nole99
Former Member
Message 11 of 15

Re: My site has been blacklisted please fix!

Wow- Thanks for the insight!  Not sure exactly what the charts are but interesting.  I appreciate you trying to get to the bottom of this! I hope you get it figured out! Thank you so much.

Joanna

Hayton
Reliable Contributor
Message 12 of 15

Re: My site has been blacklisted please fix!

I think I've got it, but if not then I'll have to call it a night.

Before I go into the site detail, I think you should check the old site, which appears to have (or probably had) a connection with a name server (ns1.ipage.com) with IP address 66.96.142.116, whose ISP is The Endurance International Group; this name server has a number of really strange entries associated with it, all of them apparently ridiculing someone by the name of "Robert M Stanley" who has a connection with something called "Unicus". It looks as if someone has hacked a server, or poisoned a DNS server, to create these entries. I absolutely don't want to go into this any further than I have to, so a couple of those entries will serve as an example -

- unicus.iamtoodumbtosetupdns.116.142.96.66(dot)hitfarm(dot)com

- robert-m-stanley-unicus-foundation-scammer-spammer-fraudster.are-we-having-fun-yet-robert-backstabbing-liar-stanley.unicus.iamtoodumbtosetupdns.116.142.96.66(dot)hitfarm(dot)com

According to the most reliable tracers both of your sites now come under Incapsula, so perhaps this no longer affects your site. If you don't have any connection with that ISP, all of this is irrelevant to the enquiry - just another of those false leads. However, it's a salutary reminder that information about websites in different places on the internet may show discrepancies because some organisations are not very good at updating their records. When TrustedSource receives input from third-parties about a website those third-parties could be accessing stale data.

So now to the chase. Here are the most probable causes of the Red rating.

1. TrustedSource has flagged the site as Malicious, and that rating has been passed on to SiteAdvisor. "Malicious" means it's a problem on the site itself. The Red rating seems to have been in effect for the past month or so, and thus has nothing to do with the WordPress security plugin which you say was only recently installed. The rating details are the same for justkeepblogging and www.justkeepblogging, but the rating page for the first site includes details of a mail server. The email reputation shows no warning spikes, so you're not being flagged for sending spam; this is a Web reputation problem. Note especially that the First Seen/Last Seen dates for both of them are 2009, so you've not been assessed since then; and the DNS server information is out of date. Re-submitting your site to SiteAdvisor for re-checking is therefore essential to re-establish the site's credentials. A lot can change in four years. (And I know SiteAdvisor is supposed to come back and re-check automatically from time to time, but it doesn't. There are just too many sites.)

http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=justkeepblogging.com

http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=www.justkeepblogging.com

2. Sucuri, one of the first tools I use to check a site for problems, was unable to scan your site properly. That is only to be expected with the WordPress plugin, but it may also be that Incapsula is blocking automated scanning tools from functioning correctly. And, guess what, some at least of the TrustedSource web reputation feedback comes from automated site scanners which crawl all over the web looking for problems (creepy, isn't it?). So maybe, just perhaps, there was a flag raised because your site suddenly became unscannable. Not grounds enough for a Red rating, but it may have put your site on a Watch list.

3. Sucuri, however, did detect at least one iframe on the site. And Quttera, another site scanner, detected three. (Oh, and Quttera thinks your "www." site is in Israel - more confusion). Now, iframes are inherently suspicious (another black mark for the site) because they are very often used to deliver malware dynamically. They provide a window into some other site which cannot be scanned by anti-virus software until whatever code is in the iframe does its job, and then it's often too late. Quttera says the 3 iframes it found are all Hidden, and all link to "my.incapsula.com". One of those iframes (the third one) is flagged by Quttera as Suspicious. So Incapsula is now in the frame as the chief suspect ...

[Attachment: Quttera justkeepblogging report.JPG]

[Attachment: Quttera justkeepblogging file report.JPG]

4. I submitted the "jstest.html" file to jsunpack to see if there was anything there worth noting. The report that came back included a listing of the page, which says, basically,

"Hello, I am a java script test analytics page".

- so no joy there.

5. However, the results from jsunpack for your site as a whole were most interesting.

Somewhere on your site there are two blocks of javascript code which have been obfuscated - heavily disguised. That is going to ring alarm bells when an anti-virus scanner or page scanner encounters them. One is in CharCode (...38,100,61,34,43,101,110,99,111,100 ...), the other is in Hexadecimal (... D3D22723A222B286E65 ...). When I passed them through translators, the CharCode turned into "function getSessionCookies()" / "function setIncapCookie()";  the hex code turned into something that included the fragment in the screenshot below - I'm not taking the risk of putting it into this web page, just in case.

[Attachment: obfuscated javascript 1.JPG]

It's creating a new ActiveXObject on the fly? I'm not sure that's really approved. And they both have a reference to an image, also created dynamically :

document.createElement("img").src="/_Incapsula_Resource?ES2LURCT=67&t=78&d="+encodeURIComponent

Whatever it's doing, it's all part of the Incapsula service, but it's all hidden and disguised. And that could look suspicious - although jsunpack classed it all as Benign.

6. I confirmed the presence of the obfuscated javascript by examining the Javascript eval sections of the reports from Urlquery. These reports also included the HTTP Transactions, and these indicated another possible cause for the rating. They show three GET requests to 'forms.aweber.com' - two of which return an image, the third a javascript file. I thought this worth following up, so I checked the domain and its reputation. The site provides "Email marketing and autoresponder software" which looks innocent enough, but the reviews are extremely mixed. Those who don't like the company are extremely hostile. SiteAdvisor says it's Green, but some of the reviewers say the site spams and/or hosts malware. Google Safe Browsing finds no fault with the site, nor does SiteAdvisor, but the javascript file indicates that aweber.com is dropping tracking cookies onto my system, and (if I read the HTML correctly) placing hidden elements onto the web page for tracking purposes. None of which is going to bother TrustedSource, but site reviewers tend to notice that sort of thing.

http://urlquery.net/report.php?id=6320817

https://www.siteadvisor.com/sites/aweber.com

https://www.mywot.com/en/scorecard/aweber.com

http://forms.aweber.com/form/28/651516428.js

So, a provisional and tentative conclusion. The Red rating is probably being triggered by obfuscated javascript which may be embedded in the web page by Incapsula, even though I've checked the Home page's source code in Chrome and I can't see it anywhere. (Which is why this is tentative). TrustedSource pays no attention to user reviews anywhere, so the AWeber connection can be ruled out. The suspicious iframes looked promising, but are not definitely harmful. That leaves Incapsula, and whatever it does to protect your site, as the chief suspect.

That was quite a journey of exploration. I'm sorry I can't be more definite about the reason for your site's rating, and I realise that I may have missed something crucial which is the real reason for the rating; but that's about as much as I can do. You'll have to wait now for the results of any re-rating request that you've made.

If you want to open a ticket with TrustedSource about this, here's how to go about it.

If you want to address an issue with a web site in Site Advisor, that is based on McAfee's Trusted Source Web Reputation, please go to  http://www.trustedsource.org/en/feedback/url and use the web form to contact the Trusted Source team.

If you want to track your requests or be notified via email, you can register for a free TrustedSource.org account.
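The decoding step Hayton describes in point 5 (a String.fromCharCode() list and a hex-digit run, each passed through a translator and then read for suspicious calls) as an added example; this is not code from the post, from jsunpack or from Incapsula. The two sample scripts are constructed stand-ins, not the site's real scripts; the indicator list is an assumption about what a reputation scanner weighs. The hex decoder also tries a one-nibble shift, because the fragment quoted in the post has an odd number of digits.

```python
"""Decode the two obfuscation styles named in the thread (a
String.fromCharCode() list and a hex-digit string) and list the tokens a
reputation scanner would treat as risk indicators."""
import re
from typing import Dict, List

# Constructed samples, not the site's actual scripts. The first builds text
# from a fromCharCode() list; the second hides it in a hex string literal.
CHARCODE_SAMPLE = (
    "eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,103,101,116,"
    "83,101,115,115,105,111,110,67,111,111,107,105,101,115,40,41));"
)
HEX_SAMPLE = 'var s = "66756E6374696F6E20736574496E636170436F6F6B69652829";'

# Substrings whose presence (in the wrapper or in the decoded layer) a
# scanner tends to weigh against a page. Assumed list, not any vendor's.
INDICATORS = ("ActiveXObject", "eval(", "document.cookie", "createElement", "unescape(")

CHARCODE_RE = re.compile(r"fromCharCode\s*\(([\d\s,]+)\)")
HEX_RUN_RE = re.compile(r"[0-9A-Fa-f]{8,}")


def _printable(text: str) -> bool:
    return all(0x20 <= ord(c) < 0x7F or c in "\t\r\n" for c in text)


def decode_charcode(js: str) -> List[str]:
    """Return the string each String.fromCharCode(n, n, ...) call builds."""
    found = []
    for m in CHARCODE_RE.finditer(js):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        found.append("".join(chr(c) for c in codes))
    return found


def decode_hex_runs(text: str, min_len: int = 16) -> List[str]:
    """Decode long hex-digit runs to ASCII. A run copied out of a report may
    be off by one nibble (the thread's fragment has odd length), so both
    alignments are tried and the first that decodes to printable text wins."""
    found = []
    for m in HEX_RUN_RE.finditer(text):
        run = m.group(0)
        if len(run) < min_len:
            continue
        for start in (0, 1):
            chunk = run[start:]
            chunk = chunk[: len(chunk) - len(chunk) % 2]  # whole bytes only
            try:
                decoded = bytes.fromhex(chunk).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if _printable(decoded):
                found.append(decoded)
                break
    return found


def risk_indicators(text: str) -> List[str]:
    return [tok for tok in INDICATORS if tok in text]


def analyse(js: str) -> Dict[str, object]:
    """Decode both styles and report indicators from wrapper and payload."""
    layers = decode_charcode(js) + decode_hex_runs(js)
    flags = set(risk_indicators(js))
    for layer in layers:
        flags.update(risk_indicators(layer))
    return {"decoded": layers, "indicators": sorted(flags)}


if __name__ == "__main__":
    for sample in (CHARCODE_SAMPLE, HEX_SAMPLE):
        print(analyse(sample))
```

Run on the odd-length fragment quoted in the post, `decode_hex_runs("D3D22723A222B286E65")` recovers the shifted reading `="r:"+(ne`, which is the kind of partial plaintext a translator gives when a report has clipped a digit. The point for a site owner is that even a benign decoded payload (a cookie-setting helper) still carries the wrapper-level indicator (`eval(` around a fromCharCode list), and that wrapper alone is what a scanner reacts to.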

nole99
Former Member
Message 13 of 15

Re: My site has been blacklisted please fix!

This all reads like a bad spy novel...First off I just got this domain name on 9-4-13 only a month ago from Godaddy...

Is all the information tied to the domain name or the server which is ipage hence the ns1.ipage.com

I went ahead and submitted a request with trusted source.  When you buy a domain isn't it supposed to be clear of everything? Anyone else I could go to about this?  Maybe Godaddy?

Thanks

Joanna

Hayton
Reliable Contributor
Message 14 of 15

Re: My site has been blacklisted please fix!

nole99 wrote:

This all reads like a bad spy novel...

Hey, I've just been promoted to the ranks of bad-spy-novel writer, now I can rub shoulders with the likes of Dan Brown

I had to go back into the past history of justkeepblogging.com to check whether TrustedSource was holding onto some old rating data, which took a while. Answer : no, I don't see anything.

What I see is that on May 17 2009 the domain name expired. That ties in with the last-seen date on TrustedSource. There are no historical records on Clean-MX for that domain name, so it is unlikely that the site was rated Unsafe during its previous incarnation.

In the week before September 17 2013 the domain name was transferred from WildWestDomains (a GoDaddy re-seller) to iPowerWeb. That company is related to StartLogic, and does not appear to be part of GoDaddy : it's a web hosting company and is a subsidiary of Endurance International Group.

On September 17 the domain name was transferred into iPage.com, so the name servers are ns1.ipage.com and ns2.ipage.com; compare those to the name server details that TrustedSource still holds for the site and you'll see the possibility for false reporting if they're still checking the old name servers.

When you buy a domain name that's had a previous existence a conscientious re-seller ought to carry out some checks at least to make sure that any blacklisting of the domain as a result of its previous activities has been lifted, or at the very least that the new owner is told about it. I don't think GoDaddy (and others, probably) do that, so some new owners inherit the past bad reputation of the site they've bought. You at least don't seem to have that problem.

As far as I can see the rating is caused by obfuscated javascript inserted into your site pages by Incapsula, for reasons of their own. Heavily disguised inserted page scripts are highly suspicious, as they often indicate a malware attack. If the decoded script is innocuous (and I think it may be) then I wonder why Incapsula encoded it in the first place.

The people from either TrustedSource or SiteAdvisor will need to look at this and decide whether it's okay. If it is, you should get a Green rating pretty soon.

In the meantime you might want to weigh up whether you need the protection Incapsula offers, if it's going to cause this sort of problem. I can't offer any advice because I've never come across them before. But they're in Wikipedia, and reviews are mostly favourable.

Sources -

http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=justkeepblogging.com


http://www.justdropped.com/drops/051709com.html

http://webcache.googleusercontent.com/search?q=cache:Mr_C52NseIgJ:www.webhosting.info/webhosts/repor...

http://www.dailychanges.com/ipage.com/2013-09-17/#transferred-in

http://whois.domaintools.com/justkeepblogging.com  (WhoIs record and Server Stats)

http://en.wikipedia.org/wiki/Incapsula

Message was edited by: Hayton on 06/10/13 20:38:32 IST
quatrel
Contributor
Message 15 of 15

Re: My site has been blacklisted please fix!

Just a quick note, Incapsula is a security proxy and their main offices are in Israel. To protect against bots etc. they test all access to a protected website to see if they accept cookies and understand javascript. Bots usually do not accept cookies, so this is one way they flag the bots.

If Incapsula is unsure about a visitor's status, they will throw out a javascript captcha challenge for the visitor to enter. Bots fail these too and so bots are kept out of the protected site.

It is possible to whitelist "good" bots and security scanners can be whitelisted and I seem to remember Sucuri, McAfee etc. are all listed in Incapsula.

If these challenges have been coming up on a protected website, the blocked access attempts, including all details will be listed in the Incapsula dashboard.
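The cookie-plus-javascript gate quatrel describes, modelled as an added example (not Incapsula's code or any code from this thread): a first visit gets a challenge page instead of the origin content, a client that runs the script and keeps the cookie is let through, a client that does neither is recorded as blocked, and a listed scanner is passed straight through. The cookie name, secret, scanner token and client identifiers are all constructed for the model.

```python
"""Model of a cookie-plus-JavaScript bot challenge in front of a site."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical names: cookie name, secret and scanner token are constructed
# for this model and are not Incapsula's.
CHALLENGE_COOKIE = "challenge_token"
SCANNER_ALLOWLIST = ("ExampleScannerBot/1.0",)


@dataclass
class Request:
    client_id: str          # stand-in for the address/fingerprint the proxy keys on
    user_agent: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None   # value the challenge script would store


@dataclass
class ChallengeProxy:
    secret: bytes = b"constructed-secret"
    challenged: Set[str] = field(default_factory=set)
    blocked: List[str] = field(default_factory=list)   # what a dashboard would list

    def _token(self, client_id: str) -> str:
        # Bound to the client, so a token copied from another client fails.
        return hmac.new(self.secret, client_id.encode(), hashlib.sha256).hexdigest()

    def handle(self, req: Request) -> Response:
        if req.user_agent in SCANNER_ALLOWLIST:
            return Response(200, "origin content (allowlisted scanner)")
        expected = self._token(req.client_id)
        if hmac.compare_digest(req.cookies.get(CHALLENGE_COOKIE, ""), expected):
            return Response(200, "origin content")
        if req.client_id in self.challenged:
            # Came back without the cookie the script would have set: log and refuse.
            self.blocked.append(f"{req.client_id} {req.user_agent}: failed cookie/JS challenge")
            return Response(403, "blocked")
        self.challenged.add(req.client_id)
        return Response(503, "<script>/* stores the token and reloads */</script>",
                        set_cookie=expected)


def browser_visit(proxy: ChallengeProxy, client_id: str) -> Response:
    """Client that runs the script: stores the cookie and retries once."""
    ua = "Mozilla/5.0 (constructed browser)"
    first = proxy.handle(Request(client_id, ua))
    if first.status == 200:
        return first
    return proxy.handle(Request(client_id, ua, {CHALLENGE_COOKIE: first.set_cookie}))


def cookieless_visit(proxy: ChallengeProxy, client_id: str) -> Response:
    """Client that ignores Set-Cookie and never runs scripts: retries bare."""
    ua = "plain-fetcher/0.1 (constructed)"
    proxy.handle(Request(client_id, ua))
    return proxy.handle(Request(client_id, ua))


if __name__ == "__main__":
    proxy = ChallengeProxy()
    print(browser_visit(proxy, "203.0.113.5").status)      # 200
    print(cookieless_visit(proxy, "203.0.113.9").status)   # 403
    print(proxy.blocked)
```

The model keys the allowlist on the User-Agent string only, which is the simplest thing to show; a production service would verify a scanner by its published source addresses rather than a header anyone can set. The `blocked` list is the counterpart of the dashboard entries quatrel mentions: a scanner that is not on the allowlist and does not keep cookies shows up there, which is one concrete thing a site owner can check when a reputation service reports the site as unscannable.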
