ancestor” word links to http://rfc-clueless.org/lookup/br
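Added example (not code from any poster in this thread): how DNS-based blocklists of the kind MultiRBL queries actually work, and why a name can be listed "indirectly" through an ancestor as reported above. An IP list (DNSBL) is queried by reversing the address labels and appending the list's zone (192.0.2.10 becomes 10.2.0.192.<zone>); a domain list (RHSBL) is queried by appending the zone to the domain, and a list that honours parent domains is checked for every ancestor (brax.com.br, com.br, br). An A record in 127.0.0.0/8 means "listed". The zones rhsbl.example and dnsbl.example and the answer table are constructed stand-ins, so the script runs offline; pass a real resolver such as socket.gethostbyname to query a live zone.

```python
"""Added example: DNSBL/RHSBL query construction and ancestor-chain lookup.

Zones and the answer table are constructed stand-ins (hypothetical);
replace constructed_resolver with a real resolver to query a live list.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]  # query name -> A record text, or None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        # IPv6 lists use one reversed nibble per label, as in ip6.arpa
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def domain_ancestors(domain: str) -> List[str]:
    """brax.com.br -> [brax.com.br, com.br, br] (most specific first)."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def is_listed_answer(answer: Optional[str]) -> bool:
    """DNSBLs signal a hit with an address inside 127.0.0.0/8."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def ip_listing(ip: str, zone: str, resolve: Resolver) -> Dict[str, object]:
    """Check one IP against one DNSBL zone."""
    qname = dnsbl_query_name(ip, zone)
    answer = resolve(qname)
    return {"query": qname, "listed": is_listed_answer(answer), "answer": answer}


def rhsbl_listing(domain: str, zone: str, resolve: Resolver) -> Dict[str, object]:
    """Walk the ancestor chain; report whether the hit is direct or inherited."""
    own = domain.lower().rstrip(".")
    for name in domain_ancestors(own):
        answer = resolve(f"{name}.{zone}")
        if is_listed_answer(answer):
            return {
                "status": "direct" if name == own else "indirect",
                "listed_by": name,
                "answer": answer,
            }
    return {"status": "not listed", "listed_by": None, "answer": None}


# Constructed answer table standing in for DNS (hypothetical zones and hits).
_CONSTRUCTED_ANSWERS = {
    "br.rhsbl.example": "127.0.0.2",          # a whole TLD listed -> every .br name hits indirectly
    "10.2.0.192.dnsbl.example": "127.0.0.3",  # one shared-hosting IP listed
}


def constructed_resolver(qname: str) -> Optional[str]:
    """Stand-in resolver: returns the constructed A record for a query name."""
    return _CONSTRUCTED_ANSWERS.get(qname)


if __name__ == "__main__":
    print(rhsbl_listing("brax.com.br", "rhsbl.example", constructed_resolver))
    print(rhsbl_listing("example.org", "rhsbl.example", constructed_resolver))
    print(ip_listing("192.0.2.10", "dnsbl.example", constructed_resolver))
```

Two things the output makes concrete: an "indirect" hit cannot be delisted by the site owner, because the listed name belongs to someone else, and an RBL hit of this kind only raises the spam score of mail from the listed name or IP. It is a separate list from whatever produced the URL:Mal verdict, so a clean or dirty RBL result says nothing on its own about the web block.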

Could be something with the IP and the neighbouring domains there.
See reverse DNS address: http://toolbar.netcraft.com/site_report?url=http://apache2-bongo.cameo.dreamhost.com

Look here for some error and warnings: https://mxtoolbox.com/domain/www.brax.com.br/
Check for Stealth Name Servers

WARNING: http://www.dnsinspect.com/brax.com.br/1456261718
Found stealth name servers:
ns3.dreamhost.com.
All name servers returned by domain name servers should be listed at parent servers.
Reverse Entries for MX records.
AOS blocks on basis of a web analysis.

Check your WordPress plug-ins:
WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.
Are there any with leftover code, and are all patched?

mtphr-shortcodes, latest release (2.2.7)
mtphr-widgets, latest release (2.2.1)
ditty-image-ticker
mtphr-galleries, latest release (2.0.18)
ditty-posts-ticker
mtphr-members, latest release (1.1.7)
ditty-twitter-ticker
ditty-news-ticker, latest release (2.0.6), http://dittynewsticker.com/
contact-form-7 4.4, latest release (4.4), http://contactform7.com/

Important misconfiguration (not that anyone has direct access, nevertheless insecure):
Warning User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.

ID User Login
1 None lucas-dias-gabriel
2 None rander-couto

It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

And another one :o Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Some issues here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.brax.com.br
See: Results from scanning URL:
-http://www.brax.com.br/wp-includes/js/mediaelement/mediaelement-and-player.min.js?ver=2.18.1
Number of sources found: 38
Number of sinks found: 51

You should get the final verdict from an Avast Team Member.
We are just volunteers with relevant knowledge.

polonus (volunteer website security analyst and website error-hunter)
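Added example (not polonus's scanner and not code from this thread): offline reproductions of the two WordPress findings quoted above. User enumeration works because a default WordPress install answers GET /?author=N with a redirect to /author/<login>/, leaking the login name for each user ID; directory indexing shows up as a 200 with an Apache "Index of" page for /wp-content/uploads/ instead of a 403 or 404. The hostname blog.example, the logins alice and bob and the response bodies are constructed sample data; for a live site, replace constructed_fetch with a real client (e.g. urllib.request) that returns (status, headers, body).

```python
"""Added example: detect WordPress user enumeration and directory indexing
from HTTP responses. The response table below is constructed (hypothetical).
"""
import re
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)
Fetch = Callable[[str], Response]

AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)/?")
APACHE_INDEX = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


def enumerate_users(fetch: Fetch, max_id: int = 2) -> Dict[int, str]:
    """Map user ID -> login for every ID the site discloses via ?author=N."""
    found: Dict[int, str] = {}
    for user_id in range(1, max_id + 1):
        status, headers, body = fetch(f"/?author={user_id}")
        # redirect: slug is in Location; some themes render the archive directly
        target = headers.get("Location", "") if 300 <= status < 400 else body
        match = AUTHOR_SLUG.search(target) if status in (200, 301, 302) else None
        if match:
            found[user_id] = match.group(1)
    return found


def directory_indexing(fetch: Fetch,
                       paths=("/wp-content/uploads/", "/wp-content/plugins/")) -> Dict[str, bool]:
    """True for each path where the server returns an autoindex listing."""
    result: Dict[str, bool] = {}
    for path in paths:
        status, _headers, body = fetch(path)
        result[path] = status == 200 and bool(APACHE_INDEX.search(body))
    return result


def audit(fetch: Fetch, max_user_id: int = 3) -> Dict[str, object]:
    return {
        "users": enumerate_users(fetch, max_user_id),
        "directory_indexing": directory_indexing(fetch),
    }


# Constructed responses modelled on the findings quoted above (made-up host and logins).
_RESPONSES: Dict[str, Response] = {
    "/?author=1": (301, {"Location": "http://blog.example/author/alice/"}, ""),
    "/?author=2": (301, {"Location": "http://blog.example/author/bob/"}, ""),
    "/?author=3": (404, {}, "<h1>Page not found</h1>"),
    "/wp-content/uploads/": (200, {"Content-Type": "text/html"},
                             "<html><head><title>Index of /wp-content/uploads</title></head>"
                             "<body><h1>Index of /wp-content/uploads</h1><ul><li>2016/</li></ul></body></html>"),
    "/wp-content/plugins/": (403, {}, "<h1>Forbidden</h1>"),
}


def constructed_fetch(path: str) -> Response:
    """Stand-in HTTP client serving the constructed table."""
    return _RESPONSES.get(path, (404, {}, ""))


if __name__ == "__main__":
    print(audit(constructed_fetch))
```

On Apache shared hosting the listing is switched off with `Options -Indexes` in the site's `.htaccess` (or a blank `index.php` dropped into `uploads/`), and `?author=N` probes can be refused with a mod_rewrite rule matching a query string that begins with `author=`. As the scanner text above notes, renaming users does not help while author archives still expose the slugs, so the test is worth re-running after any change.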
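Added example (not the DOM XSS scanner's code): the kind of source/sink grep that produces counts like the 38 sources and 51 sinks quoted above, with a one-level taint pass added so it reports only the sink statements that are fed from an attacker-controlled source, either directly or through a simple variable assignment. The JavaScript snippet and its variable names are constructed. The point for a verdict like this one: a raw count from a minified media-player library is a lead for review, not a vulnerability, and the taint step is what separates the two.

```python
"""Added example: regex source/sink scan with one-level taint propagation.
JS_SAMPLE and its identifiers are constructed for the demo.
"""
import re
from typing import Dict, List, Set

# attacker-influenced DOM inputs
SOURCES = [
    r"\blocation\.(?:hash|search|href|pathname)\b",
    r"\bdocument\.(?:URL|documentURI|referrer|cookie)\b",
    r"\bwindow\.name\b",
]
# sinks that interpret a string as HTML or code
SINKS = [
    r"\.(?:innerHTML|outerHTML)\s*=(?!=)",
    r"\bdocument\.write(?:ln)?\s*\(",
    r"\beval\s*\(",
    r"\.insertAdjacentHTML\s*\(",
    r"\bsetTimeout\s*\(\s*['\"]",
]
# `var x = ...` / `x = ...` on a plain identifier (member assignments are sinks, not taint)
ASSIGN = re.compile(r"^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.*)$", re.DOTALL)


def count_matches(patterns: List[str], js: str) -> int:
    return sum(len(re.findall(p, js)) for p in patterns)


def statements(js: str) -> List[str]:
    # demo-grade splitting: a statement ends at ';' (not string-aware)
    return [s.strip() for s in js.split(";") if s.strip()]


def mentions(patterns: List[str], text: str) -> bool:
    return any(re.search(p, text) for p in patterns)


def uses_tainted(tainted: Set[str], text: str) -> bool:
    return any(re.search(rf"\b{re.escape(v)}\b", text) for v in tainted)


def scan(js: str) -> Dict[str, object]:
    """Count sources and sinks, then flag sinks reachable from a source."""
    tainted: Set[str] = set()
    flagged: List[str] = []
    for stmt in statements(js):
        if mentions(SINKS, stmt) and (mentions(SOURCES, stmt) or uses_tainted(tainted, stmt)):
            flagged.append(stmt)
        m = ASSIGN.match(stmt)
        if m:
            name, rhs = m.group(1), m.group(2)
            if mentions(SOURCES, rhs) or uses_tainted(tainted, rhs):
                tainted.add(name)
            else:
                tainted.discard(name)  # reassigned from a clean value
    return {
        "sources": count_matches(SOURCES, js),
        "sinks": count_matches(SINKS, js),
        "tainted_vars": tainted,
        "tainted_sinks": flagged,
    }


# Constructed snippet: two real source-to-sink flows, one clean sink, one safe sink.
JS_SAMPLE = """
var q = location.hash.slice(1);
var title = document.title;
document.getElementById('out').innerHTML = q;
document.write('<p>' + decodeURIComponent(location.search) + '</p>');
el.textContent = location.href;
var safe = 'hello';
el2.innerHTML = safe;
"""

if __name__ == "__main__":
    for key, value in scan(JS_SAMPLE).items():
        print(key, value)
```

On the sample the grep reports 3 sources and 3 sinks, but only two statements are flagged: the innerHTML write fed by `q` and the document.write that embeds location.search. The textContent assignment uses a source but is not a sink, and the second innerHTML write is a sink fed from a constant. Flows that cross function boundaries, object properties or jQuery wrappers are beyond this one-level pass, so a clean result here is not proof of safety any more than a high count is proof of a bug.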

Thanks, polonus.

What is the “official” way to get this final verdict from an Avast Team Member?

Thank you.

submit a support ticket >> https://support.avast.com/support/tickets/new

Hi renatoat,

I have PM-ed an Avast Team Member that could come to unblock your site
when he feels it is no longer malicious. Hopefully he will respond here in this very thread. :wink:
Normally one is to report as Pondus stated and as is being described here, see
FAQ: https://www.avast.com/faq.php?article=AVKB194

polonus

I did submit a support ticket before opening this thread.

They answered today:

"Viruslab confirms the false positive and informs that it will be fixed in the next virus database update.

We apologize for any inconvenience."

Thank you guys!