• Hi Everyone,

    We had a client complaining about being blocked by Google, strange as this was a brand new site so we went and did some investigating. Google said the site was potentially infected with malware. So we started visiting scanning sites.

    This scan threw up an alarm
    https://www.virustotal.com/en/url/56dcaca44955ff9803552612abcefa7b8ddf132c301b3638dc1c84712c90a99a/analysis/1496672308/

    Sophos saying the site was infected with malware. We ran Sucuri scans, Wordfence scans and several others, all of which said the site was clean.

    Eventually, we were led to quttera.com where we tested several of our sites as well as the client's. Several of them were reporting infections.

    All those too passed other malware scans.

    Long story short this is the code that is being reported as an infection in several files. Does anyone know if this is core code or being inserted by a plugin?

        <script type='text/javascript' language='javascript'>
        r3f5x9JS=escape(document['referrer']);
        hf4N='7801e1f3326a17ec1c875531c374752a';
        hf4V='e6ec49b42e4e87e357c4e59310a09928';
        jQuery(document).ready(function($) {
            var e="#commentform, .comment-respond form, .comment-form, #lostpasswordform, #registerform, #loginform, #login_form, #wpss_contact_form, .gform_wrapper form";
            $(e).submit(function() {
                $("<input>").attr("type","hidden").attr("name","r3f5x9JS").attr("value",r3f5x9JS).appendTo(e);
                return true;
            } );
            var h="form[method='post']";
            $(h).submit(function() {
                $("<input>").attr("type","hidden").attr("name",hf4N).attr("value",hf4V).appendTo(h);
                return true;
            } );
        } );
        </script>

    Any help would be much appreciated.

    • This topic was modified 7 years, 9 months ago by 3001web.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Hey 3001web,

    Are you using the WP Spamshield plugin by any chance?

    I searched a few of the strings above and they all seemed to lead to that.

    The plugin seems to apply this on line 9192 of wp-spamshield.php

    $js .= $ao_noop_open.'<script type=\'text/javascript\'>'.WPSS_EOL.'/* <![CDATA[ */'.WPSS_EOL.WPSS_REF2XJS.'=escape(document[\'referrer\']);'.WPSS_EOL.'hf4N=\''.$wpss_js_key.'\';'.WPSS_EOL.'hf4V=\''.$wpss_js_val.'\';'.WPSS_EOL.$cm_var.'jQuery(document).ready(function($){'.'var e="#commentform, .comment-respond form, .comment-form'.$cm_str.', #lostpasswordform, #registerform, #loginform, #login_form'.$tpr_str.', #wpss_contact_form'.$cf7_str.$gf_str.$bp_str;

    I believe this helps prevent spam on the forms specified by querying the url or some other value.

    Hope this helps.
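
    Tracing a flagged inline script back to the plugin that emits it, the way the reply above did by searching for its strings. This is an added example, not code from the thread or from WP-SpamShield; the plugin tree, the `hypothetical-gallery` plugin and the function names are constructed for illustration.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample: the flagged markup from the first post, shortened.
FLAGGED = """<script type='text/javascript' language='javascript'> r3f5x9JS=escape(document['referrer']);
hf4N='7801e1f3326a17ec1c875531c374752a'; hf4V='e6ec49b42e4e87e357c4e59310a09928';
jQuery(document).ready(function($) { var e="#commentform, .comment-respond form, .comment-form,
#lostpasswordform, #registerform, #loginform, #login_form, #wpss_contact_form, .gform_wrapper form";
$(e).submit(function() { return true; }); });</script>"""

def distinctive_tokens(snippet, min_len=6):
    """Identifiers and selector names; long hex runs are per-site values, so dropped."""
    tokens = set(re.findall(r"\b[A-Za-z_]\w{%d,}\b" % (min_len - 1), snippet))
    return {t for t in tokens if not re.fullmatch(r"[0-9a-f]{16,}", t)}

def attribute_snippet(snippet, plugins_dir):
    """Rank plugin directories; a token found in n plugins adds 1/n to each of them."""
    root = Path(plugins_dir)
    tokens = distinctive_tokens(snippet)
    found = {}  # token -> set of plugin directory names whose source contains it
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in {".php", ".js"}:
            continue
        text = path.read_text(errors="ignore")
        plugin = path.relative_to(root).parts[0]
        for tok in tokens:
            if tok in text:
                found.setdefault(tok, set()).add(plugin)
    scores = Counter()
    for plugins in found.values():
        for plugin in plugins:
            scores[plugin] += 1 / len(plugins)  # generic jQuery words weigh less
    return scores.most_common()

def build_sample_tree():
    """Constructed plugins directory: one file modelled on the line quoted above."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-spamshield/wp-spamshield.php": r"""$js .= '<script type=\'text/javascript\'>'.WPSS_REF2XJS.'=escape(document[\'referrer\']);'.'jQuery(document).ready(function($){'.'var e="#commentform, .comment-respond form, .comment-form, #lostpasswordform, #registerform, #loginform, #login_form, #wpss_contact_form';""",
        "hypothetical-gallery/gallery.js": "jQuery(document).ready(function($){ $('.gallery form').submit(function(){ return true; }); });",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    for plugin, score in attribute_snippet(FLAGGED, build_sample_tree()):
        print(f"{score:5.1f}  {plugin}")
```

    On a real site, pass the path of `wp-content/plugins` as `plugins_dir`; the top-ranked directory is the first place to look for the code that generates the flagged markup.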

    Hey @adam3128 and @2001web,

    Developers of WP-SpamShield here… perhaps we can help.

    The code referenced by @adam3128 adds WP-SpamShield’s validation keys to the form via jQuery. That’s normal code. No malware whatsoever in WPSS code. That, however, does not mean your site’s code was not compromised by something else.

    If your site’s code is being flagged as malware, it’s not because of WP-SpamShield. Our code is scanned by all of the top anti-malware/anti-virus algorithms regularly, and never comes up like that.

    I’m just curious what made you say that that particular section of code is what’s being flagged? There doesn’t seem to be anything to indicate that based on the data you’ve provided.

    “We ran Sucuri scans, Wordfence scans and several others, all of which said the site was clean.”

    That means your Sophos scanner is throwing a false positive, at least if it’s referencing WPSS code.

    We obviously would want to hear further details, so if you want to submit a support request, we’ll be glad to help you look into this and sort everything.

    – Scott

    Thread Starter 3001web

    (@2001web)

    @redsand

    Sorry to tell you it was indeed your plugin WP-SpamShield.

    We removed your plugin and the site is now showing clean.

    https://quttera.com/detailed_report/celebrationplans.co.uk

    We submitted to Google for a re-scan and they also say the site is now clean.

    Thread Starter 3001web

    (@2001web)

    Confirmed: we tested another site using this plugin and it showed as having malware; we removed the plugin and it showed as clean.

    I realise this may be a false positive but in this case it affected a site in Google so this needs looking at.

    Hi @2001web,

    Our plugin does not have malware. Like I mentioned above, if your site had malware, it had nothing to do with our plugin.

    “in this case it affected a site in Google so this needs looking at.”

    That is absolutely not correct. Nothing in WP-SpamShield’s code would negatively affect a site’s ranking or cause it to be blacklisted in Google. That is something we pay special attention to. You can see by looking at the code that it is clean. Please do not make unfounded/false statements like that.

    If you have concerns, you need to contact us directly.

    – Scott

    Thread Starter 3001web

    (@2001web)

    There is nothing unfounded or false in my statement.

    Our client was blacklisted for “potential” malware by Google, Sophos and Quttera. The exact string of code suspected of being suspicious, as stated by Quttera, was the code above. Adam kindly pointed us in the direction of your plugin (Thanks Adam, probably saved us a few hours there) as the possible producer of that code.

    We removed your plugin from the client’s site and rescanned using Quttera to see if this was the case; the site, when re-scanned, showed clean. We applied for a re-assessment at Google and they removed the block from the website, agreeing it was clean.

    We then checked other sites using your plugin at Quttera; they too were showing “Potential” infections. Again we removed the plugin, rescanned, and they showed clean.

    I did not accuse your plugin of containing malware. In earlier posts I stated I had done many scans that showed up clean; I also stated in one post that I realise this may be a false positive.

    The facts remain: my client site is still listed by Sophos, which we now have to try and get de-listed, and it was listed by Google, which we spent time researching and getting de-listed. They were listed because of this block of code in your plugin, so you may want to address that OR talk to https://quttera.com and https://www.sophos.com about the false positive.

    At NO point have I accused your plugin of containing malware. Please read again.

  • The topic ‘Sites Being Flagged As Containing Malware’ is closed to new replies.