Author Topic: Site blocked - MAL:Url - but can't find any infection  (Read 15277 times)


nicholosophy

  • Guest
Site blocked - MAL:Url - but can't find any infection
« on: July 11, 2013, 12:11:37 AM »
Hi guys,

Currently getting MAL:Url on www.fancyladyindustries.com but I can't seem to find the infection.

http://sitecheck.sucuri.net/scanner/?scan=www.fancyladyindustries.com comes up clean.

http://www.UnmaskParasites.com/security-report/?page=www.fancyladyindustries.com suggests it is clean too.

If anyone has any idea what might be triggering it would appreciate some pointers.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37556
  • Not a avast user
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #1 on: July 11, 2013, 12:54:48 AM »
URL:Mal means it is on a blacklist for whatever reason... it does not have to be infected.

virustotal URL scan
https://www.virustotal.com/nb/url/43c7586efdca0494be6e58f9a699ee9152096b4d8da5b4b700a1c443bd6d95f4/analysis/


Check here: http://urlquery.net/report.php?id=3657401 (recent reports on the same IP/ASN/domain)

like this one: http://urlquery.net/report.php?id=3605430 (the Suricata and Snort filters report a Blackhole exploit kit landing page)
« Last Edit: July 11, 2013, 01:16:33 AM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37556
  • Not a avast user
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #2 on: July 11, 2013, 01:02:53 AM »
If you think the blocking is wrong, report it here: http://www.avast.com/contact-form.php
You may add a link to this topic in case they reply here.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #3 on: July 12, 2013, 12:30:05 AM »
WP software not consistent Wordpress Version 3.5 based on: htxp://www.fancyladyindustries.com//wp-admin/js/common.js
Suspicious scan here: http://zulu.zscaler.com/submission/show/381584d58224a330135fb5a14d87fa7b-1373580116
iFrame malcode, see: http://jsunpack.jeek.org/?report=7fdbaa85885f9d44e1f2e44ed04903e84c9570c4
(view link with NoScript enabled and in a VM/sandbox - for security researchers only)
Some website security recommendations
-> The common website insecurities (please report to your site admin or hoster): https://asafaweb.com/Scan?Url=http://www.fancyladyindustries.com

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #4 on: July 12, 2013, 01:06:09 AM »
Oh and from the iFrame there is this vuln found: http://bugs.jqueryui.com/ticket/6016  (hope the plug-in version does not have that)
-> https://account.optionsxpress.com/inc/js/plugins/jquery.blockUI.js
Some example -
Summary
Severity:      Information
Confidence:      Certain
Host:      https://account.optionsxpress.com
Path:      /inc/js/plugins/jquery.blockUI.js
Issue detail
The following cookies were issued by the application and do not have the secure flag set:

    * TLTHID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
    * TLTSID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

polonus

nicholosophy

  • Guest
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #5 on: July 14, 2013, 08:49:46 AM »
WP software not consistent Wordpress Version 3.5 based on: htxp://www.fancyladyindustries.com//wp-admin/js/common.js
I visually checked the version on the site and the version in the latest.zip downloaded from wordpress.org. Identical files.

Suspicious scan here: http://zulu.zscaler.com/submission/show/381584d58224a330135fb5a14d87fa7b-1373580116

It seems where I buy my server from is considered risky. But if the site is clean is that a reason to be blacklisted?

iFrame malcode, see: http://jsunpack.jeek.org/?report=7fdbaa85885f9d44e1f2e44ed04903e84c9570c4
(view link with NoScript enabled and in a VM/sandbox - for security researchers only)

The iframe is part of the jquery.blockui code base. I don't see how that is an exploit.


Some website security recommendations
-> The common website insecurities (please report to your site admin or hoster): https://asafaweb.com/Scan?Url=http://www.fancyladyindustries.com

polonus

Oh and from the iFrame there is this vuln found: http://bugs.jqueryui.com/ticket/6016  (hope the plug-in version does not have that)
-> https://account.optionsxpress.com/inc/js/plugins/jquery.blockUI.js
Some example -
Summary
Severity:      Information
Confidence:      Certain
Host:      https://account.optionsxpress.com
Path:      /inc/js/plugins/jquery.blockUI.js
Issue detail
The following cookies were issued by the application and do not have the secure flag set:

    * TLTHID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
    * TLTSID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

polonus

I'm not even sure what this has to do with my site
« Last Edit: July 14, 2013, 08:51:45 AM by nicholosophy »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #6 on: July 14, 2013, 02:53:26 PM »
I can well imagine that you cannot imagine what that all has to do with your site. It is with your hoster, where they did sloppy IT management.
That server has serious security issues to be abused by attackers. You have to take this issue up with them.
By the way burleigh dot ohbees dot com dot au is also being blocked by avast webshield as URL:Mal... web shell vulnerability... >
http://www.w3bsecurity.com/warning-wordpress-plugins-vulnerability-list-from-2004-to-2013/
 
polonus
« Last Edit: July 14, 2013, 03:01:44 PM by polonus »

nicholosophy

  • Guest
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #7 on: July 14, 2013, 03:31:48 PM »

Is there a simple way to scan which plugins may be an issue? Perhaps something I can run server side?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #8 on: July 14, 2013, 05:37:15 PM »
You could do a scan with this: http://wordpress.org/plugins/exploit-scanner/ (download from: http://downloads.wordpress.org/plugin/exploit-scanner.1.3.3.zip)
Check also on the server: open mysql - MySQL (unauthorized)

Server should be hardened not to be so loud with header info (attackers get far too much info that way):

  1. Server: Apache/2.2.22 (@RELEASE@)
  2. X-Powered-By: PHP/5.3.3

It looks like 2 cookies are being set without the "HttpOnly" flag being set (name : value):

  1. woocommerce_items_in_cart : 0
  2. woocommerce_cart_hash : 0

How to do this you could read here: http://www.shanison.com/2012/07/05/unset-apache-response-header-protect-your-server-information/
(linked article from Shanison, software engineer...)

polonus

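A small header audit in the spirit of the checks quoted in the posts above (version-bearing Server/X-Powered-By banners, cookies set without HttpOnly, and cookies without the Secure flag from the earlier blockUI report), written as an added example; it is not from the thread or from any tool it links. The sample response is constructed and only reuses the banner strings and cookie names quoted in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response (not captured from the site in the thread);
# it reproduces the banner and cookie issues the post lists.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (@RELEASE@)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: woocommerce_items_in_cart=0; Path=/\r\n"
    "Set-Cookie: woocommerce_cart_hash=0; Path=/\r\n"
    "Set-Cookie: example_session=abc; Path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n\r\n"
)

VERSION_RE = re.compile(r"\d+\.\d+")  # any "major.minor" fragment in a banner


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block, keeping repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw: str) -> Dict[str, List[str]]:
    """Flag banner leaks and missing cookie attributes, keyed by finding type."""
    findings: Dict[str, List[str]] = {"banner": [], "no_httponly": [], "no_secure": []}
    for name, value in parse_headers(raw):
        if name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings["banner"].append(f"{name}: {value}")
        elif name == "set-cookie":
            cookie = value.split(";", 1)[0].split("=", 1)[0]
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings["no_httponly"].append(cookie)
            if "secure" not in attrs:
                findings["no_secure"].append(cookie)
    return findings


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_RESPONSE).items():
        print(kind, items)
```

Cookies that client-side script must read (the cart cookies mentioned later in the thread) cannot carry HttpOnly, so treat that finding as informational for them; Secure still applies once the site is served over HTTPS.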

nicholosophy

  • Guest
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #9 on: July 14, 2013, 05:44:37 PM »

Thanks. I ended up using wordfence (http://wordpress.org/plugins/wordfence/) and found something on one of the sites. *doh*
Just sorted out the firewall so the only things externally available are http, dns, mail and ssh. I'll look at the http headers now. Can't change the cookies though, as they are used to store cart information used by jscript - at least that is my understanding.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #10 on: July 14, 2013, 05:47:44 PM »
Hi nicholosophy,

But after cleansing, you also have to deal with the blacklisting,

polonus

nicholosophy

  • Guest
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #11 on: July 14, 2013, 05:48:31 PM »

Indeed. Where do I start? CLEAN MX for starters I guess...

nicholosophy

  • Guest
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #12 on: July 15, 2013, 06:36:30 AM »
Just a note that the offending site (definatalie dot com) and associated server (burleigh dot ohbees dot com dot au) are still blacklisted in avast. Sadly this sees me re-added to the CLEAN-MX list. (https://www.virustotal.com/en-gb/file/88aee051c595ee99cb146f88b2c32578f2aa04691865badec5821dec361c4c85/analysis/)

Scanned with maldet and clamscan this morning and both report that it is clean. Also clean at http://www.unmaskparasites.com/security-report/?page=www.definatalie.com and http://sitecheck.sucuri.net/scanner/?scan=www.definatalie.com

http://zulu.zscaler.com/submission/show/c74a308349cec9304f3b9996226bb454-1373862802

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #13 on: July 15, 2013, 02:12:21 PM »
You could always ask avast to make an exclusion for your domain on that IP.
Contact virus AT avast dot com.
Because this is the domain that is causing all the trouble for you with its Blackhole exploit kit landing page...
-> http://urlquery.net/report.php?id=3605430
You should report this to the folks at WebNX, Inc., so they can close that malware or take care it is cleansed and dead!
Point this thread here out to them - their server was hacked via SQL...
This domain, similar infection: http://urlquery.net/report.php?id=3392176
So these domains on that IP you share were infested with Blackhole!
And they are flagged by avast for going here: htxp://areacner.immaculateconception.com.au/  avast! Web Shield URL:Mal alert
And that malware is long, long overdue! over 599.8 hours! -> http://support.clean-mx.de/clean-mx/viruses?id=12230378
How and why the infection, see: http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fservisracunalnikov.com%2F
see also: http://urlquery.net/queued.php?id=33569484 - seems cleansed now!
also flagged by avast = htxp://www.servisracunalnikov.com/wp-includes/js/hoverIntent.min.js?ver=r6 (see safe virusviewer report)

polonus

nicholosophy

  • Guest
Re: Site blocked - MAL:Url - but can't find any infection
« Reply #14 on: July 15, 2013, 02:49:40 PM »
I gave up on my host and moved to a dedicated server, so I'm not associated with that infected machine any more. Funny because it was my host who alerted me to being infected in the first place but keeps telling me those other sites have nothing to do with it. Which you and I both know isn't true.

Right now avast have told me that fancyladyindustries.com is infected at /54a8c1fbdabde31d03dcb1c4ea249031/54a8c1fbdabde31d03dcb1c4ea249031/q.php?jnlp=3de182668d but I can't see it, so I'm hoping that's an old hit.