Remove a site from blacklist

Hi guys, my site was marked as having a virus. It was running on GoDaddy and WordPress; we decided to drop the whole site, create a new site in plain HTML only and move to a brand new server, but the alert on Avast is still there. What do we need to do to be removed from the blacklist?

the domain name is www.web-informatica.com

I generated a Sucuri site check to see if the issue persists, but it is not infected anymore.
https://sitecheck.sucuri.net/results/web-informatica.com/

Best Regards
Jose.

URL:Mal = IP and/or domain is blacklisted.
The site can be infected, but doesn’t have to be.

Blacklisted:
http://www.urlvoid.com/scan/web-informatica.com/
http://zulu.zscaler.com/submission/show/3c16a5a2e35e4cb8dbccf5017659b416-1452793646
http://urlquery.net/report.php?id=1452792657749
http://urlquery.net/report.php?id=1452792682400
http://multirbl.valli.org/lookup/192.185.140.111.html

TLS/SSL problems:
https://www.ssllabs.com/ssltest/analyze.html?d=web-informatica.com

If you believe avast should allow your site, submit a ticket and ask them to review the site.

See Netcraft website status (9 red out of 10): http://toolbar.netcraft.com/site_report?url=http://192.185.140.111
Security certificate issue - Google Safe Browsing alerts a privacy error - the certificate stems from *.websitewelcome.com (common name invalid). google.webserver → http://toolbar.netcraft.com/site_report?url=https://web-informatica.com
Re: https://oscarotero.com/embed/demo/index.php?url=https%3A%2F%2Fweb-informatica.com&options[minImageWidth]=0&options[minImageHeight]=0&options[facebookAccessToken]=&options[embedlyKey]=&options[soundcloudClientId]=YOUR_CLIENT_ID&options[oembedParameters]=
IP badness history: https://www.virustotal.com/en/ip-address/192.185.140.111/information/

polonus

I cannot see anything malicious now, so I am unblocking web-informatica.com.

Rightfully unblocked, of course, but the remaining security issues should be addressed somehow.

polonus

Can you please remove my site http://ipwa.net? I removed everything after my site got hacked; I only have a holding page, my emails and two associated domains.

Header issues:

https://securityheaders.io/?q=http%3A%2F%2Fipwa.net%2F
https://securityheaders.io/?q=https%3A%2F%2Fipwa.net%2F

Guide to fix this: https://scotthelme.co.uk/hardening-your-http-response-headers/#server

Blacklisted by McAfee: https://sitecheck.sucuri.net/results/ipwa.net/
Malicious for Scumware.org: https://www.virustotal.com/en/url/41c4f5ef4067901c3f50a22617476be7dc05df5a1d59549077998579ce1a86cf/analysis/1465122284/

Also several vulnerable libraries are used.
http://retire.insecurity.today/#!/scan/c9bf2f7ea39143ec3fd0968939b22ae254ef5b9655f8757ecbb216239ec36993

Time to check with Redleg’s File Viewer: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fipwa.net+&ref_sel=GSP2&ua_sel=ff&fs=1

There we get this message:

Note: It looks like your site has returned a 503 Error. In some cases the firewall or a bad bot utility will block the use of this tool. If the response is unexpected you should verify the response with another tool such as Rex Swain.

But we see that the site is under maintenance. Still we see excessive header info proliferation: the address you entered is unnecessarily exposing the following response headers, which divulge its choice of web platform:

Server: nginx/1.10.1
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

Clickjacking Warning: Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An “X-Frame-Options” header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

Result
It doesn’t look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

We see these blocked script tags:

<script type="text/javascript" src="hxxp://ipwa.net/misc/jquery.js?v=1.4.4"></script>
<script type="text/javascript" src="hxxp://ipwa.net/misc/jquery.once.js?v=1.2"></script>
<script type="text/javascript" src="hxxp://ipwa.net/misc/drupal.js?o808s0"></script>
<script type="text/javascript">

There are problems with the nameserver and the reverse DNS: https://test.drownattack.com/?site=ns1.hostmonster.com
DROWN vulnerable :) http://host82.hostmonster.com/
There could be an IP block because of this: http://webyzer.net/ip/74.220.215.116 (domains sharing one and the same IP).

The IP is being blacklisted by 127 sites.

polonus
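As an added example (not from the thread, and not polonus's or the site owner's configuration): an nginx server block, since the site reports nginx/1.10.1, that applies the two header fixes discussed above, hiding the version in the Server header and sending X-Frame-Options, plus the other headers securityheaders.io reports on. The domain, document root and certificate paths are placeholders.

```nginx
# Added example, not from the original thread. Domain, root and certificate
# paths are placeholders; adjust them for the real site.
server {
    listen 443 ssl;
    server_name ipwa.net www.ipwa.net;            # placeholder
    ssl_certificate     /etc/ssl/ipwa.net.pem;    # placeholder
    ssl_certificate_key /etc/ssl/ipwa.net.key;    # placeholder

    # Stop advertising "Server: nginx/1.10.1"; the header becomes "Server: nginx".
    # Removing the header completely needs the headers-more module:
    #   more_clear_headers 'Server';
    server_tokens off;

    # Clickjacking: refuse framing by other origins. "always" (nginx >= 1.7.5)
    # makes the header appear on 4xx/5xx responses too, not only on 2xx/3xx.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Modern browsers prefer frame-ancestors; send both for coverage.
    add_header Content-Security-Policy "frame-ancestors 'self'" always;

    # Remaining headers the securityheaders.io scan checks for.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root  /var/www/ipwa.net;                      # placeholder
    index index.html;
}
```

One nginx caveat worth checking after the change: add_header directives are not inherited into a location block that declares any add_header of its own, so every such location needs the full set repeated or the headers silently disappear for those paths. Verify with a headers-only request (curl -I) against both the holding page and an error URL.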

I do not think we block ipwa.net; we might have blocked the IP it is on, though.

I updated my site to the latest Drupal 8 version, and I haven’t found the IP blacklisted.

IP blacklisted:
http://zulu.zscaler.com/submission/show/82a774449fb4e7f0c2744de9cd43fd15-1465314436

Blacklisted:
http://www.web-malware-removal.com/website-malware-virus-scanner/?url=ipwa.net

http://www.malwareurl.com/listing.php?as=AS46606&active=on
7344 active domains were found for AS46606 (BLUEHOST) - show 200 of 7344
I'm not even going to look at all of them.
The first 200 are all malicious!

Vulnerable libraries are still present:
http://retire.insecurity.today/#!/scan/f26594bb661977d2a5fe365f680964a4f5589b3c2d87a26177c3b93838370545

A very good reason why to keep software updated:
https://blog.sucuri.net/2014/10/drupal-warns-every-drupal-7-website-was-compromised-unless-patched.html

My advice:

  • Get dedicated hosting at a company that takes security seriously.
  • Fix the vulnerability issues.