Author Topic: False Positive ? qrjuice.com  (Read 5060 times)


Offline Biox

  • Jr. Member
  • **
  • Posts: 21
False Positive ? qrjuice.com
« on: December 22, 2011, 10:51:01 PM »
A site that I receive RSS feeds from has started showing up as having a Trojan; however, the name seems to change. I have tried contacting the site in question, qrjuice.com, but have had no response.

I'm wondering if this is just a false positive. Appreciate any feedback and comments.

thanks


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not an avast user
Re: False Positive ? qrjuice.com
« Reply #1 on: December 22, 2011, 10:52:43 PM »
What is the full avast message? Can you attach a screenshot?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not an avast user
Re: False Positive ? qrjuice.com
« Reply #2 on: December 22, 2011, 10:55:03 PM »
Jotti:  http://virusscan.jotti.org/en-gb/scanresult/3c962e89641522c22837dda1147f9df192d90ab0
metascan:  http://www.metascan-online.com/results.cgi?uid=rlxeh30b21fyoms20dzi9ihxf16g7w3m


Sucuri says: infected (see screenshot)


Malware info: http://sucuri.net/malware/malware-entry-mwjsdepack

Quote:
Description: Encoded JavaScript using a packer by Dean Edwards. This packer can be used on legitimate applications, but is often deployed by attackers to hide their scripts.


Wepawet
-http://wepawet.iseclab.org/view.php?hash=3c8edf5696bb22b85178531bc6c75a54&t=1324591024&type=js
« Last Edit: December 23, 2011, 12:05:02 AM by Pondus »
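The Sucuri note above is the crux of the false-positive question: the flagged fancybox file is a `.pack.js` build, so a packer signature on its own does not say whether the script is malicious, and the only way to decide is to unpack it and read what it does. Below is an added example, not code from this thread or from any of the scanners mentioned in it, of how a defender can do that locally: it recognises the Dean Edwards packer stub and reverses the word substitution the packer performs. The packed sample inside it is constructed for the demonstration (a tiny image-preloading helper, with the packer's decoding stub abbreviated), not the file served by qrjuice.com.

```python
import re
from typing import Optional

# Stub that Dean Edwards "p.a.c.k.e.r" output begins with; accept either
# "d" or "r" as the last parameter name, since both forms are seen.
PACKER_STUB = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)"
)

# The stub's argument list: ('payload', radix, count, 'w1|w2|...'.split('|'), 0, {})
PACKER_ARGS = re.compile(
    r"\}\s*\(\s*'(?P<payload>(?:\\.|[^'\\])*)'\s*,\s*(?P<radix>\d+)\s*,\s*(?P<count>\d+)"
    r"\s*,\s*'(?P<words>(?:\\.|[^'\\])*)'\s*\.split\s*\(\s*'\|'\s*\)",
    re.S,
)

# Symbol alphabet the packer uses for word indices: 0-9, a-z, A-Z (radix up to 62).
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def is_dean_edwards_packed(js: str) -> bool:
    """Cheap signature check: does the script carry the packer stub?"""
    return PACKER_STUB.search(js) is not None


def _js_unquote(s: str) -> str:
    """Undo the escapes a single-quoted JS string literal may contain."""
    simple = {"n": "\n", "r": "\r", "t": "\t"}
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(simple.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _encode(index: int, radix: int) -> str:
    """Reproduce the packer's e(c): the base-`radix` symbol standing for word `index`."""
    if index < radix:
        return ALPHABET[index]
    return _encode(index // radix, radix) + ALPHABET[index % radix]


def unpack_dean_edwards(js: str) -> Optional[str]:
    """Return the original source, or None if the script is not packer output."""
    if not is_dean_edwards_packed(js):
        return None
    m = PACKER_ARGS.search(js)
    if m is None:
        return None
    radix, count = int(m["radix"]), int(m["count"])
    if radix > len(ALPHABET):
        raise ValueError(f"radix {radix} is not supported by this unpacker")
    payload = _js_unquote(m["payload"])
    words = _js_unquote(m["words"]).split("|")
    # Symbol -> word table, as the packer builds it; an empty word means the
    # symbol is left in place, because the original token was already the symbol.
    table = {}
    for index in range(min(count, len(words))):
        if words[index]:
            table[_encode(index, radix)] = words[index]
    # JS \w is ASCII-only, so use an explicit class rather than Python's Unicode \w.
    return re.sub(r"\b[A-Za-z0-9_]+\b", lambda t: table.get(t.group(0), t.group(0)), payload)


# Constructed sample (not the fancybox file from the thread): a small image-preloading
# helper run through the packer, with the decoding stub abbreviated.
SAMPLE_PACKED = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}"
    "('0 1(2){3 4=5 6();4.2=2;7 4}',62,8,'function|preload|src|var|img|new|Image|return'"
    ".split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack_dean_edwards(SAMPLE_PACKED))
```

Run on a real `.pack.js` the output is plain JavaScript that can be compared with the vendor's unpacked release; a packed fancybox that unpacks to fancybox is the false positive the original poster hoped for, while extra code (an injected iframe, a remote script load) is the infection Sucuri reported.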

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: False Positive ? qrjuice.com
« Reply #3 on: December 23, 2011, 12:01:22 AM »
Hi Pondus,

You should put a - in front of -http://wepawet.iseclab.org/view.php?hash=3c8edf5696bb22b85178531bc6c75a54&t=1324591024&type=js
because our unaware users with the avast shields up get an alert on the malcode, namely for
JS:ScriptSH-inf[Trj]
suspicious =
-qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/jquery.fancybox-1.3.4.pack.js?ver=1.3.4 suspicious
[suspicious:2] (ipaddr:216.172.185.51) (script) -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/jquery.fancybox-1.3.4.pack.js?ver=1.3.4
     status: (referer=-qrjuice.com/)saved 15624 bytes caeb31e930068ce5820b239d44d8415f95957138
     info: [embed] -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/
     info: [iframe] -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable Image
     error: line:22: TypeError: Image is not a constructor
     suspicious incomplete....

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Biox

  • Jr. Member
  • **
  • Posts: 21
Re: False Positive ? qrjuice.com
« Reply #4 on: December 29, 2011, 12:57:57 AM »
Thank you for that swift reply.

Apologies for my late reply, I didn't see an alert that someone had responded already.

I'll upload a screen within the day.

thanks

JPMIddleton

  • Guest
Re: False Positive ? qrjuice.com
« Reply #5 on: January 14, 2012, 11:07:52 PM »
The site in question is owned by me. QrJuice.com.

Whilst most of this conversation has gone completely over my head, I can tell you the malware has been removed.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: False Positive ? qrjuice.com
« Reply #6 on: January 14, 2012, 11:36:53 PM »
Hi, site owner,

Your site may be clean(sed) now, but there is still an alert that your WordPress version is outdated, according to Sucuri: WordPress internal path: /home/qrjuice/public_html/wp-content/themes/Polished/index.php
That means you could be re-infected. Another recommendation is for the web server: that server gives away the full version number of the server software. This should be avoided, so would-be hackers would not know what exploits would work against it. It is a bit like in Little Red Riding Hood's fairy tale: just pull the cord hanging out of the door and you can come in... and then they could,

Stay safe and secure is the wish of,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
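polonus's two points in the last reply, an outdated WordPress install and a server that advertises its full version, are both version disclosures a site owner can check from a single captured response. The following is an added example, not part of the thread, that flags version strings in the response headers and in the generator meta tag WordPress writes into every page; the header blocks and HTML it inspects are constructed samples, not captures from the site discussed.

```python
import re
from typing import Dict, List

# Anything that looks like a dotted version number.
VERSION = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")

# Response headers that most often carry product versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# WordPress (and other CMSs) announce themselves in a generator meta tag.
GENERATOR_META = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']([^"']+)["']""", re.I
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response header block (status line first) into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw_headers: str, html: str = "") -> List[str]:
    """List every place the response reveals a software version."""
    findings = []
    for name, value in parse_headers(raw_headers).items():
        if name in DISCLOSING_HEADERS and VERSION.search(value):
            findings.append(f"header {name}: {value}")
    for match in GENERATOR_META.finditer(html):
        if VERSION.search(match.group(1)):
            findings.append(f"generator meta: {match.group(1)}")
    return findings


# Constructed samples: a response that leaks everything, and the same site after hardening.
LEAKY_HEADERS = """HTTP/1.1 200 OK
Date: Thu, 22 Dec 2011 22:51:01 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e PHP/5.2.17
X-Powered-By: PHP/5.2.17
Content-Type: text/html; charset=UTF-8
"""
LEAKY_HTML = '<html><head><meta name="generator" content="WordPress 3.2.1" /></head></html>'

HARDENED_HEADERS = """HTTP/1.1 200 OK
Date: Thu, 22 Dec 2011 22:51:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
"""
HARDENED_HTML = "<html><head><title>Home</title></head></html>"

if __name__ == "__main__":
    for label, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_HTML),
                              ("hardened", HARDENED_HEADERS, HARDENED_HTML)):
        print(label, version_disclosures(hdrs, body) or "no version disclosed")
```

The usual fixes behind the hardened sample are `ServerTokens Prod` and `ServerSignature Off` in Apache, `expose_php = Off` in php.ini, and `remove_action('wp_head', 'wp_generator');` in a WordPress theme or plugin. Hiding the version removes the shortcut reply #6 describes; it does not replace updating WordPress, which is what Sucuri was actually flagging.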