Bad website behaviour

  1. Hello,
    We have a website that we're operating as a sister project site to vancity.com.
    Their IT people have found suspicious behaviour and are blocking the website from their staff until it has been dealt with. I have since gone and disallowed all pingbacks (in case they are the problem), but the pingbacks aren't actually available on the "about" page he's made mention of.

    Please have a look into this issue and get back to me as soon as possible. I have included the body of an email that was forwarded to me by the project manager.

    Much appreciated,

    Shawnee

    "The site is displaying a lot of behavior that is common to both malicious and hacked sites (redirects, accessing files from other sites, use of javascript libraries that seem to obfuscate code, and have hidden messages in the code).

    While I could find nothing that would actually exploit a user of the site, I think it may be prudent for you to get the partner to ask the developer for an explanation of what’s up. The page specified in the ticket 98181, the “about” page, does have a hidden message in it. I’ve extracted the response headers showing it and attached the page as text. The developer may want that.

    Before attempting to whitelist this site, I think I’d like to see what the reason is first.

    The other things beyond the message? Well, it may be possible that the Dev is attempting at some kind of Web2.0 like mash-up page, but one should be careful about sites classified as malicious, and it needn’t have been done like that.

    To be extra careful, I’ve also asked McAfee to retest, since their Trusted Source is what classified it as malicious, to take another look. However, who knows what will happen with that request. I think it may be faster to have you contact the partner to get input from the site developer.

    This page was mentioned in one ticket: http://we-community.ca/about/

    The site does some things that malicious sites do (redirects, calling of images and web pages from offsite (violating cross domain policy), javascript libraries that seem to obfuscate code) -- and comments in the page that make it look like it's been hacked.

    I found this in the about page responses:

    Date: Wed, 21 Nov 2012 00:47:34 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    Vary: Accept-Encoding
    Vary: Cookie
    X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
    X-Pingback: http://we-community.ca/xmlrpc.php
    Link: <http://wp.me/P2tc2k-2>; rel=shortlink
    Content-Encoding: gzip

    While it looks suspicious, I think the site Dev is either enterprising or is playing some kind of (non-malicious) game. "

    The blog I need help with is we-community.ca.

  2. Hi there - thanks for the report. Our developers will investigate and I'll keep you posted.

  3. Hi shawneehummel,

    Thanks for contacting us. I'm sorry to hear about the issues you're having with accessing your WordPress.com site.

    All WordPress.com sites load resources (such as images, css and JavaScript files) from a few different URLs. This is part of normal operations at WordPress.com.

    Based on the forwarded conversation above it seems like the firewall of Vancity's network may be reacting too strongly, and we would recommend setting an exception for your website in the firewall settings.

    If you have any other questions regarding our operations or the security of WordPress.com, please let us know.

    If you think you've genuinely identified a security breach or issue, please report it privately by visiting http://automattic.com/security/ or email us at security [at] wordpress [dot] com.

  4. Hi Guys,

    Thanks so much for the speedy response! We thought that was probably the case. You and our off-site programmer confirmed this for us.

    We really appreciate the help!
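
The header review described in the thread, as an added example that is not part of the original posts and is not WordPress.com code: it parses the quoted response headers, lists header names outside a routine set, and classifies every host referenced by a URL. The `ROUTINE` and `PLATFORM` sets and all function names are assumptions made for illustration; the platform domains are only the ones named in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the response headers quoted in the first post.
RAW = """\
Date: Wed, 21 Nov 2012 00:47:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Vary: Cookie
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://we-community.ca/xmlrpc.php
Link: <http://wp.me/P2tc2k-2>; rel=shortlink
Content-Encoding: gzip
"""
# Assumption: header names this triage treats as routine.
ROUTINE = {"date", "content-type", "connection", "vary",
           "content-encoding", "link", "x-pingback"}
# Assumption: hosting-platform domains, taken from names that appear in the thread.
PLATFORM = ("wp.me", "wordpress.com", "automattic.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def parse_headers(raw):
    """Return {lowercased name: [values]}, keeping repeated headers such as Vary."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def host_class(host, site):
    """Classify a host as same-site, platform, or third-party (exact or subdomain match)."""
    within = lambda d: host == d or host.endswith("." + d)
    if within(site):
        return "same-site"
    return "platform" if any(within(d) for d in PLATFORM) else "third-party"

def triage(raw, site):
    """List non-routine header names and classify every host found in a header URL."""
    headers = parse_headers(raw)
    unusual = sorted(n for n in headers if n not in ROUTINE)
    hosts = {}
    for value in (v for vs in headers.values() for v in vs):
        for url in URL_RE.findall(value):
            host = urlsplit(url).hostname or ""
            hosts[host] = host_class(host, site)
    return {"unusual": unusual, "hosts": hosts}
```

Headers listed under `unusual` are items to look up with the hosting provider, not findings in themselves; a host classified `third-party` is the part that warrants a closer look before an exception is granted.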

Topic Closed

This topic has been closed to new replies.
