Author Topic: Script:SNH-gen [Tr] detected on my site?!  (Read 4320 times)


Offline Tapiopix

  • Newbie
  • *
  • Posts: 2
Script:SNH-gen [Tr] detected on my site?!
« on: July 13, 2020, 12:23:13 PM »
Hi folks, I'm looking for some help / guidance here:

I recently went to open the URL www.tapiopix.com and was immediately met with the pinging alarm sound and a notification that Avast had secured a threat (see attached): "We've safely aborted connection on www.tapiopix.com because it was infected with Script:SNH-gen." The problem is, that is my own photo website, so I need to get this sorted asap :o

I immediately checked the code on my offline copy and checked that there were no extra files on the web version, then I deleted the entire site and re-uploaded from my computer (after running a full Avast scan on my offline files). The warning still came up when I tried to open the site ???

Having read a couple of threads where it was suggested that this could be a false positive, I contacted Customer Support, but got a message back from Ondřej saying: "Thank you for contacting Avast with your concerns. Our virus specialists have been working on this problem and they informed me that this detection is correct."

So now I have a problem in that I'm not sure I know what I'm looking for in order to find and remove this threat (if it indeed really is there)...

What can I do? What am I looking for? Are there some logs somewhere that will tell me exactly what was detected / what file of the site the code might be hidden in?

The only files on the site where I don't really know what the code does are javascript files which come from the photo album creation software JAlbum - I have rebuilt the album and re-uploaded those in case they had been compromised...

Thanks for any help!

Cheers, Geoff


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
« Last Edit: July 13, 2020, 04:58:57 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Script:SNH-gen [Tr] detected on my site?!
« Reply #3 on: July 13, 2020, 05:11:32 PM »
Malscript like
Quote
<script>function PTc(D9,gD,gW){var CKngd,BWVLZ=new Array(),UdWDM="\x64\x47\x76\x2d etc. etc.
has to be cleansed from there ASAP. Script:SNH-gen is a trojan also known as Trojan:Win32/Wacatac.C!ml.

See other recommendations here (244 in all): https://webhint.io/scanner/97049bf5-6e22-469a-a6a8-72af972ce04f

Not only avast detects it, Trustwave does too: https://www.virustotal.com/gui/url/d451f533c9e69b224bc0a7589f418640660e4a35678e8bfffdfa0a88fd8d92b5/detection (4 hrs ago).

See: https://site-stats.org/tapiopix.com/#server1  hosted: https://www.shodan.io/host/94.136.40.103
Detections on IP relations: https://www.virustotal.com/gui/ip-address/94.136.40.103/relations

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: July 13, 2020, 07:00:58 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
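Added example, not code from the thread, from Avast or from JAlbum: a small Python scanner for the question Geoff asks above ("what am I looking for, and in which file?"). It walks a site's HTML/JS files, flags inline scripts that are dense in \xNN hex escapes (the shape of the quoted `UdWDM="\x64\x47\x76\x2d..."` snippet) or that call eval/unescape/fromCharCode, decodes the escapes so the hidden string can be read, and lists externally hosted `<script src>` URLs, which covers the later point that the flagged code may have been pulled in from somewhere other than the uploaded files. The sample pages, the hostname and everything after the first four escapes of the string are constructed here; the threshold is a heuristic, not a definition of the detection.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample site (not the real tapiopix.com content): one clean page
# and one page carrying an injected hex-escaped script. Only the first four
# escapes (\x64\x47\x76\x2d -> "dGv-") come from the snippet quoted in the
# thread; the rest of the string is made up for the demo.
SAMPLE_SITE = {
    "index.html": (
        "<html><head><title>Album</title>\n"
        '<script src="res/jalbum.js"></script></head>\n'
        "<body><div>photos</div></body></html>\n"
    ),
    "album/page1.html": (
        "<html><body><div>photos</div>\n"
        "<script>function PTc(D9,gD,gW){var CKngd,BWVLZ=new Array(),"
        'UdWDM="\\x64\\x47\\x76\\x2d\\x64\\x65\\x6d\\x6f";return UdWDM;}</script>\n'
        '<script src="//cdn.example.invalid/x.js"></script>\n'  # constructed host
        "</body></html>\n"
    ),
}

SCRIPT_BLOCK = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
# Calls that legitimate album/gallery code rarely needs but loaders love.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "fromCharCode", "document.write(", "atob(")
HEX_RATIO_THRESHOLD = 0.15  # heuristic: share of the body spent on \xNN escapes


def decode_hex_escapes(text: str) -> str:
    """Turn '\\x64\\x47' into 'dG' so the analyst can read what the string hides."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def hex_escape_ratio(body: str) -> float:
    """Fraction of the script body made up of \\xNN escapes (4 chars each)."""
    if not body:
        return 0.0
    return 4 * len(HEX_ESCAPE.findall(body)) / len(body)


def scan_file(path: str, content: str) -> List[Dict]:
    """Report obfuscated inline scripts and externally hosted script sources."""
    findings: List[Dict] = []
    # A .js file is one script body; an HTML file may hold several <script> tags.
    blocks = [("", content)] if path.lower().endswith(".js") else SCRIPT_BLOCK.findall(content)
    for attrs, body in blocks:
        src = SRC_ATTR.search(attrs)
        if src:
            url = src.group(1)
            # Relative paths are the site's own files; remote hosts get listed
            # so the owner can check what is actually being served from there.
            if url.startswith(("http://", "https://", "//")):
                findings.append({"file": path, "kind": "external-script", "detail": url})
            continue
        ratio = hex_escape_ratio(body)
        calls = [c for c in SUSPICIOUS_CALLS if c in body]
        if ratio >= HEX_RATIO_THRESHOLD or calls:
            findings.append({
                "file": path,
                "kind": "obfuscated-inline-script",
                "hex_ratio": round(ratio, 2),
                "calls": calls,
                "decoded_preview": decode_hex_escapes(body)[:80],
            })
    return findings


def scan_site(files: Dict[str, str]) -> List[Dict]:
    """Scan an in-memory {relative path: content} map of the site."""
    out: List[Dict] = []
    for path, content in files.items():
        if path.lower().endswith((".html", ".htm", ".js")):
            out.extend(scan_file(path, content))
    return out


def scan_directory(root: str) -> List[Dict]:
    """Scan an offline copy of the site on disk (e.g. the JAlbum output folder)."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".html", ".htm", ".js"):
            files[str(p.relative_to(root))] = p.read_text(errors="replace")
    return scan_site(files)


if __name__ == "__main__":
    for finding in scan_site(SAMPLE_SITE):
        print(finding)
```

Run it against the offline copy with `scan_directory("path/to/site")`, then against a fresh download of the live site; a finding that appears only in the live copy points at the injected file, while a finding that is identical in both means the code shipped from the local build and should be traced back to the generator. Anything reported as `external-script` is fetched by the visitor's browser from a third party, so the uploaded files can be clean while the page still trips the scanner.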

Offline Tapiopix

  • Newbie
  • *
  • Posts: 2
Re: Script:SNH-gen [Tr] detected on my site?!
« Reply #4 on: July 14, 2020, 12:45:13 PM »
Thanks for the replies. I was, if anything, even more confused concerning the suspicious 'long script' code snippet - I went through and checked every single text based file in the entire site, and that code (or anything like it) does not exist anywhere!

Also though, the problem seems to have gone away, in that Avast no longer flags the site as a problem... I wonder if the issue was actually not in my site and my code was calling some function from somewhere else (JAlbum for example) which had an infection and has dealt with it? Either that, or there was something in the online site that I didn't find, but the re-upload of the clean offline version dealt with it... Anyway, in the absence of a problem, I will leave it for now.

Re. the other recommended fixes - the whole site needs an overhaul and that list gives a really good handle on how to proceed, so thanks for that!

Cheers,
Geoff

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Script:SNH-gen [Tr] detected on my site?!
« Reply #5 on: July 14, 2020, 01:24:00 PM »
You're welcome.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Script:SNH-gen [Tr] detected on my site?!
« Reply #6 on: July 16, 2020, 11:58:42 PM »
L.S.

We should also consider the malcode in relation to this: TLP White Message
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a  and Trojan/Win32.Wacatac abused by APT groups.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)