Avast Constantly Reports on my Wordpress websites

[ninjauk]

OK , Somethings gotta give!!

I have been running Avast for a while now, and recommend it to everyone I know, however just recently, on various machines, on various networks, I seem to be getting problems with my wordpress sites, and Avast reporting Malware, which is NOT true...

For example the most recent >


Its the LATEST Wordpress installation and all latest plugins (both of them!), I also get warnings on other WP sites I use on the same server (different domains) , mostly when using the wp-admin area (administration side), the entire server is swept for malware and I know the server admin very well, who assures me it is a AVAST issue.

One of my main concerns is the amount of customers I could be losing because of these false positives that are being reports (my livelyhood depends on some of my websites hosted!)

Please investigate as soon as and let me know what I can do , and is it an avast issue or the host, if its the host, why?
Many thanks

[Asyn]

Report    2011-08-21 13:29:26 (GMT 1)
Website    concretecancer.co.uk
Domain Hash    82574e424e146a11cb76b62a30b1650f
IP Address    188.165.227.101 [SCAN]
IP Hostname    node2.exoware.net
IP Country    FR (France)
AS Number    16276
AS Name    OVH OVH Systems
Detections    0 / 23 (0 %)
Status    CLEAN

Report    2011-08-21 14:21:08 (GMT 1)
IP Address    188.165.227.101
IP Hostname    node2.exoware.net
IP Country    FR
AS Number    N/A
AS Name    N/A
Detections    0 / 26 (0 %)
Status    CLEAN

You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles

[ninjauk]

That is the same report I get when running it through AVG online checker.

I am at a loss as to what is the problem

[Asyn]

You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles

Did you read this..??

[ninjauk]

yes

and did act accordingly so ...

was wondering if anyone else had any inputs ?

[ninjauk]

again , more so in back end then front end.....

[Asyn]

yes
and did act accordingly so ...

Good.
I'm quite sure that you also get more input soon...

[polonus]

The page has issues, given green by Sucuri, but the software is not been updated, so vulnerable here: Web application details:
Application: WordPress 3.2.1 - -http://www.wordpress.org

Web application version:
Wordpress version: WordPress 3.2.1
Wordpress version from source: 3.2.1
Wordpress Version 3.2 based on: -http://www.concretecancer.co.uk//wp-includes/js/autosave.js
Wordpress directory: -http://www.concretecancer.co.uk/wp-content
Wordpress theme: -http://www.concretecancer.co.uk/wp-content/themes/jazz/
Wordpress internal path: -/home/concrete/domains/concretecancer.co.uk/public_html/wp-content/themes/jazz/index.php

So site should be backed-up and after that the software should be updated
Analyzing the code I found the following issue, see attached, also
see: http://wepawet.iseclab.org/view.php?hash=0ea07dcfbfa55ae5c3f2c7c8e4cacc16&t=1313937612&type=js
Dasient gives the site as clean: http://wam.dasient.com/wam/diagnose?URL=http://www.concretecancer.co.uk/

polonus

[ninjauk]

The page has issues, given green by Sucuri, but the software is not been updated, so vulnerable here:

polonus

What are the issues ?

The site IS running the LATEST download of Wordpress, so cant be vulnerable in the eyes of any current check.

[polonus]

Hi ninjauk,

Sucuri scan says that you have the latest Wordpress, but there is still a theme with vulnerabilities, go over it again. There is a vulnerability with the following theme: Wordpress theme: -http://www.concretecancer.co.uk/wp-content/themes/jazz/
Wordpress internal path: /home/concrete/domains/concretecancer.co.uk/public_html/wp-content/themes/jazz/index.php  (index.php is vulnerable on line 163)
Read on these issues: http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/ (link author = mark maunder)

polonus

[ninjauk]

Line 163

Code: [Select]

<div class="wrapper">
RWJ Allen (c)2011 Artwork by <a href="http://www.blogohblog.com" title="WordPress Themes">Blog Oh! Blog</a> Hosted and Engineered by <a href="http://www.nixta.co.uk" title="website design weston-super-mare">Nixta Services</a>
Hardly any malicious code there....

I recently wrote an article on timthumb issue, and this site is NOT using any timthumb.php

I appreciate your answers and responses, but I do feel this is something to do with Avast blacklisting something on my host.  I have installed latest Wordpress along with the default theme (unaffected by timthumb) and have STILL had malware warning pop up randomly whilst in the back end (wp-admin) .  I appreciate this is an isolated incident and I am hoping for a response from the Avast team themselves with the FP report I have put in, when I get one I WILL paste it here for you to view.

Again I thank you for your input and help

[DavidR]

I don't know if this is the case here or not:
Do you happen to show any example code on the concretecancer.co.uk site as if this isn't in image form, then avast's web shield may well alert on the example.

When enough web shield alert hits on the site from avast users reach a tipping point, then the domain would be added to the network shields malicious sites list as a part of the avast CommunityIQ function. Before you ask I don't know what that number might be.

As suggested you can use on-line contact form, but if you didn't give much information on the original report, I would do it again http://www.avast.com/contact-form.php?loadStyles for:  * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Press (Media), issues.

- If you are reporting an FP, then you get another input field open, click Browse button and  enter the web URL for the site you wish to submit for review (Network Shield), etc.
A link to this topic in the 'Your message' text input filed wouldn't hurt.

[ninjauk]

YAY !! Reply from Avast

Hello,

it was a false positive and will be fixed in the next VPS.

Best regards

Alena *******

On 21.8.2011 20:24, Michal **** wrote:
> diky :-)

Hopefully this is all the domains on the host not just the one, however i can do them manually if need be...

Thank You Avast !!!

[DavidR]

That was a quick reply.

If the alert is only on a domain, then I don't know if it would spill over to the Host as the host wasn't specified in the alert was it ?

[ninjauk]

When I put the report in , I did specify the whole hosts of domains,
we can only but see

Thanks everyone