# facebook says my website my be malicious buts tested safe HELP



## cshannonpa (Jan 15, 2014)

Facebook (which sends most traffic to my website, now warns people to be cautious going to my website because it might be malicious. However I have tested it with Norton web safe, trend micro, sucuri and it tested clean on all. 
I depend on f/b for most of my website traffic.

I have a business and over 32,000 page likes and this is devastating my business. Please help. I did contact f/b and my host provider and I've had no help. 

I need serious advice. I know nothing of programming and what to do.


----------



## cshannonpa (Jan 15, 2014)

Hi any help is appreciated. My website for my business has tested clean by Norton, sucuri, micro trend...
But when I share my link on facebook it says on redirect that my site could be malicious. 

I contacted my host provider. They can't or won't help me. I've searched all over the net and only seen many others suffering from this warning with no solution. 
It's killing my business as I heavily rely on social networking to send traffic to my site. Please help.


----------



## dvk01 (Dec 14, 2002)

This isn't a malware cleaning issue so moved to web development 
before we can offer any sort of advice we need the website url and a facebook link that points to your site so we can see what might be the problem


----------



## cshannonpa (Jan 15, 2014)

Oh ok, im sorry...

My website is: www.cshannon.ca

Do i need to put it somewhere or is as a reply Ok? Thank you so much.... Im new to using a forum


----------



## dvk01 (Dec 14, 2002)

There are no alerts when I follow any links from https://www.facebook.com/CrystalShannonPetPortraits to http://www.cshannon.ca/
where do you get the alerts
exactly what do they say
What browser are you using when it alerts you


----------



## cshannonpa (Jan 15, 2014)

I've tried it with firefox, opera, dolphin browsers
Here is a screen shot of what im seeing.


----------



## dvk01 (Dec 14, 2002)

That is a mobile phone or tablet and as far as I know facebook always puts that message up on leaving facebook on mobile connections not desktop connections 
there is no fix or cure whatsoever for it and loads of people complain about it


----------



## cshannonpa (Jan 15, 2014)

Oh my goodness! That makes sense now, but that's terrible for page owners with so many people being mobile these days. Do you have any suggestions to help? Would any kind of plugin or something help? 
I am wondering if I should mention this online. I know most times people won't click continue and I think it's damaging to a good clean website. 
I thank you sincerly for your assistance.


----------



## JiminSA (Dec 15, 2011)

As previously stated, you are not alone! Hope this helps


----------



## cshannonpa (Jan 15, 2014)

http://www.cshannon.ca/prices-and-ordering.html

hi again. I just had a potential customer tell me yesterday that her virus program warned her my site had "a malicious payload attached to it" 
Please help.. this warning had nothing to with facebook
My host said there might be a problem on this page.... but couldnt tell me what or how to fix it.

Specific link is start of this reply.


----------



## dvk01 (Dec 14, 2002)

There is absolutely nothing showing on that page that is malicious or could be deemed malicious. BUT I am in UK and sometimes malware payloads are geo specific and will only be served up to visitors from a specific country, but even then you will generally see the base code in the page even if the payload isn't easily visible


----------



## cshannonpa (Jan 15, 2014)

Ok thank you so much. Do you have any advice for me to try? I so appreciate your help.


----------



## dvk01 (Dec 14, 2002)

I really don't know with this one 
if you can find out which antivirus is detecting it as "bad" we can see what triggers it is finding as bad so you can alter the website code to avoid them.

I would suspect but have no proof that it is the way that your pictures are being processed and included in the html code. 
It is very unusual to have what looks like tracking codes after the image name & that might well be what the trigger is.

A normal website will ahev an image with the code of 
image src= Link to picture.jpg 
you have a code with image src= Link to picture.jpg?123456?324563?234535

Now in a normal website the ? after a file name is meant to include instructions to perform an action
for example on the Techguy website here there is code on a page that looks like 
http://forums.techguy.org/login.php?do=logout

The only time I normally see the ? action = " do something" is on a php site when an action is needed
I have never previously seen it on images .and I would not be at all surprised to find out that it is responsible for both the facebook warnings and the visitor's antivirus warning

You might find that one of the other web development gurus here will disagree with me but any action associated with an image would be flagged as suspicious

Now whether you have inserted the code or whether it is your drag & drop web creation software that is responsible is only something you can find out


----------



## cshannonpa (Jan 15, 2014)

Again i sincerely appreciate your help... would it help at all if i deleted home folder and started again with different images and then uploaded it? Lets say i redid the entire site even if i had to, could it help?


