• Resolved xprt007

    (@xprt007)


    Hi there

    File contains suspected phishing URL: wp-content/cache/supercache/www.xxxx.com/directory/listing/a-and-a-computers-ltd/index-https.html
    ….
    Filename: wp-content/cache/supercache/www.xxxxx.com/directory/listing/a-and-a-computers-ltd/index-https.html
    File Type: Not a core, theme, or plugin file from www.remarpro.com.
    Bad URL: [link redacted]
    Details: This file contains a URL that is a suspected phishing site that is currently listed on Google’s list of known phishing sites. The URL is: [link redacted]

    I have been running a small regional web directory for a couple of years. In the last couple of days, I have been getting for the first time warnings about files at least so far specifically in the cache directory of Super Cache. They all involve the web directory’s listings and are of this nature: “This file contains a URL that is a suspected phishing site …”. I think also one or some of the culprit listings-related cached code the first time I had this warning the other day involved some small piece of foreign code (Base64_decode ?) in it.

    The first time, it involved about 6 links. I went to the cpanel but some of those links were no longer there, probably deleted by the caching mechanism(?).
    Anyway, I deleted all related folders from Cpanel, esp. since Wordfence could not delete some of them, as they were apparently missing by the time I checked them out in file directory. Does this imply the problematic cached files only stay for a short time on the site?

    Then yesterday, I got the second alert, with one link, shown above. I checked out the web link in the mentioned directory web listing at virustotal.com with => this result, with 1/67 saying it’s malicious.

    I actually have just checked the code related to that file and found this piece of code in it `…src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div> <!-- Start of StatCounter Code --> <script><!--
    var sc_project=….. ;…`

    I’m not an expert on this, but feel it’s not good … or not?

    Can I assume the danger is foreign and associated with these foreign links in the directory listing and not being generated locally? There’s no report of compromised site files, except a couple of theme files I have personally altered.

    Where does the above base64 code in the caching file come from?

    Is locating such potentially dangerous, phishing sites a new function in Wordfence, as I have never had such reports in years, but 2 in the last 3 days? At this rate, I would not be surprised if more are reported in daily Wordfence scan alerts.

    What’s the best course of action? Delete the directory listings? In some cases, I suppose folks clean their sites. Some of the involved sites are Government sites, probably compromised and with incompetent IT personnel, who may not even be aware of the problems. The other sites are also probably not compromised by owners but by foreign criminals.

    Is there anything I can do to stop this, so I have no such alerts, like was the case before this started a couple of days ago?

    I would very much appreciate your help.

    Kind regards

    • This topic was modified 6 years, 4 months ago by xprt007.
    • This topic was modified 6 years, 4 months ago by Steven Stern (sterndata).


Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter xprt007

    (@xprt007)

    Update:
    I carried out a manual scan and got a similar alert message related to another single web directory listing related Super Cache cached file. This time the culprit link checked out at Virus Total: => result, as you can see some government site.

    It seems many sites across the web are compromised.

    The base64 code mentioned above seems to be before the start of the Statcounter plugin code.

    This is part of the code which seems to end with the base64 code:

    <p>Please add <a title=\"https:\/\/getadmiral.com?utm_medium=plugin&utm_campaign=abn&utm_source=abnlinks\" href=\"https:\/\/www.mysiteurl.com\" target=\"_blank\" rel=\"noopener\">www.mysiteurl.com<\/a> to your adblocking whitelist or disable your adblocking software.<\/p>\n","anAlternativeClone":"2","anAlternativeProperties":"","anOptionModalShowAfter":0,"anPageMD5":"","anSiteID":0,"modalHTML":"<div class=\"ANKjkRKQJQun-default\">\n\t<h1 style=\"\">Adblocker detected! Please consider reading this notice.<\/h1>\n\t<p><img class=\"alignleft size-full wp-image-844957\" src=\"https:\/\/www.mysiteurl.com\/wp-content\/uploads\/2018\/07\/adblockerlioness.png\" alt=\"\" width=\"164\" height=\"300\" \/>We've detected that you are using AdBlock Plus or some other adblocking software which is preventing the page from fully loading.<\/p>\n<p>We don't have any banner, Flash, animation, obnoxious sound, or popup ad. We do not implement these annoying types of ads!<\/p>\n<p>We need money to operate the site, and almost all of it comes from our online advertising.<\/p>\n<p><strong>Please add <a title=\"My Site\" href=\"https:\/\/www.mysiteurl.com\" target=\"_blank\" rel=\"noopener\">www.mysiteurl.com<\/a> to your ad blocking whitelist or disable your adblocking software.<\/strong><\/p>\n<\/div>\n<a class=\"close-modal close-ANKjkRKQJQun\">×<\/a>"}/* ]]> */</script><div id="adsense" class="an-sponsored" style="position:absolute; z-index:-1; height:1px; width:1px; visibility: hidden; top: -1px; left: 0;"><img class="an-advert-banner" alt="sponsored" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div> <!-- Start of StatCounter Code -->

    I must say I use a plugin “Ad blocker notify lite” and adblocker related text seems to be related to it. Can it be this base64 code is part of text related to this plugin & not bad?

    In a response, I would appreciate the other question on phishing site alert being addressed.

    Thank you.

    Hi @xprt007,
    The image code does look like something that was added by the adblocker plugin. I would recommend you reach out to the authors of that plugin to verify.

    For the bad URLs you got notified about, they are indeed bad. You’re getting warnings about those links because they’ve ended up on the Google Safe Browsing blacklist. Government websites get infected too.

    You should remove links to infected sites from your website. Linking to them could potentially impact your own SEO, especially if you are linking to several infected sites.

    The scan for bad URLs is not a new feature in Wordfence. It’s been around for years. Maybe you had that specific scan option disabled previously, or maybe installing the cache plugin made those URLs visible to Wordfence. If they previously only existed in some database tables and those tables were not being scanned, Wordfence wouldn’t have seen them.

    As for how your cache works I’m afraid I can’t respond to that. I’d recommend you reach out to the authors of your cache plugin to find out how long the cache files normally stay on your site.
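
One way to check what the `data:image/gif;base64,…` value quoted in this thread actually contains is to decode it and classify the bytes by their file signature. The following is an added example, not part of the original posts and not code from Wordfence or either plugin; the names `audit_data_uris`, `describe` and `SAMPLE_HTML` are hypothetical, and the second data URI in the sample is constructed for contrast.

```python
import base64
import re
import struct

# Constructed sample: the <img> fragment quoted in the thread, followed by a
# made-up text/html data URI to show what a non-image result looks like.
SAMPLE_HTML = (
    '<img class="an-advert-banner" alt="sponsored" src="data:image/gif;base64,'
    'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>'
    '<iframe src="data:text/html;base64,aGVsbG8="></iframe>'
)

# Declared MIME type (group 1) and base64 body (group 2) of each data URI.
DATA_URI = re.compile(r'data:([\w.+-]+/[\w.+-]+)?;base64,([A-Za-z0-9+/=]+)')

def describe(payload: bytes) -> str:
    """Classify decoded bytes by magic number, not by the declared MIME type."""
    if payload[:6] in (b"GIF87a", b"GIF89a") and len(payload) >= 10:
        # GIF logical screen size: two little-endian 16-bit values after the header.
        width, height = struct.unpack("<HH", payload[6:10])
        return f"gif {width}x{height}"
    if payload[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if payload[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return "not-an-image"

def audit_data_uris(html: str):
    """Return (declared_mime, decoded_size, verdict) for each base64 data URI."""
    findings = []
    for mime, b64 in DATA_URI.findall(html):
        try:
            payload = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((mime, 0, "invalid-base64"))
            continue
        findings.append((mime, len(payload), describe(payload)))
    return findings

if __name__ == "__main__":
    for finding in audit_data_uris(SAMPLE_HTML):
        print(finding)
```

The string from the thread decodes to a 42-byte GIF89a image one pixel wide and one pixel high; a `not-an-image` verdict is the case worth reading by hand.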

    Hi @xprt007,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved. Please feel free to open another thread if you’re still facing issues with Wordfence.

    Thanks!

  • The topic ‘This file contains a URL that is a suspected phishing site …’ is closed to new replies.