Malicious Uploaded Documents Will Nearly Kill Your Online Business

So, this one takes days to have an impact, weeks to detect and months to get off blacklists. Essentially, any website-driven business dies from those months of impact.

Recently, one of our customers reported her site as infected. Following the usual protocol, we ran various types of scan via WordPress plugins and even some Linux anti-virus software. Detection: nada… zilch!

Root-Cause

Apparently, not a scanner on earth would detect what’s wrong with the website. The site was essentially clean.

Avast One reported the site as phishing. The site had a brandname with .info in the domain name. There was a competitor with the same brandname but with a .com in the domain name. Could that be the issue?

Avast One even popped up while working in the WordPress Admin Dashboard wp-admin area.

While we monitored the site… soon McAfee WebAdvisor started flagging the site as Risky and containing PUPs — Potentially Unwanted Programs.

Looking into Google Transparency Report — Safe Browsing site status, the site was clean.

Problems With Detection

So essentially:

  1. The scanners detected nothing.
  2. Google detected nothing.
  3. The site was getting flagged by multiple vendors — all for weird, random, unknown reasons.

What in the world…!

So the only thing left was to go back to the drawing board.

How do various security-vendors collect the data? Without getting technical about it:

  • These security vendors have no access to the WordPress backend (exception: antivirus browser plugins).
  • They rely on user-submitted reports.
  • They scan website content that is publicly available.

Check & Analyze SERPs

We put ourselves in their shoes and ran a Google site-search on the affected site… lo and behold… voila! Digging a few SERPs deeper, the site had PDFs indexed, and some of them weren’t ones a site owner would expect.

Final Findings

Now let’s take a few steps back and see what happened:

  1. A rogue user registered on the website.
  2. The user had the ability to upload PDFs on the website.
  3. The uploaded PDFs would have taken a few days to get indexed.
  4. The site would have been flagged by one security vendor and then the next.
  5. No malware scanner was able to detect these suspicious PDF uploads.
  6. The site would take a long time to be taken off multiple blacklists.

As you can see, this is one unusual and super-tricky case wherein a website would have killed a business without leaving any clue.
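As a defensive counterpart to findings 2 and 5 above, here is an added example (not code from the article or its author): a small must-use plugin that removes PDF from the allowed upload types for accounts below a trusted capability, and an audit function that lists every PDF already in the media library together with who uploaded it. The plugin name, the pdf_guard_audit function and the choice of the publish_posts capability as the trust line are assumptions; adjust the capability to match the site's roles.

```php
<?php
/**
 * Plugin Name: PDF upload guard (hypothetical mu-plugin, added example)
 * Place in wp-content/mu-plugins/. Assumes standard WordPress roles; using
 * publish_posts as the "trusted uploader" capability is an assumption.
 */

// Remove PDF from the allowed MIME list for low-privilege roles such as
// Subscriber or Contributor, which otherwise can upload one through the
// media library or a front-end form that calls the core upload handler.
add_filter( 'upload_mimes', function ( $mimes ) {
    if ( ! current_user_can( 'publish_posts' ) ) {
        unset( $mimes['pdf'] );
    }
    return $mimes;
} );

// Second check at upload time, in case another plugin re-adds the MIME type
// later in the filter chain. Setting $file['error'] rejects the upload.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'pdf' === $ext && ! current_user_can( 'publish_posts' ) ) {
        $file['error'] = 'PDF uploads are limited to trusted editors.';
    }
    return $file;
} );

// Audit what is already in the media library: every PDF attachment with the
// uploader's login and roles, so files from untrusted accounts can be
// reviewed and removed before (or after) search engines index them.
// Run from the shell with:  wp eval 'print_r( pdf_guard_audit() );'
function pdf_guard_audit() {
    $rows = array();
    $pdfs = get_posts( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'application/pdf',
        'post_status'    => 'inherit',   // attachments are never "publish"
        'posts_per_page' => -1,
    ) );
    foreach ( $pdfs as $pdf ) {
        $user   = get_userdata( $pdf->post_author );
        $rows[] = array(
            'url'      => wp_get_attachment_url( $pdf->ID ),
            'uploader' => $user ? $user->user_login : 'unknown',
            'roles'    => $user ? implode( ',', $user->roles ) : '',
            'date'     => $pdf->post_date,
            'trusted'  => ( $user && user_can( $user, 'publish_posts' ) ) ? 'yes' : 'NO',
        );
    }
    return $rows;
}
```

Rows marked trusted=NO are the ones to check against a Google site-search, since those URLs are exactly what the vendors in this story would have been scoring.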


This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans her expertise in network security, security audit and scripting-based automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, ModSecurity, reverse proxies, developing web application firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting services she offers in the domain of web security.