Site Flagged for Phishing.

Phil23 · Post by **Phil23** » Sat 23 Sep 2023 10:24 pm

Was recently notified by a few Colleagues that my Site has been marked for Phishing & bring blocked.

Pattern tended to point to users of Telstra Au, but with the first site still being able to visit on one particular PC.
All other PC's Redirect to a Telstra Generated Page that blocks the site.
Have seen it in person at just two clients sites.

Ran a Scan with TotalVirus, https://www.virustotal.com/gui/home/url and it comes up clean.
Lodged this Report with Telstra & they replied with their result that the root, inverellit.com gets a few Positives

https://www.virustotal.com/gui/url/8f15 ... 878b8c7f46
https://www.virustotal.com/gui/url/ddae ... 88e9178a67

Strange thing is though, that I run my Site as a Subdomain.

weather.inverellit.com points to public_html/weather
but Inverellit.com points to public_html/inverellit.com

Strange thing though is that the public_html/inverellit.com directory is essentially empty.
htaccess file that contains only a <lf>,
And empty folders for
.well-known
.well-known/acme-challenge
cgi-bin

Have Browsed all my directories & nothing looks suspicious.

Only other thing that vaguely fits the timing is my 3248 upgrade performed on the 19th, & then first heard the issue mentioned the next day.
Other thing that comes to mind is that maybe a stale DNS record could have been used by a scanner,
pointing to my previous provider that I dumped back in January, when the majority of their customers were compromised.

When using that provider my domain was pointed at 116.0.212.23.

Anyone have any ideas?
Or able to get any further analysis online with other scanning services?

Thanks

Phil.

Mapantz · Post by **Mapantz** » Sun 24 Sep 2023 9:39 am

Check your .htaccess file if you have one. It may contain redirect rules.

BeaumarisWX · Post by **BeaumarisWX** » Sun 24 Sep 2023 7:58 pm

Hi Phil,
Yep shows site blocked on all my Browsers also.

This-website-has-been-blocked-–-Telstra.png

However when checking site here : https://gtmetrix.com/reports/weather.in ... /kOGKsuVy/ it resolves fine.

Latest-Performance-Report-for-http-weather-inverellit-com-GTmetrix.png

Assume the later is cached.
Kind regards,

broadstairs · Post by **broadstairs** » Sun 24 Sep 2023 8:39 pm

Interesting as both sites come up fine for me here in the UK.

Stuart

Post by **water01** » Sun 24 Sep 2023 8:57 pm

I agree both sites came up fine using Edge in the UK.

ConligWX · Post by **ConligWX** » Sun 24 Sep 2023 9:03 pm

when i ran your website on virustotal, it showed 3 vendors flagged your site:

Screenshot 2023-09-24 215909.png

your website is running mixed content - ie, http and https, maybe thats why they are marking you as phishing?

Code: Select all

weather.inverellit.com/:1 Mixed Content: The page at 'https://weather.inverellit.com/' was loaded over HTTPS, but requested an insecure element 'http://cumulussites.net/button.php?u=Phil23'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
weather.inverellit.com/:1 Mixed Content: The page at 'https://weather.inverellit.com/' was loaded over HTTPS, but requested an insecure element 'http://cumulussites.net/button.php?u=Phil23'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html

Screenshot 2023-09-24 220720.png

Post by **freddie** » Sun 24 Sep 2023 9:14 pm

Using virustotal on weather.inverellit.com I get a clean sheet.
Using virustotal on inverellit.com I get multiple hits - mostly phishing but one for malicious content.

Screenshot_20230924-221131.png

Probably a website configuration thing rather than anything real.

Phil23 · Post by **Phil23** » Sun 24 Sep 2023 9:23 pm

As I mentioned at the beginning, there's nothing in the Root Folder for inverellit.com.
The Sub-Domain folder sits beside it in Public_html, not below it.

Checked my htaccess & it's the same as the source, mostly rewrites for the popup graphs.

ConligWX · Post by **ConligWX** » Sun 24 Sep 2023 9:45 pm

it maybe the IP address that your website is on as it is shared with other websites.

Hosts on IP 272 (17 risky)

https://threatyeti.com/search?q=https:/ ... ellit.com/

Phil23 · Post by **Phil23** » Mon 25 Sep 2023 6:54 am

BeaumarisWX wrote: ↑Sun 24 Sep 2023 7:58 pm Hi Phil,
Yep shows site blocked on all my Browsers also.

Telstra need to Wake up to themselves........
Fix their own Sh!#.

Paid my Bill last week; Not including the stated OVERDUE amount. Had paid that 6 days before the current one was issued.

Only took he 40 minutes to pay it on their site.
Just needed to work out I needed to delete their stale cached content & take a sideways link on their pages.

Oh, but I have an old Account they say...
Was ported from our old 2000's system & can cause issues.

Phil23 · Post by **Phil23** » Tue 26 Sep 2023 8:38 pm

ConligWX wrote: ↑Sun 24 Sep 2023 9:45 pm it maybe the IP address that your website is on as it is shared with other websites.

Partially relates to that, but what's worse is that I've found a Rogue Subdomain that points back to my previous Provider.
https://threatyeti.com/search?q=appleid ... rellit.com
That is an IP address I'm familiar with as it's the Vodien Server I was hosted on for years.
Account is still current, but I have no DNS pointing to it.

Can still get to it's cPanel, but can't see much to fix in there.

Edit, Started removing the Http Ref, but work got in the way.

Screenshot 2023-09-27 063052.jpg

Phil23 · Post by **Phil23** » Tue 26 Sep 2023 11:31 pm

Further to all the above, those mystery Subdomains don't resolve anywhere acording to other DNS Servers.

Where that DNS record is located I don't know, but it is not valid on any other Authoritative DNS Servers as seen below.

https://dnschecker.org/all-dns-records- ... ns=dnsauth
https://dnschecker.org/all-dns-records- ... dns=google
https://dnschecker.org/all-dns-records- ... cloudflare

ConligWX · Post by **ConligWX** » Wed 27 Sep 2023 10:24 am

Phil23 wrote: ↑Tue 26 Sep 2023 11:31 pm Further to all the above, those mystery Subdomains don't resolve anywhere acording to other DNS Servers.

Where that DNS record is located I don't know, but it is not valid on any other Authoritative DNS Servers as seen below.

https://dnschecker.org/all-dns-records- ... ns=dnsauth
https://dnschecker.org/all-dns-records- ... dns=google
https://dnschecker.org/all-dns-records- ... cloudflare

they are probably internal DNS to the hosting company, since a tons of domains are using the same external IP address. might be worth contacting the security vendors that are blocking your domain.

Phil23 · Post by **Phil23** » Wed 27 Sep 2023 9:05 pm

ConligWX wrote: ↑Sun 24 Sep 2023 9:03 pm your website is running mixed content - ie, http and https, maybe thats why they are marking you as phishing?

Think I've fixed all those now....

Phil23 · Post by **Phil23** » Wed 27 Sep 2023 9:20 pm

BeaumarisWX wrote: ↑Sun 24 Sep 2023 7:58 pm Hi Phil,
Yep shows site blocked on all my Browsers also.

Had forgotten I'd also pointed my .au to the same home directories.

These should work.

https://weather.inverellit.au/
https://w2.inverellit.au/
https://s7.inverellit.au/

Cumulus Support

Site Flagged for Phishing.

Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.

Re: Site Flagged for Phishing.