
Attention all Wing Walkers members with a wingwalkers(dot)org email address:

PLEASE UPDATE YOUR EMAIL PASSWORD IMMEDIATELY

Visit WingWalkers' WebMail and log in with your email address and current password. Click the drop-down menu on the top-right under your username, select "Password and Security" and change your password. If you've forgotten your password, use the "I forgot my password" option and follow the steps (you've done that before, I'm sure.)

Please send me - WWSandMan - a private message on the forum letting me know you've changed your password. Those of you who have done so already, thank you!

** Folks who have not responded that they have updated their email account password will have that account deleted. All unused accounts will be deleted.**

We have far too many email accounts not being used, or which have been compromised, to allow them to remain open. Thank you for understanding the need to go to these lengths.

WWSensei

SITE ISSUES - GETTING MALWARE WARNINGS


Sandy, could be false positive but the site is triggering malware warnings. if you need some help get me at mike dot couvillion at gmail


 yeah, got the same thing this morning.  Chrome indicated it might have something to do with re-directs.  Wonder if the Stats page is causing any problems?

 


Edited by WWSittingduck


hey guys, I'm getting the unsafe page warning, I checked your cert and it says it's good until 4/29/2019

I checked your page source and found some scripts referencing http://schema.org, which should be https://schema.org

Typically to maintain no issues you don't want any links without the https or you don't get the padlock and/or it can cause security warnings. Unless you are aware of a problem.

Anyways, if you recently made changes or customizations, etc, check your URLs

right click your home page and any other page or hit CTRL+U to view page source, then CTRL+F to search the source page for http: to see which links might cause an issue.

if you already know this, ignore my note. 
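The view-source search described in the post above, automated as an added example (not part of the original post or of the site's code): it lists every `http:` URL in a page and separates resources the browser actually fetches, which are what mixed-content checks act on, from plain links and schema.org type identifiers, which are not fetched. The sample markup and all host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches while rendering the page.
FETCHED = {("script", "src"), ("img", "src"), ("iframe", "src"), ("embed", "src"),
           ("audio", "src"), ("video", "src"), ("source", "src"), ("object", "data")}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}
URL_ATTRS = {"src", "href", "data", "itemtype"}

class HttpRefFinder(HTMLParser):
    """Collect every http:// URL found in a page that is served over https://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, attr, absolute_url, line)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        values = {name: (value or "") for name, value in attrs}
        rels = set(values.get("rel", "").lower().split())
        for attr, value in values.items():
            if attr not in URL_ATTRS:
                continue
            # Relative and //host URLs inherit the page's https scheme.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme != "http":
                continue
            fetched = (tag, attr) in FETCHED or (
                tag == "link" and attr == "href" and rels & FETCHED_LINK_RELS)
            kind = "load" if fetched else "reference"
            self.findings.append((kind, tag, attr, url, line))

def audit(html, page_url):
    finder = HttpRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; every host name is a placeholder.
SAMPLE = """<html itemscope itemtype="http://schema.org/WebSite">
<head>
<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<link rel="canonical" href="http://forum.example.test/">
<script src="//cdn.example.test/app.js"></script>
</head>
<body>
<a href="http://example.test/about">About</a>
<img src="/uploads/logo.png">
<iframe src="http://stats.example.test/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "https://forum.example.test/"):
        print(*finding)
```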

 

 


"... found some scripts referencing" what? @WWDriftwood ? This is about as vanilla as you can get with Invision. Old stuff from phpBB has been removed.

On 3/14/2019 at 10:43 AM, WWSensei said:

Sandy, could be false positive but the site is triggering malware warnings. if you need some help get me at mike dot couvillion at gmail

Gotta be false positives. Not a ton I can do right now, I can't access the help desk at LunarPages to submit a ticket. And no, I don't want to buy a dedicated IP, especially if it's not necessary.

 


Fuck. May need to anyway...

Now why would you need a Dedicated SSL Certificate over the shared one that comes for free with your hosting plan? Shared SSL will not function with ASP, JSP or PHP pages. It will function only with HTML, and cgi/perl based documents/scripts/carts. This is due to security restrictions on the servers. If you require SSL for PHP, ASP or JSP you will need to purchase a Dedicated SSL Certificate and Dedicated IP.

.... and of course we're using lots of php functions. 


I'm confused, where is this quote coming from? 

Having php functions shouldn't make a difference. Much of this seems to be html output. Kind of like with wordpress which is all php and html out hosted on shared server with shared certs. Is this in general or only with your host? 

What changed in the last 48-72 hours that caused the issue? I have no issues on my phone/chrome and it has an SSL padlock, just in Firefox and Chrome via the way I have my settings. Is this new to how certs are handled or new to how the host configures their server or new because you installed something new in the last few days? I just had a new shared cert installed on a dedicated server with over 100 sites. If this is coming from the host and nothing has changed on your end, why would they have a shared cert installed which worked fine before and still validates. Something's missing...

Question for anyone who "does not have an issue" with this malware message

When you come to the site, what does it say in the address bar?

  • Is there a red lettered message? 
  • Is there a green padlock? 
  • Try clearing your browser cache and revisit the site to see if you now get the message or everything is fine. 
  • Post what happens and the browser you're using.

good times. 


The message I quoted above was from the Lunar Pages (our hosting provider)  Wiki ... and yes, it's likely five years or more old. 

I usually use Chrome (no issue, dark padlock) but also use Firefox (big red MALWARE SITE WARNING and would not let me click through to the site even after clicking "I understand the risk" , kept re-directing me to some Make The Internet World Safe By Signing Up And Buying My Product type of site (utter bullshit IMO.)  Tried Edge, but it kept dropping to desktop and wouldn't connect to anything. 


firefox you should be able to click on the "details" button and then click the link that says "ignore the risk" get to the site and "x" out the additional message at the top. Sometimes you can add an exception.

So what is the host tech support saying about this? Are they looking at it or telling you you need to pay for something more? 

It seems to be a misconfiguration problem but I don't know all the details. Just trying to clarify some facts for you as I read the post.

You can't research what's going on with the host server admin side since you don't have access, it's a mission of rinse and repeat insanity customers are often sent on... 

10 hours ago, WWDriftwood said:

 

So what is the host tech support saying about this? Are they looking at it or telling you you need to pay for something more? 

It seems to be a misconfiguration problem but I don't know all the details. Just trying to clarify some facts for you as I read the post.

Fresh cup of coffee, going back through my notes to see if I have the keys to the customer service area. 


sorry guys....just caught up with this. I did submit a work ticket. Sandy, next Tuesday if you are flying we can break away and go thru the customer service log in to see why you can't get in. I will send you my info via PM if you want to try again.


Got in to check the reply from Geezer's submitted trouble ticket. No help at all... 

Hello,

Thank you for contacting Lunarpages Internet Solutions & Web Hosting support.

The issue doesn't have to do with your website's domain's SSL certificate. As you can see at :

https://www.sslshopper.com/ssl-checker.html#hostname=wingwalkers.org

... the wingwalkers.org domain is actually covered by a valid SSL certificate at this time. Most likely, a phishing or scam website was set up under your wingwalkers.org domain.

Situations such as these are either the result of running outdated website scripts or outdated versions of Website scripts or due to using weak passwords, poorly secured or public / open wifi networks to manage your hosting account or website or possibly having malware on your own computer you access or manage your hosting account or website from. This issue is not the result nor an indication of the server itself having been compromised or having weak security.

While we do run website security software on our servers by default for free so as to protect our customers website (software such as Mod Security and a server firewall), these cannot always stop attacks targeting security vulnerabilities or exploits in the website itself.

Kindly note that we strongly encourage our customers protect their web hosting accounts. To that end we are offering a new software tool called Secure Live. SecureLive is real time protection from hackers and exploits. More information can be found at http://www.lunarpages.com/website-solutions/securelive/ . This application will not remove existing exploits or malicious code; it would only protect you from future exploits and only if your hosting account has been fully and thoroughly cleaned of any existing malware.

To clean or remove the files found by our sysadmins and advised to you as being infected or malware php scripts you can either use the File Manager tool in your hosting account control panel or a FTP client such as Filezilla. If you'd prefer our senior technical staff handle cleaning of infected php scripts on your account or removing of malware ones, you can enable our Managed Shared Hosting service for your hosting account to have our staff handle this for you.

This is an optional service we offer as a monthly subscription which you can order for your hosting account to have our senior technicians help address issues which do not strictly pertain to webhosting technical support but exceed the scope and extent of that kind of support and venture into webmaster type work. Particularly when issues with 3rd party causes or origins require addressing and you'd like our senior, specialist technical staff to help.

If you'd like to, you can enable the Managed Shared Hosting service for your account from your Customer Account Page :

https://account.lunarpages.com/purchase_addons_tab.php

Managed Shared Hosting is offered as a monthly subscription and charged for on a monthly basis as well, for the duration you have it enabled. You are not locked into using this service indefinitely once enabled. But at least one month of Managed Shared Hosting will be charged for if you activate this service.

....

The cost for the Managed Shared Hosting service subscription is 39.95 USD per month. You are not locked into having the service enabled indefinitely / perpetually if you do activate it. You can request its discontinuation before it comes up for renewal the following month.

Please advise. We look forward to your reply and update.

Thank you for your time and consideration.

Best regards,

Laurențiu Victor Vișan

Customer Service Representative

I've looked at the file structure of our site, and have not found anything to indicate there's any surprising changes. I really don't want to download the entire site's structure, especially the Vault, just to run virus scans on it. But I certainly can't see paying $40/month for their "security" program. 

Thoughts?


Yes, they basically gave us many opportunities to buy more services, but not much support to fix the current service we already buy.


That’s a lot of money to protect against possibilities that have never reared their head until we moved to the new site. 


Agreed, high price for a monitoring service that doesn't address the original issue and won't be useful until.

This gets me.... 

Quote

This application will not remove existing exploits or malicious code; it would only protect you from future exploits and only if your hosting account has been fully and thoroughly cleaned of any existing malware. 

 


Do you have a solid date on when the message started popping up? 

If you've been making a lot of changes and customizations using any scripts I'd try back tracking and remove or comment out anything you did.

I read the note from the host. But I still don't understand everything that was done to the site as far as updates. When you say new site does that mean new host, same host new server, new or updated software, etc. etc. You could have added a seemingly benign script or the host could have modified their security settings either or / or both could trigger the malware message. Unless of course there is actually malware which I would think the host would scan your site to see.

Quote

To clean or remove the files found by our sysadmins and advised to you as being infected or malware php scripts you can either use the File Manager tool in your hosting account control panel or a FTP client such as Filezilla. If you'd prefer our senior technical staff handle cleaning of infected php scripts on your account or removing of malware ones, you can enable our Managed Shared Hosting service for your hosting account to have our staff handle this for you.

A little confused, is this if you use secure live? 

Or

Did the host send you a list of files and scripts to remove from your site? If they did, document and remove them one at a time testing the site as you go by clearing your cache etc. 

Is any of your software and scripts old and outdated? Looking at old scripts that you know are not malware doesn't mean they're not going to trigger a message. If added recently, when in doubt, comment them out... backup the file and remove them which is the best way to be sure.

Definitely go through and update any simple Passwords if you have them. That can cause problems.

Currently your site is blacklisted by google and yandex

Yandex says you have an iFrame virus: https://en.wikipedia.org/wiki/Iframe_virus

https://www.yandex.com/infected?url=wingwalkers.org

So whatever you added day of or days before to the site, remove it.

Might have to contact these services to get off the list, not clear on the procedure; but you will want to check as you troubleshoot. You may remove the unwanted code but still get the message. 

Pain in the butt all the way around. 

If you have a backup predating the message, you might consider this as well. 

If the host gave you a list of scripts to remove, start there.

I'm not sure how the STATS site and app is tied to your site/host/domain? Or is this run from a home pc or? Maybe temporarily remove this?

again the biggest help will be what was done to the site/server/etc. the day of or prior to this message.

Sorry you're having trouble...
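One way to look for the hidden-iframe injection that Yandex reported, as an added example (not from the thread, the host or Invision): it walks a copy of the web root and flags iframe tags sized or styled to be invisible, including ones written inside escaped PHP strings. The heuristics and file extensions are assumptions and the sample markup is constructed; hits are candidates for manual review, not proof of infection.

```python
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)  # width/height of 0 or 1
STYLE_HIDE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
SCAN_EXT = {".php", ".phtml", ".html", ".htm", ".js", ".tpl"}  # assumed set

def hidden_iframes(text):
    """Return (line, src, reasons) for each iframe tag made invisible."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(m.group(0)):
            # Strip quotes and backslashes left over from escaped PHP/JS strings.
            attrs[name.lower()] = (dq or sq or bare).strip("\\\"'")
        reasons = [f"{k}={attrs[k]}" for k in ("width", "height")
                   if TINY.match(attrs.get(k, ""))]
        if STYLE_HIDE.search(attrs.get("style", "")):
            reasons.append("style hides frame")
        if reasons:
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, attrs.get("src", ""), reasons))
    return hits

def scan_tree(root):
    """Map relative file path -> hits for every scannable file under root."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            hits = hidden_iframes(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed sample: one ordinary video embed and two hidden frames.
SAMPLE = r'''<div class="footer">
<iframe src="https://video.example.test/embed/1" width="560" height="315"></iframe>
<?php echo "<iframe src=\"http://injected.example.test/in.php\" width=\"1\" height=\"1\"></iframe>"; ?>
<iframe src="http://injected.example.test/x" style="position:absolute; left:-9999px"></iframe>
</div>'''

if __name__ == "__main__":
    for line, src, reasons in hidden_iframes(SAMPLE):
        print(line, src, ", ".join(reasons))
```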

 


Yeah, my head hurts from the BS  provided by Google. Yandex is basically a Google mirror, so... *shrug*

As soon as I was able to get onto this site from my work computer (my employers block everything that could possibly be an issue, including their own intranet stuff quite often) I knew Google was full of shit.

Our host did not provide any sort of list of files to be cleaned... They will gladly run scans for $40/month additional fee for as long as we need them.

Our contract with this host is due to renew in October, I can guarantee we will be looking into a new host before then.

All old scripts/software have been removed from the file structure (includes old phpBB, CopperMine Gallery, WordPress installations <had two of them>) for a couple months now. Only remaining software 'active' is Invision Community. ICS has been completely updated this month by uploading all new files to support the latest sub-version of their software. It's possible they have a recalcitrant "0" trying to be a "1" somewhere, but I doubt it.

Have not customized anything that requires hand-editing of code. I'm simply trying to ensure that Invision is running solidly before I tinker with it. The only add-on is a commercial theme ("Brave", officially supported and available through the ICS web store, and is the dark theme or skin visitors see by default.) The only change to that was me installing it correctly with a vanilla parent and a customized 'child' (by addition of the WW logo only so far.) I can go back to using the default ICS theme (white/light skin) and see if that still causes Google to shit on the floor. And no... I'm not intending for the site to appear racist, just making the site easily user-friendly for those who like either white on black or black on white text.

Passwords for all admin operations pass as "strong" or better. My personal admin access passwords are all ** characters or more. They're not infallible, but they're not "password123" either.

We've had Duck's Server Stats app linked for about a month or more, would not expect that to act up, but it is on Duck's private server. We only link to it. (Russian built though, so... ? ) 

Will keep digging, obviously something is amiss but damned if I know what. 

Thank you for the positives! :) 


You're welcome, very frustrating situation I know.

Unfortunately the blacklist is not going to go away until whatever is triggering it is removed and every day it's not removed will make it harder to get off the blacklist since they track how fast it's resolved.

I'm not clear what your employees stuff has to do with the web server files? Or if changes made will immediately remove the warning which makes it difficult to troubleshoot.

I would look closer at yandex reporting the iFrame virus or simply ask your host if paying the $40 for the month means they will scan, find, remove/fix the problem. A $40 fix and blacklist removal would be cheap. I'd think it would be in their best interest to not have a website on their shared server that's blacklisted for malware.

Maybe contact Invision Community support and report you're having issues since you updated the software to see if there have been some similar issues.

Pain in the butt stuff... 


Sandy, keep the faith. Let me know if you want to consider Driftwood’s suggestion to pay for the scan for one month to see if that solves the problem. Going to clean up my passwords to make them more challenging this weekend.
