Website Blocked: interactcenter.org



Hi, one of my clients, interactcenter.org, is reporting that they are receiving multiple calls saying that our website is blocked by MalwareBytes, while they are promoting a key fundraiser. I believe this is a false positive. I am requesting it be unblocked, or to know what is seen as a threat that needs to be resolved. Even if it's clearly a false positive to unblock, I would really like to know any further details as to why the site was blocked. We've run into this a few times, and I've never been able to find out why it happened. Our best guess was that the embedded CiviCRM software required a security update at one time and must have contained something that was flagged, but that was remedied months ago. In the past there have been reports about specific Windows OS files, but they don't exist in the site, and the codebase is under version control so I would see if someone changed something maliciously.

Thanks,
Jeremy


  • Staff
Hi-

See here: VirusTotal - URL - 6bb8aacd3ad5df0337dfb22823f61986680aa2c7d0921d096c44badb5fa29d9a

Here: VirusTotal - URL - ce315ec80295efe1ce4edac96e9540d4761161dfedbe166ea9750aa04d3a9ab9

 


Thanks for mentioning this! The two specific paths (https://interactcenter.org/calendar/zoomtopia and https://interactcenter.org/people/michael-engebretson/) aren't physical folders; rather they are pretty URLs to Staff Member and Event records. There's nothing special or different about them compared to all the other URLs on the site. Double-checking the content, and everything looks as it should – no malicious links or anything.


21 hours ago, bicycle-theory said:

Is there more you can tell me about what's going on here? Do I need to track down and reach out to these 11 vendors to get MalwareBytes to unblock our website?

Hi, I hate to pester but this is hampering our fundraising and event registration. Can anyone answer these questions from earlier?


Have you checked file size and SHA of every file as compared to contemporary versions not stored on the server? One or more could possibly be hiding some malware. Those vendors will likely not be willing to change any results if current tests are showing issues. Older results, yes. Current, different story.


I have not compared every file on the server to a parallel elsewhere, but since the files are under version control (git) I expect to see anything that has changed from the originals. There aren't any changes to the files according to git. Are you telling me there might be some type of file changes that git wouldn't pick up and I need to check size and SHA? I would like to know more about that if so.

Also, the URLs flagged are simply web pages – basic HTML. No malicious links in content, no external files or libraries other than typekit webfonts and google analytics. I can see in browser network tools that no unexpected files are being loaded (screenshot attached, using standard Chrome without any blockers or anti-malware).

This seems like a false positive to me, and I guess the big question is, what exactly is being flagged? It sounds like I need to find and ask those 11 vendors, is that right?

Will MalwareBytes do nothing about this blocking of interactcenter.org until those vendors clear their flags of the site?

Thanks again.

 

[Attachment: Screen Shot 2021-10-05 at 4.43.34 PM.png]

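An added example illustrating the check described in the post above (this is editor-supplied code, not code from the thread or from Malwarebytes): instead of eyeballing the browser's network panel, parse the saved page source and list every external host the page tells the browser to contact, splitting them into an assumed allowlist and everything else, and count inline `<script>` blocks, a common landing spot for injected content. The allowlist hostnames and the sample HTML are assumptions constructed for the demo, not taken from the real site. One caveat worth knowing: injected content is often served conditionally (by user agent, referrer or first visit), so the source you save from your own desktop browser can look clean while a visitor arriving from a search engine or a phone gets something else; run this over page source fetched with several user agents, and remember it only sees markup, not scripts that other scripts add at runtime.

```python
"""Audit the third-party hosts an HTML page references, offline.

Added example for this thread, not code from the original post or from
Malwarebytes. ALLOWED_HOSTS and SAMPLE_HTML are assumptions constructed for
the demo; substitute the hosts and page source of the real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist standing in for the Typekit and Google Analytics hosts the
# post mentions; replace with the hosts your site really uses.
ALLOWED_HOSTS = {
    "use.typekit.net",
    "www.googletagmanager.com",
    "www.google-analytics.com",
}

# Tag -> attributes whose value makes the browser fetch or submit to a URL.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "img": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in URL_ATTRS.get(tag, ()):
            if attrs.get(attr):
                self.refs.append((tag, attrs[attr]))
        if tag == "script" and not attrs.get("src"):
            self.inline_scripts += 1


def audit(html: str, site_host: str, allowed=ALLOWED_HOSTS) -> dict:
    """Return allowed/unexpected external hosts and the inline script count."""
    parser = ResourceCollector()
    parser.feed(html)
    hosts = {}
    for tag, url in parser.refs:
        host = urlparse(url).hostname  # None for relative paths and data: URLs
        if not host or host == site_host:
            continue  # same-origin reference, not third party
        hosts.setdefault(host, set()).add(tag)
    return {
        "allowed": sorted(h for h in hosts if h in allowed),
        "unexpected": sorted(h for h in hosts if h not in allowed),
        "tags_by_host": {h: sorted(t) for h, t in hosts.items()},
        "inline_scripts": parser.inline_scripts,
    }


# Constructed sample page (not the real site): Typekit CSS, a GA tag, one
# inline script, a same-origin image, and one script host that is not on
# the allowlist. The protocol-relative URL shows that "//host/..." resolves
# to an external host too.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://use.typekit.net/abcd123.css">
<link rel="stylesheet" href="/css/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<img src="https://interactcenter.org/sites/default/files/logo.png">
<script src="//cdn.example.test/tracker.js"></script>
</body></html>
"""


def run_sample() -> dict:
    """Audit the constructed sample as if it were a page on interactcenter.org."""
    return audit(SAMPLE_HTML, "interactcenter.org")


if __name__ == "__main__":
    result = run_sample()
    print("allowed:   ", result["allowed"])
    print("unexpected:", result["unexpected"])
    print("inline <script> blocks:", result["inline_scripts"])
```

On the sample it reports `cdn.example.test` as the one unexpected host; on a real page, save the source with `curl -A "<user agent>"` for a few different agents and diff the results.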

First, let me say that I am just trying to assist here. The researchers have said that you need to find and fix the issues, but VirusTotal is sometimes not exactly helpful when it comes to drilling down to a specific file that is causing problems. Our researchers make the call here. I focus on Browser Guard issues, so I am somewhat out of my element. That said, checking for file size can point out potential issues, but checking a file's MD5 or SHA is best. You can download MD5/SHA checkers from numerous Internet sources. Any change to a file is going to change the hash, so comparing installed files against off-line originals (or a listing of each file's hash) will tell you if a file has been changed. Unless someone has access to your Git implementation, you can compare against that. With the number of vendors that are reporting malware, an FP is unlikely. If one or two reported, an FP would be possible. With 10-12 reporting, there is likely something there.

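A worked version of the hash comparison the staff reply above describes (an added example for this page, not code from Malwarebytes or from anyone in the thread). It walks a clean reference tree and the live web root, computes SHA-256 per file, and reports files that differ, files present only on the server, and files missing from the server. The sample trees it writes to a temporary directory are constructed for the demo and are not the real site's files. Two points from the discussion that the sample makes concrete: file size alone is a weak test, because an edit that keeps the length keeps the size (the sample's modified file does exactly that), and `git status` only reports tracked files, so anything that matches .gitignore or was never added (uploads, caches, generated settings) is invisible to it unless you also run `git status --ignored` or `git ls-files --others`; comparing against an off-line copy catches those files and does not depend on the server's .git directory being intact.

```python
"""Compare a live web root against a clean reference tree by SHA-256.

Added example for this thread, not code from Malwarebytes or from the
original posts. build_sample() writes constructed files to a temporary
directory so the script runs stand-alone; point hash_tree() at a real
checkout and a real web root for actual use.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path, skip_dirs=(".git",)) -> dict:
    """Map relative POSIX path -> (size, sha256) for every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            manifest[rel] = (p.stat().st_size, sha256_file(p))
    return manifest


def compare_trees(clean: dict, live: dict) -> dict:
    """Diff two manifests: changed content, server-only files, missing files."""
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def build_sample() -> tuple:
    """Constructed sample trees (not real site files) for a stand-alone run."""
    base = Path(tempfile.mkdtemp(prefix="hashcmp-"))
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "sites" / "all").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "sites" / "all" / "settings.php").write_text("<?php $x = 1; ?>\n")
    # Live copy: one tracked file altered with a same-length edit (size test
    # would miss it), one unexpected file dropped in, one file deleted.
    (live / "index.php").write_text("<?php echo 'hellO'; ?>\n")
    (live / "sites" / "all" / "cache.php").write_text("<?php /* unexpected */ ?>\n")
    (live / "sites" / "all" / "settings.php").unlink()
    return clean, live


def run_sample() -> dict:
    clean, live = build_sample()
    return compare_trees(hash_tree(clean), hash_tree(live))


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        for rel in paths:
            print(f"{kind:9s} {rel}")
```

For a real check, export the clean side once (`git archive HEAD | tar -x -C /tmp/clean`) on a machine other than the web server, then run `hash_tree` over that directory and over the live document root; anything in `added` that is not an expected upload or cache deserves a look first.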

I have been contacting as many of those services as I can, and have talked with a few. It appears that the reason a handful of anti-malware services are blocking our domain is because the domain was included in a list of hundreds of domains that was baked into the malware used to hack Kaseya a few months ago. This article (https://www.fortinet.com/blog/threat-research/dll-side-loading-technique-used-in-recent-kaseya-ransomware-attack) gets into the forensics of how it all worked, and includes a list of all those domains. It appears some anti-malware services are blocking all these domains, whether or not there is evidence of them being used maliciously. Some of the services I contacted have stopped flagging the domain (down to 7, still working on one of them: https://www.virustotal.com/gui/domain/interactcenter.org)

But no one will tell me any specifics about problems they see with our domain, just that "the researchers have flagged it." I have high confidence the website is clean and the server is secured, and that nothing malicious happened with the website. If someone – anyone – could point me to an actual thing that is problematic, I could address it. But I don't believe there is anything problematic, beyond being listed in that Kaseya malware.

Is there anything else you can tell me to help resolve this, either in general or to get MalwareBytes at least to stop flagging our domain?

 


9 months later...

Hi there. My client is reporting that donors are being blocked from our website again by Malwarebytes.

Our site is clean; there are no unexpected file changes.

And VirusTotal is showing the site to be clean as well: https://www.virustotal.com/gui/domain/interactcenter.org

So I believe we have a false positive here. Could you please confirm?

Thank you,
Jeremy

