Re: Why avast blocking my website?

system · 2017-01-15T09:53:38.000Z

Hello!
I have a problem with blocking my website. There was an accident which was fixed already. But some of the site URLs stay in the blocklist and Avast is blocking access. How I can rescan the site and update the threats list? My site is “filigrana-spb.ru”.
Thanks in advance.

Asyn · 2017-01-15T10:08:10.000Z

versus2 post:1:

Hello!
I have a problem with blocking my website. There was an accident which was fixed already. But some of the site URLs stay in the blocklist and Avast is blocking access. How I can rescan the site and update the threats list? My site is “filigrana-spb.ru”.
Thanks in advance.

→ https://sitecheck.sucuri.net/results/filigrana-spb.ru

Pondus · 2017-01-15T10:10:01.000Z

Norton safeweb > https://safeweb.norton.com/report/show?url=filigrana-spb.ru

Urlvoid > http://www.urlvoid.com/scan/filigrana-spb.ru/

SCUMWARE.ORG

2016-10-25 21:49:01 hxxp://filigrana-spb.ru/counter/5.bin CD768CA7F5E2347D0FBD338C75A64A20 5.101.152.55 RU PHP/Filecoder.D trojan

If you think it is wrong > https://www.avast.com/report-a-url.php

Eddy · 2017-01-15T10:40:00.000Z

Large amount of blacklistings on that IP :
https://www.virustotal.com/en/ip-address/5.101.152.55/information/

Blacklisted :
http://www.urlvoid.com/scan/filigrana-spb.ru/
https://sitecheck.sucuri.net/results/filigrana-spb.ru

Blacklistings on the IP and AS :
http://urlquery.net/report.php?id=1484475556059

Vulnerable libraries used :
http://retire.insecurity.today/#!/scan/51e4dc515b7c3e21ccad34a308a6e50c41e5223c3a56939fb2c037b2f86123a1

system · 2017-01-15T10:51:04.000Z

all that infected blacklisted resources had been removed from the site. the question was how can i speed up blacklist-databases update if it is possible.

Eddy · 2017-01-15T11:00:29.000Z

The simple answer is that you can’t speed up things.
Only thing you can do is ask the ones who blacklist the domain/IP is to have a look at it and request they remove it from their blacklist.

Advise :

Get away from that IP (and perhaps even the host).
Get get dedicated hosting.
Update the vulnerable libraries (if there are newer version without vulnerabilities), or don’t use them at all.

system · 2017-01-15T11:17:32.000Z

thanks at all. will think of changing the host

polonus · 2017-01-15T14:39:42.000Z

Hi versus2,

Apart form Eddy’s advice, there is room for some general improvement on the website code as well.
Try to generate the appropriate SRI hashes for the two issues seen here: https://sritest.io/#report/aadb2907-42bf-4fe8-8fba-e2212d9861a5

Consider the issues with the F-status scan here: https://observatory.mozilla.org/analyze.html?host=filigrana-spb.ru

The implications of these scan results: http://www.domxssscanner.com/scan?url=http%3A%2F%2Ffiligrana-spb.ru
in relation to these finds of retirable jQuery code: http://filigrana-spb.ru
Detected libraries:
jquery - 1.6.4 : -http://filigrana-spb.ru/js/jquery.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
jquery.prettyPhoto - 3.1.6 : -http://filigrana-spb.ru/js/jquery01.js
swfobject - 2.2 : -http://filigrana-spb.ru/js/swfobjec.js
jquery-ui-dialog - 1.10.2 : -http://filigrana-spb.ru/js/jquery-ui-1.10.2.custom.min.js
jquery-ui-autocomplete - 1.10.2 : -http://filigrana-spb.ru/js/jquery-ui-1.10.2.custom.min.js
jquery-ui-tooltip - 1.10.2 : -http://filigrana-spb.ru/js/jquery-ui-1.10.2.custom.min.js

To further support Eddy’s findings on the web server security, these test results to consider,
F-status: https://www.htbridge.com/websec/?id=c94309e85435257890bf9faba4012533433cb1e359cf4b7eefb5b3ff8c6a59e2
Version info proliferation is at the core of the problems for this aspect of the security test.

polonus (volunteer website security analyst and website error-hunter)

HonzaZ · 2017-01-16T09:07:36.000Z

Yup, the domain filigrana-spb[.]ru was blocked in autumn 2016 due to it spreading Locky infection. I have now unblocked it ;).

Announcements