Netlify's IP address 75.2.60.5 is marked as unsafe by Avast

Hi guys. Our site is this one 69f.netlify.app, hosted on Netlify and pointing to a Google domain via an A type record, e.g. A 75.2.60.5.
Our users are reporting that Avast antivirus is blocking access to the site because of it being a phishing URL.
We’ve run a Sucuri check and it comes back as OK. Then we scanned the IP address 75.2.60.5 with https://www.scumware.org/ and it reported 2 malicious websites on the same IP address.


So our site is not infected, but because it shares an IP it is deemed unsafe by Avast.
The most obvious solution would be to move to a dedicated IP but maybe there are some other ways to solve this? This should be affecting a lot of Netlify customers.

Hey @ihorbond

A little digging and cURLing on top of browser testing paints a slightly clearer picture of this.

When I curl http://whatsmyname.tech I see

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>What's My Name: Name Generator</title>
    <link rel="stylesheet" href="styles.css">
  </head>
  <body>
	<script src="index.js"></script>
<h1 id="titre">What's My Name </h1>
<div id = get_started><button onclick="window.location.href='generator_form.html';">Get Started</button>
</div>
    </body>
</html>

The styles.css, index.js and generator_form.html are all equally as tame in terms of content. I would definitely say there is nothing on here (that is published as a known path) that contains a trojan.

Using Chrome however I see this, which is certainly not the same result as above.

cURL explains this behaviour

$ dig whatsmyname.tech A +noall +answer
whatsmyname.tech.	1538	IN	A	66.96.162.142
whatsmyname.tech.	1538	IN	A	75.2.60.5

Their domain uses NS1 nameservers and has multiple A records. One shows the very simple HTML from Netlify, the other a page with an <iframe> that loads another (possibly dodgy) placeholder site.

I also downloaded the file from https://celestiusrvr.com/ and scanned with AVG (same thing as Avast) and it found no issues.

AVG did not attempt to block access to either site, though my ISP did try to block the first.

These are, potentially, false positives IMHO.

1 Like
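The check described in the reply above, as an added example that is not part of any poster's message: it reads `dig +noall +answer` output, lists A records that fall outside the set the site owner expects, and prints one `curl --resolve` command per record so each address can be fetched and compared separately. The function names and the choice of 75.2.60.5 as the only expected address are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a hostname's A records against the expected address(es).

# stray_a_records "IP1 IP2 ..." < dig_answer_output
# Prints every A record address that is NOT in the expected list, one per line.
stray_a_records() {
    awk -v expected="$1" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $3 == "IN" && $4 == "A" && !($5 in ok) { print $5 }
    '
}

# pinned_fetch_cmds HOST < dig_answer_output
# Prints one curl command per A record, pinned to that address with --resolve,
# so the body served by each record can be saved and diffed.
pinned_fetch_cmds() {
    awk -v host="$1" '
        $3 == "IN" && $4 == "A" {
            printf "curl -s --resolve %s:80:%s http://%s/\n", host, $5, host
        }
    '
}

# The dig answer section quoted in the thread, embedded so this runs offline.
sample_dig() {
    printf '%s\n' \
        'whatsmyname.tech. 1538 IN A 66.96.162.142' \
        'whatsmyname.tech. 1538 IN A 75.2.60.5'
}

# Assumption: 75.2.60.5 (the Netlify address named in the thread) is the only
# address this site is meant to resolve to.
sample_dig | stray_a_records "75.2.60.5"
sample_dig | pinned_fetch_cmds "whatsmyname.tech"
```

Against a live zone, pipe `dig example.com A +noall +answer` into the same functions in place of `sample_dig`.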

Thank you for checking it out! Not gonna lie, I don’t completely understand how this works, like why when curling it loads the Netlify hosted HTML, and when navigating in the browser something else. Just a server config? My ISP blocks the first one as well actually. For the time being, I’ve reported a false positive to Avast; hopefully they can resolve it quickly, otherwise we’d have to just move to a different IP.

If you can load the Netlify version, this is what you would see:

This I was able to achieve by using Opera’s built-in VPN set to Americas. Using other locations renders a “this site is blocked” message.

So the content served is based on the location it is requested from.

1 Like