False Positive: My website might not be infected!

Hello
We are still getting an Avast virus detection at cacs.org.br/linguas.
This issue is causing serious problems for us and we have been trying to fix it for a couple of months.
I did some things trying to find a solution but I need a hand from someone here, from Avast. Please help us. Below I listed the solutions I tried:

1 - I moved my website from a host to another (from kinghost.com.br to hostgator VPS).
2 - I activated an SSL certificate
3 - I activated the SiteLock protection service (this link: https://www.sitelock.com/verify.php?site=cacs.org.br)
4 - I moved the WordPress website that was installed at this URL: cacs.org.br, so now we just have one WordPress website installed (cacs.org.br/linguas), the most important one.

I cannot figure out anything more I could do to fix it. Is there anybody here that could help us?

My best regards,

Paulo, from Brazil

https://www.virustotal.com/en/url/a0ff441b6c309c42f201242490700d5990a69b6adad3e952d39242ab85551cd5/analysis/1499626563/
https://www.virustotal.com/en/ip-address/50.116.86.193/information/
http://zulu.zscaler.com/submission/show/ca58bec98a2cb860035dcc7d01c63feb-1499626599
http://urlquery.net/report/1756d063-5031-45cd-9564-6a85ad8539d5
https://quttera.com/detailed_report/cacs.org.br

WordPress issue:
Warning: User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.
ID  User  Login
1   None  admin
2   None  flavio

http://retire.insecurity.today/#!/scan/bcadfaaf8f5e0a578961de847df682f9d3eb95ddbb2abe77fddcb1974ad20c11

Hi paulo241,

As Eddy reported above in this thread, the website still has some room for security improvements; see the links he gives.

I added some issues with missing security headers here, through a scan with F-status, see here: https://securityheaders.io/?q=https%3A%2F%2Fcacs.org.br%2F&followRedirects=on

VT does not alert here: https://www.virustotal.com/pl/url/b018d17b660517f35fc3bb5edab4a4a3cfe40a1f869bec08d463f752bc8c09e2/analysis/1499627740/
and no alerts here: http://urlquery.net/report/1756d063-5031-45cd-9564-6a85ad8539d5

Look here for nonnumeric port: ‘image’ code: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fcacs.web-ded-208750a.kinghost.net

So wait for an avast team member to arrive here next week (today is a Sunday), as he will give the final verdict on the website.
We are just volunteers with relevant knowledge, as only avast team members can unblock.

polonus (volunteer website security analyst and website error-hunter)

Hello Eddy and Polonus,
I appreciate your attention. This situation is getting really serious over here. We have a lot of Avast users who are getting this alert and can't open our website. I tried to fix these alerts, but I'm not sure about the right way to do it:

  1. About this alert: https://www.virustotal.com/en/ip-address/50.116.86.193/information/ There is no such file (http://cacs.org.br/novosite/logos.gif) on the FTP. We don't even have a folder named "novosite".
  2. I just removed those two plugins listed as suspicious here: https://quttera.com/detailed_report/cacs.org.br
  3. Why would a User Enumeration cause a virus alert by Avast? And how do I prevent it?
  4. What do these alerts mean? https://securityheaders.io/?q=https%3A%2F%2Fcacs.org.br%2F&followRedirects=on How could it affect this Avast Alert?

If Avast tells me what is causing it, I could try to fix it. Or maybe just remove the false positive.

Thanks!

1] If the file isn't (or wasn't) there it would not have been detected.
2] That is a start to clean up things.
3] Whoever said that it would cause avast to give an alert?
4] If you have to ask, it is time you hire someone who does have the knowledge to properly maintain/run a website.

We have shown you several (security) problems.
I suggest you start fixing/solving them.
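Paulo's question 3 above asks how to prevent the user enumeration that Eddy's scan reported (author IDs 1 and 2 resolving to the logins admin and flavio); the following is an added example, not code from anyone in this thread, of a hypothetical WordPress must-use plugin that closes the three common enumeration paths, and it assumes a WordPress version with the REST API (4.7 or later) and does nothing about the AV verdict, which HonzaZ traced to a different cause.

```php
<?php
/**
 * Plugin Name: Block user enumeration (hypothetical example, not from the thread)
 * Place this file in wp-content/mu-plugins/ so it loads without activation.
 */

// 1. ?author=N probes: WordPress normally redirects these to /author/<login>/,
//    which leaks the login name. Refuse the request before that redirect fires.
//    Skipped in wp-admin, where the same parameter is a legitimate post filter.
add_action('init', function () {
    if (is_admin()) {
        return;
    }
    if (isset($_GET['author']) || isset($_POST['author'])) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
});

// 2. Pretty-permalink author archives (/author/<login>/) for anonymous
//    visitors: send them to the home page instead of confirming the login.
add_action('template_redirect', function () {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 3. REST endpoints /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id>
//    (also reachable via ?rest_route=) list user slugs to anyone; remove them
//    from the route table for requests that carry no authenticated user.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```

After deploying it, re-run the scan Eddy linked: the author-ID probe should no longer resolve IDs 1 and 2 to login names, and /wp-json/wp/v2/users should return a 404 for an anonymous request.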

It was indeed because of cacs[.]org.br/novosite/logos.gif?12588fd3=-1832616296.
I am removing the URL from our blacklist now, but please do follow others’ advice in order not to be infected (and blocked) again in the future.

Thanks Eddy and HonzaZ,

I don’t really know why this file is being an alert. It doesn’t exist. I’m sure about it. Is it possible to be something caused by a cyber attack? Like, if they try to access a file that doesn’t exist it forces the host to return a 404 error and overloads everything?

Thanks HonzaZ. I will keep checking all these alerts.

My best regards,