Author Topic: why is my web page banned by your antivirus?  (Read 4231 times)


FluffyDog

  • Guest
why is my web page banned by your antivirus?
« on: June 28, 2013, 04:12:31 PM »
My website, for which I wrote 100% of the lines of code myself, meaning I didn't use a single plug-in, not Dreamweaver, not anything (I wrote all the code), is not accessible for some of my users because your antivirus is not letting them in.

I use the standard HTML5, CSS3, JavaScript, PHP, MySQL and Ajax. Nothing really rare as far as I know.

There is a zero chance that I put any malicious software there, but regardless, I have no way to know what it is that your antivirus is finding hazardous there, please tell me so I can try to fix it. Please email me the answer, I am not sure if I'll be able to come back here.

Sorry for putting my question here, it probably is not the right forum, but I am not an avast user so those commercial names mean nothing to me.

my website: www.bridgegod.com
« Last Edit: June 28, 2013, 04:15:58 PM by FluffyDog »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: why is my web page banned by your antivirus?
« Reply #1 on: June 28, 2013, 04:15:33 PM »
Well, malicious iframe redirection detected: http://urlquery.net/report.php?id=3379689
See the yellow-colored JavaScript there.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

FluffyDog

  • Guest
Re: why is my web page banned by your antivirus?
« Reply #2 on: June 28, 2013, 04:18:53 PM »
Thanks for the quick answer, looking forward to it.

FluffyDog

  • Guest
Re: why is my web page banned by your antivirus?
« Reply #3 on: June 28, 2013, 04:26:27 PM »
I see there is something called tracker.php redirected from a malicious IP.

I downloaded my archives from the server and see no references to that thing, so either my server is injecting it, or something is injecting it while the page is being transferred. Does either of these make sense?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: why is my web page banned by your antivirus?
« Reply #4 on: June 28, 2013, 05:07:30 PM »
Well, PHP, like any content management software, can be vulnerable to exploit if it isn't fully up to date. This could be an injection into template pages or into the page when compiled.

If you are responsible for providing the PHP (or other content management) software, then you have to keep it up to date; if it is down to your host provider, they should keep it up to date.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: why is my web page banned by your antivirus?
« Reply #5 on: June 28, 2013, 06:21:36 PM »
Hi DavidR and Fluffydog,

The website software that caused the problem is PleskLin and the 0-day exploit. Read Brian Krebs's story on this attack campaign: http://krebsonsecurity.com/2012/07/plesk-0day-for-sale-as-thousands-of-sites-hacked/
Read here: http://kb.parallels.com/en/113321
This malware from the same IP has been closed in the meantime: http://support.clean-mx.de/clean-mx/viruses?id=12065708

polonus

FluffyDog

  • Guest
Re: why is my web page banned by your antivirus?
« Reply #6 on: June 28, 2013, 06:46:54 PM »
Thanks again guys, my host said they are aware and working, I will send them your links, hopefully it will speed them.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: why is my web page banned by your antivirus?
« Reply #7 on: June 28, 2013, 07:19:22 PM »
The detection is or was with redirection to this Luxembourg tracker: http://urlquery.net/report.php?id=3382870
due to a broad php attack...nx domain -> http://dns.kify.com/dns.php  NXDOMAIN, id: 27526
See also: http://jsunpack.jeek.org/?report=18299d4b952ec0cf55293ef44a4e95d3904eab79
(Open above link with script blocker active and in a VM/sandbox, for advanced users only)

polonus


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: why is my web page banned by your antivirus?
« Reply #8 on: June 28, 2013, 07:34:10 PM »
Thanks again guys, my host said they are aware and working, I will send them your links, hopefully it will speed them.

You're welcome.
Hopefully they will have the exploit closed quickly.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: why is my web page banned by your antivirus?
« Reply #9 on: June 28, 2013, 07:40:47 PM »
Hi DavidR and Fluffydog,

And even when you get a 404 error from the other end, you could still be infected, as instead it contains malicious JavaScript code on the backend to exploit users when the page is loaded. Read about this trick from Ahmad Azziz on his lab69.blog here: http://blog.lab69.com/2013/01/404-and-youve-been-exploited.html,
so always check these redirects by giving them to jsunpack, for instance, or checking via a urlquery dot net scan. Malcreants are devious and, like all devious entities, cannot be trusted....

polonus
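
A check for the situation raised in Replies #3, #4 and #9, added here as an example and not code posted by anyone in the thread: compare the body the server actually sends with the files the author uploaded and list iframe/script loads that exist only in the served copy, whatever the HTTP status. The sample HTML and the hosts `www.example.org` and `malicious.example` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LoadCollector(HTMLParser):
    """Collect every <iframe>/<script> src, noting iframes sized or styled to be invisible."""
    def __init__(self):
        super().__init__()
        self.loads = set()   # entries are (tag, url, hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        if not a.get("src"):
            return
        style = a.get("style", "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)
        self.loads.add((tag, a["src"], hidden))

def external_loads(html, site_host):
    """Return loads whose host differs from site_host (relative URLs count as same-site)."""
    parser = LoadCollector()
    parser.feed(html)
    return {l for l in parser.loads if urlparse(l[1]).hostname not in (None, site_host)}

def injected_loads(source_html, served_html, site_host):
    """External loads present in the served body but absent from the author's source.
    The HTTP status is deliberately not consulted: a 404 body is parsed like any other."""
    return sorted(external_loads(served_html, site_host) - external_loads(source_html, site_host))

# Constructed sample data (hosts are placeholders, not values from the thread).
SOURCE = '<html><body><script src="/js/app.js"></script><h1>Bridge</h1></body></html>'
SERVED = SOURCE.replace("</body>",
    '<iframe src="http://malicious.example/tracker.php" width="1" height="1"></iframe></body>')
NOT_FOUND = '<html><body><h1>404</h1><script src="http://malicious.example/x.js"></script></body></html>'

if __name__ == "__main__":
    for name, body in (("page", SERVED), ("404 body", NOT_FOUND)):
        for tag, url, hidden in injected_loads(SOURCE, body, "www.example.org"):
            print(f"{name}: injected <{tag}> -> {url} hidden={hidden}")
```

An empty result for a page that a scanner still flags suggests the injection is conditional (for example on user agent or referrer), so the served copy should be fetched under the same conditions the scanner used.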

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: why is my web page banned by your antivirus?
« Reply #10 on: July 01, 2013, 03:30:16 PM »
Hacker ninja test results identified a risk with the generic web bot test...

polonus