Is Cloudflare serving malware?

Quttera flagged my website as being malware infected. This was surprising since this is a React app and is hosted on AWS Amplify and fronted with Cloudflare. My development is done completely on Linux. The probability of a malware infection seemed low.

Here is the code that Quttera flagged as malware:

Malicious files: 5
File name: /1638179945.855-6uvnhptydj
Severity: Malicious
Reason: SEO/Spam detected
Details: Detected malicious SPAM/SEO content
Offset: 3
Threat dump:

[[<div style="position: absolute; top: -250px; left: -250px;"><a href="https://noabcla.com/cultured.php?userid=7">table</a></div>  <form class="challenge-form" id="challenge-form" action="/1638179945.855-6uvnhptydj?__cf_chl_f_tk=WwcgZnSsAr4mQ.3VYZRsQuo9xIq48zcmkFbxDpUVXvo-1638179945-0-gaNycGzNBxE" method="POST" enctype="application/x-www-form-urlencoded">  <input type="hidden" name="md" value="6WmjnwgSpMzPBELYvFXHNElwBcFVlpuQsbC.RHmCl6U-1638179945-0-AYVZz83Q9RjgeAQrBTMBvE9x2wnTYvCAiCMXrB1lebIQW4TFxPBeA5xj-xH_DEdKDcNIgjQuO_CCtlzdlTuynAIohY1sNa3VOZ13xwdbcGHT3usDt7YRLE9Hpa_SgLvXlm0gJMCroDgvySTfpmKJlhtKiJ5wsPyUDlbbZvKsiGBeU59kdGrw0H1A6w4SHR1-X03CNFcbu0pGt2AAe9davNjLb6S28iO3LlAYtMmZN586vGbU8taty4gVkSIo8vSxIBk8tSEXnwdEZfcrR0r3jcyaWD9sybgNhLV-ZlrwQaA__gHUYvAtMHm-EaBiVlofEszNswBlJ5hpUTNwOA59vFSWiwnpmrEDRfKaLHYfU6c3TghsCqpmWZLrWXRNRmIeO9HWsH9fFMZry3F00qMbzCyOLLfUv7suj5_Pq9fDOIjZPSulH3B6mK2SZ-FjKrLjEUKJWyw20NicW-qa99X6DBpbvq9O0y4oECEYpxqOYY5FjWmSrt0OCweZy5IeeZ4jnbGWNeiVuU_dKDgJk7Mmn26Wj

This is not my application code. I verified by doing a ‘find + grep’ on my sources.

To cross check, I scanned the Amplify generated URL of my app on Quttera. No malware this time!

https://quttera.com/detailed_report/master.d3mvcdqtj8ak76.amplifyapp.com

That points to Cloudflare workers as the source of infection. Has anyone else come across such an issue? Would appreciate your insights.

1 Like

I would say no.

Rather, websites do get malicious code, which therefore marks them as a “malware” or “spam” website, and they even get blacklisted as well.

Otherwise, there were some topics where anti-virus programs like Malwarebytes or BitDefender, NOD32, warned about “suspicious” or “dangerous” websites for a few users.

But again, that is not coming from Cloudflare as far as I know.

Nevertheless, this part of a URL has come across already here:

I have to admit, I am not familiar with it.
First time I see this.

I also found this so far:

https://www.abuseipdb.com/check/82.165.48.140?page=7

Seems domain is using Cloudflare service (determined by the nameservers for the domains), but “operated by Cloudflare” I would not agree - the user/owner of the Website/domain in this case:

https://noabcla.com/
https://noabcla.com/cultured.php

Due to the usage of webpack for your domain/website and lately npm packages getting malicious code, I would strongly suggest scanning your JS (npm?) packages if using them in your code for your Website, if that could be the case for you?

2 Likes

Thanks for the research. Looks like this is coming from Cloudflare itself. What concerns me is that Google Ads has also flagged my site as malware infected and blocked my ads from running. If this Github gist is authentic, I would expect Cloudflare to clarify. So that Google and other malware detecting tools can whitelist them.

1 Like

Okay, now that’s interesting.

I have tested, on my Firewall Rule with Challenge mode, I do see this:

All the links go to the same webpage content, but on a different domain name which is using Cloudflare nameservers.
Tried on two web browsers on my desktop PC, different domains.

Interestingly, why is the link hidden with CSS display:none:

<div style="display: none;"><a href="https://simtelnet.com/mudstealthy.php?e=41">table</a></div>

I think we should ask Cloudflare Support (support[at]cloudflare[dot]com) for more information.

https://community.cloudflare.com/t/url-in-attention-required-page/42870/42?u=fritex

1 Like

I’ve written to CF Support Team and created a ticket regarding this.
Ticket number: # 2315500 (but got automatically resolved) @MoreHelp

2 Likes

As far as I’m aware, that URL is standard and is part of the JS/Captcha challenges. I doubt they will go into many details about how it works behind the scenes due to obvious reasons.

The malware flag is likely due to the site being presented as a challenge page.
Since this page is obfuscated and has references to further obfuscated files, this generates an abnormal file entropy flagged as malware.

There is nothing that people can do about it. The whole internet relies in one way or another on obfuscation; flagging files based solely on entropy is rather silly.
If it were me, I would ignore those results as they don’t show any meaningful information.

Thanks @fritex ! Appreciate it!

CF may not delve into the details. But when a site behind CF is being tagged as “malicious”, there needs to be some mitigation. Else, such sites can never run Google Ads!


1 Like

Does it affect whole domain or particular URLs?

Entire domain.

1 Like

May I also ask do you possibly see (just in case) any of the GoogleAds bot being blocked, or shown at Cloudflare Dashboard in Firewall Events? (I assume it checks/visits domain or some URLs just like crawling/indexing bot does)

1 Like

If Google flagged your site, it’s because their bot was served a challenge that obscures your site’s content. Quttera reports precisely that as well.

Challenges aren’t welcome because they obscure your site’s content, thus making it impossible for tools to determine what content is stored on your site.

If you have firewall rule(s), I’d consider disabling them. If there are no custom firewall rules, I would suggest escalating the issue to CF.

1 Like

Thanks @fritex ! Have allowed Google bot UA in CF FW rules now. This should be it.

1 Like

Thanks for your inputs @jnperamo . Cloudflare Firewall is one place we need to keep watching to confirm no legit bots are being blocked.

No, that’s bad. It will allow malicious attackers to bypass the rule.
It would help if you used the existing flag “known cf bot”.
https://developers.cloudflare.com/firewall/known-issues-and-faq#example-2

1 Like
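As an added illustration that is not part of the thread or of Cloudflare's documentation, the two rule variants discussed above written out as Cloudflare firewall rule expressions; the challenge rule's own condition (cf.threat_score gt 10) is an assumed stand-in for whatever the original challenge rule matched on.

```text
# Weak: exempting by User-Agent string. Any client can send this header,
# so the rule exempts everything that merely claims to be Googlebot.
Expression: (http.user_agent contains "Googlebot")
Action:     Allow

# Better: use Cloudflare's verified-bot flag, which is set only for crawlers
# Cloudflare has validated (search and ad bots among them), so it cannot be
# claimed by spoofing a header.
Expression: (cf.client.bot)
Action:     Allow

# Or fold the exception into the challenge rule itself, so verified bots never
# receive the interstitial regardless of rule ordering. The threat-score
# condition is an assumption standing in for the original challenge rule.
Expression: (cf.threat_score gt 10 and not cf.client.bot)
Action:     JS Challenge
```

Either way, the Firewall Events log should be checked afterwards to confirm that no verified bot is still being challenged.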

Agreed! Thanks!

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.