Website compromised by harmful content

Status
Not open for further replies.

consolev

New Member
I'm in dire need of someone (admin) to look at my website files and find the root source of this.

My website was flagged by Google as having malicious content hosted. I have the URL and it has already been reported for web forgery. I'm trying to resolve this issue, but I'm having no success in locating any modified source code or any server redirects.

The URL itself seems to bypass any 302 or 301 redirects from source htaccess files, and I'm not sure, but it looks as if there are other websites on the x10 servers which have this problem.

There is a Google cache of said account here: https://webcache.googleusercontent....ity.phishings/75446+&cd=1&hl=en&ct=clnk&gl=us

5th result down. The IP is x10 hosts, could this be a server breach? This is the exact same response as I get on my site. These files or folders do not exist in my file manager, nor can I locate any trace of malicious code in any files.

For anyone using the above link, do not enter any account info or details, this is a phishing site which bears striking resemblance to what is going on on my website.

Any help or ideas out there?!
 

chatterbox42

Member
I just got the same issue when I tried to load my site - "...has been reported as a web forgery and has been blocked based on your security preferences." It was working fine up to last night, and the only change in the last 48 hours was a WordPress plugin update (Slimpack). That doesn't appear to be the issue.

May I ask which server you're on? Just wondering if it's limited to mine - I'm on xo1.

Edit: Google Webmaster Tools search console is identifying the same file you indicated as the source of the breach - "home/webstati/public_html/update/Online-Mail.html" but I find no such content in my home directory either. Weird...
 

mattdahe

New Member
My site has been identified as having this page also. I'm on xo1 as well.
 

essellar

Community Advocate
Community Support
Just keep in mind that what's being flagged is the server's IP address, not any of your individual accounts. The problem file(s) can be in any one user account on the server, but blocks are usually applied at the IP address level rather than the domain level, so all of the accounts on the same server, which all resolve to the same IP address, will be treated the same. Google has no way of knowing which domains/subdomains point to which user accounts on a server; it can only see that they all point to (in this case) 198.91.81.2.

Do note that even when staff fix the problem on the server, it might not be reflected immediately on third-party listings.

If nothing else, this is a good reminder that every single user here is responsible, in the end, for the security of more than just their own account.
 

Dead-i

x10Hosting Support Ninja
Community Support
Hi,

This does look to be caused by a phishing page hosted by another account on the server, which has now been suspended. However, we are looking into a separate issue that caused Google SafeBrowsing to slowly start to block all sites on xo1, rather than just the affected site, to ensure that this does not happen again.

Although the phishing page has now been taken offline, it may take some time for Google to recognize the change. I'm sorry for the trouble this is causing here. Just to clarify, your accounts have not been compromised.

Thank you,
 

Dead-i

x10Hosting Support Ninja
Community Support
Hi,

Just wanted to update everyone on this. The issue that caused people's websites to be erroneously identified based on another website on the same server has now been resolved, so this should no longer be an issue for Google SafeBrowsing in future. ;)

Thank you,
 

shifattk

Member
Thank you x10 for quickly resolving this issue.

I received the 'social engineering website detected' email from Google and put in a request for review with a paraphrased explanation from this thread and also put the link to this thread. Hopefully they unflag the IP soon. I'm not sure if it would do anything but if everyone who got the email did this, it might make Google unflag it a bit quicker, I'd hope so at least.

My website is also a CV/Portfolio so it definitely would look bad when future employers look at it and see that 'malicious website' message lol.
 

chatterbox42

Member
Is anyone else's site still displaying this warning? Google sent me a message on Thursday morning saying "the warnings visible to users are being removed from your site. This may take a few hours to happen." But 48+ hours later nothing's changed.

Google Search Console shows no warnings, and the clearinghouse search at stopbadware shows a white square "indicating the URL is not currently blacklisted by any of the companies that provide StopBadware with data".

Is this normal after all this time? Am I missing something? Help?
 