The domain that was blacklisted was not demos.shapingrain.com (I checked), shapingrain.com itself was blacklisted as you can see from the Google Safe Browsing report here: http://safebrowsing.clients.google.com/safebrowsing/diagnost...

The theme currently in use on http://wp-abtesting.com/ has a main stylesheet called style.css which contains the URL http://www.shapingrain.com in its comments in the header.

It looks like shapingrain.com itself was infected on 2013-08-19 but cleaned by 2013-08-20. It was likely infected with a JavaScript injection vulnerability linking to the site lartedio.com which served the actual payload (likely something trying to self-install, break out of the box, etc.).

After shapingrain.com was infected and flagged by Google Safe Browsing, wp-abtesting.com would then have been flagged when Google analyzed the CSS file and saw what appeared to be a resource link to an infected site. This would appear to be a limitation via the scanner which is scanning CSS comments and treating them as valid code, though this is not without precedent and certain browsers will evaluate what is contained in comments under certain circumstances (see IE conditional comments).

So, in the end, it looks like shapingrain.com was infected yesterday and Google blacklisted that site as well as any sites pulling resources from the infected site, erring on the side of caution (possibly) and interpreting URLs within comments in CSS as possible resource links.

Hi John,

Thanks a lot for your detailed response. Really appreciated.

Probably both sites were infected at some point. Again, I never saw the malware message myself but the guy that alerted us first copied the message he got and it was explicitly mentioning the demo site: “Content from demos.shapingrain.com, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your Mac with malware.”

And now, we’re going to immediately clean the CSS since this is something that had not occurred to us could be the cause of the problem. Let’s make sure we are not blacklisted again!

Sure thing. I've had some experience with the blacklist detection due to a JS file hosted on a trusted 3rd party site that had another section of their site hacked (meaning their site was blacklisted and anything pulling resources from their site was similarly blacklisted). I researched more about how things worked then and have been sharing when I can since then. I hadn't seen your specific situation before but it is my guess based on an understanding of how similar scanning setups work.

For future reference, another useful tool is Sucuri SiteCheck, which will show you the results of multiple website malware blacklists on one page: http://sitecheck.sucuri.net/scanner/

(I checked and http://wp-abtesting.com/ is clean)

You shouldn't pull static assets from 3rd party sites like that. Looks like you've fixed it. You should also use W3 TotalCache, WP Minify, or a similar plugin to minify and combine your CSS and JS. You have a lot of files loading which slows the site down.

They apparently weren't pulling static assets from a 3rd party site. They were using a theme developed by a 3rd party. That theme is hosted on their own server but has the developer's name and URL listed in the comments of the CSS (which is fairly common practice). No assets were being loaded from an external site, but it looks like that URL in the comments triggered Google's alerts. That said, combining and minimizing CSS and JS would have eliminated the comments and prevented the issue with Google's scanner.
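As an added example (not code from any commenter in this thread), the following Python check illustrates the distinction John's explanation and the reply above rely on: hosts a browser would actually fetch from a stylesheet (url() and @import outside comments) versus hosts that merely appear in CSS comments. The stylesheet and the domain names are constructed placeholders, and the scanner behaviour being modelled is the thread's hypothesis about Google's checks, not documented Safe Browsing logic.

```python
import re

# Constructed sample stylesheet: the header comment credits the theme vendor's
# site (placeholder domains throughout), and the only hosts a browser would
# actually contact are the font and CDN hosts referenced via @import and url().
SAMPLE_CSS = """/*
Theme Name: Example Theme
Author URI: http://www.theme-vendor.example/
*/
@import url("https://fonts.example/css?family=Open+Sans");
body { background: url(/img/bg.png); }
.logo { background-image: url('https://cdn.example/logo.png'); }
/* TODO: drop legacy asset at http://old.theme-vendor.example/x.css */
"""

URL_RE = re.compile(r"https?://[^\s'\")<>]+")      # any URL-looking token
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)    # CSS block comments
# url(...) and @import "..." are the constructs a browser actually fetches.
REF_RE = re.compile(
    r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""")

def hostname(url):
    return url.split("//", 1)[1].split("/", 1)[0].split(":")[0].lower()

def flagged(host, blocklist):
    """A blocklisted domain covers itself and all of its subdomains."""
    return any(host == b or host.endswith("." + b) for b in blocklist)

def naive_hosts(css):
    """What a scanner that ignores comment boundaries sees: every URL."""
    return {hostname(u) for u in URL_RE.findall(css)}

def fetched_hosts(css):
    """Hosts the browser would request: url()/@import outside comments."""
    hosts = set()
    for m in REF_RE.finditer(COMMENT_RE.sub("", css)):
        ref = m.group(1) or m.group(2)
        if ref.startswith(("http://", "https://")):
            hosts.add(hostname(ref))
    return hosts

def classify(css, blocklist):
    """Split flagged hosts into (actually loaded, mentioned only in comments)."""
    bl = {b.lower() for b in blocklist}
    loaded = {h for h in fetched_hosts(css) if flagged(h, bl)}
    mentioned = {h for h in naive_hosts(css) if flagged(h, bl)}
    return loaded, mentioned - loaded
```

Running classify() against your own theme's CSS with the domain a blacklist names tells you whether the site really loads from it or only credits it in a comment; minifying strips the comment-only case entirely, as the reply notes.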
