
I'm in a bit of a quandary over Norton Safe Web's rating of my company's website.

My question is: is it possible for someone to fool Norton Safe Web into thinking that our website has PHP files which don't exist? Could there be some sort of spoofing going on, or could someone be manipulating a Norton tool on their machine to tell Norton Safe Web that our site has malicious files?

We host our own website on our in-house web server, and have properly configured firewalls up to layer 7. McAfee scans our site every day for vulnerabilities and has found no such files, and Google Transparency Report does not report anything malicious.

None of the reported threatening links exist or (to my knowledge) have ever existed on our website. We stopped using PHP a long time ago, and yet Safe Web reports them on our website.

I've included the Threat Report below. I've only replaced my website with "MYWEBSITE" and removed the HTTP and WWW so it would not post as a link:

```
Drive-By Downloads: Threats found: 5

Threat Name: Web Attack: Wordpress Arbitrary File Download 4
Location: MYWEBSITE.com/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php

Threat Name: Web Attack: Wordpress Arbitrary File Download 4
Location: MYWEBSITE.com/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php

Threat Name: Web Attack: Wordpress Arbitrary File Download 4
Location: MYWEBSITE.com/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php

Threat Name: Web Attack: Joomla Component Local File Inclusion
Location: MYWEBSITE.com/news/index.php?option=com_macgallery&view=download&albumid=../../web.config.txt

Threat Name: Web Attack: Wordpress Arbitrary File Download 4
Location: MYWEBSITE.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

Viruses: Threats found: 1

Threat Name: Web Attack: Joomla Component Local File Inclusion
Location: MYWEBSITE.com/news/index.php?option=com_macgallery&view=download&albumid=././web.config.txt
```

Notice they are all PHP and mention WordPress and Joomla, NONE of which we have nor use.

We are in the process of disputing the report with Norton, but this is the second time that this has happened, and the dispute process is taking quite a while. Meanwhile people are being told that our website is not safe and we are losing customers. I know there is nothing more I can do to speed up the process with Norton, but I would like to understand how this is even possible and I would like to be able to prevent this type of thing reoccurring in the future.

So in summary, what I'm trying to understand is: is it possible for Norton Safe Web to have been tricked into giving a false report of our site, or is the only possibility that someone put a file on our site in time for Norton to scan then took it off before we found it?

I'll greatly appreciate any input. Thanks!

Rodrigo Murillo
Hawkeye
  • Is your web server Linux or Windows? – Mark Buffalo Mar 01 '16 at 02:05
  • Also, visit those links on your website under a virtual machine... see if it redirects you to a custom 404 page. Does it? Does the custom 404 page exist on the same link that you attempt to visit? It's possible that, if Norton Safe Web is trying to check for those potentially malicious files, and your website returns something other than 404, it will trigger an alarm. – Mark Buffalo Mar 01 '16 at 02:07
  • @Mark It's a Windows Server, and yes, it goes to a file not found page that our firewall puts up. The URL shows the non-existent link, but our firewall blocks all PHP and anything with "\." and shows "The specified URL cannot be found" instead, same as anything else with illegal entries. – Hawkeye Mar 01 '16 at 02:32
  • Can you write C#? Alternatively, [you can use Power Shell](https://stackoverflow.com/a/29067433) to create a FileWatcher and watch for those suspicious files appearing, and then disappearing. This will at least rule that out. – Mark Buffalo Mar 01 '16 at 03:28
  • Not really. I'm a VB.NET programmer. I could write a VB program to do that. – Hawkeye Mar 01 '16 at 03:39
  • " it goes to a file not found page" - that's not the same thing as returning a 404 status code. (If your firewall is returning a 200 status, it would imply that the functionality provided by Norton is laughable but would explain the results). – symcbean Mar 01 '16 at 09:23
  • I think I get what you're saying, but today Norton Safe Web finally reevaluated our site, and fixed the rating. The "URL not found" page the firewall puts up with the bad link didn't seem to raise an alarm with Norton this time, so I still don't know what happened or why they gave the bad report in the first place. – Hawkeye Mar 01 '16 at 21:49

1 Answer

4

This is a Norton Security/Safe Web false positive. Their threat scanning engine is flawed when handling responses from these 'hacked' URLs, which in vulnerable systems can do damage. The problem is that they interpret the response incorrectly, so sites that have no PHP/WordPress etc. get flagged in error. This is hugely damaging to customer goodwill of course. And they do not make it easy or fast to dispute. Additionally, they do not notify the domain holder (in our experience at least), so often the first report is from a customer. In our case, it was a prospective customer who first reported the problem. They did not buy a website from us due to this false warning, and the delay in getting it resolved.

It is not your site per se, but rather the response that the site returns to what is essentially a bad URI. If they get anything other than a hard 404 response, they take that to mean the URL is valid, and therefore a vulnerability.

My guess is that your firewall returned a 301 redirect to the initial request, which shows (redirects to) the file not found page. This is called a soft 404. A common way to download a file is via a 301 redirect, so this raises a red flag to the scanner.

You need to make sure the actual response is a hard 404 in these cases. If not, the Norton threat scanner assumes the URL found the vulnerable file/page, and you get flagged.

Rodrigo Murillo
  • Given that the firewall is blocking it, a 403 could be acceptable, too. – Ángel May 12 '16 at 23:13
  • Are you saying that their engine would test for non-existent URLs and PHP, then upon a 301 redirect that Norton would assume the URL did exist? If so, why did they test for non-existent files and paths like "TheLoft/download.php"? Is it Norton looking for known malicious files and then assuming I have them because of the 301 redirect? That makes sense to me. I'm just trying to make sure I understand. – Hawkeye May 14 '16 at 05:23
  • Yes, exactly. The URLs are known files found on vulnerable WordPress sites. The engine is probing for those files. – Rodrigo Murillo May 14 '16 at 14:44