Author Topic: Website blocked (Read 4071 times)

REDACTED · « **on:** February 09, 2016, 08:52:45 AM »

Hello,

My website got hacked and avast blocked. What can i do to unblock my website?
http://www.sverigeforaren.se

Pondus · « **Reply #1 on:** February 09, 2016, 08:56:26 AM »

It is infected, see info here >> https://sitecheck.sucuri.net/results/www.sverigeforaren.se

REDACTED · « **Reply #2 on:** February 09, 2016, 08:59:23 AM »

I hired a guy to fix this. He found all the infected files and deleted them. Why is the scan still showing that the site is infected? Can it be a redis/nginx cache problem?

Pondus · « **Reply #3 on:** February 09, 2016, 09:00:35 AM »

i guess some code is still there ... see the report from sucuri posted above

what does the block message from avast say?

contact avast >> https://support.avast.com/support/home >> submit a ticket

Eddy · « **Reply #4 on:** February 09, 2016, 01:34:50 PM »

I wonder why a Swedish site is linking to to a Russian one through links like this :
hxxp://zaymi.org --> 'ð¼ð¸ðºñð¾ð·ð°ð'
That sure does look suspicious to say the least.
http://www.web-malware-removal.com/website-malware-virus-scanner/?url=www.sverigeforaren.se

Blacklisted :
http://multirbl.valli.org/lookup/62.210.127.76.html
http://urlquery.net/report.php?id=1455020540770
http://urlquery.net/report.php?id=1455020846834

Infected with SEO spam :
https://sitecheck.sucuri.net/results/www.sverigeforaren.se

JQuery insecurity (could be the cause of why the infection took place) :
http://retire.insecurity.today/#!/scan/085e2e8f259dc675f92d5477cbcc3f8e0123e1c8c2e52ec06c3e69cbd75c8482

I hope you didn't payed that guy because he did not do a proper job.

REDACTED · « **Reply #5 on:** February 09, 2016, 03:55:29 PM »

Thanks for your reply. I kinda did pay him haha. Well atleast now i know that the website is still infected.
What do you guys think i should do?

Eddy · « **Reply #6 on:** February 09, 2016, 04:08:42 PM »

- Update JQuery
- Remove the links to that Russian site (I guess you didn't placed them on your website)
- Check all pages for code that doesn't belong in them

polonus · « **Reply #7 on:** February 09, 2016, 04:55:00 PM »

Hej Legendaryz,

You could check here and have it analyzed: https://aw-snap.info/file-viewer/
Do a check on these external links:
Please check this list for unknown links on your website:

-http://klatterforum.se/ --> 'klã¤tterforum'
-http://zaymi.org --> 'ð¼ð¸ðºñð¾ð·ð°ð'
-http://zaymi.org --> 'ð¼ð¸ðºñð¾ð·ð°ð'
-http://zaymi.org --> 'ð¼ð¸ðºñð¾ð·ð°ð'
-http://zaymi.org --> 'ð¼ð¸ðºñð¾ð·ð°ð'
-http://zaymi.org --> 'ð¼ð¸ðºñð¾ð·ð°ð'
-http://zaymi.org --> 'ð·ð°ð¹ð¼ñ ð¾ð½�'
-http://zaymi.org --> 'ññð¾ñð½ñðµ �'
-http://zaymi.org --> 'ð·ð°ð¹ð¼ñ ð¾ð½�'
-http://zaymi.org --> 'ññð¾ñð½ñð¹ �'
-http://zaymi.org --> 'ð¼ð¸ðºñð¾ð·ð°ð'
-http://zaymi.org --> 'ð·ð°ð¹ð¼ñ ð½ð° '
-http://zaymi.org --> 'ð¼ð¸ðºñð¾ðºñð'
-http://zaymi.org * --> 'ð¼ð³ð½ð¾ð²ðµð½ð'
* MBAM blocks this * -http://zaymi.org as a hostile malicious domain!!
Could have been an Oman based hacker attack....

See http://fetch.scritch.org/%2Bfetch/?url=+http%3A%2F%2Fwww.sverigeforaren.se&useragent=Fetch+useragent&accept_encoding=

See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.sverigeforaren.se%2F

hxtp://www.sverigeforaren.se
Detected libraries:
jquery-migrate - 1.2.1 : -http://www.sverigeforaren.se/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.3 : (active1) -http://www.sverigeforaren.se/wp-includes/js/jquery/jquery.js?ver=1.11.3
(active) - the library was also found to be active by running code
1 vulnerable library detected

SaferChrome: Insecure login: Password will be transmited in clear to -http://www.sverigeforaren.se/wp-login.php detected (see report) Insecure login (1)
Password will be transmited in clear to -http://www.sverigeforaren.se/wp-login.php
Check your free WordPress plug-ins for latest versions, disable user enumeration and directory listing.

Another insecurity: PHP Version: 5.4.16 (Outdated)

Above cold reconnaissance report for your website comes from:

polonus (volunteer website security analyst and website erro-hunter)

polonus · « **Reply #8 on:** February 10, 2016, 12:36:17 AM »

Just came in results of the SRI Report Scan for http://www.sverigeforaren.se
https://sritest.io/#report/3f671159-878b-478f-8dce-2de61c18f03e

I detected a SRI issue with a script tag:
Tag Result
<script type="text/javascript" src="-http://maps.google.com/maps/api/js?sensor=true&language=en&ver=4.3.1"></script> Missing SRI hash (important detection only for non-dynamic websites)

I hided the results from Statistics,

polonus (volunteer website security analyst and website error-hunter)

REDACTED · « **Reply #9 on:** February 10, 2016, 09:39:54 AM »

I think i got it all fixed. Thanks for your help

Pondus · « **Reply #10 on:** February 10, 2016, 09:48:00 AM »

Sucuri is now all green, Grattis Grabben

REDACTED · « **Reply #11 on:** February 10, 2016, 10:42:48 AM »

Tack!

Author Topic: Website blocked (Read 4071 times)

REDACTED

Website blocked

Pondus

Re: Website blocked

REDACTED

Re: Website blocked

Pondus

Re: Website blocked

Eddy

Re: Website blocked

REDACTED

Re: Website blocked

Eddy

Re: Website blocked

polonus

Re: Website blocked

polonus

Re: Website blocked

REDACTED

Re: Website blocked

Pondus

Re: Website blocked

REDACTED

Re: Website blocked