Ext. Unpublished vs. Sucuri.net

Here you can contact the editors of our Extensions site, as well as access information relating to this site.

Moderator: JED Team

TheMuffinMan
Joomla! Explorer
Posts: 282
Joined: Thu Nov 17, 2005 9:39 pm

Ext. Unpublished vs. Sucuri.net

Post by TheMuffinMan » Fri Dec 29, 2017 11:35 pm

Hi,

one of our extensions got unpublished due to possible malware as suggested by sucuri.net.

I fixed the problem but in fact it was just that a server error 500 was thrown where there should have been a 404 (happened since last Joomla update, shame on me I didn't notice that before).

Not really a problem for me as it is fixed and a ticket has been raised. In fact we have to say thank you for taking your time over the holidays to address things like this!

However, just a suggestion: if you check with sucuri.net, it would be great to check the payload server response as well. Sucuri.net treats any error 500 as possible malware if it expects something else, so I recommend getting in touch with the developer before unpublishing to check whether a legitimate malware infection happened (and unpublishing after, say, 24 hours if there is no response from the dev).

Unfortunately, those 500 errors are way too common to assume there is an infection.

Maybe cross-checking with other services can help, too, to make sure.

Best Regards & Happy Holidays!

Markus

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Ext. Unpublished vs. Sucuri.net

Post by fcoulter » Sat Dec 30, 2017 12:05 pm

A 500 error just means "something went wrong with the server". It is a very general error code; it can include a lot of things, including a hack. If a hacker is not competent they may try to inject malicious code into the site files but just end up breaking the site because they put it in the wrong place or made a coding error. This does happen quite a lot. That is the reason (I would guess) why Sucuri take this as a sign of potential malware, because it often is.

Do you know that your extension was actually unpublished due to the Sucuri scan? The JED will unpublish an extension if the download link doesn't work, which would be the case if the response is a 500 error, so even without the scan they would have grounds to temporarily unpublish the extension.

I would guess that the JED take the view that they have to err on the side of caution in such a case, and I think that is reasonable.

http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

TheMuffinMan
Joomla! Explorer
Posts: 282
Joined: Thu Nov 17, 2005 9:39 pm

Re: Ext. Unpublished vs. Sucuri.net

Post by TheMuffinMan » Sat Dec 30, 2017 12:30 pm

Hi,

yes, I know, and I don't have a problem with that. It returns an error 500 where an error 404 was expected, so far so good.

But Sucuri.net treats any error 500 as if it were a 100% certain infection:

"Status: Infected With Malware"

This status is a very bold statement and I guess it is supposed to create some "drama" to upsell their site cleanup services.

However, another thing is that their caching keeps this error up even though the bug on our site has been fixed (it now throws a 404 as it should, instead of a 500).

Still, I recommend either cross-checking with other services and/or informing the developer in advance to rule out false positives.

[EDIT] By the way: Sucuri.net includes the blacklist status of the page being tested. In our case, it is not listed anywhere; maybe this is already enough for cross-checking?

Regards,
Markus

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Ext. Unpublished vs. Sucuri.net

Post by fcoulter » Sat Dec 30, 2017 1:16 pm

TheMuffinMan wrote: "This status is a very bold statement and I guess it is supposed to create some "drama" to upsell their site cleanup services."

Yes, I think you are 100% correct there.

But as I mentioned, the JED will unpublish an extension if the download link is broken; that is probably why it was unpublished, nothing to do with the Sucuri scan.

I don't know the reason why your extension was unpublished; though the VEL is technically part of the JED these days, we don't get involved in that type of decision. I think that most of the JED are taking a break at the moment; hopefully someone will explain in due course.

The VEL occasionally lists a developer's site due to it containing malware, but we wouldn't do it on the basis of a single scan; we would look for more evidence than that. And we had no involvement in this case.

http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

TheMuffinMan
Joomla! Explorer
Posts: 282
Joined: Thu Nov 17, 2005 9:39 pm

Re: Ext. Unpublished vs. Sucuri.net

Post by TheMuffinMan » Sat Dec 30, 2017 1:19 pm

Hi,

it wasn't a broken link. Here is the text (site name and JED curator anonymised):

Hi!

Your extension has been unlisted, because your site is reportedly infected with malware.

Check this:

https://sitecheck.sucuri.net/results/XXXXX

Clean your site and submit an unsuspension request in order to be added back.

Thank you!

XXXXX

Best Regards,
The Joomla! Extensions Directory

As mentioned before, I am not questioning their decisions on what security tools are used, but in that particular case of 500 errors you might want to be very careful about take-downs, especially when all other blacklists show the site to be clean or not listed.

That's why I suggest some sort of minimum reaction time for the developer before an extension is taken down.

Regards,
Markus

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Ext. Unpublished vs. Sucuri.net

Post by fcoulter » Sat Dec 30, 2017 3:20 pm

The problem is that you could then have a situation where the JED wait 24 hours to contact a developer and meanwhile the site is actually infected with malware and the JED are continuing to refer visitors to it. That seems to be unacceptable to me. The JED have to err on the side of caution.

Not everyone who works for the JED is a developer; some team members may not feel able to judge whether a 500 error is actually a sign of the existence of malware or not, and may decide therefore to be cautious about this. I am not going to second-guess that decision. I don't think that the JED have an official policy on this (although I may be wrong about that); I think that the person dealing with this has to make a judgement call. It seems to me to be better to over-react in such a situation than to under-react.

Probably it would be better to continue this discussion when some actual JED members are available to explain how their decision-making works.

http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
