
Site Flagged for Phishing.

Posted: Sat 23 Sep 2023 10:24 pm
by Phil23
Was recently notified by a few colleagues that my site has been marked for phishing & is being blocked.

Pattern tended to point to users of Telstra AU, but with the site still able to be visited on one particular PC.
All other PCs redirect to a Telstra-generated page that blocks the site.
Have seen it in person at just two clients sites.

Ran a scan with VirusTotal, https://www.virustotal.com/gui/home/url and it comes up clean.
Lodged this report with Telstra & they replied with their result that the root, inverellit.com, gets a few positives:

https://www.virustotal.com/gui/url/8f15 ... 878b8c7f46
https://www.virustotal.com/gui/url/ddae ... 88e9178a67

Strange thing is though, that I run my Site as a Subdomain.

weather.inverellit.com points to public_html/weather
but Inverellit.com points to public_html/inverellit.com

Strange thing though is that the public_html/inverellit.com directory is essentially empty.
An .htaccess file that contains only a <lf>,
And empty folders for
.well-known
.well-known/acme-challenge
cgi-bin

Have Browsed all my directories & nothing looks suspicious.

Only other thing that vaguely fits the timing is my 3248 upgrade performed on the 19th, & then first heard the issue mentioned the next day.
Other thing that comes to mind is that maybe a stale DNS record could have been used by a scanner,
pointing to my previous provider that I dumped back in January, when the majority of their customers were compromised.

When using that provider my domain was pointed at 116.0.212.23.

Anyone have any ideas?
Or able to get any further analysis online with other scanning services?

Thanks

Phil.

Re: Site Flagged for Phishing.

Posted: Sun 24 Sep 2023 9:39 am
by Mapantz
Check your .htaccess file if you have one. It may contain redirect rules.

Re: Site Flagged for Phishing.

Posted: Sun 24 Sep 2023 7:58 pm
by BeaumarisWX
Hi Phil,
Yep shows site blocked on all my Browsers also.
This-website-has-been-blocked-–-Telstra.png
However when checking site here : https://gtmetrix.com/reports/weather.in ... /kOGKsuVy/ it resolves fine.
Latest-Performance-Report-for-http-weather-inverellit-com-GTmetrix.png
Assume the latter is cached.
Kind regards,

Re: Site Flagged for Phishing.

Posted: Sun 24 Sep 2023 8:39 pm
by broadstairs
Interesting as both sites come up fine for me here in the UK.

Stuart

Re: Site Flagged for Phishing.

Posted: Sun 24 Sep 2023 8:57 pm
by water01
I agree both sites came up fine using Edge in the UK.

Re: Site Flagged for Phishing.

Posted: Sun 24 Sep 2023 9:03 pm
by ConligWX
When I ran your website on VirusTotal, it showed 3 vendors flagged your site:

Screenshot 2023-09-24 215909.png

Your website is running mixed content - i.e. http and https, maybe that's why they are marking you as phishing?


weather.inverellit.com/:1 Mixed Content: The page at 'https://weather.inverellit.com/' was loaded over HTTPS, but requested an insecure element 'http://cumulussites.net/button.php?u=Phil23'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
weather.inverellit.com/:1 Mixed Content: The page at 'https://weather.inverellit.com/' was loaded over HTTPS, but requested an insecure element 'http://cumulussites.net/button.php?u=Phil23'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
Screenshot 2023-09-24 220720.png
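The browser console lines above show one way of finding mixed content, but only for the page you happen to load. The following is an added example (not code from the thread, from Cumulus, or from any scanner named here) that does the same check offline over a page's HTML: it resolves every subresource URL against the page URL and reports those still fetched over plain http://. The sample HTML is constructed for the demo; apart from the cumulussites.net button from the console output, the hostnames in it are made up.

```python
"""Mixed-content scanner for an https:// page (added example, not from the thread).

A page served over HTTPS that pulls scripts, images, frames or stylesheets over
plain HTTP is "mixed content": browsers auto-upgrade or block the request and
URL-reputation scanners treat it as a negative signal. This walks the HTML and
reports every such subresource. Plain <a href="http://..."> links are
navigation, not subresources, and are deliberately not reported.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attributes that load a subresource (not an exhaustive list)
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
    "object": ("data",),
    "embed": ("src",),
}
# <link> only fetches something for these rel values; rel="canonical" etc. do not
LINK_RELS_THAT_FETCH = {"stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LINK_RELS_THAT_FETCH:
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            if attr == "srcset":
                # srcset is "url descriptor, url descriptor, ..."; keep the URLs only
                parts = [c.strip().split() for c in value.split(",")]
                candidates = [p[0] for p in parts if p]
            else:
                candidates = [value]
            for cand in candidates:
                # relative and protocol-relative (//host/x) URLs inherit the page scheme
                absolute = urljoin(self.page_url, cand)
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, attr, absolute))


def find_mixed_content(page_url, html):
    """Return [(tag, attr, url)] for every http:// subresource on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a page that is itself HTTPS
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; hostnames other than cumulussites.net are invented.
SAMPLE_PAGE_URL = "https://weather.inverellit.com/"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="canonical" href="http://weather.example.test/">
<script src="http://cdn.example.test/lib.js"></script>
</head><body>
<img src="http://cumulussites.net/button.php?u=Phil23" alt="button">
<img src="//static.example.test/logo.png">
<a href="http://links.example.test/">a link, not a subresource</a>
<img srcset="http://img.example.test/a.png 1x, https://img.example.test/b.png 2x">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
```

Run it against the saved HTML of each page (including the popup graph pages reached through the .htaccess rewrites), since the console only reports the page currently open. The fix on the page side is to reference those resources as https:// or protocol-relative URLs, or to add a Content-Security-Policy of upgrade-insecure-requests if every third-party host actually serves HTTPS.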

Re: Site Flagged for Phishing.

Posted: Sun 24 Sep 2023 9:14 pm
by freddie
Using virustotal on weather.inverellit.com I get a clean sheet.
Using virustotal on inverellit.com I get multiple hits - mostly phishing but one for malicious content.
Screenshot_20230924-221131.png
Probably a website configuration thing rather than anything real.

Re: Site Flagged for Phishing.

Posted: Sun 24 Sep 2023 9:23 pm
by Phil23
As I mentioned at the beginning, there's nothing in the Root Folder for inverellit.com.
The Sub-Domain folder sits beside it in Public_html, not below it.

Checked my htaccess & it's the same as the source, mostly rewrites for the popup graphs.

Re: Site Flagged for Phishing.

Posted: Sun 24 Sep 2023 9:45 pm
by ConligWX
It may be the IP address that your website is on, as it is shared with other websites.

Hosts on IP 272 (17 risky)

https://threatyeti.com/search?q=https:/ ... ellit.com/

Re: Site Flagged for Phishing.

Posted: Mon 25 Sep 2023 6:54 am
by Phil23
BeaumarisWX wrote: Sun 24 Sep 2023 7:58 pm Hi Phil,
Yep shows site blocked on all my Browsers also.
Telstra need to Wake up to themselves........
Fix their own Sh!#.

Paid my Bill last week; Not including the stated OVERDUE amount. Had paid that 6 days before the current one was issued.

Only took me 40 minutes to pay it on their site.
Just needed to work out I needed to delete their stale cached content & take a sideways link on their pages.

Oh, but I have an old Account they say...
Was ported from our old 2000's system & can cause issues.

Re: Site Flagged for Phishing.

Posted: Tue 26 Sep 2023 8:38 pm
by Phil23
ConligWX wrote: Sun 24 Sep 2023 9:45 pm it maybe the IP address that your website is on as it is shared with other websites.
Partially relates to that, but what's worse is that I've found a Rogue Subdomain that points back to my previous Provider.
https://threatyeti.com/search?q=appleid ... rellit.com
That is an IP address I'm familiar with as it's the Vodien Server I was hosted on for years.
Account is still current, but I have no DNS pointing to it.

Can still get to its cPanel, but can't see much to fix in there.

Edit, Started removing the Http Ref, but work got in the way.
Screenshot 2023-09-27 063052.jpg

Re: Site Flagged for Phishing.

Posted: Tue 26 Sep 2023 11:31 pm
by Phil23
Further to all the above, those mystery subdomains don't resolve anywhere according to other DNS servers.

Where that DNS record is located I don't know, but it is not valid on any other Authoritative DNS Servers as seen below.

https://dnschecker.org/all-dns-records- ... ns=dnsauth
https://dnschecker.org/all-dns-records- ... dns=google
https://dnschecker.org/all-dns-records- ... cloudflare
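The manual checks in the last few posts (look the names up on the authoritative servers, on Google and Cloudflare resolvers, and see which of them still point at the old provider's address) can be turned into a repeatable audit. The block below is an added example, not code from the thread or from any tool mentioned in it. It takes the answers you have already collected per resolver (what `dig +short A <name> @<resolver>` returns; `None` for NXDOMAIN or no answer), your own inventory of names you actually created, and the addresses of providers you have left, and flags three things: names you never created, names still pointing at a retired provider, and names whose answers differ between resolvers. The observations are constructed; the only real address in them is the old-provider IP quoted in the first post, the rest are RFC 5737 test addresses, and `login.inverellit.com` is a hypothetical stand-in for the rogue name.

```python
"""Stale/rogue subdomain audit from per-resolver DNS answers (added example).

observations: {resolver_label: {fqdn: ip_or_None}}  -- None = NXDOMAIN / no answer
inventory:    set of fqdns the domain owner knowingly created
retired_ips:  set of IPs belonging to hosting you no longer use

A name that answers on one source but nowhere else is usually a zone still
served by a former host (their internal DNS, or a zone file left in a cPanel
account), which is exactly what reputation scanners will crawl.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str   # not-in-inventory | retired-provider-ip | inconsistent-resolvers
    detail: str


def audit_dns(observations, inventory, retired_ips):
    findings = []
    names = sorted({n for answers in observations.values() for n in answers})
    for name in names:
        answers = {label: observations[label].get(name) for label in observations}
        seen_ips = {ip for ip in answers.values() if ip}
        if name not in inventory:
            findings.append(Finding(name, "not-in-inventory", f"answers={answers}"))
        for ip in sorted(seen_ips & set(retired_ips)):
            sources = [label for label, a in answers.items() if a == ip]
            findings.append(Finding(name, "retired-provider-ip", f"{ip} via {sources}"))
        if len(set(answers.values())) > 1:
            findings.append(Finding(name, "inconsistent-resolvers", f"answers={answers}"))
    return findings


# --- constructed sample data -------------------------------------------------
RETIRED_PROVIDER_IPS = {"116.0.212.23"}  # old-provider address from the first post
INVENTORY = {"inverellit.com", "weather.inverellit.com"}
CURRENT_IP = "198.51.100.10"              # RFC 5737 test address standing in for the live host
SAMPLE_OBSERVATIONS = {
    "authoritative": {
        "inverellit.com": CURRENT_IP,
        "weather.inverellit.com": CURRENT_IP,
        "login.inverellit.com": None,        # hypothetical rogue name: NXDOMAIN here
    },
    "google-8.8.8.8": {
        "inverellit.com": CURRENT_IP,
        "weather.inverellit.com": CURRENT_IP,
        "login.inverellit.com": None,
    },
    "cloudflare-1.1.1.1": {
        "inverellit.com": CURRENT_IP,
        "weather.inverellit.com": CURRENT_IP,
        "login.inverellit.com": None,
    },
    "old-provider-resolver": {               # the former host still serving its copy of the zone
        "inverellit.com": "116.0.212.23",
        "weather.inverellit.com": CURRENT_IP,
        "login.inverellit.com": "116.0.212.23",
    },
}

if __name__ == "__main__":
    for f in audit_dns(SAMPLE_OBSERVATIONS, INVENTORY, RETIRED_PROVIDER_IPS):
        print(f"{f.reason:24} {f.name:28} {f.detail}")
```

Anything reported as retired-provider-ip or not-in-inventory is what to delete from the old cPanel zone (and, if the old account is not needed, close the account so nothing can serve that zone at all); inconsistent-resolvers with the authoritative answer on one side and a single odd source on the other is the signature of exactly that leftover zone.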

Re: Site Flagged for Phishing.

Posted: Wed 27 Sep 2023 10:24 am
by ConligWX
Phil23 wrote: Tue 26 Sep 2023 11:31 pm Further to all the above, those mystery Subdomains don't resolve anywhere acording to other DNS Servers.

Where that DNS record is located I don't know, but it is not valid on any other Authoritative DNS Servers as seen below.

https://dnschecker.org/all-dns-records- ... ns=dnsauth
https://dnschecker.org/all-dns-records- ... dns=google
https://dnschecker.org/all-dns-records- ... cloudflare
They are probably internal DNS at the hosting company, since tons of domains are using the same external IP address. Might be worth contacting the security vendors that are blocking your domain.

Re: Site Flagged for Phishing.

Posted: Wed 27 Sep 2023 9:05 pm
by Phil23
ConligWX wrote: Sun 24 Sep 2023 9:03 pm your website is running mixed content - ie, http and https, maybe thats why they are marking you as phishing?
Think I've fixed all those now....

Re: Site Flagged for Phishing.

Posted: Wed 27 Sep 2023 9:20 pm
by Phil23
BeaumarisWX wrote: Sun 24 Sep 2023 7:58 pm Hi Phil,
Yep shows site blocked on all my Browsers also.
Had forgotten I'd also pointed my .au to the same home directories.

These should work.

https://weather.inverellit.au/
https://w2.inverellit.au/
https://s7.inverellit.au/