Author Topic: Site blocked - MAL:Url - but can't find any infection  (Read 15276 times)


DavidR
« Reply #15 on: July 15, 2013, 03:31:44 PM »
Having switched host, it may take a little time before all DNS servers reflect your new IP address - Strange that it is still present on a .php file that you can't find. I would check your php templates and see if there isn't something in there inserting and running the q.php file on page creation.

I visited the site and got a network shield alert, but if I disable the network shield I get an alert on the home page, so there is something present and not just a block on IP address. No reference to the file you mentioned.

I captured and uploaded the element that avast was alerting on to virustotal, VT Results, only avast alerting. But it is a script injection it shows and I can't see any script tags on that page which appear to be pointing at malicious sites or calling a .php page.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
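DavidR's suggestion is to go through the PHP templates for whatever is pulling q.php in at page-creation time. The following is an added example, not code from this thread or from the site's owner, of how a practitioner would do that sweep over a WordPress tree: it greps for an include of q.php, PHP dropped under uploads/, and the usual eval/base64_decode and preg_replace /e loaders. The file names and contents in SAMPLES are constructed for the demonstration; the rules are loose on purpose and produce a list of files to read by hand, not a verdict.

```python
"""
Hunt through a WordPress tree for the kind of planted code DavidR
suggests checking the PHP templates for: an include of a stray q.php,
a PHP file dropped under uploads/, or a payload hidden behind
eval(base64_decode(...)). Added example, not code from the thread; the
file names and contents in SAMPLES are constructed for the demo.
"""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass

# Heuristics, as (name, regex). Deliberately loose: the output is a
# short list of files to open by hand, not a verdict. Legitimate themes
# do load scripts from CDNs, so "remote-script-tag" needs a glance too.
RULES = [
    ("include-of-q.php",
     re.compile(r"\b(include|include_once|require|require_once)\b[^;]*\bq\.php\b", re.I)),
    ("eval-of-decoded-blob",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval-of-request-data",
     re.compile(r"\beval\s*\([^)]*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace-e-modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("long-opaque-literal", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
    ("remote-script-tag", re.compile(r"<script[^>]+src\s*=\s*['\"]https?://", re.I)),
]


@dataclass
class Finding:
    path: str
    line: int      # 0 means the finding is about the file itself
    rule: str
    snippet: str


def scan_file(path):
    """Return a Finding for every line that trips one of RULES."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, rx in RULES:
                if rx.search(line):
                    findings.append(Finding(path, lineno, name, line.strip()[:120]))
    return findings


def scan_tree(root, exts=(".php", ".js", ".html")):
    """Walk a site root and collect findings, sorted by file and line."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = set(os.path.normpath(dirpath).split(os.sep))
        for fn in files:
            path = os.path.join(dirpath, fn)
            low = fn.lower()
            # PHP has no business under wp-content/uploads; droppers are
            # routinely parked there because the directory is writable.
            if low.endswith(".php") and "uploads" in parts:
                findings.append(Finding(path, 0, "php-under-uploads", fn))
            if low.endswith(exts):
                findings.extend(scan_file(path))
    return sorted(findings, key=lambda f: (f.path, f.line))


# Constructed sample tree: one clean file, one include of q.php in a
# theme template, one eval/base64 loader, one PHP file under uploads.
SAMPLES = {
    "wp-content/themes/mystile/functions.php": "<?php\nadd_action('init', 'mystile_setup');\n",
    "wp-content/themes/mystile/header.php": "<?php get_header(); ?>\n<?php include('q.php'); ?>\n",
    "wp-content/plugins/stats/loader.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n",
    "wp-content/uploads/2013/07/q.php": "<?php echo 1; ?>\n",
}


def demo():
    """Build the sample tree in a temp dir, scan it, return (path, line, rule)."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    try:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.relpath(f.path, root).replace(os.sep, "/"), f.line, f.rule)
                for f in scan_tree(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, line, rule in demo():
        print(f"{path}:{line}: {rule}")
```

Run it against the real document root rather than the sample tree by calling scan_tree("/path/to/wordpress"). The clean functions.php produces nothing, which is the point: three of the four constructed files come back, each with the line to open. Remember that a scan of the files on disk only helps if the injection lives in a file; if the page is clean on disk but dirty when served, the next place to look is the database (wp_options and wp_posts) and the web server configuration.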

polonus
« Reply #16 on: July 15, 2013, 03:55:28 PM »
Hi nicholosophy,

This should not appear in your code:  - wp-admin/admin-ajax.php?action=wordfence_logHuman&hid=EB7BA865DC8DC9C09DCEB364AE8F48F1
You may want to create a robots.txt file that blocks access to /wp-admin/ so Google doesn't index these and other internal URLs.

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

nicholosophy (Guest)
« Reply #17 on: July 16, 2013, 03:09:19 AM »
Thanks. robots.txt added.

Feel like I'm hitting my head against a wall. If anyone else spots anything I'll do whatever I need to do to clean the site/server.

Last thing I want is an infected server or site.

jefferson sant

nicholosophy (Guest)
« Reply #19 on: July 16, 2013, 03:47:11 AM »
Site is listed as suspicious by mcafee

http://www.siteadvisor.com/sites/fancyladyindustries.com

Blackhole Exploit Kit

http://www.avgthreatlabs.com/website-safety-reports/domain/fancyladyindustries.com/

Thanks. Asked Mcafee to review and avg says it is clean now but wasn't 16 days ago. So that's something...

polonus
« Reply #20 on: July 16, 2013, 01:47:54 PM »
Site has been unblocked by avast I assume, because I do not see any alerts now.

polonus

nicholosophy (Guest)
« Reply #21 on: July 16, 2013, 01:52:57 PM »
Site has been unblocked by avast I assume, because I do not see any alerts now.

polonus

Can I ask what version db update you have? I'm still getting alerts with 130716-0

polonus
« Reply #22 on: July 16, 2013, 02:04:36 PM »
Same, you are right it is still being blocked...

polonus

!Donovan (Web Analyst)
« Reply #23 on: July 16, 2013, 05:12:46 PM »
Has anything been done to solve the issue with q.php?
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

nicholosophy (Guest)
« Reply #24 on: July 16, 2013, 05:51:03 PM »
Has anything been done to solve the issue with q.php?

I've replaced core, theme and plugin files with fresh downloaded versions; scanned the site with clamav, maldet, wordfence and others; moved from shared server to one I control and locked down the firewall; checked the database for suspicious code.

If there is malware on the site, I don't know of it and I'm happy to be pointed to it. And if there is something, some tips on how to clean it up would be useful too.

The thing now is that since the server is blacklisted, not just the domain, clean-mx lists another domain as infected. I've taken the same steps as noted above for that site so it should be clean as well.

It's frustrating because I want it clean and I want it secure. I appreciate the advice I've been given so far.
« Last Edit: July 16, 2013, 05:53:12 PM by nicholosophy »

DavidR
« Reply #25 on: July 16, 2013, 06:28:02 PM »
Have you checked all of the script tags, as I still get an alert by the web shield (if the network shield is disabled) and it is the same alert HTML:Script-inf which is a suspect script, that avast thinks was injected.
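DavidR's advice here is to check every script tag on the served page, since the Web Shield's HTML:Script-inf verdict is about what the browser receives, not about what sits on disk. The following is an added example, not code from this thread or from the site's owner, of that audit: it parses the served HTML and lists every off-site script source, every inline script that looks like a decoder stub (eval(unescape(...)), long String.fromCharCode chains, document.write of escaped bytes), and every hidden or 1x1 iframe. SAMPLE_PAGE is constructed, and www.example.com and bad.example are placeholder hosts; the CDN jQuery is included deliberately, because it shows up in the output too and has to be ruled out by eye.

```python
"""
List what a served page actually loads, which is what DavidR's "check
all of the script tags" comes down to: every off-site <script src>,
every inline script that looks like a decoder stub, and every hidden
or 1x1 <iframe>. Added example, not code from the thread; SAMPLE_PAGE
is constructed and the host names in it are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers typical of injected inline loaders, as (name, regex). A hit
# means "read this by hand"; plenty of legitimate minified code trips
# a loose pattern.
INLINE_MARKERS = [
    ("eval-of-decoded-string",
     re.compile(r"\beval\s*\(\s*(unescape|atob|decodeURIComponent)\s*\(")),
    ("fromCharCode-chain",
     re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}")),
    ("document.write-with-escapes",
     re.compile(r"document\.write\s*\(\s*(?:unescape\s*\()?['\"](?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){4,}")),
]
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class ScriptAuditor(HTMLParser):
    """Collect (line, rule, detail) for scripts and iframes worth a look."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_line = 0
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "script":
            src = a.get("src")
            if src:
                host = urlparse(src).hostname   # handles // and https:// forms
                if host and host.lower() != self.site_host:
                    self.findings.append((line, "external-script", src))
            else:
                self._in_script, self._script_line, self._buf = True, line, []
        elif tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style") or ""):
                self.findings.append((line, "hidden-iframe", a.get("src") or ""))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf)
            for name, rx in INLINE_MARKERS:
                if rx.search(body):
                    self.findings.append((self._script_line, name, body.strip()[:60]))
            self._in_script = False


def audit_page(html, site_host):
    """Parse served HTML and return the auditor's findings in page order."""
    p = ScriptAuditor(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed page: a CDN jQuery (expected, but still off-site), the
# theme's own script, a benign inline block, then two injected elements.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="/wp-content/themes/mystile/includes/js/third-party.js?ver=3.5.2"></script>
<script>jQuery(function($){ $('.menu').show(); });</script>
</head><body>
<p>Hello</p>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
<iframe src="http://bad.example/q.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""


def demo():
    """Audit SAMPLE_PAGE as if served from www.example.com; return (line, rule)."""
    return [(line, rule) for line, rule, _ in audit_page(SAMPLE_PAGE, "www.example.com")]


if __name__ == "__main__":
    for line, rule, detail in audit_page(SAMPLE_PAGE, "www.example.com"):
        print(f"line {line}: {rule}: {detail}")
```

Feed audit_page() the body fetched with the same User-Agent and referer a browser would send, since conditional injections often only appear for visitors arriving from a search engine or for particular browsers; a fetch from the server itself can come back clean while the page the Web Shield sees is not.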

polonus
« Reply #26 on: July 16, 2013, 06:49:36 PM »
See here: IP block for 176.31.248.63, e.g. http://www.urlvoid.com/ip/176.31.248.63. On that IP:
australianfatshion dot com
Even this is flagged by avast! Web Shield: http://global.sitesafety.trendmicro.com/result.php for australianfatshion dot com
as infected by JS:ScriptIP-Inf[Trj]
JS:ScriptIP-Inf is through web server infection. It exploits security faults on target host and installs the harmful script. It is designed to run automatically once it senses a visitor and instantly infects the Internet browser. There are no reports however that JS:ScriptIP-Inf can spread on local and network computers.
This scan of your site is clean: http://evuln.com/tools/malware-scanner/www.fancyladyindustries.com/rescan/
This is a code hiccup I see with jsunpack:
wXw.fancyladyindustries.com/wp-content/themes/mystile/includes/js/third-party.js?ver=3.5.2 benign
[nothing detected] (script) wXw.fancyladyindustries.com/wp-content/themes/mystile/includes/js/third-party.js?ver=3.5.2
     status: (referer=wXw.fancyladyindustries.com/)saved 4392 bytes 63a630d7b1f2453844862334ebfd23797273bbcf
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable a.fn
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var a.fn = 1;
          error: line:1: ....^
     suspicious:

polonus
« Last Edit: July 16, 2013, 07:11:28 PM by polonus »

nicholosophy (Guest)
« Reply #27 on: July 17, 2013, 12:01:49 AM »
Even this is flagged by avast! Web Shield: http://global.sitesafety.trendmicro.com/result.php for australianfatshion dot com
as infected by JS:ScriptIP-Inf[Trj]
JS:ScriptIP-Inf is through web server infection. It exploits security faults on target host and installs the harmful script. It is designed to run automatically once it senses a visitor and instantly infects the Internet browser. There are no reports however that JS:ScriptIP-Inf can spread on local and network computers.

Not sure how the fact that trendmicro's site comes up as infected is relevant. When I disable the network scan and use only web scan I get the URL:Mal on all sites on the server, so I'm guessing IP block.

Also scanned the other site and it is clean:

http://evuln.com/tools/malware-scanner/www.australianfatshion.com/rescan/