A little over a week ago the website of a client of mine became blocked for users of the Avast online security plugin.
The issue reported was URL:Phishing.
I investigated the website, ran security scans, checked the files and can see no evidence of a breach.
The SSL appears fine and we don’t have any weird rewrite rules.
I reported this via the false positive section of the website and received the following email:
[i]Thank you for contacting Avast with your concerns.
Our virus specialists have been working on this problem and they informed me that this detection is correct.
Should you have any other inquiries please don’t hesitate to contact me again.
Best Regards,
Ondřej
The Avast Support Team[/i]
I emailed back requesting further info; if I could even get an idea of what was tripping the plugin up, I could look into resolving the problem myself. Unfortunately I never heard back.
I’m reaching out on the forum in the hope that this is monitored by Avast staff and that someone may be able to help me. Unfortunately nobody on the phone would speak to me until I could confirm that I had a paid-for Avast product (which I don’t).
Your site no longer appears online, so I can’t grab any scripts running. I pulled an nmap scan on it though. The first one is quite serious, allowing remote, unauthenticated root access!!
Without the ability to check scripts I cannot guess on to why Avast! is blocking your website. I will DM Milos (Avast! employee) to see if he knows. I will also DM Polonus, a website security expert and see if he can find anything I may have missed.
I am only a volunteer. I do not work for Avast!. I cannot change their decision, I can only point out relevant information.
To readers in this thread I cannot stress enough the importance of retiring retirable jQuery libraries found to be vulnerable.
Have retire.js inside the browser or developer’s console, or check online at https://retire.insecurity.today/#!/scan/, a nifty service brought to us by Erlend Oftedal from Norway (all credits go there).
Often quite a few websites have jQuery libraries installed over time, like liquorice allsorts. :o “So then what one acquires, one should at a given moment also retire.”
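The version audit Polonus is describing, as an added example that is not part of the original thread and not the retire.js code itself: it pulls the jQuery core version out of each script URL a page loads (or out of the live jQuery object), and reports the versions that fall inside ranges public advisories flag. The CVE ranges and the sample script list are assumptions made for this example, not something the thread states; retire.js remains the authoritative list.

```javascript
// Added example (not from the thread, not retire.js code). Audits the jQuery
// versions a page loads against publicly advised vulnerable ranges.

// Assumption: each entry flags jQuery core versions strictly below `fixedIn`,
// per the public advisory for that CVE. Verify against retire.js before relying on it.
const JQUERY_ADVISORIES = [
  { fixedIn: "1.9.0", id: "CVE-2012-6708", summary: "XSS when untrusted text reaches $() as a selector" },
  { fixedIn: "3.0.0", id: "CVE-2015-9251", summary: "cross-domain Ajax without dataType executes text/javascript responses" },
  { fixedIn: "3.4.0", id: "CVE-2019-11358", summary: "prototype pollution via jQuery.extend(true, ...)" },
  { fixedIn: "3.5.0", id: "CVE-2020-11022", summary: "XSS via htmlPrefilter with untrusted HTML" },
  { fixedIn: "3.5.0", id: "CVE-2020-11023", summary: "XSS via untrusted HTML containing <option> elements" },
];

// Numeric comparison of dotted versions: returns -1, 0 or 1. Missing parts count as 0,
// so "3.5" and "3.5.0" compare equal.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Advisory ids that apply to one jQuery core version.
function findKnownIssues(version) {
  return JQUERY_ADVISORIES
    .filter((adv) => compareVersions(version, adv.fixedIn) < 0)
    .map((adv) => adv.id);
}

// Extract a jQuery core version from a script URL such as
// ".../jquery-1.7.2.min.js" or ".../libs/jquery/3.5.1/jquery.min.js".
// Returns null for plugins (jquery-ui, jquery-migrate) and for URLs without a version.
function parseJqueryVersion(src) {
  const m = /jquery[-\/]v?(\d+\.\d+(?:\.\d+)?)/i.exec(src);
  return m ? m[1] : null;
}

// Audit a list of script URLs; one result per script whose version could be read.
// Several entries means the page loads more than one jQuery, which is itself a finding.
function auditScripts(srcs) {
  const results = [];
  for (const src of srcs) {
    const version = parseJqueryVersion(src);
    if (version === null) continue;
    results.push({ src, version, issues: findKnownIssues(version) });
  }
  return results;
}

// Version of the jQuery actually running, if the global is present.
// Pass `window` in a browser; a plain object works for testing.
function runtimeVersion(global) {
  const jq = global && global.jQuery;
  return jq && jq.fn && typeof jq.fn.jquery === "string" ? jq.fn.jquery : null;
}

// Constructed sample: script URLs as document.scripts might list them on a shop page.
const SAMPLE_SCRIPTS = [
  "https://code.jquery.com/jquery-1.7.2.min.js",
  "/js/jquery-ui-1.12.1.min.js",
  "https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js",
  "/themes/default/js/theme.js",
];

// In a browser console, run instead:
//   auditScripts(Array.from(document.scripts, (s) => s.src)); runtimeVersion(window);
for (const r of auditScripts(SAMPLE_SCRIPTS)) {
  console.log(r.version, r.issues.length ? r.issues.join(", ") : "no known issues", "<-", r.src);
}
```

The URL check finds every copy the page ships, including old ones bundled with a theme or module, while `runtimeVersion` shows which copy actually won; both matter, because the advisories above are about what an attacker can reach, not about which file loaded last.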
Thank you both for your input.
Since posting this, Avast! have gotten back in touch with:
[i]I have talked with our virus specialists once again and I received new information.
The provided website isn’t detected by Avast anymore. The results will be visible with next virus definitions update.
We are sorry for the inconvenience. If you have any further questions, don’t hesitate to contact me again.[/i]
I’m not sure what they mean by “detected” but I am assuming that the block is due to be lifted?
Apologies for my ignorance but as I understand your replies - you believe the site has been breached via the tpproductquestion module? Or are these suggestions on how to improve the security?
I’m afraid I have only a passing knowledge of info-sec so please don’t assume much knowledge on my behalf
I will certainly take a look at upgrading JQuery and see how invasive this might be.
Also regarding Sucuri reporting the website was down: that is odd, as it’s reporting 100% uptime in our dashboard. Might this have been a very temporary thing between scans?
Thank you both for your time and expertise.
Alexon
If they’re removing detection, it means it’ll be allowed on Avast! devices once again.
I think my scans may have triggered safety precautions on your domain. The moment I tried to dirb your site, I immediately lost connection to it again. To be clear, Sucuri had no issues scanning it; my client-side tools did (nmap worked, dirb hasn’t worked for more than 80 attempts).
I’m not sure what breached the website, but the easiest way in would’ve likely been Prestashop or Exim. Please understand, fixing one plugin doesn’t fix the rest. Prestashop, Exim, MariaDB/MySQL and any other utility you may have must be updated, otherwise you remain vulnerable to this happening again.