
Our domain opensaas.sh got blacklisted due to shared dynamic IP and we can't get rid of it #172

Open
joeygeo opened this issue Jun 8, 2024 · 20 comments

Comments

@joeygeo

joeygeo commented Jun 8, 2024

Why is Avast antivirus saying that opensaas.sh website is malicious? You may want to check with them for false positives.

@Martinsos
Member

Hm that is silly! Does it give any extra information? How can we reproduce this: install Avast on Windows and open opensaas.sh in Chrome?

@joeygeo
Author

joeygeo commented Jun 8, 2024

Yes, exactly those steps. I am attaching a screenshot.
I am using Brave browser in this case, but I already tried with Chrome, and it has the same issue.
Just check VirusTotal, which also lists one security vendor: https://www.virustotal.com/gui/url/9ff89c2363f8b07c1a03313e0565d556dee978934748e0c8ce097b9bfd7826cc

image

@Martinsos
Member

This is great, thanks! So I told it to run analysis again, and now I got all good! Was it some temporary false positive on their side?

image

@joeygeo could you also please check on your side again, whether it also tells you all is good now? I will close the issue for now, but if it is still reporting an issue for you, let me know and I will reopen it.

@joeygeo
Author

joeygeo commented Jun 10, 2024

VirusTotal looks fine, but Avast still says blacklisted. I have raised a false positive report with them...
That may take a few days... I will report back what they say.

Weirdly enough, even the emails that are coming from GitHub for this repo are marked as suspicious...
Note that I do get comments from other GitHub repos, and they are clean.

@Martinsos
Member

VirusTotal looks fine, but Avast still says blacklisted. I have raised a false positive report with them... That may take a few days... I will report back what they say.

Weirdly enough, even the emails that are coming from GitHub for this repo are marked as suspicious... Note that I do get comments from other GitHub repos, and they are clean.

Thanks for making that report! Ok, let's see; if needed we can also try reaching out to them and try to figure out what is causing this. It would be great if we can somehow get an insight into what is triggering this, maybe the .sh extension?

@joeygeo
Author

joeygeo commented Jun 10, 2024

Unlikely... it's mostly the content of the HTML generated by a website. Check all external links in your website code.

@Martinsos
Member

Thanks @joeygeo .

I just managed to replicate this via Avast Chrome extension:

image

I am reopening the issue in any case, since you said Avast still reports it as problematic on your side, and I was also able to replicate it.

What we can try:

  1. Go through our page, try to figure out what could be triggering this.
  2. Reach out to Avast, try to get more info on what is causing this, if they will want to tell us.
  3. Maybe find some other services that can check our page for any weird stuff, maybe that helps us detect what might be triggering this.

@Martinsos
Member

Martinsos commented Jun 10, 2024

I sent a false positive report to Avast, asking for help.

I also checked the webpage on Google's checker, which says it is clean: https://transparencyreport.google.com/safe-browsing/search?url=opensaas.sh&hl=en .

@Martinsos
Member

Martinsos commented Jun 10, 2024

Some peculiar elements we include on the landing page are:

  1. YouTube video.
  2. ProductHunt card, which is in an iframe.

Could that iframe be somehow connected to this? Hm.

@joeygeo
Author

joeygeo commented Jun 11, 2024

Did some more digging and found this from IPQS: https://www.ipqualityscore.com/threat-feeds/malicious-url-scanner/https%3A%2F%2Fopensaas.sh%2F

URL Analysis Report:
This URL is rated as suspicious due to matching indicators of similar malicious URLs. We have detected that Fly/b5051385 (2024-06-10) is running on this server, with a hosted IP address at 66.241.124.242.

@rugs07

rugs07 commented Jun 11, 2024

Same issue for me with AVG antivirus; I just turn off the web shield to open the opensaas site.

@Martinsos
Member

Martinsos commented Jun 11, 2024

Did some more digging and found this from IPQS: https://www.ipqualityscore.com/threat-feeds/malicious-url-scanner/https%3A%2F%2Fopensaas.sh%2F

URL Analysis Report: This URL is rated as suspicious due to matching indicators of similar malicious URLs. We have detected that Fly/b5051385 (2024-06-10) is running on this server, with a hosted IP address at 66.241.124.242.

Thanks, this helps a lot! Sounds like it based the verdict on the IP that our app is deployed on at Fly.io. I am guessing that some other app on Fly was using that IP in the past, was doing something malicious/weird and got flagged, and now we got their IP. So it might be enough to just change that IP. I will reach out to Fly.io to see what they advise.

@Martinsos
Member

Martinsos commented Jun 11, 2024

Ok yeah, it seems it is definitively this. It turned out our client for opensaas.sh was sharing an IP with other apps on Fly.io, which I wasn't aware of, and one of those apps must have been doing something bad. I will now opt in for a dedicated IP and set up the domain to point to this new IP, and I imagine that should solve the current problem + prevent it from possibly happening again in the future.

@Martinsos
Member

Ok, did this! The A record now points to the new, dedicated IP. I will leave the dynamic IP on Fly for a day or so to make sure all DNS records are updated and will remove it then.
I also made another false positive report to Avast with more info this time (info about Fly and shared IPs), so I hope that will help.

@Martinsos
Member

I removed the dynamic IP, so now we have completely switched to a fully dedicated IP, but that report still says we are suspicious! And now with this new IP. But what remained constant is the mention of Fly/b5051385 (2024-06-10), which was also in the older report when it was mentioning the old IP. So I wonder if this is really what is triggering it. Is this a machine id on Fly? Or some part of their network? I don't know; I asked them what this is, so we can figure out what we need to change. The best I can think of is getting rid of the existing Fly machines we have for the client and procuring new ones, but I would love to understand better what Fly/b5051385 (2024-06-10) is first.

@Martinsos
Member

I just made a false positive report to https://www.ipqualityscore.com/ also.

@Martinsos
Member

I learned that Fly/... is a header that Fly adds to the responses. But I am not so sure the Fly header is the issue anymore. I checked our other apps hosted on Fly and they are not recognized as malicious, even though they have exactly the same header!
So either it has something to do with our page directly (the URL? It uses .sh as a domain, could that be suspicious? Or the word saas?), or maybe it did get flagged due to the shared IP but now that flag is stuck to the URL.
So I'm out of ideas currently, except for waiting to see if the false positive reports help.

@Martinsos
Member

Martinsos commented Jun 14, 2024

I removed Fly's headers by adding to fly.toml file:

[http_service.http_options.response]
  pristine = true

and that got them removed, but still doesn't help.

One thing I did, though, was check https://open-saas-wasp-sh-client.fly.dev/ on IPQS, and for this one it says it is ok! This is the real URL of the Open SaaS client, while https://opensaas.sh is a redirect. Meaning that the problem is not with the page itself, but with the domain. Additionally, it also reports https://docs.opensaas.sh as malicious, which is an Astro page, so totally different code, and deployed on Netlify, so both code and hosting are different. So it must be a false positive based exclusively on the opensaas.sh domain.

If that is so, and I am now quite confident it is, I don't see what we can do besides asking them to remove that false positive from our domain, or to actually change the domain, which I really don't want to do.
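The isolation reasoning in the comment above (same IP and same Fly header but a clean verdict for the fly.dev URL; different code, hosting and IP but a flagged verdict for docs.opensaas.sh) can be written down as a small check. This is an added example, not code from this thread or from the Open SaaS project: it records each scan as host/IP/server-header/verdict and reports which attribute's values alone account for every verdict. The IP 66.241.124.242, the Fly server header value and the verdicts come from the thread; the dedicated IP, the docs site's IP and its server header are constructed placeholders.

```python
"""Which attribute does a URL-reputation verdict follow?

Added example; IPs other than 66.241.124.242 and the docs server header are constructed.
"""
from collections import defaultdict

FLY_SERVER = "Fly/b5051385 (2024-06-10)"  # 'server' header value quoted in the thread

# Constructed observations mirroring the scans described in the thread:
# host, resolved IP, value of the 'server' response header, scanner verdict.
OBSERVATIONS = [
    {"host": "opensaas.sh", "ip": "66.241.124.242", "server": FLY_SERVER, "flagged": True},  # shared Fly IP
    {"host": "opensaas.sh", "ip": "203.0.113.10", "server": FLY_SERVER, "flagged": True},  # dedicated IP (constructed)
    {"host": "opensaas.sh", "ip": "203.0.113.10", "server": None, "flagged": True},  # after pristine = true
    {"host": "open-saas-wasp-sh-client.fly.dev", "ip": "203.0.113.10", "server": FLY_SERVER, "flagged": False},
    {"host": "docs.opensaas.sh", "ip": "198.51.100.7", "server": None, "flagged": True},  # Netlify (constructed)
]


def registered_domain(host: str) -> str:
    """Last two DNS labels; fine for these hosts, not for multi-label suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Attribute name -> how to read it from one observation.
ATTRIBUTES = {
    "ip": lambda o: o["ip"],
    "server": lambda o: o["server"],
    "domain": lambda o: registered_domain(o["host"]),
}


def explains_verdict(observations, attributes=ATTRIBUTES):
    """Map each attribute to True if every value of it is seen with exactly one verdict.

    A value observed both flagged and clean rules that attribute out as the
    scanner's key; an attribute that separates the two sets stays a candidate.
    """
    result = {}
    for name, read in attributes.items():
        verdicts_by_value = defaultdict(set)
        for obs in observations:
            verdicts_by_value[read(obs)].add(obs["flagged"])
        result[name] = all(len(v) == 1 for v in verdicts_by_value.values())
    return result


if __name__ == "__main__":
    for name, consistent in explains_verdict(OBSERVATIONS).items():
        print(f"{name:7s} {'candidate' if consistent else 'ruled out'}")
```

With the thread's observations, `ip` and `server` are ruled out and only `domain` remains, which is the conclusion reached above; adding a scan of a second, unrelated .sh domain would be the next row to test the ".sh TLD" hypothesis.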

@joeygeo
Author

joeygeo commented Jun 15, 2024

I don't see this issue with other .sh domains.
I think this was just the IP issue that you mentioned earlier. Now the security firms have to update their db, which is usually at a corporate pace.

@Martinsos
Member

I probably worded it badly, but yeah, I also don't think it has anything to do with the .sh domain, but with our specific opensaas.sh domain, due to getting tainted by that shared IP.
Yes, I hope they will update their databases with time! I can try submitting some more reports in the future, but for now I don't have any more ideas.

@Martinsos Martinsos changed the title Avast says opensaas.sh is malicious! Avast flagged our domain opensaas.sh as malicious Jun 25, 2024
@Martinsos Martinsos changed the title Avast flagged our domain opensaas.sh as malicious Our domain opensaas.sh got blacklisted due to shared dynamic IP and we can't get rid of it Jun 25, 2024