URL Blocked

Hi there Avast team,

A little over a week ago, a client's website became blocked for users of the Avast online security plugin.
The issue reported was URL:Phishing.

I investigated the website, ran security scans, checked the files and can see no evidence of a breach.
The SSL appears fine and we don’t have any weird rewrite rules.

We have regular Sucuri checks which have yielded no issues:
https://sitecheck.sucuri.net/results/nyfast.com

I reported this via the false positive section of the website and received the following email:
[i]Thank you for contacting Avast with your concerns.

Our virus specialists have been working on this problem and they informed me that this detection is correct.

Should you have any other inquiries please don’t hesitate to contact me again.

Best Regards,

Ondřej
The Avast Support Team[/i]

I emailed back requesting further info; if I could even get an idea of what was tripping the plugin up, I could look into resolving the problem myself. Unfortunately I never heard back.

I’m reaching out on the forum in the hope that this is monitored by Avast staff and that someone may be able to help me; unfortunately nobody on the phone would speak to me until I could confirm that I had a paid-for Avast product (which I don’t).

Thank you very much for your time
Alexon

VT >> https://www.virustotal.com/gui/url/00c688c9b3292a3cb5cca96f85a093e210f5730f5b3a1834cd3d80d957188f32/detection
Sucuri >> https://sitecheck.sucuri.net/results/nyfast.com
CheckPhish >> https://checkphish.ai/insights/url/1570493828691/00c688c9b3292a3cb5cca96f85a093e210f5730f5b3a1834cd3d80d957188f32
URLScan >> https://urlscan.io/result/1227006e-1773-4a26-9f54-2b6256fd0153
URLVoid >> https://www.urlvoid.com/scan/nyfast.com/
Zulu >> https://zulu.zscaler.com/submission/fef26f69-bd4b-467f-801a-c6ebf1f9d157

Your site no longer appears online, so I can’t grab any scripts running. I pulled an nmap scan on it though. The first one is quite serious, allowing remote, unauthenticated root access!!


Port 587, Exim smtpd 4.92
VULNERABLE: https://nvd.nist.gov/vuln/detail/CVE-2019-15846


Port 53, BIND 9.11.4
VULNERABLE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5740


*Local Only*
Port 3306, MySQL/MariaDB 5.5.5
https://www.exploit-db.com/exploits/40360
https://www.exploit-db.com/exploits/40678
https://www.exploit-db.com/exploits/40679

Sucuri says you have PrestaShop running. With your website down ( :frowning: ) I can’t dirb it, but I’m willing to guess that PrestaShop is also outdated.

1.6.X and 1.7.X vulnerability >> https://www.exploit-db.com/exploits/45964.

Without the ability to check scripts I cannot guess on to why Avast! is blocking your website. I will DM Milos (Avast! employee) to see if he knows. I will also DM Polonus, a website security expert and see if he can find anything I may have missed.

I am only a volunteer. I do not work for Avast!. I cannot change their decision, I can only point out relevant information.

Edit:
XFE >> https://exchange.xforce.ibmcloud.com/url/nyfast.com
XFE (IP) >> https://exchange.xforce.ibmcloud.com/ip/83.223.113.32

Hi Michael (alan1998),

The problem resided here: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lm55ZnxzdC5eXW1gbV0jdWx7c2B0cHB9XSN1XnRxdXtzdFtdbmBqc2BzXn1bcHQuanM%3D~enc
JavaScript file has been cleansed - no content for -https://www.nyfast.com/modules/tpproductquestion/js/script.js
Probably through a Prestashop exploit: https://exploitalert.com/search-results.html?search=prestashop
Consider: https://webcookies.org/cookies/www.nyfast.com/28518298?907008
Site should be hardened. Backend glitches, DNS: https://toolbar.netcraft.com/site_report?url=nyfast.com
Re: https://webhint.io/scanner/27dc8a74-559d-4200-b18c-87fa599eef76
Consider: https://urlscan.io/result/2c06cdab-b88f-4a01-84af-c08514626cb7
and 2 redirects - https://urlscan.io/ip/2606:4700:20::6819:280a

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
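The finding above is an emptied module script that nobody on the site noticed until a blacklist did. An added example of the check a shop owner can run themselves (this is illustrative code written for this thread, not a PrestaShop, Sucuri or Avast tool): hash every script file under the web root once from a known-clean state, keep that manifest somewhere the web server cannot reach, and re-run the comparison on a schedule so a wiped, replaced or newly dropped-in script shows up as a diff. The directory layout, the file suffixes watched and the sample files are all constructed for the demo.

```python
"""Baseline-and-compare integrity check for a web root's script files.

Hypothetical helper added for this thread, not a PrestaShop or Sucuri tool.
Idea: hash every watched file under the shop root from a known-clean install,
store the manifest outside the web root, and re-run it on a schedule so an
injected, emptied or replaced module script shows up as 'modified' or 'added'
before a blacklist notices it.
"""
import hashlib
import json
import os
import tempfile

# Assumption: the file types worth tracking in a PHP shop install.
WATCHED_SUFFIXES = (".js", ".php", ".tpl")


def file_sha256(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every watched file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = file_sha256(full)
    return manifest


def diff_manifests(baseline, current):
    """Classify every change between the stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: clean tree, then one script emptied and one dropped in."""
    with tempfile.TemporaryDirectory() as root:
        mod = os.path.join(root, "modules", "examplemodule", "js")
        os.makedirs(mod)
        with open(os.path.join(mod, "script.js"), "w") as fh:
            fh.write("console.log('legit module script');\n")
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'shop'; ?>\n")
        # In real use keep the baseline OFF the web root; it lives in the temp
        # dir here only so the demo is self-contained (.json is not watched).
        baseline_path = os.path.join(root, "baseline.json")
        save_manifest(build_manifest(root), baseline_path)

        # Simulate what the next scheduled run sees after a compromise:
        # the module script wiped (as with the cleansed file reported above)
        # and an unexpected extra script appearing in the module directory.
        with open(os.path.join(mod, "script.js"), "w") as fh:
            fh.write("")
        with open(os.path.join(mod, "jquery.min.js"), "w") as fh:
            fh.write("/* constructed: not really jQuery */\n")

        return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest` once on a freshly restored install and save the output; a cron job that re-runs it and mails a non-empty diff is enough to catch the kind of silent change this thread is about. A baseline taken from an already-compromised install only tells you what changed afterwards, so take it right after rebuilding or updating.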

L.S.

To readers in this thread I cannot stress enough the importance of retiring retirable jQuery libraries found to be vulnerable.
Have retire.js inside the browser or developer’s console, or check online
at https://retire.insecurity.today/#!/scan/, a nifty service brought to us by Erlend Oftedal from Norway (all credits go there).

Often quite a few websites have jQuery libraries installed over time, like liquorice allsorts. :o
“So then what one acquires, one should at a given moment also retire”

How to cure PrestaShop malware attacks through fake jQuery scripts, read:
https://www.getastra.com/blog/911/prestashop-malware-infection/

pol
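To make the "inventory what you have, then retire it" advice concrete, here is an added example (written for this thread; it is not retire.js and not code from any project named above) that lists every jQuery build a page loads, reads the version out of the script URL where possible, and flags builds below a threshold or served from a host you did not expect. The threshold `MIN_OK_VERSION`, the trusted-host list and the sample HTML are all assumptions constructed for the demo; set the threshold from retire.js or the jQuery changelog for your own site.

```python
"""Inventory the jQuery builds a page loads and flag the ones to retire.

Hypothetical helper, not retire.js: it follows the idea from the post above
(find every jQuery copy a site has accumulated) using only the standard
library, so it can run offline against saved HTML.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: builds older than this are treated as needing review.
MIN_OK_VERSION = (3, 5, 0)

# Matches jquery-1.11.3.min.js, /libs/jquery/2.2.4/jquery.js, jquery.min.js?ver=3.4.1
_VERSION_PATTERNS = [
    re.compile(r"jquery[-_.](\d+)\.(\d+)\.(\d+)", re.IGNORECASE),
    re.compile(r"jquery/(\d+)\.(\d+)\.(\d+)/", re.IGNORECASE),
    re.compile(r"jquery[^?]*\?(?:.*&)?(?:ver|v)=(\d+)\.(\d+)\.(\d+)", re.IGNORECASE),
]


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_sources(html):
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.sources


def jquery_version(src):
    """Return (major, minor, patch) parsed from the URL, or None if not visible."""
    for pattern in _VERSION_PATTERNS:
        match = pattern.search(src)
        if match:
            return tuple(int(x) for x in match.groups())
    return None


def audit_jquery(html, trusted_hosts=()):
    """Return one (src, version, reasons) tuple per jQuery-looking script.

    An empty reasons list means nothing to flag. trusted_hosts lists the
    hostnames you expect to serve scripts; a jQuery-looking file from any
    other host is flagged, since bogus 'jQuery' loaders are a common way
    injected code hides on shop sites.
    """
    threshold = ".".join(str(n) for n in MIN_OK_VERSION)
    findings = []
    for src in script_sources(html):
        if "jquery" not in src.lower():
            continue
        reasons = []
        version = jquery_version(src)
        host = urlparse(src).hostname  # None for relative paths
        if version is None:
            reasons.append("version not identifiable from src; inspect the file")
        elif version < MIN_OK_VERSION:
            reasons.append(f"older than {threshold}; retire or upgrade")
        if host and trusted_hosts and host not in trusted_hosts:
            reasons.append(f"served from unexpected host {host}")
        findings.append((src, version, reasons))
    return findings


def distinct_versions(findings):
    """Several different builds on one page is itself a sign of accumulated cruft."""
    return sorted({v for _src, v, _r in findings if v is not None})


# Constructed sample page for the demo; hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/js/jquery-1.11.3.min.js"></script>
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script src="https://cdn.example-untrusted.test/jquery.min.js?ver=3.4.1"></script>
<script src="/modules/examplemodule/js/script.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, version, reasons in audit_jquery(SAMPLE_HTML, trusted_hosts=("code.jquery.com",)):
        print(src, version, "; ".join(reasons) or "ok")
    print("distinct builds:", distinct_versions(audit_jquery(SAMPLE_HTML)))
```

Point it at the saved HTML of each template page rather than just the home page, since PrestaShop modules often pull in their own jQuery copy only on product or checkout pages; a file whose version cannot be read from the URL is the one to open and compare against a known-good copy.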

Hi Polonus and Michael (alan1998)

Thank you both for your input.
Since posting this, Avast! have gotten back in touch with:
[i]I have talked with our virus specialists once again and I received new information.

The provided website isn’t detected by Avast anymore. The results will be visible with next virus definitions update.

We are sorry for the inconvenience. If you have any further questions, don’t hesitate to contact me again.[/i]

I’m not sure what they mean by “detected” but I am assuming that the block is due to be lifted?

Apologies for my ignorance but as I understand your replies - you believe the site has been breached via the tpproductquestion module? Or are these suggestions on how to improve the security?

I’m afraid I have only a passing knowledge of info-sec so please don’t assume much knowledge on my behalf :slight_smile:
I will certainly take a look at upgrading JQuery and see how invasive this might be.

Also regarding Sucuri reporting the website was down - that is odd as it’s reporting 100% uptime in our dashboard; might this have been a very temporary thing between scans?

Thank you both for your time and expertise.
Alexon

[i]I’m not sure what they mean by “detected” but I am assuming that the block is due to be lifted?[/i]
Detected = Blocked / Blacklisted ...

If they’re removing detection, it means it’ll be allowed on Avast! devices once again.

I think my scans may have triggered safety precautions on your domain. The moment I tried to dirb your site, I immediately lost connection to it again. To be clear, Sucuri had no issues scanning it - my client-side tools did. (nmap worked; dirb hasn’t worked for much more than 80 attempts.)

I’m not sure what breached the website, but the easiest way in would’ve likely been Prestashop or Exim. Please understand, fixing one plugin doesn’t fix the rest. Prestashop, Exim, MariaDB/mySQL and any other utility you may have must be updated, otherwise you remain vulnerable to this happening again.

PrestaShop > https://www.prestashop.com/en/download
Exim >> https://www.exim.org/mirrors.html
MariaDB >> https://downloads.mariadb.org/
JQuery >> https://jquery.com/download/
Bind >> https://www.isc.org/download/