In the past week a number of my users have noted that my site has been marked as a phishing site, but most are not seeing this, including myself. I have a number of security errors in my logs, which all come back to this JavaScript file:
Most of the reports of this happening were Sunday night and then everyone seemed to stop getting the warning, but now I have people emailing me again stating that it's happening again today.
It seems like it may be CDN related, as the common theme is with images. I contacted DigitalOcean and they said they were not seeing any problems on their end. Any ideas?
Log env:
hostname: community-app
process_id: [24095, 24114]
application_version: bcf4a1775169698f103c78c4ec61fecedd21e3f8
HTTP_HOST: community.naturephotographers.network
REQUEST_URI: /logs/report_js_error
REQUEST_METHOD: POST
HTTP_USER_AGENT: [Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko, Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko, Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko, Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko, Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko]
Do we even return 402 anywhere in our code paths @sam?
It is a very odd response value
402 Payment Required
Reserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, as proposed for example by GNU Taler, but that has not yet happened, and this code is not usually used. Google Developers API uses this status if a particular developer has exceeded the daily limit on requests. Sipgate uses this code if an account does not have sufficient funds to start a call. Shopify uses this code when the store has not paid their fees and is temporarily disabled.
It is possible your scanner was hitting a Discourse rate limit, though I find the usage of 402 rather ambiguous. There is a proper response code for rate limiting, 429.
429 Too Many Requests (RFC 6585)
The user has sent too many requests in a given amount of time. Intended for use with rate-limiting schemes.
Are you sure your host isn't causing this? Where is your site hosted, with what company? The "requires payment" response code is very curious indeed and makes me think this is about money and hosting.
It's your members-only page which is returning the 402 errors. When I follow the URL mentioned in the site scan manually, it gives me a members-only login page.
But when I request it using a command line tool, I'm getting a 402 Payment Required. Which seems logical given the fact that it actually requires payment in order to get to the content.
Ahh yes, this is from the Category Lockdown plugin. I looked through the code and it does use 402. @david could it be causing the phishing warnings? I see the plugin hasn't changed since October, but maybe something in core is conflicting? I will try disabling it and see if the users still get the warning.
I can't say for certain, but a Google search doesn't bring up any examples of 402s being used as an indicator for phishing sites. In fact the first Google result is this topic.
I think in this case "402" is actually the correct error code - payment is required to view the content.
But I don't think I am on the list, it's just a browser trigger. If I check the site on Sucuri it doesn't show on any list, and most users including myself are not getting this warning.
The only connection I can make is that all the red screens reference the DigitalOcean CDN and the users getting this warning are not able to load images (I have my image hosting through a DigitalOcean Space with CDN).
You are on the list. Did you follow the link for more information?
The URL that's on the list is the DigitalOcean CDN (npn.sfo2.cdn.digitaloceanspaces.com). Perhaps someone uploaded a phishing site there and is sharing the link, not necessarily in your forum site.
Thanks guys, I didn't see the link David posted at first. I didn't think of checking the DO link. I have submitted to Google for review and we will see where it goes from here. I do find it odd that it is only affecting a handful of users still.
DigitalOcean finally got back to me and acknowledged that someone on their network had uploaded phishing material and it has now been resolved. It's a bit crazy that they are not siloed. Thank you all for your help.
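The root cause in this thread was that the forum's images were served from a multi-tenant CDN domain (npn.sfo2.cdn.digitaloceanspaces.com), so another tenant's phishing upload got the shared domain blocklisted and the forum's pages showed the warning. The following added Python script (not from the thread, Discourse or DigitalOcean) inventories the hosts a page loads sub-resources from and flags those whose reputation the site owner does not control; the sample HTML, the "last two labels" domain heuristic and the list of shared-storage suffixes other than digitaloceanspaces.com are assumptions.

```python
"""Inventory a page's asset hosts and flag shared multi-tenant storage.
Added example, not code from the thread; sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Suffixes of multi-tenant object-storage/CDN services where one tenant's
# upload can get the whole domain blocklisted. digitaloceanspaces.com is the
# case from the thread; the other entries are assumed examples.
SHARED_HOST_SUFFIXES = ("digitaloceanspaces.com", "amazonaws.com",
                        "blob.core.windows.net", "storage.googleapis.com")

class AssetCollector(HTMLParser):
    """Collect the targets of tags that fetch sub-resources."""
    ASSET_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls = base_url, []

    def handle_starttag(self, tag, attrs):
        wanted = self.ASSET_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(urljoin(self.base_url, value))

def registered_domain(host):
    """Crude 'last two labels' approximation (assumption: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def classify_assets(page_url, html):
    """Return {host: "own" | "shared" | "third-party"} for every asset host."""
    parser = AssetCollector(page_url)
    parser.feed(html)
    own = registered_domain(urlparse(page_url).hostname)
    result = {}
    for url in parser.urls:
        host = urlparse(url).hostname
        if not host:
            continue
        if registered_domain(host) == own:
            result[host] = "own"           # reputation under your control
        elif host.endswith(SHARED_HOST_SUFFIXES):
            result[host] = "shared"        # shared with other tenants
        else:
            result[host] = "third-party"   # someone else's domain
    return result

SAMPLE_HTML = """<html><body>
<img src="/images/logo.png">
<img src="https://npn.sfo2.cdn.digitaloceanspaces.com/uploads/photo1.jpg">
<script src="https://cdn.example-analytics.net/track.js"></script>
</body></html>"""  # constructed sample page

if __name__ == "__main__":
    page = "https://community.naturephotographers.network/"
    for host, kind in classify_assets(page, SAMPLE_HTML).items():
        print(f"{kind:12} {host}")
```

Hosts reported as "shared" are the ones to move behind a domain you own (a CNAME for the CDN) or to check against Safe Browsing separately from the site itself.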