Blocking site

Hello,

My wife’s website is being blocked by avast - www.pilateswithangela.com. I have had our laptop serviced and had the wordpress site checked by both a web developer and also our hosting provider godaddy with no issues raised at all. I have run lots of checks recommended on similar posts of this type. The only erroneous error is on this site http://quttera.com/detailed_report/www.pilateswithangela.com. Is this enough of a concern to warrant the site being blocked? The site has been checked on a number of other laptops running other antiviruses and they have no issue.
Is the only solution to recreate the website using a different theme?
I raised a ticket with avast support 6 days ago and have heard nothing back :cry:

I am not very technical so please be kind in your responses

Any help greatly appreciated. This is keeping my wife awake at night.

James

URL:Mal = domain and/or IP is blacklisted

jQuery issues that need to be fixed:
http://retire.insecurity.today/#!/scan/3e980d077ff87059d99ddabc71f8ea1e0154661b1c4c6bcd754fa222fcd7cb3c

Blacklisted:
http://zulu.zscaler.com/submission/show/cb8c2dd360e4a4295666daddfd5118c7-1456696298
http://multirbl.valli.org/lookup/184.168.47.225.html
http://urlquery.net/report.php?id=1456696714896
http://urlquery.net/report.php?id=1456696726158

Several problems (including a link to a blacklisted site):
http://www.web-malware-removal.com/website-malware-virus-scanner/?url=www.pilateswithangela.com
https://sitecheck.sucuri.net/results/www.pilateswithangela.com

Infected:
http://quttera.com/detailed_report/www.pilateswithangela.com

Any tips on how we resolve these - recreate the website using a new wordpress theme?

That won’t solve the jQuery problem.
The problem is that an old version is used.

Another problem is the shared hosting on GoDaddy.

Apart from all the CMS issues that Eddy mentioned, which have to be tackled, there are also issues out of your hands, as those issues have to do with the IP, which you share with neighbours, and that neighbourhood might kick up issues as well and could be responsible for your domain being blocked.

Re: https://www.virustotal.com/en/ip-address/184.168.47.225/information/
JS:Redirector-BHC [Trj] is kicked up from the realms of that IP, as is JS:ScriptIP-inf [Trj].

And your domain also has health problems and is being blacklisted for spam here: https://mxtoolbox.com/domain/www.pilateswithangela.com/

So you might not be a happy GoDaddy customer… :wink:
as 184.168.47.225 is also listed on Cyberwarzone

polonus (volunteer website security analyst and website error-hunter)

Any chance you could be so kind as to explain that in layman’s terms? Who do we speak to for help?

Sorry to ask stupid questions but we are really stuck!

You could ask your hoster to be moved away from that IP range, after you have solved the issues on your side of the bargain (website configuration, CMS, hardening), or, better even, go for dedicated hosting of that domain. As it seems now, they won’t assist you pro-actively to solve your current problems with that domain on that shared IP, as they have mainly left you to fend for yourself. That could be the problem with bulk-hosting, and that is your situation explained in layman’s terms.

pol

You can find many good hosts out there like OVH (France), Microsoft Azure (Virtual Servers), Hetzner Online (Germany),
STRATO (Germany), HostEurope (Germany) and many, many more.

As Steven Winderlich so aptly notes, there is many an alternative to your existing hosting trouble.

pol

Just some things to start with (my opinion):

  • Stay away from GoDaddy.
  • Use dedicated hosting.
  • Don’t use WordPress but learn php, mysql and html5 and use that.

Yep, DreamWeaver can help here to edit the site, but you still have to learn PHP, HTML5 etc.

Also employ Incapsula CDN (For performance and security), keep the server up-to-date, use up-to-date frameworks.

IN SHORT: Keep everything updated.

Azure has some really nice help with their security center here :slight_smile: Just saying, and you only have to pay for what you actually use.

@ramisalami1716, eddy, Steven Winderlich,

To come back to the vulnerability that Quttera flags and kicks up as with

Too low entropy detected in string [[‘data:application/octet-stream;base64,AAEAAAAOAIAAAwBgT1MvMj7AUhIAAADsAAAAVmNtYXDYeRm3AAABRAAAAUpjdnQ’]] of length 580645 which may point to obfuscation or shellcode.
see for code flagged: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.pilateswithangela.com%2Fwp-content%2Fthemes%2Fcannyon%2Fmedia%2Fcss%2Ficons.css%3Fver%3D06ca29fd4093b4b1dedad26f6712c1c9
and
https://oscarotero.com/embed/demo/index.php?url=http%3A%2F%2Fwww.pilateswithangela.com%2Fwp-content%2Fthemes%2Fcannyon%2Fmedia%2Fcss%2Ficons.css%3Fver%3D06ca29fd4093b4b1dedad26f6712c1c9&options[minImageWidth]=0&options[minImageHeight]=0&options[facebookAccessToken]=&options[embedlyKey]=&options[soundcloudClientId]=YOUR_CLIENT_ID&options[oembedParameters]=

This code could create overflow problems on application servers - as Quttera warns for obfuscated shell code compromittal.
But with “same origin scripts” as seen from the following scan results you run less risks here I presume…

Also consider the stylesheet SRI issues for third-party CSS,
see: https://sritest.io/#report/263c737e-1fe9-4cf2-8f6c-e0bf13cbde97

Result from that report, for each of the three stylesheet tags checked: Missing SRI hash

This particular WordPress JavaScript code may enhance the overall WordPress vulnerability status: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.pilateswithangela.com%2Fwp-includes%2Fjs%2Fjquery%2Fjquery-migrate.min.js%3Fver%3D06ca29fd4093b4b1dedad26f6712c1c9
(superfish exploit vulnerable code :o )

So you see that establishing the security status of a particular website demands quite a bit of relevant knowledge, insight and, moreover, experience. I have seen many a piece of website code pass the “scan grinder” before I could point the “weaker bits” in it out to my audience here. Also redleg taught me a lot, and where specifically to look, see https://aw-snap.info/file-viewer/ :wink:

polonus (volunteer website security analyst and website error-hunter)
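Following up on the “Missing SRI hash” finding above, here is an added example (not code from this thread or from any of the scanners linked): a small PHP script that derives the Subresource Integrity value for a stylesheet body, emits the corresponding link tag, and re-checks a file the way a browser does. The CSS sample and the cdn.example.net URL are constructed placeholders.

```php
<?php
// Added example: Subresource Integrity (SRI) for a third-party stylesheet.
// The browser recomputes the digest of the fetched file and refuses to apply
// it if the value does not match, so a tampered or swapped CSS file is blocked.

function sri_integrity(string $body, string $algo = 'sha384'): string
{
    // Format is "<algo>-<base64(raw digest)>"; SRI allows sha256, sha384, sha512.
    if (!in_array($algo, ['sha256', 'sha384', 'sha512'], true)) {
        throw new InvalidArgumentException("unsupported SRI algorithm: $algo");
    }
    return $algo . '-' . base64_encode(hash($algo, $body, true));
}

function sri_link_tag(string $href, string $body): string
{
    // crossorigin="anonymous" is required for SRI checks on cross-origin resources.
    return sprintf(
        '<link rel="stylesheet" href="%s" integrity="%s" crossorigin="anonymous">',
        htmlspecialchars($href, ENT_QUOTES, 'UTF-8'),
        sri_integrity($body)
    );
}

function sri_matches(string $body, string $integrity): bool
{
    // Mirrors the browser-side check: recompute and compare in constant time.
    $parts = explode('-', $integrity, 2);
    if (count($parts) !== 2 || !in_array($parts[0], ['sha256', 'sha384', 'sha512'], true)) {
        return false;
    }
    return hash_equals($parts[1], base64_encode(hash($parts[0], $body, true)));
}

// Constructed sample: in practice fetch the exact file you will reference.
$css  = ".icon { font-family: 'icons'; }";
$href = 'https://cdn.example.net/icons.css';   // placeholder URL

echo sri_link_tag($href, $css), PHP_EOL;
echo 'unchanged file matches: ', var_export(sri_matches($css, sri_integrity($css)), true), PHP_EOL;
echo 'modified file matches:  ', var_export(sri_matches($css . '/*x*/', sri_integrity($css)), true), PHP_EOL;
```

Pin the hash only for a stylesheet version you control or have reviewed; when the third party updates the file, the browser will stop applying it until you update the integrity value.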

It was blocked back in 2015 due to distributing Angler EK. I do not see anything malicious on that domain right now, so I am unblocking it.

Great news for the owner of that website, that her website is not malicious and was unblocked by an Avast Team Member.
Whenever you mitigate the issues mentioned, the site will be more secure.
If you decide to continue using the WordPress CMS, I would:

  1. Only allow certain IP-addresses for /wp-admin/
  2. First log-in to the webserver with a unique username and password. *
  3. After that log-in to WordPress with a unique username and password.
  4. Then user enumeration should be set to disabled and directory listing should be set to disabled.

polonus (volunteer website security analyst and website error-hunter)
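As an added example (not code from this thread or from WordPress itself), a must-use plugin that implements the enforceable parts of steps 1 and 4 above: an IP allowlist for /wp-admin/ and wp-login.php, and two common user-enumeration paths. The two 203.0.113.x addresses are placeholders, and it assumes visitors reach the server directly rather than through a CDN or reverse proxy; directory listing is a web-server setting and is not handled in PHP.

```php
<?php
/**
 * Plugin Name: Harden admin access (added example)
 * Drop into wp-content/mu-plugins/ so WordPress loads it automatically.
 * Directory listing is a web-server setting (e.g. "Options -Indexes" in Apache)
 * and cannot be switched off from PHP.
 */

// Placeholder addresses from the documentation range; replace with your own.
const HARDEN_ADMIN_ALLOWLIST = ['203.0.113.10', '203.0.113.11'];

function harden_admin_enforce_allowlist(): void
{
    // admin-ajax.php is used by the public front end too, so leave it alone.
    if (wp_doing_ajax()) {
        return;
    }
    // Behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address; only
    // trust a forwarded header if that proxy is known to set it.
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!in_array($client, HARDEN_ADMIN_ALLOWLIST, true)) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
}
add_action('admin_init', 'harden_admin_enforce_allowlist');   // /wp-admin/
add_action('login_init', 'harden_admin_enforce_allowlist');   // wp-login.php

// Enumeration path 1: /?author=N is redirected by WordPress to /author/<login>/,
// which reveals the account name. Send such probes to the home page instead.
add_action('template_redirect', function (): void {
    if (isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// Enumeration path 2: /wp-json/wp/v2/users lists accounts to anonymous visitors.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
```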

Thank you HonZaZ :slight_smile: :slight_smile: :slight_smile: :slight_smile:

This is James’s wife. I very much appreciate my site being unblocked!!

I have raised the issues today with godaddy and they reassured me that the webpage is hosted across a number of servers so the IP address isn’t an issue. I also reconfigured my site using a new Wordpress theme which has addressed a lot of the alerts that we were seeing.

Nothing wrong with GoDaddy. :slight_smile: (Personal opinion.)

Meaning OK, unless you have good neighbors there: IPs allocated: 1768192
Blacklisted URLs: 10402
See this report: http://sitevet.com/db/asn/AS26496
The bad ones are into all sorts of abuse, spam bots excluded.
Hosts…
  • …malicious URLs? Yes
  • …badware? Yes
  • …botnet C&C servers? No
  • …exploit servers? Yes
  • …Zeus botnet servers? Yes
  • …Current Events? Yes
  • …phishing servers? Yes
  • …spam servers? Yes
  • …spam bots? No
  • …spam activity? Yes

But not too bad for such a big bulk hoster.

polonus

Do a check on Microsoft and MS Azure hosting websites :slight_smile: You’ll be surprised.