Author Topic: Web Shield says our website is malicious, but it's not!!!  (Read 4822 times)

kiernan7

  • Guest
Web Shield says our website is malicious, but it's not!!!
« on: April 04, 2014, 01:20:51 AM »
My Avast Web Shield says all of the sub-domains that are part of our main website are hacked.

They are not!!!  I checked with Google Webmaster Tools and it tells me the entire website is fine.

We DID get hacked a while ago, but things have been okay for a while. How do we get off Avast's s**t list?

Thanks in advance!

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6700
  • Trust only what you test yourself!
Re: Web Shield says our website is malicious, but it's not!!!
« Reply #1 on: April 04, 2014, 02:47:43 AM »
What is your website? Make it a dead link by using "htxp" or "hxxp".
What is your website IP?

Our website analysts use various scanners to determine a website's safety/security.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Web Shield says our website is malicious, but it's not!!!
« Reply #2 on: April 04, 2014, 07:13:59 AM »
Quote
how do we get off Avast's s**t list?
Unless you tell us what URL it is..... Avast don't know what URL to take off the list   ;)


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Web Shield says our website is malicious, but it's not!!!
« Reply #3 on: April 04, 2014, 08:24:52 AM »
His second post here.
Again using bad language.
And he never responded to his previous post.
If he is the admin/webmaster, he should change his attitude imho.

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6700
  • Trust only what you test yourself!
Re: Web Shield says our website is malicious, but it's not!!!
« Reply #4 on: April 04, 2014, 03:50:03 PM »
I made my post yesterday evening giving the OP plenty of time to respond. I did so knowing that there
are plenty of forum members able to run the many tests to check his website. Instead of getting his
issue cleared up he wanted to rant. Personally I wanted to do some website analysis for my own
curiosity.

kiernan7

  • Guest
Re: Web Shield says our website is malicious, but it's not!!!
« Reply #5 on: April 04, 2014, 07:05:51 PM »
Okay guys... in reading your posts I realized one important thing:

I AM A MORON (for not including the URL).

Here are a few of the sub-domains:
http://triadig.oagroups.org/
http://elpaso.oagroups.org/
http://oabronx.oagroups.org/

Thanks in advance!

AdrianH

  • Guest
Re: Web Shield says our website is malicious, but it's not!!!
« Reply #6 on: April 04, 2014, 07:14:07 PM »
There is your answer http://sitecheck2.sucuri.net/results/triadig.oagroups.org

infected with malware.

Polonus will be along later, he is the man you need to check this for you.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Web Shield says our website is malicious, but it's not!!!
« Reply #7 on: April 04, 2014, 07:41:23 PM »
There is an issue here: http://dnscheck.pingdom.com/?domain=triadig.oagroups.org%2F&timestamp=1396631371&view=1

Potential suspicious file flagged by Quttera's: /wp-content/plugins/fckeditor-for-wordpress-plugin/ckeditor/ckeditor.js?ver=3.5.1
Severity:    Potentially Suspicious
Reason:    Detected procedure that is commonly used in suspicious activity.
Details:   Too low entropy detected in string [['<a id="cke_elementspath_undefined_18446744073709551615" href="javascript:void(\'_cke_real_element_ty']] of length 177590 which may point to obfuscation or shellcode. *
Threat dump:   View code - http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Felpaso.oagroups.org%2F&useragent=Fetch+useragent&accept_encoding=
Threat dump MD5:    CA7EA1A52E036B0B7E65C3D630548131
File size[byte]:    268039
File type:    ASCII
MD5:    0EB8C0D4FF340B1BDD7FA209D6121A05
Scan duration[sec]:    73.920000

Malicious script detected: htxp://abtt.tv/modules/mod_servises/ua.js   script   Malicious - cannot connect  Can't fetch file pointed by your url.
-> http://sucuri.net/malware/malware-entry-mwblacklisted35
avast flags JS:Includer-ANC[Trj]  on site * -> http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Felpaso.oagroups.org%2F

Reason for infection: outdated CMS, that is outdated - WordPress version: WordPress 3.5.1
Wordpress version from source: 3.5.1
Wordpress Version 3.5 based on: htxp://elpaso.oagroups.org//wp-admin/js/common.js
WordPress theme: htxp://elpaso.oagroups.org/wp-content/themes/twentyten/
WordPress version outdated: Upgrade required.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
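
The two findings in the reply above (a script included from a foreign host, and an outdated WordPress version exposed in the page source) can be checked directly against a saved copy of a page. This is an added example, not part of the original post or of any scanner named in it; the hostnames `site.example` and `injected.example` and the sample HTML are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageAudit(HTMLParser):
    """Collect script sources and the WordPress generator version from one page."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.versions = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "meta" and (a.get("name") or "").lower() == "generator":
            m = re.search(r"WordPress\s+([\d.]+)", a.get("content") or "")
            if m:
                self.versions.add(m.group(1))


def audit(html, site_host, allowed_hosts=()):
    """Return (off_site_scripts, wordpress_versions) for one HTML document."""
    parser = PageAudit()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    off_site = []
    for src in parser.script_srcs:
        # Relative URLs have no hostname and therefore belong to the site itself.
        host = (urlparse(src, scheme="http").hostname or site_host).lower()
        if host not in trusted:
            off_site.append(src)
    return off_site, sorted(parser.versions)


# Constructed sample: a WordPress page with one script include appended by an attacker.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>
<script src="http://site.example/wp-content/plugins/editor/editor.js?ver=3.5.1"></script>
</head><body><p>Meeting list</p>
<script src="http://injected.example/modules/mod_x/ua.js"></script>
</body></html>"""

if __name__ == "__main__":
    scripts, versions = audit(SAMPLE_HTML, "site.example")
    print("Off-site scripts:", scripts)
    print("WordPress versions disclosed:", versions)
```

Any host the site owner does not recognise in the first list is where to start looking in the theme and plugin files; hosts that are legitimately used (analytics, CDNs) go in `allowed_hosts`.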


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Web Shield says our website is malicious, but it's not!!!
« Reply #9 on: April 04, 2014, 10:30:06 PM »
Hello,

As Polonus states, there are remains of the hack remaining. For a similar (if not the same) issue, please see: http://stackoverflow.com/questions/16013544/

The "abtt.tv" is supposedly malicious. Do you have any connections with them?

@Para-Noid I recommend direct analysis over "automated scanning". Sure you can use them for guidance, but you should never fully rely on them.

@kiernan7 Sorry for the inconvenience. Just a heads up that you have the right to not post confidential information, e.g. website URLs, on public forums.

Regards,
~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Web Shield says our website is malicious, but it's not!!!
« Reply #11 on: April 04, 2014, 11:59:48 PM »
Would not surprise me if the problem is caused by using the old WordPress version.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Web Shield says our website is malicious, but it's not!!!
« Reply #12 on: April 05, 2014, 12:13:38 AM »
Well Eddy, we could even be somewhat more precise and bet on this WordPress theme - themes/twentyten/ -
and it is truly a good candidate to get us into trouble.
Read how that came backdoored, yep, by the developer I mean: http://wordpress.org/support/topic/security-issue-with-twentyten
So with free themes we have to be extremely cautious what we are actually installing  ::)

polonus
