Anti-virus is blocking this and sending warning
-
As soon as I installed this I started getting pop-up warnings that said “Total AV blocked: google-analytics.shop/apiv3?source=https%3a%2f%2faaslight.com%2f” and my friend got a Norton antivirus warning saying it is a threat name URL?Blacklist, Threat type – miscellaneous – this is malicious software that could harm your data, computer or network.
As you can imagine, I want nothing to do with something that will put out these warnings, problem is, I can’t get rid of it. This plugin has been “reset”, deactivated it, deleted it, I deleted my google analytics account and this error continues!!!!
How do I get rid of the other pieces that got installed during this? I am not a computer wiz but this is bad news.
-
Thanks for reaching out @aahlight. I don’t suspect this is Site Kit related, given the URL in the source points to a google-analytics.shop domain. I performed some checks and I can see that Norton has flagged this as suspicious, although it’s not a Google owned domain. This domain is also not referenced within Site Kit in any way.
Regarding having installed Site Kit when the error occurred, if you run the same checks with Site Kit deactivated, do you see any errors, or can you share more details on this, such as the source of the request? Feel free to share privately if you wish, using this form.
In the event your site was compromised, you may also wish to run some scans.
I’m responding here based on your update from the review @aahlight.
My friend got warnings thru Nortons, saying something like “We prevented your connection to google-analytics.shop because it is a dangerous webpage. Threat category: URL:Blacklist”. I get warning thru my AV software that say “google-analytics.shop/apiv3?source=https%3A%2F%2Faahlight.com%2F”
It looks like google-analytics.shop is indeed a suspicious domain, however, this isn’t added via Site Kit. It’s always possible that your site was compromised, and files referencing this domain could exist anywhere across your site. Do you have any further details you can share from your antivirus scan? If so I’d be happy to investigate this further.
I deleted everything I could and even tried the “reset” but I still get these warnings. What do I do?
You can share a recording of this experience, showing full details of the error from your antivirus if you wish. You can use a service such as Loom or Zight to share a screen recording, while using this form to share this privately if preferred. Site Kit is fully open sourced and you won’t find any google-analytics.shop domain within the codebase leading me to suspect there may be issues with your site overall. Please do share more details on this and we can investigate further. Thank you.
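An added example, not part of the original thread and not Site Kit code: a Python scan for the check described in the reply above, searching a site's files for references to google-analytics.shop in plain, reversed, hex-escaped or base64 form. The function names, file names and sample contents are constructed for illustration.

```python
import base64, os, pathlib, re, tempfile

SUSPECT = "google-analytics.shop"            # domain flagged in this thread
SCAN_EXT = (".php", ".js", ".html", ".htaccess", ".ini")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}")

def encodings_found(line, domain=SUSPECT):
    """Return the forms in which `domain` appears in one line of text."""
    hex_form = "".join("\\x%02x" % ord(c) for c in domain)
    forms = (("plain", domain), ("reversed", domain[::-1]), ("hex-escaped", hex_form))
    hits = [kind for kind, needle in forms if needle in line.lower()]
    for token in B64_TOKEN.findall(line):
        token += "=" * (-len(token) % 4)     # restore padding before decoding
        try:
            decoded = base64.b64decode(token).decode("latin-1").lower()
        except ValueError:                   # not valid base64, ignore
            continue
        if domain in decoded:
            hits.append("base64")
    return hits

def scan_tree(root, domain=SUSPECT):
    """Walk `root` and return sorted (relative path, line number, form) hits."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(SCAN_EXT)):
            rel = os.path.relpath(os.path.join(folder, name), root)
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                for number, line in enumerate(fh, 1):
                    findings += [(rel, number, k) for k in encodings_found(line, domain)]
    return sorted(findings)

def build_sample_site(root):
    """Write constructed sample files (not taken from the site in the thread)."""
    b64 = base64.b64encode(("https://%s/apiv3" % SUSPECT).encode()).decode()
    samples = {
        "index.php": "<?php echo 'clean';\n",
        "wp-content/themes/demo/footer.php": "<script src='//%s/apiv3'></script>\n" % SUSPECT,
        "wp-content/plugins/demo/load.php": "<?php\n$u = base64_decode('%s');\n" % b64,
        "wp-content/uploads/x.js": "var h = '%s';\n" % SUSPECT[::-1],
    }
    for rel, text in samples.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        print(scan_tree(build_sample_site(site)))
```

A file scan does not cover content stored in the WordPress database, so the same search is worth running over a database export.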
are you able to see this? https://www.loom.com/share/b0db9faed6d24c11a44abf73fedde4ef
Appreciate you sharing the additional insights. Very useful indeed. I checked that request on your site and it’s not coming from Site Kit, see additional details here, not indicating that it’s related to Site Kit in any way, suggesting a report to Cloudflare. The site’s DNS records also all point to a site using Cloudflare. While we’re limited to Site Kit specific requests here, I am happy to run through a couple of further checks with you. To do so, follow the steps below:
- Log in to your live site from a Chrome browser incognito window.
- Install and activate the Health Check & Troubleshooting plugin.
- Tools > Site Health > Tools > File integrity > Check the files integrity
- Share any findings here. I suspect there may be some suspicious files that are not part of a standard WordPress site. Do let me know in particular if there are any files within the Site Kit directory.
While you’re sharing the above, please temporarily deactivate Site Kit so I can check your site once more. It would be great if you could also share any details from your TotalAV program relating to that google-analytics.shop domain. You’ll need to open that program to review any such details.
Let me know if you have any questions with the above. Thank you.
I am having no luck sending the image, it wants a URL? here is the text –
| Status | File | Reason |
| --- | --- | --- |
| Error | /home/customer/www/aahlight.com/public_html/bv_connector_00deca116da37d4cdd34e23547b63675.php | This is an unknown file |
| Error | /home/customer/www/aahlight.com/public_html/.htaccess | This is an unknown file |
| Error | /home/customer/www/aahlight.com/public_html/.user.ini | This is an unknown file |
| Error | /home/customer/www/aahlight.com/public_html/wordfence-waf.php | This is an unknown file |
| Error | /home/customer/www/aahlight.com/public_html/php_errorlog | This is an unknown file |
| Error | /home/customer/www/aahlight.com/public_html/wp-admin/php_errorlog | This is an unknown file |
Thanks for the update @aahlight. There don’t seem to be any indicators of misplaced files within the Site Kit directory if the above is all that’s appearing. I checked the bv_connector_ prefixed file and this may be from a security plugin.
Back to your issue, did you temporarily deactivate Site Kit as suggested above, so I can perform some additional checks?
yes it isn’t even installed
Appreciate the update @aahlight. I can see that even with Site Kit deactivated, the network request to that domain that’s being flagged remains, see this screenshot. We’re limited to Site Kit specific queries here in the support forums, but I would suggest using your TotalAV application to find out more on this. As mentioned, it’s not a Google official URL, nor is it a Site Kit initiated request.
Note also that what you may wish to do, if you suspect the request is suspicious, is to rule out another plugin being the cause. You can do so via process of elimination with the Health Check & Troubleshooting plugin, following the steps below:
1. Navigate to “Plugins > Health Check & Troubleshooting > Troubleshoot”
2. All your third party plugins will then be deactivated (for you only, as a site administrator). Check your site once more, it will look different for you only.
3. From back on the same screen previously, click on the “Available Plugins” tab at the top right and then click on the “Enable” option next to the first plugin that is listed.
4. After enabling another plugin, check your site once more, seeing if any errors are flagged from your antivirus software. If no warnings appear your last activated plugin is not causing the conflict.
5. Enable your plugins one by one (see step 4 above) while rechecking for any warnings each time until the error re-appears. You’ll need to refresh/reload the source code page each time.
6. Once the error appears once more, let me know of the last plugin you enabled. This is likely the plugin that is a factor in the error.
You may also wish to reach out to Cloudflare to report this domain if your antivirus is flagging it. Best of luck regardless!
As we didn’t receive a response I’ll mark this as resolved. Feel free to open a new support topic if you continue to encounter issues, or reopen this topic and we’d be happy to assist.