sapphirecoastanglicanparish.org.au

[AvaQ]

I represent a small church organisation, with a very basic website. Recently several internet providers/browsers have started blocking access to our website due to ‘Malicious content’ (despite no changes to the website). It appears our website may have been allocated a new IP address on 20 June, which is about when the problem started. Your organisation is one that has flagged our website. Can you please review and remove from your Blacklist? Thank you.

[Dashke]

Unfortunately the block will not be removed as there are still some phishing pages -

http://sapphirecoastanglicanparish.org.au/Pdf%20Invoice%20Page%202016/9c48f2f845bc2f11d2ae59a944985b21/
http://sapphirecoastanglicanparish.org.au/wp-dotyer/

Please remove them so we can unblock your website.

[AvaQ]

I am not a tech expert but I went into our site files and found the two files you quoted and deleted them from our website. Can you check if it is now clear? Thanks so much for your help. I really appreciate it as I am very new to this and have very little experience in this area.

[Zynthesist]

Hello,

I understand you say you deleted the "files" but did you secure your site? Was your site compromised? 

[AvaQ]

To the best of my knowledge the site is secure and was not compromised. Here is the sequence of events:

About 10 days ago I was made aware one particular ISP in Australia was blocking access to our website citing suspected malicious activity.

Through the ISP I became aware of VirusTotal.com (where 6 companies had flagged our site) and Maltiverse.com. Maltiverse shows a new IP address became associated with the website on 20 June, a few days before I became aware of the problem. Maltiverse also shows that IP address was previously associated with a website address that was flagged for suspicious/malicious activity. 

Based on the information provided by the previous staff member (above) and Maltiverse, I went into the control panel of the Content Managment System that we use, found the file directory, located the files/folders that corresponded to the suspicious urls identified (above), and permanently deleted them. I refreshed everything I was able.

I have run every virus scanning tool I have available, both through the Content Management System and Domain Hosting site (NetRegistry), and retail anti-viruses via home and office computers (Norton and Kaspersky), and had 0 results. Deleting the questioned urls has not affected the site. Prior to deleting the site I pasted the urls in my web browser (to try and further refine/identify the problem) and it returned a negative result. 

As mentioned, our website is for a small church group and is very basic, almost a blog. It has pages detailing service times, PDF attachments of Church newsletters, and photographs taken by our members. None of these have been flagged as a problem. (See Maltiverse diagram below). I have also been in contact with the other security companies that initially flagged us on VirusTotal.com - AegisLab WebGuard and Emsisoft have removed the flags and cleared the site, and I have received an email from Fortinet saying they have cleared us but it may take time to show as cleared due to the Antispam cache. The website is still available and functioning normally through numerous other Australian ISPs - from what I can gather the site was never compromised, and it was the change of IP address that caused suspicious urls to somehow be associated with our site. 

I apologise for the lengthy explanation and my lack of technical skills. Our website was initially established by a small IT Company that donated their time because we are a church/religious organisation. Unfortunately they are very busy for the moment, and because their time is donated, won’t be available to assist us for several weeks. So I am trying to resolve the situation as much as my limited skills will allow. 

Thank you so much for your patience and assistance.