----------



## JiminSA (Dec 15, 2011)

Nothing so extreme is necessary methinks. If you just got rid of the "?123456>3456... etc." appendages to the image files it will probably sort it out, as Derek intimated.
I have never seen this in all my years of web work and haven't a clue as to it's purpose. Taking out these mysterious suffixes will not affect the rendering of your images, but I feel in my gut that it will probably stop the site being flagged by whatever bit of software is doing so!


----------



## dvk01 (Dec 14, 2002)

I don't think that is going to help if you continue to use the same web development software that includes the references

open your website in IE or Firefox 
right click the page and select view source and you can easily see all the images with the strange code

check your web making program & see if it is inserting the code & if it is, speak to them & find out how to turn off that function 

I think you are using weebly to host or create images & slideshows before transferring them to your own webspace and weebly is putting the code in 

I am sure Jim will be better placed to help you as I am more security related and more used to cleaning up infected computers or fixing infected websites and trying to plug vulnerabilities on servers. Yes I do a certain amount of web development but nothing like the amount Jim does 
I don't know how you will overcome that as it is probably part of there tracking code


----------



## JiminSA (Dec 15, 2011)

Sound advice from Derek for a permanent solution. In the interim you can try my suggestion (i.e. if your website creation software allows you to amend source - if it doesn't get back to us and we'll see what temporary measures we can perform to alleviate the flagging!).


----------



## cshannonpa (Jan 15, 2014)

i see where there is numbers after the jpg with a ?, but I don't know how to remove it. I know there is a spot to edit code and edit html in the file manager, but I'm so afraid because I find code so confusing and kind of scary. i am lost and so frustrated


----------



## JiminSA (Dec 15, 2011)

I've checked your site on a couple of malware online detectors and have had positive feedback, so maybe we are being paranoid.
It would be good if you can discover what software your potential client was using ...


> I just had a potential customer tell me yesterday that her virus program warned her my site had "a malicious payload attached to it"


for this situation to arise - then we could contact their team and ask how they arrive at that conclusion and go from there ...
As Derek said those appendages are probably being used by the dragndrop.com software (so we won't mess with the source code) and ignored by the browsers, but highlighted by the malware detectors - sort of a catch-22, but if you can discover the anti-virus that was used ...


----------



## cshannonpa (Jan 15, 2014)

I just contacted that person and she said she was using Web root. (?) Not one I'm familiar with.


----------



## dvk01 (Dec 14, 2002)

webroot uses cloud technology & relies on heuristic analysis a lot rather than traditional signatures and unfortunately is well known for false alarms

they use brightcloud reputation system 
check here 
http://www.brightcloud.com/support/lookup.php

enter the website URL and you can get the false alarms and bad blocks sorted out
and read http://www.brightcloud.com/toc/webreputationlearnmore.php

I would not be surprised to learn that facebook uses that system


----------



## JiminSA (Dec 15, 2011)

Thanks for the heads-up Derek:up:
The company has half a dozen contact emails here
I would opt for the website one and ask them for specific information on your site which would enable you to correct the situation which on the one hand causes the site to be considered 'suspicious' and yet on the other, be defined as 'trustworthy' and have 'no threats found' (in their Real-Time Intelligence Analysis) ...
Storm in a teacup


----------



## cshannonpa (Jan 15, 2014)

Hi! I inquired with brightcloud. this is their response 
"
The determined that the site is safe and we are working on adjusting its reputation score accordingly.


Please allow 24 to 48 hours for the change to take place.


Thank you for bringing this to our attention!"

~ SO is there a way to find out if other anti virus, antispy, etc, programs that might be need to reevaluate my site ?


----------



## JiminSA (Dec 15, 2011)

That's a question that you can ask your connection at brightcloud - they broke, they should fix it! They also know the people they've (mis-)reported to ...


----------

