Q&A Malware Threat on Website

Dauphinbleu

New Member
Thread author
May 10, 2022
5
Hello,

I just found this forum and I'm not sure if this issue can be discussed here. I have a website which seems to be infected with malware. When I open my website, I can't access it. Instead, I got a notification "This site contains deceptive content". Is help regarding this issue available here?


Thank you
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,382
Hello @Dauphinbleu
I would recommend that you contact your hosting provider and ask for their help because to remove malware from a site you need admin rights. Also, you should look at your site source code to find out what was exploited and what malicious files are used in this attack.
Did you scan your site to see if there's actual malware on the site or if that warning message is because of the content of the site? Do you see that message on all the pages of your site, or only on specific ones?

Also, it would be a good idea to check the Google Search Console > Security Issues section as there you may find additional details. More details here: Social engineering (phishing and deceptive sites) | Documentation | Google Developers


Scanners:


SecureKongo

Level 29
Verified
Top poster
Well-known
Feb 25, 2017
1,832
It would be helpful if you could post the site here, so that people can check it out. If it's nothing private of course... Please censor it a little, so that people don't accidentally access it. (y)
 

Dauphinbleu

New Member
Thread author
May 10, 2022
5
Hello @Jack and @SecureKongo,

Thanks for the reply. I first knew about it because when I opened my website, it got redirected to a suspicious link, and I couldn't access my website. I also couldn't access the WordPress dashboard. I have contacted my hosting provider and asked them to do a full account scan. Two viruses were found, and I followed the guidance to remove the virus. They also helped restore my account using backup before the occurrence, but the problem persisted.

My hosting provider also suggested replacing the default WordPress files which I had also done. I also removed some files and folders with suspicious names. When I opened my website again, I could access the homepage. I could also access the WordPress dashboard. But whenever I clicked on any post, it got redirected again.

I also scanned my website using Quttera Online Website Malware Scanner. There were many files detected as infected by a trojan. I have removed the script that was pointed out as malicious. This is the script that I removed from many js files :

[attachment: 1652250515287.png]


Another full account scan has been done by my hosting account provider, and the result shows that the viruses have been successfully removed. But the posts on my website are still inaccessible.

I tried to check the database and found this script on some rows:
[attachment: 1652243142692.png]


I have deleted all of those scripts I could find. But now, every time I try to click on any post on my websites, I still get this notification

[attachment: 1652242084142.png]
[attachment: 1652242132557.png]


Before asking for the full account scan, I checked on the Google Search Console, and the result was clean. I checked on Sucuri before, and there was malware found on the website. But the last scan showed no malware found, though the site is still blacklisted.

This is the current result from the VirusTotal scanner:

[attachment: 1652243042004.png]


and this one from URLVoid

[attachment: 1652233918833.png]


Here's the last external monitoring scan report from Quttera

[attachment: 1652247670823.png]

[attachment: 1652247683618.png]

[attachment: 1652247709581.png]


I tried to find the redirected link in the database and cPanel files, but I couldn't find anything. I would very much appreciate it if someone could help me fix this issue.


harlan4096

Moderator
Verified
Staff member
Malware Hunter
Well-known
Apr 28, 2015
8,019
I'm getting this in my Kaspersky Plus when I accessed your last (previous) post:

[attachment: 1652250316588.png]

Event: Download denied
User: TERMINUS-PC\HARLAN4096-PC
User type: Active user
Application name: firefox.exe
Application path: C:\Program Files\Mozilla Firefox
Component: Safe Browsing
Result description: Blocked
Type: Trojan
Name: HEUR:Trojan.Script.Generic
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object path: Q&A - Malware Threat on Website
MD5 of an object: 6E8A61EB7FFB3CC052ED9A4DFB979DB5
Reason: Expert analysis
Databases release date: Today, 11/05/2022 3:50:00
 

Dauphinbleu

New Member
Thread author
May 10, 2022
5
Hello Everyone,

Just want to let you all know that I have sorted out the problem. Apparently, there was more of this script in the database than what I had found before.
[attachment: 1652315990019.png]

The filtering row didn't catch it. So I went to a deeper search and found that the script was injected at the end of every single one of my posts. Now they have all been successfully removed from the database and my website has become accessible again.

I have also run a scan with Wordfence on my WordPress Dashboard and repaired/removed all the files that were flagged as an issue. So far it seems to work well and hopefully will continue this way.

I'm not sure if there is still an issue that needs to be taken care of. Based on a scan from Sucuri, and internal monitoring from Quttera, the website is now clean and I no longer get a warning notification from my browser when accessing the website. However, scan results from VirusTotal and URLVoid remain the same as before. I guess for now I will just let it be while keeping a close eye on my website.
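The post above describes the part a simple row filter missed: a script block appended to the end of every post's content in the database. Below is an added example (not code from the thread or from any poster) of how a site owner can sweep WordPress post rows for injected script tags, including case- and whitespace-varied tags that a plain `LIKE '%<script%'` filter overlooks. It uses an in-memory SQLite table in place of the real `wp_posts` table and constructed sample rows, so it runs offline; against a live site the same queries would go to the MySQL database.

```python
"""Sweep WordPress post rows for injected <script> blocks (added example).

An in-memory SQLite table stands in for wp_posts so the check runs offline.
The sample rows and the attacker.invalid hostname are constructed.
"""
import re
import sqlite3

# Matches <script ...>...</script> regardless of case, attribute order or
# stray whitespace inside the tag, which a LIKE '%<script src=%' filter misses.
SCRIPT_RE = re.compile(r"<\s*script\b.*?>.*?<\s*/\s*script\s*>",
                       re.IGNORECASE | re.DOTALL)

# Constructed sample rows: a clean post, a post with a tag appended at the end,
# and a post with a case/whitespace-varied tag that a naive filter would skip.
SAMPLE_POSTS = [
    (1, "<p>Welcome to my blog.</p>"),
    (2, "<p>Second post.</p><script src='https://attacker.invalid/x.js'></script>"),
    (3, "<p>Third post.</p>< SCRIPT type=\"text/javascript\" >"
        "window.location='https://attacker.invalid';</ SCRIPT >"),
]

def load_posts(conn, rows):
    """Create a minimal wp_posts table and insert the given (ID, post_content) rows."""
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", rows)

def find_injected(conn):
    """Return {post_id: [script blocks]} for every row containing a script tag."""
    hits = {}
    for post_id, content in conn.execute("SELECT ID, post_content FROM wp_posts"):
        found = SCRIPT_RE.findall(content)
        if found:
            hits[post_id] = found
    return hits

def strip_injected(conn):
    """Remove all script blocks from flagged rows; return the number of rows updated.
    Review the find_injected() report first: this also strips any legitimate
    inline script a post may contain, so take a database backup before running."""
    updated = 0
    for post_id in find_injected(conn):
        (content,) = conn.execute("SELECT post_content FROM wp_posts WHERE ID = ?",
                                  (post_id,)).fetchone()
        conn.execute("UPDATE wp_posts SET post_content = ? WHERE ID = ?",
                     (SCRIPT_RE.sub("", content), post_id))
        updated += 1
    conn.commit()
    return updated

def demo():
    """Run the sweep on the sample rows: (flagged IDs, rows cleaned, flagged after)."""
    conn = sqlite3.connect(":memory:")
    load_posts(conn, SAMPLE_POSTS)
    before = sorted(find_injected(conn))
    cleaned = strip_injected(conn)
    return before, cleaned, find_injected(conn)
```

Run `demo()` to see posts 2 and 3 flagged, both cleaned, and no rows left matching; on a real site, re-scan after cleaning, since the thread shows the injection can return if the entry point (plugin, theme or credentials) is not fixed.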
 

SecureKongo

Level 29
Verified
Top poster
Well-known
Feb 25, 2017
1,832
Any clues yet on how the script was embedded on your website?
 

JB007

Level 25
Verified
Top poster
Well-known
May 19, 2016
1,445
Also Malwarebytes blocks the site.

[attachment: 3.PNG]

and also µBlock Origin!

[attachment: 5.PNG]