Sucuri has flagged as a malware file

All of a sudden various sites in my account got flagged by Sucuri that they include a Known javascript malware: malware.magento_shoplift?102 (https://labs.sucuri.net/signatures/sitecheck/malware.magento_shoplift/?102)

The file in question seems to be this http://vasada.com.cy/cdn-cgi/bm/cv/669835187/api.js

1 Like

Thanks for the reply. I wasn’t allowed to open a ticket in the morning.

I have run some tests and the issue seems to be the following.

When the Bot Fight Mode is on, Sucuri shows that the site has been hacked.
When the Bot Fight Mode is off, Sucuri shows that the site is just fine.

2 Likes

We are having exactly the same issue… It is affecting us big time because customers are complaining too… that they are getting issues… Something wrong…

/cdn-cgi/bm/cv/669835187/api.js

Same for our website too… THANK YOU for the tip. We are disabling Bot Fight Mode for now.

1 Like

Same problem here. I tried disabling the Bot Fight Mode and sucuri.net/sitecheck still detected the malware. I’m unable to submit a ticket to support and instead Cloudflare redirects me to the community board. Is there any update on this?

Hi @hop.n,

You should be able to submit one.

To contact Cloudflare Customer Support, log in & go to https://dash.cloudflare.com/?account=support and select get more help.

3 Likes

I received the same warning from my hosting: Known javascript malware.: https://atuavidanosastros.com/cdn-cgi/bm/cv/669835187/api.js
Website Malware

This message was sent to both my sites. I did run a scan with Wordfence on both sites and no malware was found.
I would like to know what can be causing this, if anyone can tell me that. Thanks

1 Like

Also having same problem! What is the answer here? False positive?

This is the reply from support, what kind of answer is this? If Sucuri and Cloudflare are feuding, the customer should not be in the middle of it.

Thanks for contacting Cloudflare support.

Please see article below that explains the usage of this internal script:

Please let us know if you have any other questions and we will be happy to assist.

Best regards,

Was that a bot answer, or did it come from a person? The first reply is usually from a bot, but if that’s not sufficient, you need to reply and let them know the bot answer didn’t resolve the issue.

From a person via email.

Thanks for contacting Cloudflare support.

Please see article below that explains the usage of this internal script:

Please let us know if you have any other questions and we will be happy to assist.

Best regards,

Tobi | Technical Support Engineer
Cloudflare Community

Hmmm…that article doesn’t seem to say anything about being flagged by virus/malware scanners. Try replying and asking for clarification. And posting the ticket number here will loop @cloonan in on the issue. Maybe @Benedikt-CF can follow up as well.

1 Like

This was a false positive from Sucuri

Get in touch with them so they can take this seriously. Send them an email at [email protected] so they can have a look and fix it.

Here is the reply we got from Cloudflare support.

Given we take security very seriously here at Cloudflare, we’ve submitted the mentioned URL for further testing over at
https://www.virustotal.com/gui/url/357d0296e9184d7764f6e8d0c35526500bb2061c56b63176f24aacf032303503/detection

The result:

No engines detected this URL

In light of this, we strongly believe this to be a false positive by Sucuri/GoDaddy.

We’ve reached out to the Sucuri team separately and are investigating on this further but if you happen to be a customer of them we’d appreciate if you let them know as well.

The mentioned JavaScript is part of Cloudflare Bot Management solution and it is not malicious in any way.

Please let us know if you have any further questions here and we’ll be happy to help

2 Likes

Just to follow up, I disabled the bot fight on my firewall options of Cloudflare and, after that, my hosting sent me the message «security warning cleared». So, definitely, this issue is caused by this feature. I am waiting to see this solved to enable it again on my account.

Just for my own peace of mind, where are you guys seeing this?
Are end users getting issues?
Or is it from your host etc… flagging the file?

It’s not your host flagging the file. Your host is using Sucuri which is flagging the file wrongfully. If your host disables your site due to this then your users will have an issue. Disable the bot fight mode for now until we all get some good news from Sucuri.

3 Likes

Hi
I received a message from GoDaddy, my hosting, with a warning for my 2 sites. After disabling the feature on Cloudflare, firewall, tools, I received a new message saying the warning was cleared.

1 Like

Given that we take security very seriously here at Cloudflare, we’ve submitted the mentioned URL for further testing over at VirusTotal

The result:
No engines detected this URL

In light of this, we strongly believe this to be a false positive by Sucuri/GoDaddy.
We’ve reached out to the Sucuri team separately and are investigating on this further but if you happen to be a customer of them we’d appreciate if you let them know as well.

The mentioned JavaScript is part of Cloudflare Bot Management solution and it is not malicious in any way.

Please let us know if you have any further questions here and we’ll be happy to help

3 Likes

Yep, we’re experiencing the same.

Cloudflare’s module “Bot Fight Mode” is affecting our website’s Sucuri malware check results.

It’s also affecting the malware check results provided by the WordPress plugins, Sucuri Security and iThemes Security.

In all cases, when “Bot Fight Mode” is activated, we’re getting false positives.

Our temporary fix is to keep “Bot Fight Mode” deactivated.

Does anybody have an update or permanent fix for this?

Cheers!