5 Replies. Latest reply on Dec 20, 2013 2:18 PM by Hayton.

    Suspicious Site and Dangerous Site Warnings

    vanban

      Hi,

      I need help in resolving the McAfee warning shown on my client's two websites: http://selfesteemday.com/ and http://attractmoney2me.com/.

      The WordPress versions were outdated and I want to update them to the latest version, but then it redirects to McAfee Site Warnings.

      Please see the attached images.

      Thanks,

      VanBan
        • 1. Re: Suspicious Site and Dangerous Site Warnings
          Peacekeeper

          To get a site reviewed, the fastest way is to:

          Browse to www.trustedsource.org/en/feedback/url

          1. Recommended for website owners or anyone else who wants to be updated on the request status:  Create an Account and then Login
          2. Click on “Check Single URL” (since most re-evaluation requests would be for a single URL)
          3. Select the Product you are using – in our case choose “McAfee SiteAdvisor”
          4. Type in the URL you want to check
          5. Click “Check URL”
          6. Optional:  Choose up to 3 categories from the drop-down “Optional categorization suggestion:”
          7. Optional:  Leave an “Optional comment”
          8. Click “Submit URL for Review”
          9. If you created an Account (and logged in with it), a Ticket ID will be displayed, along with 3 options on when you will receive email (when the ticket is Open, Reviewed, or Closed)
          • 2. Re: Suspicious Site and Dangerous Site Warnings
            vanban

            Thanks for your help Peacekeeper, http://selfesteemday.com/ is now back to normal. Next site I'm gonna check for review is http://attractmoney2me.com/.

            Thank you!
            • 3. Re: Suspicious Site and Dangerous Site Warnings
              Hayton

              Both sites need attention. I don't know why the first one has reverted to a Green rating so soon since Sucuri still finds a problem with injected content. And the IP address is blacklisted with a note that it is infected with a spam-sending Trojan.

              Still investigating, but I do have to eat sometimes.

              More later.

              • 4. Re: Suspicious Site and Dangerous Site Warnings
                Hayton

                Some details -

                Both domains are hosted on the same IP address.

                Neither domain is listed in hphosts, but for both sites there is the message "IP PTR - Resolution failed".

                This message indicates that an IP address's PTR (pointer record) does not itself resolve to an IP address. This is shown as a warning specifically because a PTR should resolve to an IP address itself, as per the RFC standards.

                hphosts lists 4 other domains for that IP address, but elsewhere there are notes of others including hxxp://www.filmepornoxxx.org, which has (according to Clean-MX) multiple reports of infection by JS_FBJACK.A and is also rated Red by SiteAdvisor.

                The IP address (192.185.48.235) is listed in the Spamhaus XBL because it appears in the CBL (Composite Blocking List).

                See http://cbl.abuseat.org/lookup.cgi?ip=192.185.48.235 - and also see below.

                IP Address 192.185.48.235 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

                It was last detected at 2013-12-18 15:00 GMT (+/- 30 minutes), approximately 12 hours, 30 minutes ago.

                selfesteemday.com:

                1. General

                Green rating in TrustedSource and SiteAdvisor (was Yellow until about a week ago according to TrustedSource). I don't think the site has been submitted for formal testing by SiteAdvisor.

                According to BitDefender, "This URL domain/host was seen to host badware at some point in time"

                2. Outdated software:

                3. Security warnings on the site.

                (screenshot: Sucuri warning for selfesteemday.com)

                http://labs.sucuri.net/db/malware/malware-entry-mwspamseo

                Web site identified with Blackhat SEO Spam. This often means that it was hacked and the attackers inserted links to their own sites to increase their page rank on search engines.

                The site is loading a script file from hxxp://dtym7iokkjlif.cloudfront.net/dough/1.0/recipe.js :

                that domain is rated Red by SiteAdvisor (https://www.siteadvisor.com/sites/dtym7iokkjlif.cloudfront.net)

                Cross-site scripting is highly suspect and will be blocked automatically by a number of browser add-ons such as Firefox's NoScript.

                Unmaskparasites (http://www.unmaskparasites.com/security-report, enter domain name for report details) is showing a large number of suspect links to third party sites apparently embedded in wp-content/themes. Here are just a few.

                - mailcrops.com safe? - displaying 2 of 2

                - onlinemarketerblog.com safe? - displaying 1 of 1

                - xn--cckagh7b4b8gxikd9d.com safe? - displaying 1 of 1

                Wepawet does not show these, so possibly the site has been cleaned up.

                Sucuri has a warning about the pathname of the following -

                (screenshot: Sucuri WordPress warning for selfesteemday.com)

                4. Domain blacklisting.

                Not blacklisted.

                attractmoney2me.com:

                1. General

                2. Outdated software:

                The site is running under an outdated version (3.2.1) of WordPress. The latest version is WordPress 3.8, and it is strongly advised that the latest version should be installed as soon as possible.

                3. Security warnings on the site.

                Sucuri has a warning about the pathname of the following -

                (screenshot: Sucuri WordPress warning for attractmoney2me.com)

                Unmaskparasites (http://www.unmaskparasites.com/security-report, enter domain name for report details) reports a suspicious inline script -

                Suspicious Inline Scripts

                Long suspicious script

                var a2a_config=a2a_config||{},wpa2a={done:false,html_done:false,script_ready:false,script_load:func...

                - and also shows links to 1.hypwealth.pay.clickbank.net; this domain (clickbank.net) has a mixed reputation with many users accusing it of being a Spam site. Its official reputation, however, appears to be Green (SiteAdvisor, Norton SafeWeb,

                4. Domain blacklisting.

                Red rating in TrustedSource and SiteAdvisor. I don't think the site has been submitted for formal testing by SiteAdvisor, so the TrustedSource rating is a real-time alert. The "Web Category" is "dl" which is "Malicious Downloads".

                According to Scumware.org, "This URL is or was distributing a malware variant of HTML/Framer".

                (screenshot: Scumware.org listing for attractmoney2me.com)

                This is also noted by AVG (HTML/Framer last detected December 02), which advises "Surf with caution".

                http://cbl.abuseat.org/lookup.cgi?ip=192.185.48.235

                NEW INFORMATION: IMPORTANT

                The IP address 192.185.48.235 corresponds to a web site that is infected with a spam or malware forwarding link.

                The website's host name is "selfesteemday.com", and this link is an example of the redirect: "http://selfesteemday.com/triumph.html".

                In other words the website "selfesteemday.com" has been hacked.

                Usually, the redirect takes the user's browser to a spam or malware site. It's usually fake Russian pills or pornography.

                Usually, the infection is a cPanel, Plesk, Joomla or WordPress CMS install that has become infected either through a vulnerability (meaning the CMS software is out of date and needs patching), or the owner of "selfesteemday.com" has had their account information (userids/passwords) compromised. Then malicious software/files are being uploaded by FTP or SSL.

                It is often simplest to disable or suspend the web site (meaning you can delist the IP to resolve your CBL listing issues) and then deal with the problem in a somewhat more leisurely/less-urgent fashion.

                In many cases, particularly with older compromises, the criminals that hacked this site will have uploaded a wide variety of spamming and other compromise tools. Therefore, the account corresponding to "selfesteemday.com" needs to be examined very carefully for signs of tampering. Further, the criminal will even modify existing web pages (particularly http://selfesteemday.com itself) to have hidden references to pill/drug/porn sites. If you're not completely certain that you've removed all traces of the compromise, we strongly recommend reinstalling the site from scratch.

                Furthermore, the site's passwords MUST be changed, and the customer should run anti-virus scanners on their own personal computers immediately to try to find and remove any keystroke loggers.

                We believe that the malicious redirects are done by altering web server access control mechanisms (example, ".htaccess" files on Apache web servers), and causing the redirect to occur on all "404 url not found" errors.

                That is as far as I got. Some of the information for selfesteemday.com appears to be a few days older than the rest, and the site may indeed have been cleaned of whatever infection it had. But after an infection has been cleaned it is advisable to (re-)submit a site for SiteAdvisor testing, which will then check it thoroughly and re-rate it if necessary.
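As an added example (not from this thread, and not code from CBL, Sucuri, Unmaskparasites or any other tool named above), the following Python script checks a copy of a WordPress document root offline for the two patterns Hayton's findings and the CBL note describe: .htaccess directives that send 404s or specific paths to another domain, and theme or page files that load scripts from, or hide links to, hosts other than the site's own. The trusted-host list, the directory layout and the sample .htaccess and footer.php contents are constructed for illustration; the hostnames inside them are the ones quoted in the thread, nothing was fetched from either site.

```python
"""Offline triage of a WordPress docroot for the compromise patterns discussed
in this thread. Added example, not part of the original posts or of any tool
named in them.

Assumptions (not from the thread): the site's own hostnames are the only
trusted link/script targets, and the sample files below stand in for a real
docroot. The file contents are constructed; only the hostnames come from
the thread.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumption: anything not on these hosts is "external" for our purposes.
TRUSTED_HOSTS = {"selfesteemday.com", "www.selfesteemday.com"}

# .htaccess directives that can send a visitor somewhere else.
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.I | re.M)
REWRITE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I | re.M)
REDIRECT_RE = re.compile(
    r"^\s*Redirect(?:Match|Permanent|Temp)?\s+(?:\d{3}\s+)?\S+\s+(https?://\S+)",
    re.I | re.M)

# Markup patterns for injected content: remote <script src>, <a href>, and the
# usual CSS tricks for keeping SEO-spam links out of sight.
SCRIPT_RE = re.compile(r"<script\b[^>]*?\bsrc=[\"'](https?://[^\"']+)[\"']", re.I)
HREF_RE = re.compile(r"<a\b[^>]*?\bhref=[\"'](https?://[^\"']+)[\"'][^>]*>", re.I)
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I)


def is_external(url):
    """True if url's host is not one of the site's own hosts."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in TRUSTED_HOSTS


def scan_htaccess(text):
    """Return (directive, target) pairs whose target leaves the site.

    ErrorDocument 404 pointing at a full external URL is the '404 -> spam site'
    mechanism the CBL note describes; RewriteRule/Redirect to a foreign host
    covers single-page redirects such as the triumph.html case.
    """
    hits = []
    for code, target in ERRORDOC_RE.findall(text):
        if target.lower().startswith(("http://", "https://")) and is_external(target):
            hits.append(("ErrorDocument %s" % code, target))
    for target in REWRITE_RE.findall(text) + REDIRECT_RE.findall(text):
        if is_external(target):
            hits.append(("Redirect/Rewrite", target))
    return hits


def scan_markup(text, context=200):
    """Return (kind, url) for external scripts and hidden external links.

    A link counts as hidden if a hiding style appears in the <a> tag itself or
    within `context` characters before it (a wrapping div). Heuristic: links
    hidden through a stylesheet class are not caught.
    """
    hits = []
    for url in SCRIPT_RE.findall(text):
        if is_external(url):
            hits.append(("external-script", url))
    for m in HREF_RE.finditer(text):
        url = m.group(1)
        window = text[max(0, m.start() - context):m.end()]
        if is_external(url) and HIDDEN_RE.search(window):
            hits.append(("hidden-link", url))
    return hits


def scan_tree(root):
    """Walk a docroot; map relative path -> findings for files that have any."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                hits = scan_htaccess(text)
            elif name.lower().endswith((".html", ".htm", ".php", ".js")):
                hits = scan_markup(text)
            else:
                continue
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample docroot: the directive and markup shapes mirror what the
# thread reports; nothing here was retrieved from the sites.
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "ErrorDocument 404 http://medictram.ru/\n"
    "RewriteRule ^triumph\\.html$ http://medictram.ru/ [R=302,L]\n"
)
SAMPLE_FOOTER_PHP = (
    '<footer><a href="http://selfesteemday.com/about">About</a></footer>\n'
    '<div style="position:absolute;left:-9999px">'
    '<a href="http://mailcrops.com/">cheap mail</a></div>\n'
    '<script src="http://dtym7iokkjlif.cloudfront.net/dough/1.0/recipe.js"></script>\n'
)


def build_sample_tree():
    """Write the constructed samples into a temp dir laid out like WordPress."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    theme = os.path.join(root, "wp-content", "themes", "sample-theme")
    os.makedirs(theme)
    with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_HTACCESS)
    with open(os.path.join(theme, "footer.php"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_FOOTER_PHP)
    return root


if __name__ == "__main__":
    # Point scan_tree() at a real docroot copy instead of build_sample_tree().
    for path, hits in sorted(scan_tree(build_sample_tree()).items()):
        for kind, target in hits:
            print("%-45s %-16s %s" % (path, kind, target))
```

Run it against a tarball of the hosting account rather than the live server, and treat a hit as a reason to diff the file against a clean copy of the theme or plugin, not as proof on its own: a legitimate theme may load a CDN script, which is why TRUSTED_HOSTS is a parameter to edit per site.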

                • 5. Re: Suspicious Site and Dangerous Site Warnings
                  Hayton

                  WARNING

                  The domain 'selfesteemday.com' is still hacked.

                  The URL given above (hxxp://selfesteemday.com/triumph.html) redirects to hxxp://medictram.ru

                  The Green SiteAdvisor rating for the site is and must remain erroneous until the website is thoroughly cleaned.
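Hayton confirms the hack by fetching the known bad URL and watching where it lands. As an added example (not from the thread), this Python snippet generalises that check in the way the CBL note suggests: it requests a path that cannot exist, refuses to follow redirects, and reports whether the server's answer is a plain 404, a redirect within the site, or a redirect off-site. The site URL is a parameter; the status/Location pairs run through the classifier at the bottom are constructed, not captured from either site.

```python
"""Client-side confirmation of the 'hijacked 404' pattern.

Added example, not from the thread. probe_site() needs network access and is
only called from the __main__ block; classify() is pure and is what the
constructed samples at the bottom exercise.
"""
import random
import string
import urllib.error
import urllib.request
from urllib.parse import urlparse


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _strip_www(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(site_host, status, location):
    """Classify the answer to a request for a path that should not exist.

    'clean-404'        : normal not-found page
    'onsite-redirect'  : 3xx to the same site (e.g. a custom 404 page)
    'offsite-redirect' : 3xx whose Location is another host; this is the
                         hijacked-404 behaviour CBL describes
    'unexpected'       : anything else (e.g. 200 for a bogus path)
    """
    if status == 404:
        return "clean-404"
    if 300 <= status < 400 and location:
        target = urlparse(location).hostname
        if target is None or _strip_www(target) == _strip_www(site_host):
            return "onsite-redirect"
        return "offsite-redirect"
    return "unexpected"


def probe_site(base_url, timeout=10):
    """Request a random, non-existent path without following redirects."""
    host = urlparse(base_url).hostname
    junk = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
    url = base_url.rstrip("/") + "/" + junk + ".html"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        status, location = resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With NoRedirect installed, 3xx and 4xx both arrive here.
        status, location = err.code, err.headers.get("Location")
    return url, status, location, classify(host, status, location)


# Constructed responses (not captured from either site) to show the verdicts.
SAMPLE_RESPONSES = [
    ("selfesteemday.com", 404, None),
    ("selfesteemday.com", 301, "http://www.selfesteemday.com/404/"),
    ("selfesteemday.com", 302, "http://medictram.ru/"),
    ("selfesteemday.com", 200, None),
]

if __name__ == "__main__":
    for host, status, location in SAMPLE_RESPONSES:
        print(host, status, location, "->", classify(host, status, location))
    # Live check (needs network): print(probe_site("http://selfesteemday.com/"))
```

A random path is used rather than the one already known to be bad because a cleanup that only removed triumph.html would leave the ErrorDocument-style redirect in place; an off-site verdict for a made-up path is what tells you the 404 handler itself is still compromised, and that a re-rating request is premature.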