My website falsely blocked for phishing by many Antivirus and Malware programs!

I am reposting and have rewritten this post since it was deleted the first time (but it is still visible on the 26th page of the phishing thread, only far more hidden), and because my website still has not been unblocked; and the more I look into it, the more programs seem to be blocking our website without us ever having known anything about it in the first place.
So this information is also important to make others aware that other programs may still be blocking your website, even if Avast/AVG etc. has unblocked you.

Please, AVG/Avast (and everyone else who also blocks us based on false information), unblock my website ProphecyFilm.com as fast as possible, since we are not guilty of the charges of Phishing that you falsely hurl against us (as if the site were currently committing this serious offense against unsuspecting visitors as we speak!).

You various Antivirus and Malware programs, stop defaming and labeling your customers as criminals out to steal credit card information, as this is unacceptable (AVG/Avast is far kinder than one other I have seen, so thank you for that, but you still say this activity of Phishing infection is happening on our site as a fact when this is completely untrue; even if you do not directly accuse us of anything, neither do you excuse us, so that leaves the visitor to judge for himself when you could easily have excused us). In the future, some not-so-happy person may in fact take you to court, so you had better change your block tactic before that happens, and stop accusing or implicating others in crimes that they are not guilty of, or as if this activity were happening as a fact; yes, in no way must you indicate that they are guilty or that the website is doing this as a fact (as all of the programs currently do when blocking us), but you should excuse them if they are blocked and rather say it may all be a mistake. (And all the times you have falsely blocked websites for phishing and then just silently unblocked them prove the point, yet you still accused them (and continue to accuse new cases) of crimes or hackings even though they are innocent or it never happened.)

First Malwarebytes blocked me, but I was quickly unblocked by them after contacting them; but then I found out that Avast had also blocked me, and so I contacted them too yesterday but have received no response (and they even deleted my first thread, thus making this important information less known), and now AVG too is blocking my website! When will this end? Do I really have to try out all the Antivirus and Malware programs and contact all of them separately if we happen to be blocked? Is there no single site one can visit to get unblocked from all? Is this not reasonable, i.e., that you blocking and defamation companies (I am sorry, but this is what you do against us, even if you mean well by protecting others) should ease the process for falsely accused customers or website owners to get unblocked and cleared of their accusation as fast as possible, considering how many people are being falsely calumniated by these programs as being cyber criminals?

For example, I just found out on the Avast forum that a site unblocked by Avast (yes, unblocked) was still blocked by Malwarebytes when I checked today. And it was over a week ago that Avast unblocked them! So I don’t know, but it seems to me that people could still be blocked by other programs even if they are unblocked by others (this is also the case with me currently), or that it can take a long time for this to update, perhaps several weeks? I don’t want to worry anyone unnecessarily, but I think many website owners would appreciate this information, even if it turns out they were not blocked by other programs, just to make sure.

So even if one Antivirus/Malware program unblocks us, another may still be blocking us. This of course creates a nightmare scenario for website owners. I think the same process of awareness of “dangers” that are made known to internet security programs should also apply to “unblock” awareness, so that people are treated fairly and get unblocked just as fast and easily (by everyone) as when they were blocked. And if this is not the case, it is unreasonable. But perhaps that is how it works already. If anyone knows how the process works, they could explain it to me.

By the way, why should I have to contact AVG or Avast if Malwarebytes already unblocked me? Should it not be your duty to let all the others know this information too? Or if Malwarebytes unblocks, all the others unblock too at the same time? That would be ideal! Any way to make this happen, programmers?

For me, it has already been a day with no response or unblock from you, and with Malwarebytes it took 3 or 4 days perhaps, but I received no response as to the reason for the block. Is that a reasonable time when the unblock could have happened almost immediately (since we were always innocent and any easy check would have seen that immediately), if you only had more understanding in seeing this as more serious? Is it not easy to read hundreds of mails in a single day when this is your work and duty? But I don’t know how you verify whether the link is clean or not; but for the sake of charity, and to fix what was done wrong faster, you could always recruit more workers who work to verify falsely accused website owners faster so that they can get unblocked faster.

So I decided to rewrite this post (since it was deleted) and make it a public post instead of just sending a link, in order for this unblock to happen faster and also because I want to inform others.

As I said, I have already waited over one day with Avast and still no response. And Malwarebytes has not responded at all so far as to the reason behind my block, and my forum posts remain silently unanswered so far. For all the information relevant to this issue, consult these links:
https://forum.avast.com/index.php?topic=218384.msg1520352#msg1520352
https://forums.malwarebytes.com/topic/251913-my-website-is-being-blocked-wrongfully-please-help-unblock/

However, AVG and Avast, I want to say thank you for being much kinder than Malwarebytes was in their block message, for you only said the site is infected with Phishing and that it is phishing, whereas Malwarebytes said the site was phishing in the pop-up and on the internet site, and then, when explaining what phishing was in their official information, it essentially accused us of trying to steal others’ credit card information. That is unacceptable.

Libel, defamation and false accusation are criminal offenses, and just because you think someone is guilty of doing this does not mean you can actually accuse them of it, since they may in fact be completely innocent and the charges false and unfounded.

If you think some site is infected, please let the block say that the website is hacked and may be infected with phishing, and that we are trying to contact the owners of the website in order to assess the situation. Do not just accuse them as if the site is infected, or give the impression that the website itself is guilty or doing this (since this is outrageous, and I am sure many have become angry unnecessarily at being falsely and wrongfully defamed as thieves during all these years), but say again that they are probably being attacked by hackers, or that it is a mistake and that they are innocent. (We both know that many times, or even most times?, this phishing accusation is completely false.)

Don’t be lazy! Before you actually accuse others of trying to steal – or maybe trying to steal – others’ credit card information (i.e., phishing), and that this is actually occurring on this website as if it were an established fact (yes, your block message gives the impression that this is indeed happening on this website, even though this accusation in my own and many other people’s cases is completely false!), you should first look into the website and see if this is true. But you don’t, or do you?

But even if the website is attacked by someone, you must not assume the website is guilty, and you must state this clearly in your block message if you block it, i.e., “we think this site may be affected” and “we think it could be hacked, etc.” You must not jump to conclusions immediately or say they are guilty; you must rather excuse them and say that we are only blocking it in order to protect you, and you should even say that this block may be completely unfounded and untrue and the website totally clean and innocent. But no! Antivirus or Malware programs never do this (which would only be natural and reasonable, not to jump to conclusions and to excuse others, if one is kind and honest), and instead they all just accuse the website and the owners of crimes that in many or even most cases they are completely innocent of and that never happened!

I already asked this in Malwarebytes support mail and forum and received no response, and also from Avast, and we will see what they answer, but I have received no response so far from anyone: But I mean, do you have statistics to show how many of these serious phishing accusations are actually genuine as opposed to false? My guess is that many are false, and hence you calumniate them without purpose (and without even contacting them, thus putting them completely in the dark, without even knowing anything at all unless someone emails them about it perhaps days or weeks later!) just because you are too lazy to do your job properly by contacting them yourself and by manually verifying first, with some more advanced programs, whether this report is correct, rather than just letting an automatic bot or a report from (whom?) that can be completely false, wrong or made up just decide if it should be blocked (perhaps even automatically) without any verification first.

Can a website just get reported by anyone, even a program without human reason, and then be blocked? If that is not how it works, then how does it work? And what is the reason for all these false positives and innocent people’s websites being blocked and accused of serious crimes and then unblocked as if nothing happened? And we don’t even have a single advertisement on our website, as perhaps many others do, so what really was the culprit on our site? I want answers (but none so far have been given, either by Malwarebytes or Avast or anyone else, but we shall see)!

Thank you for your help and understanding.
And may God and the Blessed Virgin Mary bless you all abundantly!

Thanks, and peace!
Signed,
Ville Hietanen (Jerome)
Search: “The End Times Prophecies and Revelations of Saint Bridget of Sweden”

Remember to live a good life to its fullest in love and happiness, that you spread love and happiness to everyone but especially those most in need, that you think good thoughts about yourself and others but especially your enemies that can become your beloved friends again, and that you are kind and charitable to the oppressed and poor people and everyone else, for if you do so, you will receive great love and happy eternal rewards from God, the Blessed Virgin Mary and the whole of Heaven in the next life, where we also will meet our beloved dead once again and everyone else that has ever lived! Pray, live your life in goodness and happy thoughts, have faith and hope in love and goodness, and be good, and do not worry about anything!

Stick to this topic, any further duplicates will be removed.

Posting massive tomes doesn’t help; what will get you the analysis of your site is using the link I gave you before.
Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php - and it will be investigated.

They aren’t looking for information other than giving the URL you feel is an FP to investigate the site.

You might also want to take a look at this: https://sitecheck.sucuri.net/results/ProphecyFilm.com, as the site is outdated and vulnerable because of outdated PHP software. This could well have been the reason it was blocked in the first place, if that vulnerability has/had been exploited.

I have tried to stick to the point, and yes, posting tomes does help if it makes you understand not to do this to people.

Perhaps it is not a big deal to you, but others are losing their online reputation because of this and being accused of cyber crimes, and they are losing readership, sales and donations – and all of this may have gone on for several months or weeks, since if no one contacts them about it, no one will know. Certainly, your own company (if you work here, or are you only a private volunteer?) does not even contact anyone before blocking them and listing their website as phishing, or as being infected with phishing? Am I right?

One can only wonder which small websites may still be blocked without even knowing anything, because almost no one visits their website or even contacts them about it (or doesn’t use these programs), because companies like AVG or Malwarebytes refuse to contact the accused themselves (as should be their duty) before blacklisting them.

So this is a big deal, and it means much to many. That is why I care, and that is why I would like you to see the logical reason and kind thought for others behind what I do.

You wrote: “They aren’t looking for information other than giving the URL you feel is an FP to investigate the site.” Well, that was also the point of my forum posts. If you will not do your work properly, I will inform you of what should be done, so that there will be changes benefiting both you and your company.

If a company is honest and wants to please their customers, they have nothing to fear from public forum posters dealing with valid and legitimate concerns that could so easily be fixed. I have been completely reasonable in my approach and I have also tried to be kind, and no one should have any problem with my postings; but if you do, please state your concern and I will reply.

I in no way mean to spread hate or anger towards you or your company or anyone else (please don’t hate anyone, since all can change; and if we think someone does wrong against us or others, let us talk and hope the problem can be solved peacefully, so that all can be friends), but my issue with this debacle was rather to make you aware that this current system of approach of yours is not appreciated and that it can easily be improved. Just don’t accuse anyone, and let the block message say the site is probably innocent or hacked, or that this block may even be completely wrong. Anything really is better than giving even the slightest impression that someone else is guilty of a serious crime when they are not guilty of it and nothing has yet been proven.

Not manually verifying first whether a website soon to be blocked by companies like yours is in fact infected, and on top of that not even contacting them about it, even though it could be done so easily (no, instead they are just left in the dark until someone else contacts them, which could be days, weeks or even months), is unreasonable and uncharitable (even if it was not your intent to be uncharitable), since this system of you being lazy and making it far too easy for yourselves to just block others and give them a bad reputation and even inflict losses upon them is wrong, and it needs to stop.

Also, you would not like to be falsely blocked or labelled criminals or phishers or anything of the kind even remotely indicating this; therefore, do not do this to your neighbours either.

You wrote: “This could well have been the reason it was blocked in the first place if that vulnerability has/had been exploited.” I don’t think so, because our site was never infected to begin with, which is why we were promptly unblocked. Also, many websites do not have the newest PHP, and I don’t think this is too bad. Otherwise not only Malwarebytes or AVG/Avast (and who knows who else) would have blocked us, but Google would have done so too. My FTP client also showed that only we had logged in and uploaded something, so everything points to a false positive. It seems there may be no reason for my block, or if there is one, it may be completely unreasonable and could have been avoided if someone would only verify manually first – thus saving us (and hundreds of thousands or even millions of others) the time of having to deal with cases like this. But we shall see if I ever receive an answer to the question of what happened in my case.

And that is also the reason I wonder how you go about blocking someone else’s website, since evidence seems not even to be required (or at least, not verified before blocking)? Again, what exactly was the reason for our block? If you don’t know, just say so. But at least you gave a theory, so thank you. I also had a theory in the Malwarebytes forum thread of a possibility for our block that had nothing to do with phishing, but rather with asking persons who have contacted us (and we them) for an address and name in order to be able to send them free materials, books, DVDs, religious items, etc. Yes, I am religious and like to give them material so they can learn to know God and live a spiritual life. Nothing wrong with that. (And the same offer is open to you; if you are interested, contact me.) Could such emails be listed as phishing by an automatic robot or bot, or if someone reported me? I don’t know, but perhaps they could.

God and the Blessed Virgin Mary bless you all!
Thanks, and peace!
Signed,
Ville Hietanen (Jerome)

It may be an IP problem, 10 blacklisted URLs on that IP >> https://www.virustotal.com/gui/ip-address/192.145.238.14/relations

Also see:
https://www.virustotal.com/gui/url/5d903d02666c56fd502793529f8b5eff6bec235112a948b3f27b75135b477f10/detection

https://www.virustotal.com/gui/url/93da23331fc5adcff6a24b2223a1299a9d2a03bfc793973cc071a4d6415b12a5/detection

https://www.virustotal.com/gui/url/6670f37883fc032fec544d61f9cd289f0b8c69910f9c9a75d874a480cceb8fb1/detection

Some files found on those URLs listed at that IP:
https://www.virustotal.com/gui/file/1abf64a0c7114a0299b72a44353fb2b822ef895f138fa89776cb5870fbbc9733/detection

https://www.virustotal.com/gui/file/758b0c7eaab0e897467f24d2804df8573c49aa4efdd1738233aae75252b1eafe/detection

https://www.virustotal.com/gui/file/0142f3173d438638550685f2d48890bab105c89e9f1849e371699ad4575809b5/detection

Communicating files:
https://www.virustotal.com/gui/file/0e0df0cb71a43c49154c5d7070e16de23ed25ca8685f249b948e98cbf63892b3/detection

Thanks for your kind reply, but could you please explain to me what this means and what has happened? What is it with the IP addresses? I don’t understand.

And what about the files? What are those files with long numbers, so I can look at them? I will show your post to my webhost provider also and see what they say.

According to my webhost provider, who can check IPs for logins, only I have logged in all of September (he told me to check manually myself for longer periods, and I will look into that also), so no one can have uploaded anything or modified any of the files; also, all files remain unchanged and the date has not been changed, so they are not edited, and I also downloaded the .php from the server for one of the so-called affected pages, and it seems completely clean, with no foreign line of code or HTML or anything added.

Also, if our site is infected (or is it? it seems so according to these links), why am I not blocked anymore by Malwarebytes (and just now Avast emailed me telling me they will unblock me)? So what is this about? Please help me understand!

I do not believe we are infected, and to me it seems that if one program decides to block, the others follow suit? Is this how it can work among programs? But to me it seems those links you provided did find something, but I don’t understand.

If we are infected, I cannot find any problem with the server or webhosting, and no virus is found on my system either.

I am clearly at a loss as to what has happened.

Any help would be much appreciated.

> Thanks for your kind reply, but could you please explain to me what this means and what has happened? What is it with the IP addresses? I don't understand.

There is more than one website on that IP.

> And what about the files? What are those files with long numbers, so I can look at them? I will show your post to my webhost provider also and see what they say.

Click the link(s) I posted and see the info.

> Also, if our site is infected (or is it? it seems so according to these links), why am I not blocked anymore by Malwarebytes (and just now Avast emailed me telling me they will unblock me)? So what is this about? Please help me understand!

Only Avast lab can say why they blocked your website.

As I said above, it could have been an IP problem; I don't know, Avast lab must tell you …
Many infected websites on the same IP (if many bad guys live in the same neighborhood as a good guy, then everyone may think he is also a bad guy).

There is a huge number of security vendors out there, and many have been around since the early 80s.
There is an ongoing arms race between the good guys and the bad guys, and the world of malware is not static; it changes every day, so if there were an easy way to block/detect the bad stuff and avoid false positives, they would have used it. These guys work 24/7 on this, so they have tried everything and are still trying to improve.

To pointedly answer your questions: VirusTotal will (or used to, and should still) automatically send samples that other engines detect and yours doesn’t.

Ex: Avast! detects file.exe (SHA1: A07D9810370F787A9F9A2B7A0DCE298A95B52A88). BitDefender, Windows Defender, Kaspersky, and ESET also detect it. Malwarebytes doesn’t detect that hash, and therefore Malwarebytes will get an email (with the sample) to analyze and detect it if they choose.

Avast!, along with most other programs, can sometimes block based on an IP address. An IP block does occasionally catch innocent people by mistake. One IP address does not mean only one website. You could have 100 websites on an IP address, 99 malicious and 1 clean. Unfortunately, that one will get caught. Your hoster should allow you to change your IP address. To be clear, I have zero idea why Avast! or MBAM have chosen to unblock your website. It’s extremely vulnerable.

Among the most notable is your distinct lack of encryption on the website.

I had some interesting scans of your site via nmap last night. In short, though, you’re running outdated versions of OpenSSH, MySQL and PostgreSQL. Unfortunately, your website is not online, so I can’t rescan it.

Here I find all green: https://toolbar.netcraft.com/site_report?url=www.prophecyfilm.com%2F
Nothing on the IP either: https://www.virustotal.com/gui/ip-address/192.145.238.14/details
Here we have a detection by 3 engines: https://www.virustotal.com/gui/url/5d903d02666c56fd502793529f8b5eff6bec235112a948b3f27b75135b477f10/detection
Your website has vulnerabilities on that particular PHP version and is being blacklisted.
626 improvement hints, some of them also on security: https://webhint.io/scanner/0ed2571f-8e3e-4c82-91db-18a9ce25f40a
See: https://webhint.io/scanner/0ed2571f-8e3e-4c82-91db-18a9ce25f40a#category-security

Wait for an Avast team member to give a final verdict, as we are just volunteers with website security expertise,
but cannot come and unblock. Your site at the moment is being blocked for PHISHing (checked in Avast Secure Browser).

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)


21/tcp   open  ftp        Pure-FTPd
|_ssl-ccs-injection: No reply from server (TIMEOUT)
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
|             Modulus Type: Non-safe prime
|             Modulus Source: RFC5114/2048-bit DSA group with 256-bit prime order subgroup
|             Modulus Length: 2048
|             Generator Length: 2048
|             Public Key Length: 2048
|     References:
|_      https://www.ietf.org/rfc/rfc2246.txt
|_sslv2-drown: 
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)


80/tcp   open  http       Apache httpd (PHP 7.2.19)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.


110/tcp  open  pop3       Dovecot pop3d
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_sslv2-drown: 
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)


143/tcp  open  imap       Dovecot imapd
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_sslv2-drown: 
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)


993/tcp  open  ssl/imap   Dovecot imapd
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_sslv2-drown: 


995/tcp  open  ssl/pop3   Dovecot pop3d
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_sslv2-drown: 
2222/tcp open  ssh        OpenSSH 5.3 (protocol 2.0)
3306/tcp open  mysql      MySQL 5.5.5-10.2.25-MariaDB-log
5432/tcp open  postgresql PostgreSQL DB 9.6.4 - 9.6.6
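As an added example (not code from any poster in this thread), a Python helper that turns nmap script output like the scan quoted above into one finding per port, so a site owner can see which services need a stronger DH group, no anonymous or 3DES suites, and a patched HTTP server. The embedded scan text is a constructed excerpt modelled on that output, and the 2048-bit DH floor is an assumed policy.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the scan quoted in the thread (not a live scan).
SAMPLE_SCAN = """\
21/tcp   open  ftp        Pure-FTPd
| ssl-dh-params:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
|             Modulus Type: Non-safe prime
|_            Modulus Length: 2048
80/tcp   open  http       Apache httpd (PHP 7.2.19)
| http-slowloris-check:
|   Slowloris DOS attack
|_    State: LIKELY VULNERABLE
110/tcp  open  pop3       Dovecot pop3d
| ssl-dh-params:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|_            Modulus Length: 1024
2222/tcp open  ssh        OpenSSH 5.3 (protocol 2.0)
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z][a-z0-9-]*):(?:\s|$)")  # e.g. "| ssl-dh-params:"
FIELD_RE = re.compile(r"^\|_?\s+(State|Cipher Suite|Modulus Type|Modulus Length):\s+(.+?)\s*$")
MIN_DH_BITS = 2048  # assumed policy floor; weakdh.org advises 2048-bit groups or better


@dataclass
class PortFinding:
    port: int
    product: str
    cipher_suite: str = ""
    modulus_type: str = ""
    modulus_bits: int = 0
    anonymous_dh: bool = False
    slowloris: bool = False

    def issues(self):
        # Defender-facing problems the script results show for this port.
        out = []
        if self.anonymous_dh:
            out.append("anonymous DH suite: server not authenticated, active MitM possible")
        if 0 < self.modulus_bits < MIN_DH_BITS:
            out.append(f"DH modulus {self.modulus_bits} bits is below {MIN_DH_BITS}")
        if self.modulus_type == "Non-safe prime":
            out.append("DH group is not a safe prime")
        if "3DES" in self.cipher_suite:
            out.append("3DES suite negotiated (64-bit block cipher)")
        if self.slowloris:
            out.append("HTTP service likely vulnerable to Slowloris connection exhaustion")
        return out


def parse_scan(text):
    # Fold each port line plus the NSE script lines under it into one PortFinding.
    findings, cur, script = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            cur, script = PortFinding(int(m.group(1)), m.group(2).strip()), None
            findings.append(cur)
            continue
        if cur is None:
            continue
        s = SCRIPT_RE.match(line)
        if s:
            script = s.group(1)  # which NSE script the following fields belong to
        if "ANONYMOUS DH GROUP" in line:
            cur.anonymous_dh = True
        f = FIELD_RE.match(line)
        if not f:
            continue
        key, val = f.groups()
        if key == "State":
            cur.slowloris |= script == "http-slowloris-check" and "VULNERABLE" in val
        elif key == "Modulus Length":
            cur.modulus_bits = int(val)
        else:
            setattr(cur, key.lower().replace(" ", "_"), val)  # cipher_suite / modulus_type
    return findings


def triage(text):
    # Port -> issue list, omitting ports with nothing to report.
    return {f.port: f.issues() for f in parse_scan(text) if f.issues()}
```

Running `triage(SAMPLE_SCAN)` reports ports 21, 80 and 110 and leaves 2222 out, since the scan shows no script finding for it even though the OpenSSH version itself is old.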