[German]Anyone who operates a website may occasionally be confronted with the problem that it is reported as "malicious" by security portals or by users. Then the question arises how to proceed to find out if this is a false alarm or if the website has been compromised. Recently, I was asked to look at such a site that was reported as "malicious" by security tools. Afterwards I thought about documenting the steps I undertook – maybe it will help one or the other.
Advertising
It was an e-mail from an unknown sender, that at first made me wonder. But I could quickly see from the signature that it was not SPAM, because the message came from the secretariat of a German sports federation and read:
Panda Security blocks **** portal
Hello Mr. Born,
no idea if the block is justified, but for weeks this site has been blocked by the L***. Is there something to it?
Normally I am not active in consulting measures in the security area. However, since sports initiatives are often carried out by volunteers, I decided to sacrifice a few minutes and take a look at the facts.
Site was black listed
The mail already indicated that the site in question was blocked by security solutions, because it has been blacklisted. Users received a warning, that the site is malicious, if they attempt to surf to the internet address. This can be true if a website is compromised. It can also be a false alarm.
I regularly get such false alerts when users tell me that their security software warns about borncity.com. So far they were all false alarms – the most blatant case why this blog has been blacklisted before: I had documented a phishing attempt in a post and included URLs to phishing sites. These were no longer selectable as URLs due to blanks in the URL. But a broken AI of a internet security solution interpreted the fragments as an attempt to redirect readers to the phishing pages and my site has been blocked. I was then able to clear this up with a contact to the support of this site and borncity.com was unblocked again.
Behind the scenes, the blogs here at borncity.com run both virus scanners and security solutions that should prevent or at least report compromise. In addition, I can trigger further scans in cases of suspicion. Occasionally I get reports that internal files of plugins have been modified – code inspection then shows that often the versions between the WordPress repositories and the blog diverge for a few days – then there are false positives. So far, in the 15 years the blogs have been around, I've gotten through blogging life cleanly.
At this point the question would be: How do you proceed if you suspect an infection. On your own blog, I would immediately use the internal scanners and tools and also third party scanner. For the current case with this foreign website I proceed several checks, I would like to briefly describe below.
Check at Virustotal
To find out if a website is detected as malicious, I like to use the Google-powered virustotal.com for a first test. On the website, the URL of the website to be tested can be entered on the URL tab.
Advertising
When I typed in the URL of the suspicious website (unfortunately I no longer have a screenshot), only one hit was reported. Panda was not listed as a virus scanner – and most of scanners did not raise any concerns about the website.
Virustotal's page provided the notice that the target page had been noticed back in February 2019 – three years ago – as malicious. And there was the info that Sucuri SiteCheck's security solution flags the page as malicious.
Use Sucuri SiteCheck
I use the SiteCheck of the security provider Sucuri here occasionally to check my website for possible infections. So it was obvious to enter the URL of the criticized website directly into Sucuri SiteCheck and have a check performed (there are other 3rd party vendor, who can do similar checks).
This check is free of charge and usually provides a more detailed analysis of what is going on. When I saw the result of the audited page, my heart dropped.
Several malware detections were reported under various URLs. However, a look at the links to the detections showed me that they were not really malware detections. Rather, Sucuri's scanner claimed to have found hidden SEO spam that was "known but harmful".
SEO spam refers to posts (often in comments of blogs) that have only one goal: To push the website of the spammer or his client high in search engines. Or to direct uninitiated users to these target pages when they visit the website. I have hundreds of them here on the blog every day – although my SPAM filters have reliably filtered them out so far. In the above result it still says that the SEO SPAM is "hidden" – so the link is hidden from the human reader – it should only be found by search engines.
At this point I looked at the source code in the browser and searched for "porno" on a trial basis. Promptly I found what I was looking for, because the source code contained hidden links.
Above excerpt from the source code shows the link to porn pages, where this link was positioned -5,000 pixels out of the view area via a CSS statement. So a page visitor never got to see this link. But the link is visible for search engines or bots or even the virus scanners. This was the final proof that the page was compromised. So the blocking is more than justified!
Sucuri also reported that the Apache server used was not up to date (below version 2.4.44) and PHP is also outdated (version was below 7.2.31). So the typical case where a portal was set up with Typo3 and probably not maintained anymore. The infection of the source code with the porn links probably happened via vulnerabilities – and that also explains why the first detections (according to VirusTotal) were already reported on 2018, the last report was on 15.11.2021. There was something wrong for quite some time. At this point, I informed the contact person about the result – combined with the request to take the site offline und let it clean by a professional consultant.
Maybe the above explanations will help one or the other reader, in case a similar suspicion arises on their website, with their first steps.
PS: I did a search for the above URLs on the web. There are a number of other German websites that also show this SEO SPAM and may have ended up on blacklists.
