Author Topic: avast reports virus on my website but I can´t detect any infection. Please check  (Read 3352 times)


REDACTED

  • Guest
A customer using Avast was so kind as to report a virus infection:
Please check www.mastering-academy.de and www.mastering-academy.com

My virus program and an online virus scan can't find any problems.
But I would like to get rid of that problem.
Can you give me advice on which file may be infected or is causing this problem, so that I can figure out how to remove it manually?

Thank you for your support.

Friedemann Tischmeyer

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
what does the message from avast say?

« Last Edit: February 12, 2016, 12:24:06 PM by Pondus »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
I see two vulnerable libraries flagged here:
-http://www.mastering-academy.com
Detected libraries:
jquery-migrate - 1.2.1 : -http://www.mastering-academy.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.3 : (active1) -http://www.mastering-academy.com/wp-includes/js/jquery/jquery.js?ver=1.11.3
jquery.prettyPhoto - 3.1.2 : (active1) -http://www.mastering-academy.com/wp-content/themes/infocus/lib/scripts/prettyphoto/js/jquery.prettyPhoto.js?ver=2.3
Info: Severity: high
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6837&cid=3
Info: Severity: high
https://github.com/scaron/prettyphoto/issues/149
https://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

Issue and warning here: https://mxtoolbox.com/domain/www.mastering-academy.com/

This link? -> http://toolbar.netcraft.com/site_report?url=http://online-sale24.com is flagged:
Javascript included from a blacklisted domain. Details: http://sucuri.net/malware/entry/MW:BLK:2
Javascript: online-sale24.com  but it does not resolve now, no response: https://urlquery.net/report.php?id=1455281096382
So I see no active malware now.

CMS issues to mitigate:
WordPress Version
4.4.1
Version does not appear to be latest 4.4.2 - update now.

WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.

jquery-featured-content-gallery   latest release (1.2)
http://www.cibydesign.co.uk/resources-and-downloads/
all-in-one-seo-pack 2.2.7.5   latest release (2.2.7.6.2) Update required
http://semperfiwebdesign.com
facebook-likes-you 1.5.4   latest release (1.5.4)
http://wolnaelekcja.pl/wp-facebook-likes-you

Warning User Enumeration is possible
The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   None   wp_admin  :o  Should come disabled.

Another issue: 50% of the trackers on this site could be protecting you from NSA snooping. Tell mastering-academy.com to fix it.
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

d5fb79cb40414a3091dxxxxxxxxae2ac1a1445965753 local.adguard.com __cfduid

At least 8 third parties know you are on this webpage.

 -Google
 -Google
 -Facebook
 -Google
 -www.mastering-academy.com
 -online-sale24.com  (this was the culprit of your malware infection, Avast flagged as HTML:Script-inf, aka Sucuri's reports at: http://sucuri.net/malware/entry/MW:BLK:2 )
 -local.adguard.com
-www.mustbebuilt.co.uk  -www.mustbebuilt.co.uk

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: February 12, 2016, 02:05:28 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
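
An added example (not part of the post above or of any tool cited in it): one way to list the script includes in a page's HTML and flag those loaded from a blocklisted or unexpected host, as with the online-sale24.com include reported above. The HTML sample, the file names in it and the allowlist are constructed assumptions; only the hostnames come from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample markup (not the real site's HTML); file names are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.3"></script>
<script src="//connect.facebook.net/constructed-sdk.js"></script>
<script src="http://www.mustbebuilt.co.uk/constructed.js"></script>
<script type="text/javascript" src="http://online-sale24.com/placeholder.js"></script>
<script>var inline = 1;</script>
</head></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag that has one."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def host_matches(host, names):
    # True for an exact match or a subdomain of any listed name.
    return any(host == n or host.endswith("." + n) for n in names)


def audit_script_hosts(html, page_url, allowed_hosts, blocked_hosts=()):
    """Return blocklisted and unexpected third-party script URLs found in html."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    report = {"blocked": [], "unexpected": []}
    for src in collector.sources:
        url = urljoin(page_url, src)  # resolves relative and //host forms
        host = urlparse(url).hostname or ""
        if host == page_host:
            continue  # first-party script, served by the site itself
        if host_matches(host, blocked_hosts):
            report["blocked"].append(url)
        elif not host_matches(host, allowed_hosts):
            report["unexpected"].append(url)
    return report
```
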

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
F-Secure lab confirms infections

==========================================================
The file you sent (academy.com) was found to be malicious.

We will be detecting the sample you submitted as Trojan.HTML.Agent.MG
===========================================================
The file you sent (academy.de) was found to be malicious.

We will be detecting the sample you submitted as Trojan.HTML.Agent.MF
============================================================



REDACTED

  • Guest
what does the message from avast say?
It says: Infection Type: HTML:Script-inf
The complete message is in German. It says that the URL has malicious code.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Well, the infection has been confirmed, you've to clean it.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
if you need help Sucuri will do it for a fee  >>  https://sucuri.net