Topic: Infection:JS:ScriptIP-inf [Trj] - false positive or not?

vitozev

Infection:JS:ScriptIP-inf [Trj] - false positive or not?
« on: August 27, 2012, 02:34:56 PM »
Hello, today my Avast warns me that the following website is infected.

xttp://findealz.com (x = h)

Infection:   JS:ScriptIP-inf [Trj]

I've used some online scanning tools and products, and they tell me that the site isn't infected. No files were modified in the last few days (the site worked perfectly yesterday), so I'm not sure what's going on.

Site is hosted on VPS.

Any ideas?

Regards, Chris

Offline Asyn


Offline Pondus

Re: Infection:JS:ScriptIP-inf [Trj] - false positive or not?
« Reply #2 on: August 27, 2012, 02:55:56 PM »

vitozev

Re: Infection:JS:ScriptIP-inf [Trj] - false positive or not?
« Reply #3 on: August 27, 2012, 04:09:02 PM »
Thanks a lot! Very helpful tools!

Regards, Chris

Offline polonus

Re: Infection:JS:ScriptIP-inf [Trj] - false positive or not?
« Reply #4 on: August 27, 2012, 04:26:47 PM »
Hi Chris,

You certainly have to update the website software. WordPress version: WordPress
Wordpress version from source: 3.4.1
Wordpress Version 3.3 or 3.4 based on: http://wXw.findealz.com//wp-includes/js/autosave.js
WordPress theme: http://wXw.findealz.com/wp-content/themes/couponpress/ (holed->: http://kb.parallels.com/en/113321)
Plesk version 10 outdated: Upgrade required.
Why old Plesk versions pose a risk, read here: http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html  (article author = daniel cid)
"RedKit" exploit kit seems to just use Java/Exploit.CVE-2012-0507
Website contains the malicious code.
2012-08-27 12:16:18   htxp://www.findealz.com/   6A5215709984DFAEFB313F6A20706894   216.224.178.155   US   Trojan.JS.Iframe.BRR
2012-08-27 12:16:17   htxp://www.findealz.com/wp-login.php?redirect_to=hxtp://www.findealz.com/wp-admin/   F6450952C2D40CF1D15FBCC8A713DF20   216.224.178.155   US   Trojan.JS.Iframe.BRR  (avast detects as HTML:RedirME-inf [Trj])

code hiccup here:
(script) wXw.findealz.com/wp-content/themes/couponpress/PPT/js/slide/slider1.js
     status: (referer=wXw.findealz.com/)saved 59779 bytes b73b65121178e7221fbe48c75de4036133e0fd05
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable $.fn
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var $.fn = 1;   problem with the "$" alias?
          error: line:1: ....^
     suspicious:
Third party requests:
#  Name     Target     URL
1  AddThis  Analytics  http://s7.addthis.com/js/250/addthis_widget.js#username=p...
2  AddThis  Analytics  http://ct5.addthis.com/static/r07/core032.js
3  -        ?          http://maps.googleapis.com/maps/api/js?sensor=false
4  -        ?          http://maps.gstatic.com/intl/en_us/mapfiles/api-3/9/13b/m...
5  -        ?          http://google-maps-utility-library-v3.googlecode.com/svn/...
6  AddThis  Analytics  http://ct5.addthis.com/static/r07/sh098.html#iit=13460763...  benign

Here site is given as benign: http://zulu.zscaler.com/submission/show/c3c16791c388850d863b7d810291de58-1346076649
Here also: http://wepawet.cs.ucsb.edu/view.php?hash=d8a8f576e22988b2f37055ee3efcd431&t=1346076687&type=js

If you find your website is clean, file a report to avast.
You can report FP here  http://www.avast.com/en-no/contact-form.php?noStyles

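The two things polonus checks above, the WordPress version exposed by the page and an injected hidden iframe of the Trojan.JS.Iframe / HTML:RedirME kind, can be triaged offline from a saved copy of the page. The script below is an added example written for this thread; it is not code from the forum, from Avast or from any of the scanners linked above. It assumes that the version is exposed through the generator meta tag or the `?ver=` query string on wp-includes scripts, and that an injected frame is hidden via CSS, off-screen positioning or 1x1 sizing and points at a host other than the site's own. The HTML it parses is a constructed sample, not findealz.com.

```python
"""Offline triage of a saved page for injected hidden iframes and exposed CMS version.

Added example (not from the forum thread). Assumptions: an injected iframe is hidden
by CSS (display:none / visibility:hidden), pushed off-screen, or sized 1x1, and loads
a third-party host; the WordPress version shows up in <meta name="generator"> or in
the ?ver= parameter of /wp-includes/ script URLs.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample page: one legitimate same-site frame, two injected hidden frames.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 3.4.1" />
<script src="http://www.example-shop.test/wp-includes/js/autosave.js?ver=3.4.1"></script>
<script src="http://s7.addthis.com/js/250/addthis_widget.js"></script>
</head><body>
<iframe src="http://example-shop.test/embed/deal" width="600" height="400"></iframe>
<iframe src="http://redirect.invalid/in.php" width="1" height="1" style="display:none"></iframe>
<iframe src="http://another.invalid/x.html" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""


class _Collector(HTMLParser):
    """Collects iframe attributes, script sources and the generator meta tag."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self.generator = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _same_site(host, site_host):
    strip = lambda h: h[4:] if h.startswith("www.") else h
    return host == "" or strip(host) == strip(site_host.lower())


def _is_hidden(attrs):
    """Hidden by CSS, by off-screen positioning, or by a 1x1 (or smaller) box."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(left|top):-\d{3,}px", style):
        return True
    try:
        width, height = int(attrs.get("width", "100")), int(attrs.get("height", "100"))
    except ValueError:
        return False
    return width <= 1 or height <= 1


def wordpress_version(collector):
    """Version string from the generator tag, else from ?ver= on a wp-includes script."""
    if collector.generator:
        m = re.search(r"WordPress\s+([\d.]+)", collector.generator)
        if m:
            return m.group(1)
    for src in collector.scripts:
        if "/wp-includes/" in src:
            ver = parse_qs(urlparse(src).query).get("ver")
            if ver:
                return ver[0]
    return None


def is_older(found, reference):
    """True when dotted version `found` is strictly older than `reference`."""
    parse = lambda v: tuple(int(x) for x in v.split("."))
    return parse(found) < parse(reference)


def triage(html, site_host):
    """Return the exposed WordPress version and a list of (finding, iframe src) pairs."""
    c = _Collector()
    c.feed(html)
    findings = []
    for frame in c.iframes:
        src = frame.get("src", "")
        if _same_site(_host(src), site_host):
            continue  # same-site embeds are normal
        kind = "hidden_external_iframe" if _is_hidden(frame) else "external_iframe"
        findings.append((kind, src))
    return {"wordpress_version": wordpress_version(c), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_HTML, "www.example-shop.test")
    print("WordPress version exposed:", report["wordpress_version"])
    for kind, src in report["findings"]:
        print(f"{kind}: {src}")
```

A visible external iframe is reported separately from a hidden one because legitimate embeds exist; only the hidden external frames match the redirect pattern the scanners flagged. Feed the function the page as served to a browser (with a referer set, as the `(referer=...)` line in the scan output hints), since injected code is often only emitted for some visitors.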