Author Topic: suspicious warnings  (Read 7219 times)


glennk

  • Guest
suspicious warnings
« on: September 06, 2013, 09:16:16 PM »
Hi guys,

Users of my site have told me that AVAST virus scanner is highlighting a problem with my domain www.whitbyseaanglers.co.uk

The domain houses 2 installations of WordPress and 1 SMF forum at

http://www.whitbyseaanglers.co.uk/

http://www.wcsa.whitbyseaanglers.co.uk/

http://www.whitbyseaanglers.co.uk/forum/index.php

The malware alert says infection URL:mal

This shows for every page on each site across the domain.

Google Webmaster Tools, AVG and Norton do not show any issue. I've run the site through several security scanners and they say it's clean.

Obviously I'm concerned, but I'm wondering if this may be an Avast false positive? I want to investigate, as I don't want to ignore it and have the problem get worse and get delisted by Google, as that will be expensive to me.

Any advice greatly appreciated.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: suspicious warnings
« Reply #1 on: September 06, 2013, 09:42:17 PM »
If you think this is wrong...

You can upload and report the FP to Avast here: http://www.avast.com/contact-form.php
You may add a link to this topic in case they reply here.


glennk

  • Guest
Re: suspicious warnings
« Reply #2 on: September 06, 2013, 09:47:06 PM »
I have no proof either way really, but am concerned. I was inquiring to see if anyone could offer any advice to swing me either way, as I don't want to jump in and spend endless hours on the server and site if it's a false positive, but conversely I don't want to be banned by Google if I ignore the warning.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: suspicious warnings
« Reply #3 on: September 06, 2013, 09:52:01 PM »
URL:mal means it is on a block list ..... for whatever reason

VirusTotal URL scan and urlvoid.com say not listed....




glennk

  • Guest
Re: suspicious warnings
« Reply #4 on: September 06, 2013, 09:57:47 PM »
Sorry for sounding thick, but what does that mean?


glennk

  • Guest
Re: suspicious warnings
« Reply #6 on: September 06, 2013, 10:36:01 PM »
Sorry, does that mean Avast may have it wrong?

glennk

  • Guest
Re: suspicious warnings
« Reply #7 on: September 09, 2013, 01:59:36 AM »
So what happens when you submit a false positive report? I submitted a few days back now and it still appears I'm blacklisted. No other antivirus or search engine, including Google, is blocking my site. Avast is making me lose customers and income.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: suspicious warnings
« Reply #8 on: September 09, 2013, 02:19:42 AM »
They will investigate it. But they are probably getting millions of websites and files to check every day,
so this can take some time.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

glennk

  • Guest
Re: suspicious warnings
« Reply #9 on: September 12, 2013, 01:35:04 PM »
OK guys, here is the current state of play :'(

Avast came back to me and said, quote: "It's detected due to this: whitbyseaanglers.co.uk /wp-includes/wp-mail.php%7c%3e%7bgzip%7d"

So I have checked my files on the server and wp-mail.php is not there. Below are 2 screenshots of what is there.

Could someone please advise on what to do next, as I am losing customers and much-needed income.




Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: suspicious warnings
« Reply #10 on: September 12, 2013, 05:17:43 PM »
I notified polonus about this; he will check this for you.

He is a website analyst from the forum. ;)

glennk

  • Guest
Re: suspicious warnings
« Reply #11 on: September 12, 2013, 06:32:18 PM »
Thank you so much for your help. I'm sure you appreciate that times like this can be rather stressful when your site income depends on all possible customers reaching your site.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: suspicious warnings
« Reply #12 on: September 12, 2013, 09:35:48 PM »
The avast alert was for hxtp://www.whitbyseaanglers.co.uk/wp-includes/wp-mail.php
Code hiccup
ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js?ver=3.6.1 benign
[nothing detected] (script) ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js?ver=3.6.1
     status: (referer=wXw.whitbyseaanglers.co.uk/wp-includes/wp-mail.php)saved 92629 bytes ae49e56999d82802727455f0ba83b63acd90a22b
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     suspicious:
Read how your site might have been infected: http://digwp.com/2009/06/xmlrpc-php-security/
Core code from WP is mostly secure and updated regularly against insecurities and vulnerabilities,
but there are many plug-ins and extensions for WP that are less secure and may be vulnerable.
The xmlrpc-php-security issues should be taken up with your hoster, as these are web server attacks.
See code:
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="htxp://www.whitbyseaanglers.co.uk/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="htxp://www.whitbyseaanglers.co.uk/wp-includes/wlwmanifest.xml" />
There is also an issue with this backlink: https://www.eff.org/https-everywhere/atlas/domains/vimeocdn.com.html
see:
GET /p/flash/moogaloop/5.5.0b29/moogaloop.swf?clip_id=62537288 HTTP/1.1
Host: a.vimeocdn.com
HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

glennk

  • Guest
Re: suspicious warnings
« Reply #13 on: September 12, 2013, 10:37:39 PM »
Sorry, but I am not understanding what you are saying. Are you saying my site IS or IS NOT affected?

Surely the screen dumps above show that the file does not exist?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: suspicious warnings
« Reply #14 on: September 12, 2013, 11:09:29 PM »
Hi glennk,

If you cannot trace this: administrator/plugins/system/pc_includes/ajax_1 2.js%7C%3E%7Bgzip%7D|>{ gzip} then you are not affected by what Avast flags;
otherwise your site was maliciously hacked and infested with an image hack. If you are free of this, you can file an FP report.

polonus
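Reply #9 quotes Avast's detection string and Reply #14 says the site is only clean if the flagged path cannot be traced on the server. The tail %7c%3e%7bgzip%7d is plain percent-encoding for |>{gzip}, which reads as the scanner's note that it ran the content through a gzip filter before scanning (an interpretation of the label, not something the thread states); the file to look for on disk is therefore just wp-includes/wp-mail.php. The script below is an added example written for this thread, not code from Avast, WordPress or any poster: it decodes such a string, drops the filter annotation and a defanged hxtp:// scheme, maps the path onto a local copy of the webroot and, when the operator supplies a known-good SHA-256 for that path, says whether the file still matches it. The demo() function builds a constructed temporary webroot so the whole thing runs offline.

```python
"""Decode an antivirus URL:Mal detection string and check a webroot for
the flagged file.  Added example for this thread; not Avast's, WordPress's
or any poster's own code."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit

# After percent-decoding, scanner annotations read "|>{gzip}": the scanner
# passed the response through that filter before scanning it.  They belong
# to the detection label, not to any filename on the server.
_ANNOTATION = re.compile(r"\|>\s*\{\s*([^}]*?)\s*\}")
# Forum-style defanged schemes such as hxtp://, hxxp://, htxps://.
_DEFANGED_SCHEME = re.compile(r"^h[a-z]{2}(ps?)://", re.IGNORECASE)
# "host /path", where whitespace has crept in at the host/path boundary.
_HOST_THEN_PATH = re.compile(r"^([A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*(/.*)$")


def parse_detection(detection: str) -> dict:
    """Return {'host', 'path', 'filters'} for one detection string."""
    text = unquote(detection.strip())            # %7c%3e%7bgzip%7d -> |>{gzip}
    filters = []
    for name in _ANNOTATION.findall(text):       # keep order, drop repeats
        if name not in filters:
            filters.append(name)
    text = _ANNOTATION.sub("", text).strip()
    text = _DEFANGED_SCHEME.sub(r"htt\1://", text)
    host = None
    if "://" in text:
        parts = urlsplit(text)
        host, path = parts.hostname, parts.path
    else:
        m = _HOST_THEN_PATH.match(text)
        if m:
            host, path = m.group(1), m.group(2)
        else:
            path = text                          # relative path, no host given
    return {"host": host, "path": path, "filters": filters}


def locate_on_disk(webroot, url_path: str) -> Optional[Path]:
    """Map the URL path onto the webroot; None if no such regular file."""
    root = Path(webroot).resolve()
    candidate = (root / url_path.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        return None                              # refuse paths escaping the root
    return candidate if candidate.is_file() else None


def check_detection(detection: str, webroot, known_good: Optional[dict] = None) -> dict:
    """Decode the detection, look for the file, compare against a known-good
    digest (dict of relative path -> sha256 hex) when one is supplied."""
    info = parse_detection(detection)
    found = locate_on_disk(webroot, info["path"])
    report = dict(info, exists=found is not None, sha256=None, verdict=None)
    if found is None:
        report["verdict"] = "file absent"        # nothing at that path to clean
        return report
    digest = hashlib.sha256(found.read_bytes()).hexdigest()
    report["sha256"] = digest
    expected = (known_good or {}).get(info["path"].lstrip("/"))
    if expected is None:
        report["verdict"] = "present, not in known-good list: inspect"
    elif expected == digest:
        report["verdict"] = "present, matches known-good digest"
    else:
        report["verdict"] = "present, DIFFERS from known-good digest: likely modified"
    return report


def demo() -> dict:
    """Run the check against a constructed temporary webroot (sample data)."""
    flagged = "whitbyseaanglers.co.uk /wp-includes/wp-mail.php%7c%3e%7bgzip%7d"
    sample = b"<?php // constructed sample file, not WordPress code\n"
    good = hashlib.sha256(sample).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        absent = check_detection(flagged, tmp)
        target = Path(tmp) / "wp-includes" / "wp-mail.php"
        target.parent.mkdir(parents=True)
        target.write_bytes(sample)
        matches = check_detection(flagged, tmp, {"wp-includes/wp-mail.php": good})
        differs = check_detection(flagged, tmp, {"wp-includes/wp-mail.php": "0" * 64})
        escaped = locate_on_disk(tmp, "/../../etc/passwd")
    return {"absent": absent, "matches": matches, "differs": differs,
            "escape_blocked": escaped is None}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run it against the real site by calling check_detection with the string Avast returned and the path of a fresh copy of the webroot taken over SFTP; a "file absent" verdict is the situation glennk describes, while "present, DIFFERS" on a core file is the case worth escalating to the host. Known-good digests are whatever the operator computes from a clean WordPress download of the same version; the script does not ship any.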