Author Topic: Website Blocked  (Read 4813 times)


waycoolph

  • Guest
Website Blocked
« on: March 25, 2011, 02:43:02 AM »
I have already sent e-mail to avast! but still haven't received any reply or resolution.

My site is: http://waycoolph.com

Would appreciate any feedback as to when this can be resolved.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37548
  • Not a avast user
Re: Website Blocked
« Reply #1 on: March 25, 2011, 02:49:13 AM »
URLVoid.com



Report   2011-03-25 03:14:14 (GMT 1)
Website   waycoolph.com
Domain Hash   05a7d0a700e79d75c600a34c82b3951d
IP Address   75.127.114.52 [SCAN]
IP Hostname   rs2.abstractdns.com
IP Country    US (United States)
AS Number   16626
AS Name   GNAXNET-AS - Global Net Access, LLC
Detections   3 / 21 (14 %)
Status   DANGEROUS
      
Scanning site with:   AMaDa     CLEAN
Scanning site with:   BrowserDefender     DETECTED
Scanning site with:   DNS-BH     CLEAN
Scanning site with:   DShield SDL     CLEAN
Scanning site with:   Google Diagnostic     CLEAN
Scanning site with:   hpHosts     UNRATED
Scanning site with:   joewein.de LLC     CLEAN
Scanning site with:   Malware Domain List     CLEAN
Scanning site with:   Malware Patrol     CLEAN
Scanning site with:   MyWOT     DETECTED
Scanning site with:   Norton SafeWeb     DETECTED
Scanning site with:   ParetoLogic URL Clearing House     CLEAN
Scanning site with:   PhishTank     CLEAN
Scanning site with:   SCUMWARE     CLEAN
Scanning site with:   SpamhausDBL     CLEAN
Scanning site with:   SURBL     CLEAN
Scanning site with:   Threat Log     CLEAN
Scanning site with:   TrendMicro Web Reputation     CLEAN
Scanning site with:   URIBL     CLEAN
Scanning site with:   Web Security Guard     UNRATED
Scanning site with:   ZeuS Tracker     CLEAN

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37548
  • Not a avast user
Re: Website Blocked
« Reply #2 on: March 25, 2011, 02:49:46 AM »
Norton Safe Web  http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwaycoolph.com

and downloaded malware found at those locations indicated by Norton

PIC6757624499074533-JPG-www.facebook.com.exe
http://www.virustotal.com/file-scan/report.html?id=de06cdd4a3d579f05a0fb075b2216910eed3709a01672be68265ca2781d4b6ea-1301017964


So as I see it, avast detection / blocking is correct


« Last Edit: March 25, 2011, 03:00:25 AM by Pondus »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Website Blocked
« Reply #3 on: March 25, 2011, 02:58:45 AM »
Nothing evident on http://www.selfseo.com/html_source_view.php
Seems a false positive...
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Website Blocked
« Reply #4 on: March 25, 2011, 03:00:03 AM »
Sorry... Still detected... What could it be?

waycoolph

  • Guest
Re: Website Blocked
« Reply #5 on: March 25, 2011, 03:03:01 AM »
Anything I can do to resolve this issue?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89139
  • No support PMs thanks
Re: Website Blocked
« Reply #6 on: March 25, 2011, 03:49:41 AM »
There is a new on-line contact form, http://www.avast.com/contact-form.php?loadStyles for: Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Press (Media) issues.

Report that you believe this to be a false positive detection by the Network Shield and ask for them to review the site again. Though the network shield malicious sites list is usually correct, and given the other detections, is it possible that your site has been hacked or had previously been subject to attack, etc.?

Check the links shown in the Norton Safe Web link that Pondus gave and see if those URLs "waycoolph.com/imagesne.php, etc." exist.

A link to this topic might help.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

waycoolph

  • Guest
Re: Website Blocked
« Reply #7 on: March 25, 2011, 05:04:30 AM »
I just deleted waycoolph.com/imagesne.php and an image file. Will that resolve the issue or will I still need to email avast!?

At first, I could not log in via ftp because of an incorrect password. However, I did not make any password changes. I emailed the web host and they checked and said that there were no password changes done nor was there any hacking detected. Anyway, I changed the password and downloaded the php file and a jpeg file. The php file did not show any alert when I scanned via avast! but the image file did. I just deleted both files.

Status: Site still blocked even if php and jpg files were deleted.

Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Re: Website Blocked
« Reply #8 on: March 25, 2011, 09:38:51 AM »
Hello,
this site is still infected. The problem is in hxxp://waycoolph.com/images771.exe?=fdgfdgh.
Best Regards

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37548
  • Not a avast user
Re: Website Blocked
« Reply #9 on: March 25, 2011, 10:11:09 AM »
Quote
Hello,
this site is still infected. The problem is in hxxp://waycoolph.com/images771.exe?=fdgfdgh.
Best Regards


images771.exe - 19/43
http://www.virustotal.com/file-scan/report.html?id=542fc00f4384ed8bba7537f676162ba371f5005f672d572bc454da2e72cc0edb-1301043796

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89139
  • No support PMs thanks
Re: Website Blocked
« Reply #10 on: March 25, 2011, 03:40:11 PM »
Quote
I just deleted waycoolph.com/imagesne.php and an image file. Will that resolve the issue or will I still need to email avast!?

At first, I could not log in via ftp because of an incorrect password. However, I did not make any password changes. I emailed the web host and they checked and said that there were no password changes done nor was there any hacking detected. Anyway, I changed the password and downloaded the php file and a jpeg file. The php file did not show any alert when I scanned via avast! but the image file did. I just deleted both files.

Status: Site still blocked even if php and jpg files were deleted.

You are going to have to dig deeper, as it is pretty clear that your site has been hacked; otherwise how could this "waycoolph.com/imagesne.php, etc." have been placed there, and the later infected file mentioned by Sirmer (from avast! Virus Labs team)? Simply removing the infected files we mentioned is a short term thing, as it doesn't resolve the underlying problem of how your site was hacked, see #### below.

I think you are going to have to let your host know that the site has probably been hacked, so at the very least you should change your administrative and ftp passwords to something a little stronger.

####
Hacked Sites - This is commonly down to old content management software being vulnerable, PHP, Joomla, WordPress, SQL, etc. See this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
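
Steps 1 to 3 of the host's checklist quoted above, as an added example that is not part of the original thread or any poster's own tooling: a Python triage pass over a local copy of the site (for instance one downloaded over FTP). The patterns, the `scan_webroot` name and the `own_hosts` parameter are assumptions of this example; each hit is a lead for manual review, not a verdict.

```python
import os
import re
import sys

# Heuristic patterns (assumptions of this example, not signatures from the thread).
INDEX_NAMES = re.compile(r"^(index\.\w+|default\.(aspx|cfm))$", re.I)
INJECTED_JS = re.compile(
    rb"<iframe[^>]+(width|height)\s*=\s*[\"']?[01]\b"
    rb"|document\.write\(\s*unescape\("
    rb"|<script[^>]+src\s*=\s*[\"']?https?://", re.I)
PHP_OBFUSCATION = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
HTACCESS_REDIRECT = re.compile(
    rb"^\s*(RewriteRule|Redirect(Match)?|ErrorDocument)\b.*?https?://([^/\s\"']+)",
    re.I | re.M)
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat"}


def scan_webroot(root, own_hosts=()):
    """Return sorted (relative_path, reason) findings for a local copy of a site."""
    own = {h.lower().encode() for h in own_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read(1_000_000)  # cap the bytes inspected per file
            ext = os.path.splitext(name)[1].lower()
            # Step 2: rogue files. "MZ" marks a Windows executable even when
            # the file is named like an image.
            if data[:2] == b"MZ" or ext in EXECUTABLE_EXT:
                findings.append((rel, "executable in web root"))
            if ext.startswith(".php") and PHP_OBFUSCATION.search(data):
                findings.append((rel, "obfuscated PHP eval"))
            # Step 1: index/default pages with a hidden iframe or external script.
            if INDEX_NAMES.match(name) and INJECTED_JS.search(data):
                findings.append((rel, "possible injected script"))
            # Step 3: .htaccess rules that send visitors to a foreign host.
            if name == ".htaccess":
                for m in HTACCESS_REDIRECT.finditer(data):
                    if m.group(3).lower() not in own:
                        findings.append((rel, "redirect to " + m.group(3).decode("latin-1")))
    return sorted(findings)


if __name__ == "__main__" and len(sys.argv) > 1:
    for rel, reason in scan_webroot(sys.argv[1], own_hosts=sys.argv[2:]):
        print(f"{rel}: {reason}")
```

Run it as `python scan.py <site-copy> <your-domain>`; legitimate external scripts on an index page will also be listed, so compare hits against a known-good backup.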

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: Website Blocked
« Reply #11 on: March 25, 2011, 03:56:48 PM »
Hi waycoolph,

You will get a lot of info from the free sucuri scan. Go to http://sitecheck.sucuri.net/scanner/#
Site is blacklisted by Norton Safe Web as well.

Vulnerable is your WordPress theme: htxp://waycoolph.com/wp-content/themes/default/
WordPress internal path: /home/waycoolp/public_html/wp-content/themes/default/index.php
WordPress version outdated: Upgrade required.

Threat report Norton Safe Web:

Total threats found: 6

    Drive-By Downloads
Threats found: 5

Threat Name:   HTTP Malicious Toolkit Variant Activity 12
Location:    htxp://waycoolph.com/imagesne.php?=safdsdfgfdgfg


Threat Name:   HTTP Malicious Toolkit Variant Activity 12
Location:    htxp://waycoolph.com/imagesne.php?=d?=56768768678


Threat Name:   HTTP Malicious Toolkit Variant Activity 12
Location:    hxtp://waycoolph.com/imagesne.php?=j?=5tr4ytry


Threat Name:   HTTP Malicious Toolkit Variant Activity 12
Location:    htxp://waycoolph.com/imagesne.php?=


Threat Name:   HTTP Malicious Toolkit Variant Activity 12
Location:    htxp://waycoolph.com/imagesne.php?=y5et6wt


    Viruses
Threats found: 1

Threat Name:   Trojan.ADH.2
Location:    htxp://waycoolph.com/imagesne.php

Your site was hacked with malicious software that has been intentionally mutated or morphed by attackers, and then hackers attempted to download exploits from a malicious toolkit which may compromise a computer through various vendor vulnerabilities.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

waycoolph

  • Guest
Re: Website Blocked
« Reply #12 on: March 25, 2011, 04:56:54 PM »
Thanks for your help guys. I will try to follow the tips you have provided and see if I can resolve this problem of mine. Will post an update as soon as I can.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89139
  • No support PMs thanks
Re: Website Blocked
« Reply #13 on: March 25, 2011, 05:30:37 PM »
You're welcome, good hunting.