Need Advice Malware Threat on Website

Please provide comments and solutions that are helpful to the author of this topic.

Dauphinbleu

Dauphinbleu

New Member
Thread author
May 10, 2022
5
Hello,

I just found this forum and I'm not sure if this issue can be discussed here. I have a website which seems to be infected with malware. When I open my website, I can't access it. Instead, I got a notification "This site contains deceptive content". Is help regarding this issue available here?


Thank you
 
  • Like
Reactions: Sorrento, M4RT1NE2 and Kongo
Jack

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,376
Hello @Dauphinbleu
I would recommend that you contact your hosting provider and ask for their help because to remove malware from a site you need admin rights. Also, you should look at your site source code to find out what was exploited and what malicious files are used in this attack.
Did you scan your site to see if there's actual malware on the site or if that warning message is because of the content of the site? Do you see that message on all the pages of your site, or only on specific ones.

Also, it would be a good idea to check the Google Search Console > Security Issues section as there you may find additional details. More details here: Social engineering (phishing and deceptive sites) | Documentation | Google Developers


Scanners:

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

sitecheck.sucuri.net

Sucuri Security

SiteCheck is a website security scanner that checks any link or URL for malware, viruses, blacklist status, or malicious code. Check your website safety for free with Sucuri.
sitecheck.sucuri.net sitecheck.sucuri.net


www.urlvoid.com

Check if a Website is Malicious/Scam or Safe/Legit | URLVoid

Free website reputation checker tool lets you scan a website with multiple website reputation/blocklist services to check if the website is safe and legit or malicious. Check the online reputation of a website to better detect potentially malicious and scam websites.
www.urlvoid.com www.urlvoid.com

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses
opentip.kaspersky.com opentip.kaspersky.com
 
  • Like
  • +Reputation
Reactions: Behold Eck, Trooper, plat and 12 others
Kongo

Kongo

Level 34
Verified
Top Poster
Well-known
Feb 25, 2017
2,374
Dauphinbleu said:
Hello,

I just found this forum and I'm not sure if this issue can be discussed here. I have a website which seems to be infected with malware. When I open my website, I can't access it. Instead, I got a notification "This site contains deceptive content". Is help regarding this issue available here?


Thank you
Click to expand...
It would be helpful if you could post the site here, so that people can check it out. If its nothing private of course... Please censore it a little, so that people don't accidentally access it. (y)
 
  • Like
  • +Reputation
Reactions: Behold Eck, Trooper, silversurfer and 7 others
Dauphinbleu

Dauphinbleu

New Member
Thread author
May 10, 2022
5
Jack said:
Hello @Dauphinbleu
I would recommend that you contact your hosting provider and ask for their help because to remove malware from a site you need admin rights. Also, you should look at your site source code to find out what was exploited and what malicious files are used in this attack.
Did you scan your site to see if there's actual malware on the site or if that warning message is because of the content of the site? Do you see that message on all the pages of your site, or only on specific ones.

Also, it would be a good idea to check the Google Search Console > Security Issues section as there you may find additional details. More details here: Social engineering (phishing and deceptive sites) | Documentation | Google Developers


Scanners:

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

sitecheck.sucuri.net

Sucuri Security

SiteCheck is a website security scanner that checks any link or URL for malware, viruses, blacklist status, or malicious code. Check your website safety for free with Sucuri.
sitecheck.sucuri.net sitecheck.sucuri.net


www.urlvoid.com

Check if a Website is Malicious/Scam or Safe/Legit | URLVoid

Free website reputation checker tool lets you scan a website with multiple website reputation/blocklist services to check if the website is safe and legit or malicious. Check the online reputation of a website to better detect potentially malicious and scam websites.
www.urlvoid.com www.urlvoid.com

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses
opentip.kaspersky.com opentip.kaspersky.com
Click to expand...
Hello @Jack and @SecureKongo,

Thanks for the reply. I first knew about it because when I opened my website, it got redirected to a suspicious link, and I couldn't access my website. I also couldn't access the WordPress dashboard. I have contacted my hosting provider and asked them to do a full account scan. Two viruses were found, and I followed the guidance to remove the virus. They also helped restore my account using backup before the occurrence, but the problem persisted.

My hosting provider also suggested replacing the default WordPress files which I had also done. I also removed some files and folders with suspicious names. When I opened my website again, I could access the homepage. I could also access the WordPress dashboard. But whenever I clicked on any post, it got redirected again.

