Does anyone have Avast reporting a false positive on web protection? - web

I have a website built on the HTML5 initializr.com bootstrap code.
Until last week it worked fine. Today my AVAST antivirus installed on Windows started blocking navigation on this website because of Infection: JS:Decode-AQE [Trj] (Trojan Horse, it says...)
Well, the files on the server haven't been modified in a month. That was my first check, in case someone had tried to hack the site.
So nothing changed in the files. Furthermore, on other systems without AVAST the website runs fine.
Actually, I have seen hacked websites before, and in such a case it's Google itself blocking the website because it contains malware. (This website is correctly indexed by Google; no malware detected.)
The only solution I have found until now is to whitelist the domain name in AVAST, but I wish there were something better.
Also... since this website is made upon very standard code... I imagine more people will have this problem with clients running Avast AV.
What do you suggest?

I've found that there are more cases of false positives with Avast on web protection.
If this ever happens to you, first check whether your website is really clean with an online tool such as:
http://sitecheck.sucuri.net/
(Anyway, Google is usually the first entity reporting malware to you:
look in Webmaster Tools -> Health -> Malware)
and then report the false positive to Avast at:
http://www.avast.com/contact-form.php

Find out whether web app or server is compromised

I'm a rather experienced web developer and have Plesk Onyx running on my dedicated server. It features 2FA via Google Authenticator. Inside Plesk, I added multiple WordPress-based webpages of mine and of friends of mine. All of these WordPress installations are securely installed by Plesk and access is hardened by moving the admin area, globally disabling comments, 2FA, and so on.
Now a few days ago, a friend told me he was seeing massive ads on my webpage. Since the server also serves my company's page, that is perhaps something to take seriously - so I did. However, I couldn't reproduce the ads or the pop-ups, etc. - at all -, neither on my Windows machines (10 and Server 2016), nor on any mobile or laptop device. Yesterday, I was viewing my webpage with a friend of mine (desktop PC). And all of a sudden, ads showed up when he clicked links in my WP menu and the like. Very pushy, very many, absolutely... unacceptable.
I introduced myself as a rather experienced web developer. However, I don't know how to tackle this: whether my server was actually hacked or compromised, some WordPress plugin is messing about with ads (however, my friend found problems on multiple sites that are not using the same plugins), or whatever. I think Plesk and WP are both strong and shouldn't be compromised that easily. Besides, I didn't notice anything further.
How do I tackle this?
Did you try Revisium Antivirus to scan your websites? It is available in the Plesk extensions. I had a similar issue and Revisium Antivirus found all the files that were infected.
Also, check your friend's PC (web browser) for malware. There is some malware (hidden software) which can run ads or add strange links to your website. So, in that case, it has nothing to do with your server or websites.

Can security patches in Magento be seen if they are installed manually?

Someone contacted me telling me that my Magento company website was not secure, and they pointed me to http://www.magereport.com/scan/. I told them that the patches were installed manually, which is what I was told at the time by the developers. I double-checked with the developers and they told me that manually applied patches will not be considered by that URL. However, I checked this other one, https://magento.com/security-patch, and it says that the website appears to be safe (including the "bespoke" admin URL).
Could anyone confirm whether it is true that manually installed patches can't show up in those URLs?
On the one hand I have to trust my developers, and I believe they are telling the truth, but on the other hand I had a couple of people (probably trying to sell something) telling me something different. In the meantime I want to make sure the site is safe, and that there is no compromise of our customers' details.
What would you recommend as the best plan of action?
Magento version is 1.8.1.0.
Many thanks for your honest help!
I am checking my Magento website regularly (once a week) with:
http://mxtoolbox.com/ (IP and domain blacklist check)
http://sitecheck.sucuri.net/ (malware check)
http://www.unmaskparasites.com/ (malware check)
http://www.magereport.com/ (Magento security patch check)
You can trust these websites, and I think they are enough to check these sites.
http://www.magereport.com/scan/ is very accurate. I would trust your developers.
Magereport checks the site from the front end and cannot see whether your PHP files are completely patched. You should check out the Magefence extension, which checks your site from the back end by scanning the PHP files for each security patch, besides other security features. This is the most complete security extension for regular site owners. https://www.extensionsmall.com/mage-fence-security.html

Delphi applications considered 'dangerous' by Google Chrome

I often produce mathematical software in Delphi 2009 and publish it on my website. However, for the last year or so, Google Chrome has started to consider a small (but increasing!) number of my EXEs 'harmful', and Google Chrome refuses to download them.
For example, today I wrote a program that visualises the Lorenz attractor. You can find it at https://specials.rejbrand.se/chaos/lorenz/; it's lorenz.exe.
When I use Google Chrome to download this EXE, the following prompt appears:
(Yeah, I actually did try it three times...)
This is Swedish, and the text says "%s is harmful and has been blocked by Chrome". The button says "Remove permanently", and the drop-down menu doesn't offer any other actions (like "I know the file is safe, please let me have it").
Obviously, this is kind of a problem. As far as I know, the EXEs are perfectly safe. At least the code I have written is not harmful in any way, but I suspect there is a theoretical possibility that the Delphi compiler has started to add harmful code behind my back.
Questions
Is there something harmful about my EXEs?
Is there some way to make Google Chrome not block my EXEs?
I could reproduce this behavior in Chrome with your original EXE.
Is there some way to make Google Chrome not block my EXEs?
I can confirm that after I digitally signed it (with my company's code signing certificate) Google Chrome downloaded this file without any issues. This is the most efficient (maybe the only) way to avoid this kind of problem.
Another quick solution is to pack the EXE with RAR. Chrome downloaded it with no problem.
Surely this is a false positive "detection" by Google Chrome. My antivirus (NOD32) did not find any problem, and other browsers did not have any issues with your EXE.
NOTE also that your domain might have issues (be flagged), as Sertac mentioned. If I download your original EXE from my website, the error message is "%s is not commonly downloaded and could be dangerous". The same goes for any other EXE I uploaded to MY site. (You still have an option to "Keep" the file.)
See also here: Google Chrome Browser Will Block Dangerous Downloads
Especially this:
As welcome as the new features are, Chrome is in the unusual position of playing catch up to Internet Explorer 9, which features an arguably superior method of blocking potentially malicious downloads. Microsoft's SmartScreen Application Reputation rates downloads in three ways: whether they're digitally signed, the reputation of the author, and--arguably most importantly--how many times the file has been downloaded by others.
"Is there something harmful about my EXEs?"
No.
Here's a link to the results of Jotti's malware scan (which reports: 22 out of 22 scanners "found nothing"):
http://virusscan.jotti.org/en/scanresult/df25dbecfccc5d10862f52236d664d48d0c72058
The link to virustotal scan (detection ratio = 0/53):
https://www.virustotal.com/en/file/51d9d637a17f5876c371e5eec164e1dc48a35c56900a3235a9c656d10687814a/analysis/1408587813/
"Is there some way to make Google Chrome not block my EXEs?"
One option is to make it block nothing; evidently it's crap anyway. The option is in the "privacy" section of "advanced settings"; here are the instructions:
https://support.google.com/chrome/answer/4412392?p=ib_download_blocked&rd=1
Otherwise, you can check what Google thinks about the safety of your site:
http://www.google.com/safebrowsing/diagnostic?site=rejbrand.se
The report seems to be somewhat indeterminate. Here's a quote (for rejbrand.se):
Has this site hosted malware?
Yes, this site has hosted malicious
software over the past 90 days. It infected 0 domain(s), including .
Presumably you can also request a site review in the security issues section of Google Webmaster Tools. But apparently it's not always fruitful. That last link also suggests there's a way to send samples to Google hoping that they would analyze them better (AFAICT it's not part of Webmaster Tools), but this might not turn out to be practical depending on the number of executables/versions you produce.
This is a fairly common problem, actually. Because Delphi makes software development easy and has no external runtime dependencies, it tends to get used for writing malware, unfortunately. And so some virus scanner heuristics that are supposed to detect malware instead end up detecting parts of the Delphi RTL.
The best thing to do is to do a bit of research and find out how Chrome is making this determination, and then send the people behind the virus scanner giving the false positives a copy of your EXE(s) with an explanation that this is a false positive and needs to be fixed.
I have equally been frustrated by this warning, and without going into a rant about how ridiculous the whole thing is, I will share the solution that worked for me.
I have found that double zipping got rid of the warning right away: zip your files, then zip the resulting zip file, and the warning will disappear upon downloading.
The user will have to unzip 2 files to get to your files, but that is a much lesser inconvenience than the dangerous warning.

Where to look in my Joomla installation for the pharmacy hack?

We've discovered today that our Joomla website has been hacked by a pharmacy trojan.
It was difficult to discover because most users don't see it when visiting our website.
One user reported about 2 weeks ago that our site contains viagra/pharmacy spam.
We looked into it, but found nothing. The conclusion was that the user's computer was infected.
Yesterday another user reported this problem, so I started to investigate again.
One hour later I discovered that the site is indeed infected.
When I visit this webpage with my web browser all is fine:
http://www.outertech.com/en/bookmark-manager
But if I do a Google Translate of this webpage I see the infection (viagra and cialis links):
http://translate.google.com/translate?sl=en&tl=de&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.outertech.com%2Fen%2Fbookmark-manager
The same happens if I use curl:
curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://www.outertech.com/en/bookmark-manager
As a next step I made a backup (Akeeba) of the website and transferred it to a local XAMPP installation for further investigation.
The local XAMPP installation with the website has the same problem, so indeed the Joomla installation is infected.
A visit to
http://localhost/en/bookmark-manager
shows no problems, but
curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://localhost/en/bookmark-manager
contains the viagra links.
I've looked for hours at the (mostly PHP) files, did a lot of greps etc., but I cannot find anything suspicious.
VirusTotal and Google Webmaster Tools report the site as clean.
I did an audit on myjoomla.com, but no malware was found.
I would be really grateful if someone could point me in the right direction.
Where should I look inside my Joomla installation for this hack?
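The user-agent comparison the question describes (a plain browser view versus a crawler view) is the detection step worth automating. The following is an added example, not code from the original thread or from the Joomla project: it extracts the anchors from two copies of a page and reports links that appear only in the crawler's copy, flagging the ones whose URL or text contains pharmacy spam terms. The sample HTML, the `spam.example` host and the `SPAM_TERMS` list are constructed for the demonstration; `compare_live` needs network access and is the only part that touches a real site.

```python
import html.parser
from urllib.request import Request, urlopen

# Constructed keyword list; extend it with whatever the reporting user saw.
SPAM_TERMS = ("viagra", "cialis", "pharmacy")

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
CRAWLER_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"


class LinkCollector(html.parser.HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def extract_links(doc):
    parser = LinkCollector()
    parser.feed(doc)
    return parser.links


def cloaked_links(browser_doc, crawler_doc, spam_terms=SPAM_TERMS):
    """Links served only to the crawler; each is (href, text, looks_like_spam)."""
    seen = set(extract_links(browser_doc))
    extra = [link for link in extract_links(crawler_doc) if link not in seen]
    return [
        (href, text, any(t in (href + " " + text).lower() for t in spam_terms))
        for href, text in extra
    ]


def fetch(url, user_agent):
    """Fetch a page with a chosen User-Agent (network access required)."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


def compare_live(url):
    """Fetch the same URL as a browser and as a crawler and diff the links."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))


# Constructed sample pages: the crawler copy carries a hidden block of spam links.
SAMPLE_BROWSER = """<html><body>
<a href="/en/bookmark-manager">Bookmark Manager</a>
<a href="/en/contact">Contact</a>
</body></html>"""

SAMPLE_CRAWLER = SAMPLE_BROWSER.replace(
    "</body>",
    '<div style="display:none"><a href="http://spam.example/buy">cheap viagra online</a>'
    '<a href="http://spam.example/c">cialis</a></div></body>',
)

if __name__ == "__main__":
    for href, text, spam in cloaked_links(SAMPLE_BROWSER, SAMPLE_CRAWLER):
        print(("SPAM " if spam else "     ") + href + "  " + text)
```

Run it periodically against every public URL, not just the home page; the thread shows the injection was only visible on a sub-page, and the thread's reporter also relied on Google Translate as a third "crawler-like" view, which this script does not replace.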
I've restored an older backup that was not infected to a local XAMPP installation. I made a backup of the current site and installed it into another local XAMPP instance. I made a diff of all files between the two installations and found the hack in the application.php file (it was only one line). I removed the line and the hack died. I still don't know how the site got infected (all add-ons are the latest versions). I've changed the password as a security measure and am monitoring for this hack once a week.
Edit: the myJoomla.com report did actually find the hack; I didn't read the report carefully enough.
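The technique in the accepted answer, diffing a known-clean backup against the live copy, generalises to any web install. The script below is an added example, not the thread author's or Joomla's code: it hashes every file in both trees, reports added, removed and modified paths, and for each modified file lists the lines present only in the live copy, which is how a one-line injection like the one described surfaces. The `demo()` function builds two small constructed trees in a temporary directory (the file names and the injected marker line are invented for the demonstration) so the script runs without a real site.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def file_hashes(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    hashes = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def diff_trees(clean_root, current_root):
    """Compare a clean backup tree with the current tree by content hash."""
    clean = file_hashes(clean_root)
    current = file_hashes(current_root)
    common = clean.keys() & current.keys()
    return {
        "added": sorted(current.keys() - clean.keys()),      # e.g. dropped web shells
        "removed": sorted(clean.keys() - current.keys()),
        "modified": sorted(p for p in common if clean[p] != current[p]),
    }


def injected_lines(clean_file, current_file):
    """Lines that exist in the current file but not in the clean one."""
    before = Path(clean_file).read_text(errors="replace").splitlines()
    after = Path(current_file).read_text(errors="replace").splitlines()
    return [
        line[1:]
        for line in difflib.unified_diff(before, after, lineterm="", n=0)
        if line.startswith("+") and not line.startswith("+++")
    ]


def demo():
    """Constructed clean/current trees reproducing the thread's one-line injection."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean")
        current = Path(tmp, "current")
        for root in (clean, current):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'home';\n")
            (root / "includes" / "application.php").write_text("<?php\nclass JSite {}\n")
        # Constructed: the live copy gained one line and one extra file.
        with (current / "includes" / "application.php").open("a") as fh:
            fh.write("@include_once('/tmp/placeholder.txt'); /* CONSTRUCTED injected line */\n")
        (current / "templates").mkdir()
        (current / "templates" / "mysql.php").write_text("<?php /* constructed: not in backup */\n")

        result = diff_trees(clean, current)
        result["injected"] = {
            p: injected_lines(clean / p, current / p) for p in result["modified"]
        }
        return result


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{kind:9} {path}")
    for path, lines in report["injected"].items():
        for line in lines:
            print(f"  + {path}: {line}")
```

Hash comparison catches changes that a timestamp check misses (the question notes the files "haven't been modified", which usually means mtimes were preserved or reset); pair the file diff with a check of the content tables, since the next answer reports injections stored in the database rather than on disk.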
We recently recovered and migrated a Joomla 1.5 site to 2.5, and the hack was found in the template files (index.php and various override files in the template's html/ directory).
The surprising thing was that we also found that about 1 in 10 of the articles had been infected, i.e. when we searched the jos_content table we found the fulltext column had JavaScript embedded in it. So I would suggest also looking there.
Your best bet is to use a tool like myJoomla, as it was specifically created for this sort of thing for Joomla.
I also had this problem, where if I was visiting a sub-page, the home page would load instead and show a lot of pharmacy gibberish. But this only happened when I had Firefox Firebug open. It turned out that in my template under /html there was a mysql.php file that shouldn't have been there. Luckily, I created this template, so I deleted the template on the server and uploaded my original version, and the problem went away. Hope this helps.

My website contains malware

Warning: Something's Not Right Here!
www.mywebsite.com contains malware. Your computer might catch a virus if you visit this site.
Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
We have already notified www.mywebsite.com that we found malware on the site. For more about the problems found on www.mywebsite.com, visit the Google Safe Browsing diagnostic page.
If you understand that visiting this site may harm your computer, proceed anyway.
One of our websites is now down and it looks like this. What is the cause of this?
Please HELP.
I can only speculate what the cause is since you didn't provide the link, but my guess is that your site has been compromised. Look at your code and see if there is anything out of place, for example a tag that is below your closing tag. Someone probably injected code on your site that loads content from their site. Google sees the domain that has been marked as malware and then says that your site has malware.
Can you provide a link to the code?
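The answer above points at the classic symptom: markup appended after the closing tag that pulls in content from a third-party domain. The scanner below is an added example, not the answer author's code: it flags anything following `</html>`, hidden iframes (zero size or hidden via CSS), and script tags whose source is not on one of your own hosts, and can walk a whole document root. The sample documents, the `www.mywebsite.com` host (taken from the warning text) and the `third-party.example` domain are constructed for the demonstration.

```python
import re
from pathlib import Path

HIDDEN_STYLE = re.compile(
    r"(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
CLOSING_HTML = re.compile(r"</html\s*>", re.IGNORECASE)


def trailing_content(doc):
    """Whatever follows </html>; should be empty. None if the tag is absent."""
    match = CLOSING_HTML.search(doc)
    if match is None:
        return None
    return doc[match.end():].strip()


def hidden_iframes(doc):
    """Iframe tags that are sized to zero or hidden by inline style."""
    return [m.group(0) for m in IFRAME_TAG.finditer(doc) if HIDDEN_STYLE.search(m.group(0))]


def external_script_sources(doc, own_hosts):
    """Script src URLs that point at a host outside own_hosts."""
    found = []
    for m in SCRIPT_SRC.finditer(doc):
        src = m.group(1)
        if re.match(r"(?:https?:)?//", src):
            host = re.sub(r"^(?:https?:)?//", "", src).split("/")[0].lower()
            if host not in own_hosts:
                found.append(src)
    return found


def scan_document(doc, own_hosts):
    """Return a list of (finding_kind, snippet) for one HTML/PHP document."""
    findings = []
    tail = trailing_content(doc)
    if tail:
        findings.append(("content after </html>", tail[:100]))
    findings += [("hidden iframe", tag[:100]) for tag in hidden_iframes(doc)]
    findings += [("external script", src) for src in external_script_sources(doc, own_hosts)]
    return findings


def scan_tree(root, own_hosts, suffixes=(".html", ".htm", ".php", ".tpl")):
    """Scan every template/page file under a document root."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings = scan_document(path.read_text(errors="replace"), own_hosts)
            if findings:
                report[path.as_posix()] = findings
    return report


# Constructed samples: a clean page and the same page with an appended hidden iframe.
OWN_HOSTS = {"www.mywebsite.com"}
SAMPLE_CLEAN = (
    '<html><body><p>Hello</p>'
    '<script src="https://www.mywebsite.com/js/app.js"></script></body></html>\n'
)
SAMPLE_INJECTED = SAMPLE_CLEAN + (
    '<iframe src="http://third-party.example/x" width="0" height="0"></iframe>\n'
)

if __name__ == "__main__":
    for kind, snippet in scan_document(SAMPLE_INJECTED, OWN_HOSTS):
        print(f"{kind}: {snippet}")
```

A clean page yields no findings; the injected sample produces two (the trailing content and the hidden iframe it contains). Treat external script sources as a review list rather than a verdict, since legitimate CDNs will appear there too; the point is to enumerate every third-party domain the page loads so you can compare it with the one Google names in the Safe Browsing diagnostic.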
Just contributing a few links that might be more useful for folks looking to troubleshoot this problem when it comes up on their server:
Malware Blog Post
Stop Badware
If the website has been compromised, run the antivirus software on your PC to scan the entire computer. If any malware is detected, delete it. Remember to keep the antivirus program up to date. If security tools don't work, refer to the instructions below:
http://www.pcworld.com/article/243818/how_to_remove_malware_from_your_windows_pc.html
http://blog.mightyuninstaller.com/infected-by-trojandownloadervbsagent-el-steps-to-completely-remove-trojandownloadervbsagent-el/
