Moodle Site is marked with malicious software from Google

by EVEA UPE -
Number of replies: 12

Hi!

I'm getting a red warning screen using Chrome that flags that my moodle site is being marked as unsafe with malicious software.

After looking at Google Search Console, which has no details about the affected URLs, and scanning the entire server + Moodle internally, I don't know what exactly is happening or how to solve it.

Any ideas? Has anyone been through the same?

site: https://evea.upe.edu.ar

Screenshot red screen

Screenshot Google Search Console

Thanks in advance

In reply to EVEA UPE

Re: Moodle Site is marked with malicious software from Google

by Emma Richardson -
Please embed the screenshots - I for one am not going to click on those links...
In reply to Emma Richardson

Re: Moodle Site is marked with malicious software from Google

by EVEA UPE -
In reply to EVEA UPE

Re: Moodle Site is marked with malicious software from Google

by Emma Richardson -
So it is telling you that it is linking to a site with malware - does it tell you more if you click on mas informacion?
In reply to Emma Richardson

Re: Moodle Site is marked with malicious software from Google

by EVEA UPE -
Yes, it's pointing to general information about how to sort it out, but not detailed info such as the infected files or URLs.
Followed all procedures with no luck so far
In reply to EVEA UPE

Re: Moodle Site is marked with malicious software from Google

by Emma Richardson -
I am presuming it is only after you log in? I do not see the message when I visit the site.
In reply to Emma Richardson

Re: Moodle Site is marked with malicious software from Google

by EVEA UPE -
Hi Emma!
Have you tried using Chrome?
In reply to EVEA UPE

Re: Moodle Site is marked with malicious software from Google

by Ken Task -

Pardon interruption ...

Using Chrome on a mac - Guest user.
Am getting a login screen.

Safari on Mac warns
The site ahead contains malware
Attackers currently on evea.upe.edu.ar might attempt to install dangerous programs on your Mac that steal or delete your information (for example, photos, passwords, messages, and credit cards).


Show details:
Google Safe Browsing recently detected malware on evea.upe.edu.ar. Websites that are normally safe are sometimes infected with malware.

If you understand the risks to your security, you may visit this unsafe site before the dangerous programs have been removed.


Points to a page:
https://transparencyreport.google.com/safe-browsing/search?url=evea.upe.edu.ar&hl=en-US

Curl test to / clips:

server: Microsoft-IIS/10.0

x-redirect-by: Moodle /D:\EVEA\moodle35\lib\moodlelib.php:2783
x-powered-by: ASP.NET

Is your server's certificate up to date?   Is server responding to access on port 443?

FQDN seems to resolve to 2 IP's:

54.156.141.39, 34.204.114.190 - both are amazon?

'SoS', Ken


In reply to Ken Task

Re: Moodle Site is marked with malicious software from Google

by EVEA UPE -
Hi Ken,

Thanks in advance for your help!

Certificate is updated and working.
Port 443 is accessible and it's the only one configured in the bindings on IIS, and it is also configured as HTTPS in the Moodle config file: $CFG->wwwroot   = 'https://evea.upe.edu.ar';

cert

I'm not sure about those 2 IP addresses. Those are not IP addresses within any of my Amazon servers.
How can I troubleshoot where they are configured?

Thanks
Sebastian

In reply to EVEA UPE

Re: Moodle Site is marked with malicious software from Google

by Ken Task -

My test of DNS was from my computer/network connection.  You need to do the same from your workstation.

Just a dig tld ... just now

;; QUESTION SECTION:
;evea.upe.edu.ar.        IN    A

;; ANSWER SECTION:
evea.upe.edu.ar.    60    IN    A    34.x.x.x
evea.upe.edu.ar.    60    IN    A    54.x.x.x

And it was a curl -I command at the domain that showed 2 IPs earlier

curl -I -vvv https://site

just now gets 34.204.114.190 ... earlier got more than one IP.

For local browsers, getting 2 different IP addresses might throw a security alert in the user's browser.

So I'd check DNS setup for that server.

'SoS', Ken


In reply to Ken Task

Re: Moodle Site is marked with malicious software from Google

by Andrew Lyons -
Sorry, but this is wrong.

It is highly common for DNS to provide multiple IPs for a single hostname. It's part of how we (used to?) achieve a poor-man's load balancing.
In reply to Andrew Lyons

Re: Moodle Site is marked with malicious software from Google

by Ken Task -

@Andrew ... not entirely wrong.

IF the server is really a 10. address, then the two public IP addresses could be different in public (external) DNS but mapped in the boundary firewall to the same 10. address.  OP hasn't mentioned 2 servers with 2 code bases etc.

OP said:

"I'm not sure about those 2 IP Addresses.. Those are not IP address within my whole amazon servers. How can I troubleshoot where are they configured?"

OP has not mentioned much, if anything, about entire setup.

Wonder if you @Andrew could verify my findings? or anyone else for that matter.

'SoS', Ken

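The checks Ken describes above (dig for the A records, curl -I against the host) and the OP's question of how to tell whether those two addresses are theirs, as an added example that is not part of this thread or of Moodle. It parses dig output, flags any address outside the ranges you believe you control, compares answers across resolvers, and builds a curl --resolve command so each backend can be inspected directly instead of whichever one DNS happens to pick. The sample dig output is constructed from the two addresses Ken reported; OWNED_BLOCKS and the 1.1.1.1 resolver are assumptions to replace with your own, and only resolve_live needs network access and a dig binary.

```python
import ipaddress
import shlex
import subprocess

# Constructed sample in dig's answer-section layout, built from the two
# addresses reported in the thread; this is not a live capture.
SAMPLE_DIG_ANSWER = """\
;; QUESTION SECTION:
;evea.upe.edu.ar.        IN    A

;; ANSWER SECTION:
evea.upe.edu.ar.    60    IN    A    34.204.114.190
evea.upe.edu.ar.    60    IN    A    54.156.141.39
"""

# Hypothetical: the public ranges the site owner actually controls (Elastic IPs,
# NAT gateway, load balancer). TEST-NET-3 is a placeholder; use your own list.
OWNED_BLOCKS = ["203.0.113.0/24"]


def parse_a_records(dig_output, name):
    """Return the A records for `name` found in dig output (full or +short form)."""
    want = name.rstrip(".").lower()
    found = set()
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # comments and question section
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            if fields[0].rstrip(".").lower() != want:   # CNAME target, other owner
                continue
            rdata = fields[4]
        elif len(fields) == 1:
            rdata = fields[0]                     # dig +short prints bare addresses
        else:
            continue
        try:
            found.add(ipaddress.ip_address(rdata))
        except ValueError:
            continue
    return [str(ip) for ip in sorted(found)]


def resolve_live(name, resolver="1.1.1.1"):
    """Ask one specific resolver with dig (needs network access and dig installed)."""
    proc = subprocess.run(
        ["dig", f"@{resolver}", "+noall", "+answer", name, "A"],
        capture_output=True, text=True, check=True,
    )
    return parse_a_records(proc.stdout, name)


def classify_addresses(ips, owned_blocks):
    """'owned' if the address sits in a block you control, otherwise 'unexpected'."""
    nets = [ipaddress.ip_network(b) for b in owned_blocks]
    return {
        ip: "owned" if any(ipaddress.ip_address(ip) in n for n in nets) else "unexpected"
        for ip in ips
    }


def resolver_disagreement(answers_by_resolver):
    """Addresses not returned by every resolver: a hint of split, stale or tampered DNS."""
    sets = [set(v) for v in answers_by_resolver.values()]
    if not sets:
        return set()
    return set.union(*sets) - set.intersection(*sets)


def curl_resolve_command(name, ip, port=443):
    """argv that fetches the site's headers from one backend, bypassing DNS entirely."""
    return ["curl", "-sI", "--resolve", f"{name}:{port}:{ip}", f"https://{name}/"]


if __name__ == "__main__":
    host = "evea.upe.edu.ar"
    addresses = parse_a_records(SAMPLE_DIG_ANSWER, host)
    for ip, verdict in classify_addresses(addresses, OWNED_BLOCKS).items():
        print(f"{ip:16} {verdict:10} {shlex.join(curl_resolve_command(host, ip))}")
```

Run the printed curl commands one per address and compare the responses: if both return the same Server and x-redirect-by headers, the second address is most likely a front you forgot about (load balancer, CDN, old Elastic IP) rather than a second Moodle; if one of them serves something different, that is the host to examine, and a DNS record pointing at an address you do not control is itself the finding.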

In reply to EVEA UPE

Re: Moodle Site is marked with malicious software from Google

by Ken Task -

Just checked site again with Firefox ... warning there still.

In digging some more - it's kinda like Email blackholes ... someone could have reported site .. please follow/read ...

https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work?as=u&utm_source=inproduct


I’ve confirmed that my site is safe, how do I get it removed from the lists?

If you own a site that was attacked and you have since repaired it, or if you feel that your site was reported in error, you can request that it be removed from the lists. We encourage site owners to investigate any such report thoroughly, though; a site can often be turned into an attack site without any visible change.

To request removal from the list of reported phishing sites, use this form provided by Google.

http://www.google.com/safebrowsing/report_error/?tpl=mozilla

Comments:

Don't re-call anyone ever posting here in Moodle forums the same issue ... but then again these sorts of things weren't being used a few years ago! :|

And another comment (you are probably not going to like):

Many years ago there used to be a very small ... but significant sentence in Moodle pages ... basically it said 'Use Linux'!  Not that Linux hosted anything is that much more secure (although it is right out of the shrinkwrap) cause a lot depends upon admin of server.  To be 100% honest, wonder why one would choose to host a Windows server on Amazon! :|

Have you contacted Amazon tech support?

Please do return and share the fix ... for others who might face similar.

Best of luck!

'SoS', Ken