Hello,
Avast Web Shield is blocking my personal web page (mekweb.eu) including all its subdomains. The reason is “URL:Blacklist”.
I reported a false detection 3 days ago, didn't receive any reply, and my site is still blocked!
How long should I wait? Is it normal that a website gets blocked without any reason? It doesn't contain any malicious content.
@Mek7,
Starting with the good news. No vulnerable jQuery libraries there:
https://retire.insecurity.today/#!/scan/58ad73795aa783784e61ea500b7a29135d422c2844dded2ae145468480d1971b
Improvement recommendations, 246 in all: https://webhint.io/scanner/48336579-64fb-4d19-b1bc-f2e1c3829c8b
On that hoster: https://www.shodan.io/host/194.99.21.204
DOM-XSS results on the website: 1 source and 96 sinks.
Wait for a final verdict from the avast team. We are just volunteers with relative knowledge,
but only avast team members can come and unblock.
Not only avast detects it; Dr.Web also flags the website as a known infection source.
Re: https://online.drweb.com/result/?lng=en&chromeplugin=1&url=https%3A%2F%2Fmekweb.eu
Greetings,
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Thanks for the links and replies,
I checked those and none of them told me what exactly is wrong with my website.
I created this forum topic to ask how long it usually takes for the Avast team to respond, if my false positive submission didn’t end in the void or such.
Hi Mek7,
They probably respond just over the week-end. I bumped it through a PM.
Let’s wait and see.
Certainly there is PHP insecurity on that website of yours; that should stay on the webserver, not out on that website.
polonus
As in a link given by Polonus, it looks like there are multiple domains located on this IP address.
This is also shown in this IP scan https://whois.domaintools.com/194.99.21.204
Whilst I don’t know if this is the cause, it is possible another domain on that IP address could be the cause. But we will have to see what the Avast virus labs say.
That said it is still being detected.
Hi Mek7,
A similar thing is what DavidR is hinting at; we have to wait for an avast team member's final verdict though.
They have the last word and are the only ones to come and unblock.
We here are just volunteers that can fill you in with relative information on website security etc.
Adblockers may block a tracker like -https://www.toplist.cz/ there at your website.
For me that is uMatrix, that blocks it.
Trackers on your website (Company / Primary Category / Tracker):
- Google Analytics / Google Analytics
- CDN / Googlecdn (www.foxnews.com)
- MaxCDN / CDN / Bootstrapcdn, Maxcdn
- TOPlist / Tracker / Toplist (* mentioned above as being blocked)
- jQuery / CDN / Jquerycdn
(source: Netcraft Site Report, UK).
3 websites use this IP address: https://whois.domaintools.com/194.99.21.204
So let us consider the scan results here: https://observatory.mozilla.org/analyze/mekweb.eu F-grade results.
and https://securityheaders.com/?followRedirects=on&hide=on&q=mekweb.eu
For some tools I get connection errors on the IP (see the errors mentioned by Sucuri in their scan results).
The Server value has been changed. Typically you will see values like "Microsoft-IIS/8.0" or "nginx 1.7.2".
That is excessive webserver info proliferation and you should take that up with the hoster, MVPS LTD.
polonus
Good night.
My website (ptd.verdao.net) is blacklisted and there is no problem, as shown in this link:
Can you ask them to remove the block, please?
Thank you.
@eduardo466
Use the "Reporting Possible False Positive File or Website" form (https://www.avast.com/false-positive-file-form.php), which goes to the virus labs.
The VirusTotal URL check doesn't actually scan for viruses; it checks for blacklisting. You will also notice that Avast isn't on the list of scanners.
@DavidR
Thank you!
You’re welcome.
Warning: Malware Detected
→ https://sitecheck.sucuri.net/results/ptd.verdao.net
→ https://labs.sucuri.net/signatures/sitecheck/rogueads/?lnkr.2
Code sample scan:
https://www.virustotal.com/gui/file/fa3ec2e75065a58d9ba8ccfb4146d870a8709357ab81652bb3949c26638b41b6/detection
Today I finally got a reply from AVAST (also from CRDF and dr.web), all have removed my website from the blacklist. I had a suspicion on a file (that has been marked as false positive for years and nobody cared even when I reported it multiple times) so I removed it from the website.
BTW, I know that more domains are hosted on that IP; that is my server and all of them are my domains, which were not blacklisted.
I know that Server value has been changed, and I customized it on purpose so that the server software is not known to the world (and any attackers). That should be taken as a good measure for reputation, not a bad one.
So thank you all for your posts, my issue has been solved. For the future (if anyone from the Avast team is reading this) - it would be nice to actually tell the website owner that his site has been blocked and why. Blocking a legitimate website out of the blue is just rude. My only luck is that I don't run any business related to the website and that my friend uses the Avast Web Shield and told me that my site is blacklisted. I, personally, am using Avast, but not the Web Shield.
Hi eduardo466,
You need some web intelligence and URL sanity. So let's go.
As you can see from the scan results Asyn and Pondus presented you with,
you can establish that your WordPress CMS is outdated, and that puts your website at risk on its own.
WordPress Version 5.2.4; version does not appear to be the latest.
Outdated plug-in software that puts your website at even greater risk:
Plugin / Update Status / About:
- wordpress-seo 13.4.1 / Warning: latest release is 14.9 / https://yoa.st/1uj
Plugins are a source of many security vulnerabilities within WordPress installations; always keep them updated to the latest version available and check the developer's plugin page for information about security related updates and fixes.
User Enumeration
The first two user ID’s were tested to determine if user enumeration is possible.
Username / Name:
- ID: 1 / blog-do-vingador
- ID: 2 / djalma-verdao
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.
Linked Sites
Reputation checks have been performed on the IP address for each of the linked sites. Hosts found on blacklists with poor reputation may be a threat to users of the site. Hosting and locations are also included in the results.
Externally Linked Host / Hosting Company, Netblock / OK:
- www.instagram.com / FACEBOOK
- www.twitter.com / TWITTER
- www.facebook.com / FACEBOOK
- voortz.com.br / UNIFIEDLAYER-AS-1
- www.verdao.net / OVH, FR
- servicos.tokiomarine.com.br / CLARO S.A., BR
- www.forumptd.com / OVH, FR
3 vulnerable libraries detected: https://retire.insecurity.today/#!/scan/44edf56363dd5bf6821f6968a013410e880f36b4339fdcd5de96f64eb41e1547
1965 hints to come to a better and more secure website: https://webhint.io/scanner/384438a0-14d2-4bb4-ae7f-9f6d8691cf91
Also consider these scans: https://observatory.mozilla.org/analyze/ptd.verdao.net
Detected JavaScript malcode here @ https://webcookies.org/cookies/ptd.verdao.net/31143198
See blacklisted domains there and suspicious patterns.
So you'd better wait now for the final verdict by an avast team member, as they are the only ones who can come and unblock,
or maintain that detection if the website qualifies further to stay blocked.
We here are just volunteers with relative web intelligence expertise, and our information is just informative to assist posters.
Use the information forwarded here in whatever form, as it is only informative. We never actually visited your site; all web scan results
resulted from 3rd party scanning, and from interpreting and combining such results.
So make Brazil's website infrastructure somewhat more secure, and stay safe both online and offline.
That’s a wish sent by,
polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
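A server-side mitigation for the author-archive and numeric-ID user enumeration described in the post above, as an added example that is neither polonus's nor WordPress's own code. It assumes a standard WordPress layout where the file is dropped into wp-content/mu-plugins/, and it complements, rather than replaces, the post's advice to rename the admin account.

```php
<?php
/**
 * Plugin Name: Block author enumeration (added example, not from the thread)
 * Assumption: placed in wp-content/mu-plugins/ of a standard WordPress site.
 * Must-use plugins load automatically and cannot be deactivated from wp-admin.
 */

// 1. A request like /?author=1 normally makes WordPress redirect to
//    /author/<login>/, which maps each numeric ID to a username. Hook at
//    priority 1 so this runs before redirect_canonical() (priority 10) and
//    send anonymous visitors to the front page instead.
add_action('template_redirect', function () {
    if (is_user_logged_in()) {
        return; // logged-in editors may still browse author archives
    }
    $numeric_probe = isset($_GET['author']) && is_numeric($_GET['author']);
    if (is_author() || $numeric_probe) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// 2. The REST route /wp-json/wp/v2/users lists every user who has published
//    a post, to anyone. Drop the collection and single-user routes for
//    visitors who are not logged in; the block editor, which needs them,
//    always runs with an authenticated session.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset(
        $endpoints['/wp/v2/users'],
        $endpoints['/wp/v2/users/(?P<id>[\d]+)']
    );
    return $endpoints;
});
```

Automated scanners probe the REST route as often as the ?author= form, so keep both parts even if pretty permalinks are disabled.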
Hi Mek 7,
Good that we could be of some assistance here in solving your problems with what appears to have been a lingering False Positive detection.
Such things happen, especially with larger AV solutions, but there are AV vendors with a considerably worse reputation in these respects.
Thinking here of McAfee. It is not often seen that Dr.Web and avast play ball at the same time; they often seem not to overlap in detection as such. Two different worlds actually, so to put it.
Also hope the general web intelligence analysis of your personal website was helpful in some way.
All’s well that ends well, so have a nice day. Thank you again for visiting the official avast forums,
and I hope you will stay with us in whatever capacity.
Respectfully,
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)