Security Settings 2

We’re finding the same thing. Quttera + Bot Fight Mode = malicious files

Turn off Bot Fight Mode and no more malicious files.


Thank you for asking.

I am not aware how Bot Fight Mode could affect or cause any malicious files.

Regarding Qutterra, maybe when you were checking and testing your website, the requests from their service could be challenged or blocked and that way show it’s malicious, while it’s not.

May I suggest to look into the similar topic from posts below which might be related to this:

1 Like

Likely automated tools that should be ignored. The only pattern that could be deemed malicious of bfm is the obfuscation or the APIs it consumes
It’s safe to ignore and should be reported to the tool’s creator as a false positive.

If, after this, you are still not confident about using bfm, disable it.

1 Like

Quttera shows these list of links found when their bot visits - some of them are most definitely cloud flares bot challenge. Others make you wonder if Cloudflare’s bot challenge is infected.

This is one of the links they say is malicious

Unfortunately its hard to test because Quttera likes to use cached results on their scan, and I don’t know their cache TTL to know when i can test a change in Cloudflare.

But I have the same exact website hosted on a different domain, served by the same database, same apache, same exact code (not even a copy), and quttera finds no problems. It only has issue with Cloudflare challenges, just as all the other posters have noted.

To make matters worse, Quttera doesn’t provide any method of reporting a false positive, instead they seem utterly focused on using their scans to upsell website owners on their silly services.

AND Quttera doesn’t even see fit to publish their IPs so that we can manually whitelist them in Cloudflare (which i understand why they would not, but at least Cloudflare should recognize them as they do googlebot etc)

Quttera is used as an authority by browser giants. Google will not allow adwords if you are listed in Quttera. This is no simple matter. Cloudflare really needs to look at this.

Can you show the code dump of the detection?

Thank you for providing feedback information.

I am really sorry to hear this.

Please, feel free to write a ticket to Cloudflare Support regarding this by:

  • Login to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button. If you get automatic reply, reply and indicate to it you need more help and reference to this and similar related topics
  • Or send an an e-mail to support[at]cloudflare[dot]com from your e-mail associated with your Cloudflare account

Unfortunately Quttera doesn’t see fit to show the dump of the whole html page their bot sees. You only get pieces that they found malicious like

The issue is that the bot is being challenged, and they interpret that as potential spam content. Your best bet is checking the logs and allowlisting quttera.

Unfortunately its hard to tell from the firewall logs which is Quttera. They do not identify themselves, they masquerade as a browser. This issue could really affect everyone’s websites at some point, its not an isolated case.

I see, makes sense; in general terms, bot fight mode is very sensitive and doesn’t allow people to customize its behavior or allow clients. The best bet is to set it to allow and use it as a very general overview of the bot traffic that reaches your site.

I’ve written to Cloudflare support - since this is an authoritative bot, they really should work with them to whitelist their scans.

But scarier, how could that code be found in cloud flares challenge page? its hard to think of that as a false positive. Makes you wonder if Cloudflare is compromised.

It’s not.
The Challenge page allows people to hide spam content, it makes sense for a bot to flag it as potential SEO Spam because there is no way for it to know what’s behind the challenge page.

I don’t think its as simple as that. They show this code in the site. That domain name derchris is a compromised malicious domain

Oh, fair enough, I only looked at the rest of the code and didn’t see that href.

That’s odd, though; I don’t think anybody can interfere on the challenge page at all, not even CF apps. It makes me believe it might be a backdoor trying to mock the challenge page.

Well that’s pointless, they want me to upgrade that domain to a paid plan before they’ll even listen to the report I’m giving them about their compromised challenge page… :roll_eyes:

So, Solution? stop using Cloudflare…

Disabling Bot Fight Mode AND all proxy and I get

You would think someone at Cloudflare would actually care about such a report…

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.