Malware and Google Ads

Tourist

Howdy,

I have spent many days attempting to figure out how to remove the 'Malicious Content and Malware' from our Shopify Site as reported by Google Ads.  I have read many of the posts in this Community about the same issues.

We inherited our Shopify site when purchasing a retail store.  
We were contacted by Google Ads last Tuesday, 9 Jul 2019.
I have responses from them with offending links, but I have been almost useless in attempting to figure it all out.

The site does have a custom theme created by the original developer.
I do have access to the code and have used a handy Google extension to search the code, but the links provided by Google do no good. Comments all over the web mention possible .js and jquery code for the redirects, and the links I was given won't actually be in the code.

I have reached out to that developer with no response yet. He may be out of office or away.
I have been able to replicate a page redirect only on my mobile, and it is difficult to reproduce.
I have a video of the redirect.
The redirect only happens on random occasions... which was also mentioned in this Community and other threads from a Google search.

I pinged @Nick  and he suggested to post in the Community for possible support.  
I have seen some responses from @Jason in other threads as well.

I am hesitant to post a link to our site, but will if it is required for support.  
Happy to share in PMs.

I appreciate any response and help.  

Ranes

0 Likes
New Member

I went through a similar issue for a client last week. I was lucky in that Google Ads chat support gave me the offending js file and I was able to debug from there. The offending JS file was also found via a scan on https://sitecheck.sucuri.net/. If it's random then maybe do a few re-tests with sucuri until it triggers the redirect. Google must be using a similar service because their own safe site checker did not find the offending script - are you sure the links they gave you aren't in your code? I'm guessing you've checked for the suggested files being loaded in Dev Tools or even in View Source. Dev Tools will help if the offending file is nested inside another one.

The JS file was being loaded via a metafield shortcode added to theme.liquid - it was directly above the closing </head>

The client found the offending app from there.

1 Like
Community Moderator

Hi @Ranes,

Nick here from Shopify.

I looked into this for you and can you confirm if it is something like shown in the screenshot below that you see?

[Screenshot]

Either way, it is likely that your site is referencing code or content from another domain that has malware, which is called "Cross Malware".

To resolve these and possibly any other errors and restore the search results to a 'clean' state, Google has some tools in place which you can find here. This should be able to point in the direction of the offending external links, at which point an audit of the theme code, blog comments or page/product text content should be done.

If the error still persists after taking the steps Google recommends and after the developer takes a look can you let me know in a reply here please and we can take a closer look to see what might be causing this for you. Something to note is that Shopify does routinely conduct security checks to all shops in the background for things such as this.

Hope this helps and hopefully, the developer can locate what's going on. If you could reply and let us know if it is fixed for you either way that would be greatly appreciated.

All the best, Nick

Nick | Community Moderator @ Shopify
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

1 Like
Tourist

@TroyMSW 
I found a Chrome extension, 'Shopify Theme Search by Bold', that helps scan all of the code in a theme... I assume.  The many tests I did for the URLs provided by Google found nothing.  Playing around with other random searches did pull up results for what I was looking for, just nothing helpful, so I assume it does search all the code.

I have looked through the results in DevView.  I have found a few things that looked interesting, but I don't know code enough to know if they were legit.  A few links indicated they were blocked by my AdBlocker.  I researched some of those links and they appeared to be legit.

I am using Sucuri now. A quick Google search turned up a handful of other "website security check & malware scanner" sites. I am running all of them too.
Sucuri has returned nothing after many tests. UpGuard found a few 'at risk' items, but none seem to be malware. Same for Observatory.
Once I find a Dev, I will look into those results for sure.

The links from Google are:

Please find the link that Needs to be Removed:

https://press.connectioncdn.com/f/stats.php

https://sslgateways.com/?s=fCb4FrwfoCJPxXK4G6yzPzFRIeE9ZZkVP41W4p7JP%2BsSOXuWRxiV3Sfule%2BvN50us1n1%...


I am going through the theme.liquid file now, and more searching through DevView.  

Thanks for the advice.

 

1 Like
New Member

The first link you provided is definitely the issue:

 

https://sitecheck.sucuri.net/results/https/press.connectioncdn.com

 

So you now just need to find out where https://press.connectioncdn.com/f/stats.php is being called on your site. Feel free to reach out on troy at makesearchwork.com.au if you'd like me to see if I can find that in your live site. Or PM me here if you can.

1 Like
Tourist

@Nick 

Google search results do not indicate, "This site might be hacked".

I started using Google Search Console towards the end of last week. That site didn't pull up any results for a few days last week. I need to re-visit that site tonight. The "... resources for hacked sites" looks promising! Great info.

The comment about Shopify doing searches like this, do they contact the site owner, or just fix the code?

I have contacted the dev that created the site and it is his custom theme with no response.  I have contacted another dev that is a genius in all things, but he runs on Genius Standard Time and might get back to me one day, if he remembers. 

I appreciate the help and support and will continue down this rabbit hole.  
It might be past time for a 'want ad' for a dev that knows Shopify.  I am simply not worthy.

Ranes



0 Likes
Community Moderator

Hi @Ranes,

When I mentioned about Shopify doing routine checks, I mean the team is constantly monitoring and checking for anything which shouldn't be happening. It would more than likely be something that is noted on the Shopify Status page here. You can also subscribe to updates on Shopify Status to be the first to know also.

Because of this, individual stores would more than likely not be contacted to answer your question.

If the problem is still persisting, it might be worth having our higher-level support team take a look at this for you. If you would like them to, I could reach out to you via email about this? If you would, could you confirm if the best email to reach you on is the one you signed up to the community with? If not could you let me know what is the best email.


1 Like
Tourist

Nick, I am facing the exact same issue in one of my stores, exactly the same. I have been blocked by Google Adwords because my store is redirecting to sslgateway.com which is a malware... I checked every single line of code and I submitted a ticket to the Shopify support... All I got is some Google links!!

PLEASE escalate this issue to the platform security team

0 Likes
Tourist

@Ranes Please let me know if you found a solution for this issue. I am having the same exact issue in one of my stores.

In order to help each other, would you please tell the list of the applications you currently have installed on your store? Let's compare it and see if there are any similar apps on both of our stores.

I suspect that this malware code is being injected by one of the applications we have installed, as these apps can return {content_for_header} code in the store header code.

0 Likes
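Added example, not part of any post in this thread: two replies above point at script content that reaches the page through a metafield output or `content_for_header` in `theme.liquid`, which is why searching the theme for the reported URL finds nothing. This sketch compares script hosts in the rendered page against the theme source and lists the `<head>` outputs to audit; the sample theme, the sample page, the metafield name and the allow-list are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed theme.liquid head; the metafield namespace/key is hypothetical.
THEME_LIQUID = """<head>
  <title>{{ page_title }}</title>
  {{ content_for_header }}
  {{ shop.metafields.example_app.head_snippet }}
</head>"""

# Constructed copy of the HTML the browser received for the same page.
RENDERED_HTML = """<head>
  <title>Store</title>
  <script src="//cdn.shopify.com/s/files/app.js"></script>
  <script src="https://press.connectioncdn.com/f/stats.php"></script>
</head>"""

ALLOWED_HOSTS = {"cdn.shopify.com"}  # assumed allow-list for this sample

class _ScriptSrc(HTMLParser):
    """Collects the host of every <script src=...> in a document."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            host = urlparse(src).netloc.lower()  # handles //host/path too
            if host:
                self.hosts.add(host)

def external_script_hosts(html):
    parser = _ScriptSrc()
    parser.feed(html)
    return parser.hosts

def dynamic_head_outputs(liquid):
    """Liquid outputs in <head> whose content is stored outside the theme."""
    head = liquid.split("</head>")[0]
    outputs = re.findall(r"\{\{\s*(.*?)\s*\}\}", head)
    return [o for o in outputs if "metafields" in o or o == "content_for_header"]

def triage(liquid, html, allowed_hosts):
    unexpected = sorted(external_script_hosts(html) - set(allowed_hosts))
    return {"unexpected_hosts": unexpected,
            "found_in_theme_source": [h for h in unexpected if h in liquid],
            "injection_points": dynamic_head_outputs(liquid)}
```

An unexpected host that is absent from the theme source points the audit at the listed injection points (app-supplied header content and metafields) rather than at the theme files themselves.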
Tourist

Follow up:

I found a local DEV that is currently working on the issue.  
I have asked him to provide some details on what he found and how he fixed it.  
I might not understand it all, but it will be a beneficial learning tool for me.

From what research I have done so far, found online, or been offered by others, I assume my issue is either from a compromised plug-in or a product image inserted into the site recently. One of these is calling connectioncdn[.]com and / or sslgateways[.]com. The redirects I have seen have flashed a sslgateways URL before redirecting.

The information from both @Nick and @TroyMSW has been great and I have learned a bunch.
Nick, I subscribed for updates as suggested.
Troy, I found sites similar to Sucuri that found some other things that I will be looking into.
Both of you offered great advice and the information has been helpful and educational. Thank you.
I was minutes from contacting one of / both of you to dig deeper when I found a local DEV that also uses Shopify.

@josephraphael I created this thread because I found so many other topics that were the same or very similar.
I will attempt to share the resolutions as I understand them, as I get them.

Ranes

1 Like