Site Compromised?

I was scanning my website [REDACTED_FOR_PRIVACY] and I keep getting errors saying my site has malicious code.

My website is a social web app and has never had this issue before.
Could this be due to deprecation of past projects from the Dev Community?

Cloudflare’s Diagnostic Center says:

Check the status of encrypted traffic

How well does the website support encryption via an SSL/TLS certificate?

Error Found

Error: untrusted_root

Description: The Root Certificate Authority (CA) was not found in the Mozilla CA list located at curl - Extract CA Certs from Mozilla.

Online Scan Tool Quttera Results:

It states that I have malicious snippets in my HTML which aren’t in my project; these come from what was injected because of Cloudflare (i.e. the “Security check” pages).

Related issue (doesn’t solve my issue):

Thanks!
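The “untrusted_root” line in the diagnostic above means the chain served by the site ends in a root that the Mozilla CA bundle does not carry. The following is an added example, not code from the original post, from Cloudflare or from Quttera: it builds a throwaway private root and a server certificate for the made-up hostname `example.test` (both constructed at run time), then verifies that leaf twice, once against a trust store that contains the private root and once against an empty store standing in for a public bundle that lacks it, which reproduces the untrusted-root failure. `PoolFromPEMBundle` and `CheckLiveHost` are provided for the real check: load the curl/Mozilla bundle file into a pool and dial the site with only those roots; that live step is not exercised offline here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed root CA plus a leaf it signed. It stands in for a
// hosting provider's private root; nothing here comes from a real site.
type TestPKI struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// NewTestPKI generates the private root and a server certificate for hostname.
func NewTestPKI(hostname string) (*TestPKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &TestPKI{Root: root, Leaf: leaf}, nil
}

// RootPEM returns the private root in the PEM form a CA bundle file uses.
func (p *TestPKI) RootPEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: p.Root.Raw})
}

// PoolFromPEMBundle loads a PEM bundle (e.g. the Mozilla list exported by curl)
// into a trust store, failing if not a single certificate could be parsed.
func PoolFromPEMBundle(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("no certificates parsed from bundle")
	}
	return pool, nil
}

// VerifyAgainstRoots validates leaf for hostname using only the given anchors.
// It maps a missing root to the diagnostic's "untrusted_root" label.
func VerifyAgainstRoots(leaf *x509.Certificate, hostname string, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{DNSName: hostname, Roots: roots}
	if _, err := leaf.Verify(opts); err != nil {
		var unknown x509.UnknownAuthorityError
		if errors.As(err, &unknown) {
			return "untrusted_root", err
		}
		return "error", err
	}
	return "ok", nil
}

// CheckLiveHost dials addr ("host:443") trusting only roots; not run offline.
func CheckLiveHost(addr string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots})
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	pki, err := NewTestPKI("example.test")
	if err != nil {
		panic(err)
	}
	withRoot, _ := PoolFromPEMBundle(pki.RootPEM()) // a bundle that carries our root
	for _, tc := range []struct {
		name  string
		roots *x509.CertPool
	}{{"bundle with private root", withRoot}, {"public bundle (empty)", x509.NewCertPool()}} {
		status, err := VerifyAgainstRoots(pki.Leaf, "example.test", tc.roots)
		fmt.Printf("%-26s %-15s %v\n", tc.name, status, err)
	}
}
```

The second case is what Cloudflare's check reports: a chain that is internally valid but anchored in a root the public list does not carry. Fixing it is a matter of serving a certificate from a publicly trusted CA (or fixing the intermediate chain), not of malware.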

That scan site seems suspicious, and they are trying to sell you something that you do not need.
From the header:

The scanner crawlers are blocked by the web application firewall on this domain/website. The scan result could be incomplete.

Also, none of the code they show seems bad, just extra CSS. I wouldn’t be worried about it.

2 Likes

I was thinking the same thing; it just seems scary because someone else previously linked it, and then it shows there are .gen files… That’s a legit Trojan, and I’ve used a shared host for 16 years. Definitely not them.

When I load the direct URL to the specific file:
http://REDACTED_FOR_PRIVACY/d361b2a5a1b74957d7a8dcfe5511a70c

my certificate disappears and it returns a “404.shtml”; that’s not a supported format in-house.

I see one of them links to haxx.se, which claims to be a “group of fathers” who write boot loaders and other malicious scripts?

Yeah, I would ignore the scan, there is nothing really productive there.

2 Likes

Okay, that makes me feel better. Thank you. I thought I was just acting crazy.

My host is running .cgi/XCSS CORS attack diagnostics for me now. I just have to wait for their devs to let me know whether it’s a legitimate claim. I also linked this notice, which is linked via the code snippets they displayed:

If they don’t close this immediately, I’ll post the results here, because I see it’s an open case and people are still seeing this occur.

Results are in:
Quttera.com throws false positives for financial gain.
They simulate an impersonation of Cloudflare snippets, which seem to be dynamically based on my shared-host IP address:

1.2.3.4/infectedfileString

Every infectedfileString is deemed a pre-judgement based on the IP’s reputation from a precursor.

The /infectedfileString (d361b2a5a1b74957d7a8dcfe5511a70c) and the other .gen files it claimed existed do not exist in my root (/), nor does it have any lawfully injected snippets relating to the warning screenshot above.

If you encounter this issue, just understand that your infrastructure is fine; these morons just generate Trojan spoofs to scare us into paying for their crappy services.

Hope this helps!

1 Like