I also scanned my website using Quttera Online Website Malware Scanner. There were many files detected as infected by a trojan. I have removed the script that was pointed out as malicious. This is the script that I removed from many js files :

1652250515287.png


Another full account scan has been done by my hosting account provider, and the result shows that the viruses have been successfully removed. But the posts on my website are still inaccessible.

I tried to check the database and found this script on some rows:
1652243142692.png


I have deleted all of those scripts I could find. But now, every time I try to click on any post on my websites, I still get this notification

1652242084142.png
1652242132557.png


Before asking for the full account scan, I checked on the google search console, and the result was clean. I checked on Sucuri before, and there was malware found on the website. But the last scan showed no malware found, though the site is still blacklisted.

This is the current result from virustotal scanner :

1652243042004.png


and this one from urlvoid

1652233918833.png


Here's the last external monitoring scan report from Quttera

1652247670823.png

1652247683618.png

1652247709581.png


I tried to find the redirected link in the database and Cpanel files, but I couldn't find anything. I would very much appreciate it if someone could help me fix this issue.
 
Last edited:
  • Like
  • Thanks
Reactions: plat, Kongo, M4RT1NE2 and 1 other person
harlan4096

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,445
I'm getting this in my Kaspersky Plus when I accessed to Your last (previous) post:

1652250316588.png

Event: Download denied
User: TERMINUS-PC\HARLAN4096-PC
User type: Active user
Application name: firefox.exe
Application path: C:\Program Files\Mozilla Firefox
Component: Safe Browsing
Result description: Blocked
Type: Trojan
Name: HEUR:Trojan.Script.Generic
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object path: Q&A - Malware Threat on Website
MD5 of an object: 6E8A61EB7FFB3CC052ED9A4DFB979DB5
Reason: Expert analysis
Databases release date: Today, 11/05/2022 3:50:00
Click to expand...
 
  • Like
  • Thanks
  • +Reputation
Reactions: plat, silversurfer, Kongo and 4 others
Dauphinbleu

Dauphinbleu

New Member
Thread author
May 10, 2022
5
Hello Everyone,

Just want to let you all know that I have sorted out the problem. Apparently, there was more of this script in the database than what I had found before.
1652315990019.png

The filtering row didn't catch it. So I went to a deeper search and found that the script was injected at the end of every single of my post. Now they all have been successfully removed from the database and my website has become accessible again.

I have also run a scan with Wordfence on my WordPress Dashboard and repaired/removed all the files that were flagged as an issue. So far it seems to work well and hopefully will continue this way.

I'm not sure if there is still an issue that needs to be taken care of. Based on a scan from sucuri, and internal monitoring from Quttera, the website is now clean and I no longer get a warning notification from my browser when accessing the website. However, scan results from virustotal and urlvoid remain the same as before. I guess for now I will just let it be while keeping a close eye on my website.
 
  • Like
Reactions: Kongo and harlan4096
Kongo

Kongo

Level 34
Verified
Top Poster
Well-known
Feb 25, 2017
2,374
Dauphinbleu said:
Hello Everyone,

Just want to let you all know that I have sorted out the problem. Apparently, there was more of this script in the database than what I had found before.
View attachment 266562
The filtering row didn't catch it. So I went to a deeper search and found that the script was injected at the end of every single of my post. Now they all have been successfully removed from the database and my website has become accessible again.

I have also run a scan with Wordfence on my WordPress Dashboard and repaired/removed all the files that were flagged as an issue. So far it seems to work well and hopefully will continue this way.

I'm not sure if there is still an issue that needs to be taken care of. Based on a scan from sucuri, and internal monitoring from Quttera, the website is now clean and I no longer get a warning notification from my browser when accessing the website. However, scan results from virustotal and urlvoid remain the same as before. I guess for now I will just let it be while keeping a close eye on my website.
Click to expand...
Any clues yet on how the scrip was embedded on your website?
 
  • Like
Reactions: brambedkar59 and harlan4096
JB007

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,540
Also Malwarebytes blocks the site.
3.PNG

and also µBlock Origin !

5.PNG
 
Last edited:
  • Like
Reactions: BryanB

Similar threads

A
    • Like
Need Advice Suspicious link on Instagram bio
Replies
6
Views
521
General Security Discussions
AdamBull
A
snadge
Need Advice Infected Inbox, dodgy threat emails
Replies
7
Views
199
General Security Discussions
snadge
snadge
R
    • +Reputation
    • Wow
    • Like
Ghacks.net website delivering malware via fake browser update messages
Replies
30
Views
1,213
Malware Analysis
TairikuOkami
TairikuOkami

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top