Portable Rock Art and Figure Stones
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

ROCK ART MUSEUM MALICIOUS FILES DETECTED

Sat Jan 08, 2022 9:27 pm
Warning to all that visit the rock art museum: I have reason not to trust Jul Jones AKA Rocky or his website. Despite him running a computer security website and apparently being very adept at computer security, a recent scan appears to have revealed 4 malicious files hosted on his website. These could be Trojans, RATs, viruses and spyware or ransomware. These are exactly the kind of software Jul reportedly has expertise in preventing, and his website rock art museum also has built-in software to block bots from scanning his site? Possibly to prevent malware being discovered?

Check for yourselves.
[You must be registered and logged in to see this link.]


Last edited by Brett on Sun Jan 09, 2022 7:13 am; edited 1 time in total
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Sat Jan 08, 2022 9:32 pm
[You must be registered and logged in to see this link.]
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Sat Jan 08, 2022 9:39 pm
I've just done another scan from a different computer and operating system and browser. The same result.
[You must be registered and logged in to see this link.]
Rocky
Posts : 152
Join date : 2019-04-15

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Sun Jan 09, 2022 9:36 pm
I just ran a scan and the results are 100% bogus. See the results below.
NOTE: After 35 years as a security analyst I certainly know how to protect a website and check for malicious files.

The 1 "malicious" file reported is actually from Cloudflare (which I use for a firewall before my site loads). In fact Cloudflare is blocking that scanner site (scanner.pcrisk.com) as it is detected as a bot.
The file in question is Cloudflare's main CAPTCHA bot blocker which of course is 100% harmless. The "report" from scanner.pcrisk.com is totally bogus.

[You must be registered and logged in to see this link.]

Complaint sent to pcrisk.com
[You must be registered and logged in to see this link.]


Last edited by Rocky on Mon Jan 10, 2022 2:28 pm; edited 1 time in total
Rocky
Posts : 152
Join date : 2019-04-15

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Sun Jan 09, 2022 10:08 pm
Here is the last month's Cloudflare report for RockartMuseum.com. I have created approx 550 firewall rules on Cloudflare.
[You must be registered and logged in to see this link.]
After a request to get pages on my site the request is allowed, blocked or sent to a Captcha by Cloudflare.
If the request passes that firewall then I have another firewall that is ahead of my actual website with over 500 different AI rules (that I wrote myself) which will allow, block or go to Captcha. The blocking and release rules automatically increase or decrease per IP depending on the requests.
The net result is that >99% of automated bots are prevented from getting to my site so the results they attempt to get are bogus.
Rocky
Posts : 152
Join date : 2019-04-15

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Mon Jan 10, 2022 12:48 am
For those who still doubt the above try this link [You must be registered and logged in to see this link.]
Google is one of the few bots I allow full access to everything on my site
[You must be registered and logged in to see this link.]
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Mon Jan 10, 2022 6:59 am
Rocky wrote: I just ran a scan and the results are 100% bogus. See the results below.
NOTE: After 35 years as a security analyst I certainly know how to protect a website and check for malicious files.

So what exactly are you saying here? Are you saying that I faked these scan images and they are bogus? Or are you saying that the website [You must be registered and logged in to see this link.] is bogus?

Because [You must be registered and logged in to see this link.] definitely 100% reported 4 malicious files on your website.
And a cached or archived version of your website will show this, just like the reports stored on [You must be registered and logged in to see this link.] server will also show I'm 100% correct in this.

I don't think your post proves anything much. Anyone being caught with their pants down would surely be pulling their pants up sharpish, don't you think? You have clearly edited your website.
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Mon Jan 10, 2022 8:57 am
Also, none of the files that were reported as being malicious has the file name you report as being a false positive.
These have different file names according to the scanner, and none of the MD5 checksums for the 4 files matches the MD5 checksums for the current file that is being reported as malicious.

Can anyone else smell burning underwear?
Rocky
Posts : 152
Join date : 2019-04-15

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Mon Jan 10, 2022 2:38 pm
As I said it is a bogus false positive. Whether you understood my previous explanation is now irrelevant

Here are the email responses I got from PCRISK.com after reporting it
[You must be registered and logged in to see this link.]

Follow-up email from them
[You must be registered and logged in to see this link.]

Initial report to PCRISK.com
[You must be registered and logged in to see this link.]
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Mon Jan 10, 2022 3:18 pm
Yes, the current file that is being reported as malicious is a false positive, I will give you that, but 1 is not 4, and the 1 does not match any of the 4 according to the MD5 checksum or file names. Don't play ignorant and pretend you didn't delete those files from your website, and that you don't know what an MD5 checksum is.

Below: the 4 files reported as malicious, along with their file names and MD5 checksums.
[You must be registered and logged in to see this link.]
Below: the 1 file that is reported as being malicious, but attributed to a false positive.
[You must be registered and logged in to see this link.]

These file names and MD5 checksums don't match, do they Rocky? So how about you restore your website to the way it was when I did the scan originally, and then let's see what Ramanus of PCRisk has to say, because that way all the checksums will add up, and all the files can be cleared.
Rocky
Posts : 152
Join date : 2019-04-15

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Mon Jan 10, 2022 4:07 pm
What you are showing is meaningless. You need to click on the View Code so I can see the actual code which I will send to PCRISK.com and report them as false positives.
[You must be registered and logged in to see this link.]

I don't even know how you are getting those "malicious" files. Are you using Google cache instead of testing the live site? If so that would explain why it is getting more false positives, due to my firewall redirecting their scanner to the CAPTCHA because they are a bot. It could also be you are scanning from GB and my scan is from Canada. That could also trigger false positives as your scan test could be originating from a set of different IPs triggering my firewall CAPTCHA blocks - again false positives.
I have not changed or deleted any core files, period. I can't see those files reported scanning the live site. If you are not interested in helping me to prove they are bogus let me know. I take security very seriously and I am wasting a lot of time on a wild goose chase due to bad scanner rules reporting false positives and not actual infected files.
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Mon Jan 10, 2022 4:27 pm
Absolute bull shit, and you know it. So why has your site changed from yesterday if there was nothing malicious?

LOCKING THIS THREAD
Rocky
Posts : 152
Join date : 2019-04-15

Cry Wolfe - False Flag

Tue Jan 11, 2022 3:46 pm
Brett before you rudely closed that thread with wrong assumptions [You must be registered and logged in to see this link.] you did not let me finish my analysis.
To make it perfectly clear, there never were any malicious files on my site, period.

Before PCRISK.com fixed their false positive scan rules, the possible reason you saw multiple files flagged is that if you typed in rockartmuseum.com Cloudflare redirects it to [You must be registered and logged in to see this link.] which would have triggered multiple CAPTCHAs which would have different MD5 signatures for the same file names. Note: since their scanner is an automated bot, their scans are temporarily blocked (CAPTCHA) by CloudFlare.
The only files their scanner even sees are on CloudFlare. It never reaches my server files, which are behind CloudFlare's firewall.

There is a reason I am in the top 1% of the most secure websites in the world

How did I know those files you saw were false positives? - Easy. Google has full access to my site and indexes at least 50 of my pages a day, every day.
If there were malicious files on my site they would have notified me and anyone clicking on my site from Google would get a warning.
The result would be I would have lost my extremely important 1st page search ranking. [You must be registered and logged in to see this link.]
Do you really think I would risk that by having malicious files on my site?
Please remove your last comment or just delete that topic as it is bogus and I will delete this topic. Swearing has no place on a public forum.

[You must be registered and logged in to see this link.]
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Wed Jan 12, 2022 9:25 am
As you are aware I had a response on hold from yesterday, I really cannot be bothered with this, because I feel you have been being deceptive and avoiding the facts as I see them.

Firstly it does not matter if you scan your site for 100 years from now on and it comes up clean, that scanner detected four things before. This is the point. However, if you could show us online genuine reports (not screen shots, externally hosted reports on genuine web security scan sites) from prior dates to the scans I reported, where everything was scanned and nothing was blocked by your 'bot blockers' then I guess that would help.

Secondly, even the scan above claims that your website is blocking the crawlers and the scan could be incomplete. Surely anything could be in areas that were unable to be scanned? Why stop such scans in the first place?

Now, when someone finds out that their website is reportedly hosting 'malicious' files, what would be the likely scenarios to play out, when someone else is reporting this online?

I would suggest these as possibilities: run the scan themselves, grab screenshots, save the report. Post the report as is, claiming innocence. Perhaps explaining those flagged files. The report would exactly match the original one.

Or if they have something to hide because they know they have 'malicious' codes on their website, edit them out and then try to make excuses and explain the anomalies away.

You still did not explain the four files, you avoided it, you obviously edited your site, right? Why not post the original scan which I guess you would have done detecting four files, and explain those four?

Your above explanation is very plausible, the captcha could have been reported four times, so why don't we have a report from you showing 4 anomalies exactly matching my original scan? People can explain anything away, it does not mean it's the truth.
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Wed Jan 12, 2022 3:41 pm
Actually I'm gonna call bullshite on this 'captcha' triggered 4 times malarkey. How could it even get triggered 4 times? The crawler is not pressing any buttons, it can't. The code and offset and MD5s and file sizes CLEARLY point to 4 different things, not the same 'MAGICALLY TRIGGERED' capture script 4 times. Later on the cloud flare script was still in there, right? How come it didn't trigger four captcha triggers like you claim at the later date?

NONE OF YOUR CLAIMS SEEM TO ADD UP IN THE SLIGHTEST.

houndofrock likes this post

Rocky
Posts : 152
Join date : 2019-04-15

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Wed Jan 12, 2022 4:37 pm
The answer is simple for those who are actually technically familiar with how the Internet works. If you type in a browser [You must be registered and logged in to see this link.] CloudFlare sends that request directly to my main server behind CloudFlare's firewall. However if you instead typed [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] CloudFlare does an internal redirect to [You must be registered and logged in to see this link.] giving a 301 (https://habr.com/ru/post/458108/) redirect response, then forwards that request internally to [You must be registered and logged in to see this link.]. I don't deny the validity of the 4 files you saw. If you didn't precisely type in [You must be registered and logged in to see this link.] using PCRISK's scanner that would have triggered multiple CAPTCHA blocks. When I did my PCRISK scanner test I used [You must be registered and logged in to see this link.] and therefore only got 1 file falsely reported (which again is a CloudFlare file). As you saw, as previously stated, PCRISK acknowledged and fixed their false positive response. Had you actually clicked on the View Code on those 4 files (which I asked you to) you would have seen those files are from CloudFlare only and not from my main server. Anyone familiar with packet analysis and server header response analysis would confirm this. Your implication that I am somehow lying or hiding something is beyond the pale. Also re the changing MD5 signatures of my server index files: this occurs many times a day as I do many updates a day. As page content changes my WordPress cache plugin kicks in automatically, generating new HTML files.

The one final comment is: Had you reported the false positive "malicious" files to me by email before jumping to erroneous conclusions this back and forth would not have even happened. I would have thanked you for the observation, and as I got PCRISK to fix their scanning rules which generated the false positives, at least something good occurred out of it.
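One way to check which side of the CDN a flagged file came from, as an added example that is not part of any post in this thread: record the status and headers of every response alongside its MD5, then separate redirects and edge challenge pages from actual site content. The hostnames, the sample records and the `cf-mitigated: challenge` heuristic are assumptions made for illustration.

```python
import hashlib

# Constructed scanner fetch records; hostnames, headers and bodies are invented
# for illustration and are not taken from the scans discussed in this thread.
FETCHES = [
    {"url": "http://site.example/", "status": 301,
     "headers": {"Server": "cloudflare", "Location": "https://www.site.example/"},
     "body": b""},
    {"url": "https://www.site.example/", "status": 403,
     "headers": {"Server": "cloudflare", "cf-mitigated": "challenge"},
     "body": b"<script>/* challenge */ var ray='7a1';</script>"},
    {"url": "https://www.site.example/", "status": 403,
     "headers": {"Server": "cloudflare", "cf-mitigated": "challenge"},
     "body": b"<script>/* challenge */ var ray='9c4';</script>"},
    {"url": "https://www.site.example/index.html", "status": 200,
     "headers": {"Server": "cloudflare", "CF-Cache-Status": "HIT"},
     "body": b"<html>museum home page</html>"},
]


def classify(fetch):
    """Label where a response body came from, using response metadata only."""
    headers = {k.lower(): v.lower() for k, v in fetch["headers"].items()}
    if 300 <= fetch["status"] < 400 and "location" in headers:
        return "redirect"
    # Assumption: the edge marks its challenge pages with this header and a
    # 403/503 status; treat it as a heuristic, not proof.
    if headers.get("cf-mitigated") == "challenge" and fetch["status"] in (403, 503):
        return "edge-challenge"
    return "site-content"


def triage(fetches):
    """Return one row per fetch: URL, MD5 of the body, and its classification."""
    return [{"url": f["url"],
             "md5": hashlib.md5(f["body"]).hexdigest(),
             "kind": classify(f)} for f in fetches]


def flagged_bodies_from_site(rows, flagged_md5s):
    """Of the MD5s a scanner flagged, keep those that are actual site content."""
    return [r for r in rows
            if r["md5"] in flagged_md5s and r["kind"] == "site-content"]


if __name__ == "__main__":
    for row in triage(FETCHES):
        print(row["kind"], row["md5"], row["url"])
```

A report that keeps the status line and response headers next to each checksum lets both parties answer the question from the saved record instead of from a later re-scan.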
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Wed Jan 12, 2022 4:54 pm
Right, well whatever the truth is, it's somewhere on these two pages. Case closed. If you can get an independent to prove you are right I will delete the threads.
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Wed Jan 12, 2022 8:47 pm
This also sounds like complete bullshit from you Rocky. Surely the DNS resolves the URL into an IP Address.
Rocky
Posts : 152
Join date : 2019-04-15

Cry Wolfe - False Flag Answer

Wed Jan 12, 2022 11:35 pm
You ask me a question then you close the topic so I can't respond ???
[You must be registered and logged in to see this link.]

The correct question should have been: Surely the DNS resolves the DOMAIN NAME from the URL to an IP Address.
Answer: Of course yes, however you obviously don't understand how DNS and CDNs work.
[You must be registered and logged in to see this link.]
Brett
Admin
Posts : 1016
Join date : 2019-04-14
https://eoliths.blogspot.com/

Re: ROCK ART MUSEUM MALICIOUS FILES DETECTED

Thu Jan 13, 2022 8:22 am
Look, take this to some cloudflare forum. It's very strange how out of the thousands of thousands that use cloud flare and do security scans, this just happens to happen! And saying I don't understand something is not the answer. You were talking about domain names, and typing them differently. I'm correct in this again! You're just clutching at straws.

It's also clear that the scanner is reporting to be scanning the exact same URL/domain names in all the screenshots given, so again Rocky's response stinks of an attempt to confuse or create excuses for the facts.

LOCKED, I WILL CONDENSE THIS ALSO.