JS with Mal:URL (solved)

[capiscuas]

Hi,
our site hxxp://www.thevenusproject.com/

the Avast is still showing it as containing a URL:Mal , is it a blacklist of Avast?

Not other Antivirus are detecting anything now. Also this is proof of the lack of any infection right now.
hxxp://www.virustotal.com/url-scan/report.html?id=90f7a614204bf287dc6f062421a25b17-1292780099

Thanks in advance.

[igor]

When I enter that URL, I do get a warning - however not on the thevenusproject.com domain, but on a completely different (and highly suspicious one, I'd say) domain.

I didn't check any further, but it doesn't look like a false alarm to me.

[spg SCOTT]

Hi capiscuas, welcome to the forum

It seems that something on the website is trying to connect to a site that is blacklisted in avast!

The image is the alert I get when trying to load the site.

Also, please deactivate the link (change http to hXXp) to prevent others potentially becoming infected. Thanks.

Scott

[capiscuas]

Fixed the hxxp link, sorry.

The site was hacked around the 9th of December and probably got the infection. Then it was down for 1 day and the hosting provider (godaddy) said they had cleaned up the malicious things, and we upgraded to latest version of the CMS.

Not other software is showing the site containing any malicious url, also that url checking from totalvirus says it's clean. Is there anybody could point too (if is) where is the redirection being produced?

Thanks in advance.

[spg SCOTT]

I am looking at it now, and I am guessing that it is in some scripting part of the site, as it shows under NoScript.

[spg SCOTT]

Ok, so from my limited knowledge,it could be this:

Code: [Select]

wXXw.thevenusproject.com/templates/thevenusprojectlight/js/jquery-tooltip/lib/jquery.dimensions.js
At the end of this file, it appears as though there is a  long script on one line that doesn't seem to belong there...

However I could be wrong, and would like an avast! team member to confirm/deny...

Scott

EDIT: Judging from the results of the latest test, it would appear that I was correct. See how the code unpacks to the site that is in the network shield alert.

Also, I will report this to avast! since the web shield hasn't caught the script, as is usually the case.

[capiscuas]

Thanks a lot, I fixed the malicious script hacked in.

[PaCKINheAT]

that blackoutmpn site virus total says its clean. it shows just a blank page with no codes. was it shut down possibly

[spg SCOTT]

You're welcome, glad to help

I don't get an alert on the site any more.

@PaCKINheAT,

Regardless of whether someone has got there first and shut down the site, avast! still blocks the attempt to connect. How can avast! know? Better to be safe than sorry.

Scott

[REDACTED]

Hello. I have the same problem with my web hxxps://www.multiencargos.com

Could you help me for to solve it please

[Pondus]

Hello. I have the same problem with my web hxxps://www.multiencargos.com

Could you help me for to solve it please

you are posting in a topic that is 6 years old

for help, always start your own topic

https://virustotal.com/nb/url/cec7418020aa17f8b68d0b2ef89aa9458a8080396af344fe3aeee683d6a89a83/analysis/1468281604/


html scan
https://virustotal.com/nb/file/323489a1bbcb5a6f123874d01c6e5c65a18278dcab50f89f79dc0b68807187f3/analysis/1468281886/