A malware report

(Alex Woolfson) #1

So this is strange.

I’ve recently started posting my Discourse comments on my webcomic site using WP-Discourse. A reader commented on my site (WordPress install) that he got a Hijack report from his anti-virus software (Malwarebytes) when visiting my most current page.

He copy-pasted the report. It was in Polish, but I recognized the Digital Ocean IP address of my Discourse forum.

I had my assistant download the Malwarebytes software, and she got this report:

[Image: Malwarebytes pop-up]

I literally just upgraded my Discourse site and all the plugins when I got the Discourse update email yesterday afternoon—a couple hours before getting that comment from my reader. I have (what I think is) a fairly vanilla install of Discourse—no themes, and just with these (I think all official) plugins installed:

I know Discourse is super on-top-of security. I did a search on malware here on this forum, and only found one post from 2016 that seemed like it could have been a false positive.

I’m not sure what to do here. Malwarebytes seems like a legit company that’s been around for ten years. If it’s blocking my WordPress webcomic site for all its users because of the Discourse comments, I obviously need to figure this out. Especially if this isn’t a false positive.

Any help would be greatly appreciated. Thanks!

(Simon Cossar) #2

I’m not sure what’s going on with this. When I scan either https://webcomics.yaoi911.com or https://community.amwcomics.com with Sucuri, no malware is being detected: https://sitecheck.sucuri.net/results/community.amwcomics.com.

Does the report from Malwarebytes tell you the page they are finding the problem on?

3 Likes
(Stephen) #3

That doesn’t mean discourse itself was the source of malware, just that something served from that URL triggered an alert.

It could have arrived through the browser via a piece of JavaScript in your theme, or something even simpler such as an attachment.

1 Like
(Alex Woolfson) #4

Both the commenter and my assistant looked at the current page:

(I just tested it with Sucuri. Seems OK according to them…)

OK. So what do you think is the best way to proceed and get the answer to this? Download Malwarebytes myself, disable the Discourse comments and see if I get the same error? I haven’t done that yet in case y’all needed to look at it yourselves.

(Stephen) #5

I would reach out to Malwarebytes Support and ask for more information on the block; they’ve wrongly blocked websites ‘due to hijack’ in the past for simple stuff like shared IPs.

2 Likes
(Alex Woolfson) #6

OK. I’ll do that right now.

When this has happened in the past, do you know if Malwarebytes has been responsive?

(Stephen) #7

In the case of the shared IP it took an update on their side to resolve. In one other case the user reporting the issue hadn’t noticed that their local DNS settings had been hijacked, hence traffic wasn’t going where it was expected.

It certainly can’t hurt to ask.

Does the same user still see that message?

1 Like
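The two explanations Stephen gives (a reputation block on a shared IP, and a client whose local DNS has been hijacked so traffic never reaches the real server) can be told apart from three pieces of evidence: the IP the anti-virus report names, what the reporting client’s own resolver returns for the site, and what a trusted reference resolver returns. The triage below is an added example, not code from this thread or from Discourse; the hostnames and addresses in it are constructed (RFC 5737 documentation ranges), and the `resolve_locally` helper is the only part that touches the network.

```python
# Added example (not from the thread): classify an IP-based "hijack" alert
# into the cases discussed above. All addresses are constructed sample data.
import ipaddress
import socket


def resolve_locally(hostname: str) -> set[str]:
    """IPv4 answers from this machine's configured resolver, i.e. the one a
    local DNS hijack would tamper with. Needs network access; returns an
    empty set when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def _norm(addrs) -> set[str]:
    """Canonicalise IP strings; raises ValueError on anything that is not an IP."""
    return {str(ipaddress.ip_address(a)) for a in addrs}


def classify_block(blocked_ip, local_answers, reference_answers, own_server_ips):
    """Return (verdict, explanation).

    blocked_ip        - the address named in the AV report
    local_answers     - what the reporting client's resolver returned
    reference_answers - what a trusted resolver returned (e.g. the authoritative
                        answer, or a public resolver queried from elsewhere)
    own_server_ips    - the addresses you actually operate the site on
    """
    blocked = str(ipaddress.ip_address(blocked_ip))
    local = _norm(local_answers)
    reference = _norm(reference_answers)
    own = _norm(own_server_ips)

    # Client resolves the site to an address nobody else sees: the client's
    # DNS, not the server, is the thing that has been tampered with.
    if local and local != reference and blocked in local and blocked not in own:
        return ("local-dns-hijack",
                "the reporting client resolves the site to an address the "
                "reference answer does not contain; check that client's DNS settings")

    # Vendor is blocking the server's own address: this is what a reputation
    # block on a shared or previously abused IP looks like.
    if blocked in own:
        return ("block-on-own-ip",
                "the vendor blocks your server's own address; file a "
                "false-positive report and ask for the block to be reviewed")

    # Blocked address is neither the site nor the client's view of it: look
    # for something embedded in the page that is served from elsewhere.
    if blocked not in local and blocked not in reference:
        return ("third-party-resource",
                "the blocked address is not your site; look for a script, "
                "attachment or other resource loaded from that address")

    return ("inconclusive", "the answers disagree in a way these rules do not cover")


if __name__ == "__main__":
    # Constructed evidence set: the server lives on 203.0.113.10, the client
    # and the reference resolver agree, and the alert names that same IP.
    own = {"203.0.113.10"}
    print(classify_block("203.0.113.10", ["203.0.113.10"], ["203.0.113.10"], own))
    # Constructed hijack: the client's resolver points the site elsewhere.
    print(classify_block("198.51.100.7", ["198.51.100.7"], ["203.0.113.10"], own))
```

In practice the local answers come from `resolve_locally` run on the machine that saw the alert, and the reference answers from a resolver you trust queried from a different network; if the two agree and the blocked address is your own, the thread’s outcome (asking the vendor to lift the block) is the right next step.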
(Alex Woolfson) #8

I’ll ask him to check. And I’ll have my assistant check again when she starts her shift this evening.

I’m not sure if Digital Ocean uses shared IPs, but it could be a potential trigger.

In the meantime, I’m filling out the False Report post on their site. I think that’s the correct procedure here.

We’ll see what they say. Thanks! 🙂

EDITED TO ADD: Here’s what I posted on their support forum. I’ll keep y’all posted here.

5 Likes
(Stephen) #9

Looks like it has been taken care of:

Hello,

IP block will be removed.

5 Likes
(Alex Woolfson) #10

Yep! Looks like we are all set.

Thank you for your help with this. Hopefully these posts can also guide others if they run into the same issue with Malwarebytes. 🙂

5 Likes