Avast WEBforum
Other => Viruses and worms => Topic started by: Biox on December 22, 2011, 10:51:01 PM
-
A site that I receive RSS feeds from has started showing up as having a Trojan; however, the name seems to change. I have tried contacting the site in question, qrjuice.com, but have had no response.
I'm wondering if this is just a false positive. Appreciate any feedback and comments.
thanks
-
What is the full avast message? Can you attach a screenshot?
-
Jotti: http://virusscan.jotti.org/en-gb/scanresult/3c962e89641522c22837dda1147f9df192d90ab0
metascan: http://www.metascan-online.com/results.cgi?uid=rlxeh30b21fyoms20dzi9ihxf16g7w3m
Sucuri says: infected
see screenshot
Malware info: http://sucuri.net/malware/malware-entry-mwjsdepack
Description:Encoded javascript using a packer by Dean Edwards. This packer can be used on legitimate applications, but is often deployed by attackers to hide their scripts.
Wepawet
-http://wepawet.iseclab.org/view.php?hash=3c8edf5696bb22b85178531bc6c75a54&t=1324591024&type=js
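The Sucuri entry above flags the fancybox file as "encoded javascript using a packer by Dean Edwards". The following is an added example (not Avast, Sucuri or Wepawet output, and not code from qrjuice.com) showing how an analyst recovers the original source of such a `p,a,c,k,e,d` blob statically, without ever calling `eval()`, and then looks for the indicators a hidden-iframe dropper leaves behind. The packed sample at the bottom is constructed for this example; the decoder itself re-implements the packer's public token scheme (base-`radix` indices over the digit alphabet `0-9a-zA-Z`, substituted back for the word list), which is the same thing the `eval(function(p,a,c,k,e,d)...)` wrapper would do at run time.

```javascript
'use strict';
// Static unpacker for Dean Edwards "p,a,c,k,e,d" JavaScript.
// Added example for this thread; not the scanners' own code.
// Packed shape: eval(function(p,a,c,k,e,d){...}('payload',radix,count,'w1|w2|..'.split('|'),0,{}))

const PACKED_HEADER_RE = /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)/;
const PACKED_ARGS_RE =
  /\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:\\.|[^'\\])*)'\s*\.split\(\s*'\|'\s*\)\s*,\s*\d+\s*,\s*\{\s*\}\s*\)\s*\)/;

// Turn the contents of a single-quoted JS string literal back into raw text.
function unescapeJsString(s) {
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', '0': '\0' };
  return s.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[\s\S])/g, (m, e) =>
    e[0] === 'x' || e[0] === 'u'
      ? String.fromCharCode(parseInt(e.slice(1), 16))
      : (e in simple ? simple[e] : e)); // \' \" \\ \/ : just drop the backslash
}

// Re-implementation of the packer's e(): index c written in base `radix`
// with digits 0-9, a-z, A-Z (10 -> 'a', 36 -> 'A' when radix is 62).
function encodeIndex(c, radix) {
  const prefix = c < radix ? '' : encodeIndex(Math.floor(c / radix), radix);
  const digit = c % radix;
  return prefix + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Decode one layer. Returns null when `src` is not a p,a,c,k,e,d blob.
function unpackOnce(src) {
  if (!PACKED_HEADER_RE.test(src)) return null;
  const m = PACKED_ARGS_RE.exec(src);
  if (!m) return null;
  const payload = unescapeJsString(m[1]);
  const radix = parseInt(m[2], 10);
  const count = parseInt(m[3], 10);
  const words = unescapeJsString(m[4]).split('|');
  // Same dictionary the packer builds: token -> original word. An empty
  // word-list entry means the word was already identical to its token.
  const dict = Object.create(null);
  for (let c = 0; c < count; c++) {
    const token = encodeIndex(c, radix);
    dict[token] = words[c] || token;
  }
  return payload.replace(/\b\w+\b/g, (w) => (w in dict ? dict[w] : w));
}

// Peel nested layers until nothing packed is left (Wepawet's "decodingLevel").
function unpackAll(src, maxLayers = 10) {
  let code = src;
  let layers = 0;
  while (layers < maxLayers) {
    const next = unpackOnce(code);
    if (next === null) break;
    code = next;
    layers++;
  }
  return { layers, code };
}

// Triage indicators a reviewer looks for in the decoded layer.
const INDICATORS = [
  /document\.write/i, /\biframe\b/i, /\bunescape\s*\(/i, /fromCharCode/i,
  /\beval\s*\(/i, /display\s*[:=]\s*['"]?none/i, /\.src\s*=\s*['"]https?:/i,
];
function suspiciousIndicators(code) {
  return INDICATORS.filter((re) => re.test(code)).map((re) => re.source);
}

// Constructed sample: a hidden-iframe dropper packed with radix 36 and 15 words.
// example.invalid is a placeholder host, not a real site.
const SAMPLE_PACKED = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1=2.3(\'4\');1.5=\'6://7.8/9\';1.a.b=\'c\';2.d.e(1);',36,15,'var|f|document|createElement|iframe|src|http|example|invalid|x|style|display|none|body|appendChild'.split('|'),0,{}))`;

const result = unpackAll(SAMPLE_PACKED);
console.log(`decodingLevel=${result.layers}\n${result.code}`);
console.log('indicators:', suspiciousIndicators(result.code));
```

Run it with `node unpack.js`: the sample decodes in one layer to a script that creates an `iframe`, points its `src` at a remote host and hides it with `display='none'`, and all three show up in the indicator list. That is the check to run on the real file: a legitimately packed library such as fancybox decodes to ordinary jQuery plugin code, whereas an injected blob decodes to a dropper like this. The packer is also used for benign minification, so the packing alone is not evidence, which is exactly why the scanners disagree above.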
-
Hi Pondus,
You should put a - in front of -http://wepawet.iseclab.org/view.php?hash=3c8edf5696bb22b85178531bc6c75a54&t=1324591024&type=js
because our unaware users with the avast shields up get an alert on the malcode, namely for
JS:ScriptSH-inf[Trj]
suspicious =
-qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/jquery.fancybox-1.3.4.pack.js?ver=1.3.4 suspicious
[suspicious:2] (ipaddr:216.172.185.51) (script) -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/jquery.fancybox-1.3.4.pack.js?ver=1.3.4
status: (referer=-qrjuice.com/)saved 15624 bytes caeb31e930068ce5820b239d44d8415f95957138
info: [embed] -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/
info: [iframe] -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable Image
error: line:22: TypeError: Image is not a constructor
suspicious incomplete....
polonus
-
Thank you for that swift reply.
Apologies for my late reply, I didn't see an alert that someone had responded already.
I'll upload a screen within the day.
thanks
-
The site in question is owned by me. QrJuice.com.
Whilst most of this conversation has gone completely over my head, I can tell you the malware has been removed.
-
Hi, site owner,
Your site may be clean(sed) now, but there is still an alert that your WordPress version is outdated, according to Sucuri's scan. WordPress internal path: /home/qrjuice/public_html/wp-content/themes/Polished/index.php
That means you could be re-infected. Another recommendation is for the web server: that server gives away the full version number of the server software. This should be avoided, so would-be hackers would not know what exploits would work against it. It is a bit like in Little Red Riding Hood's fairy tale: just pull the cord hanging out of the door and you can come in... and then they could.
Stay safe and secure is the wish of,
polonus
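The two points in the reply above (outdated WordPress, server banner disclosing the full version) map onto concrete settings. The fragment below is an added example, not configuration from qrjuice.com or from the thread; it assumes an Apache httpd front end, which the thread does not state.

```apache
# Apache httpd: stop announcing the full version in the Server header and in
# server-generated error pages. "Prod" still reveals "Apache", just not the
# version or module list that a scanner matches exploits against.
ServerTokens Prod
ServerSignature Off
```

The nginx equivalent is `server_tokens off;` in the `http` block. WordPress additionally prints its version in a `<meta name="generator">` tag, which a theme's `functions.php` can suppress with `remove_action('wp_head', 'wp_generator');`. None of this replaces the actual fix: hiding the banner only removes an easy fingerprint, while keeping WordPress, the theme (here `Polished`) and plugins updated is what prevents the reinfection polonus warns about.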