js:Redirector-NT [Trj] trojan problem with Wordpress

[polonus]

Well the sucuri alert is not for an outdated  WordPress version, the alerts is foir that specific theme: wordpress London live theme

Use the Wordpress exploit scanner: http://wordpress.org/extend/plugins/exploit-scanner/
This plugin is far from perfect, so you might have to plough through the code for changes yourself,
You fell victim to a php hack so you have to secure the use of that first,

polonus

[luinwe]

Thank you so much guys... spg SCOTT and polonus... you are great!

I found the problem. It was old timthumb.php file!!!

Exploit Scanner show me all of infected files and now everything is ok with my website...

 

Well the sucuri alert is not for an outdated  WordPress version, the alerts is foir that specific theme: wordpress London live theme

Use the Wordpress exploit scanner: http://wordpress.org/extend/plugins/exploit-scanner/
This plugin is far from perfect, so you might have to plough through the code for changes yourself,
You fell victim to a php hack so you have to secure the use of that first,

polonus

[spg SCOTT]

You're welcome

That is interesting, the timthumb vulnerability again...saw that a while ago with slightly different script infections...

Scott

[polonus]

Well look here: http://urlquery.net/report.php?id=19989
Site is not beyond suspicion to be a phishing site, and re-directs to cellphonetesters dot com
with undefined variable Bootloader found
http://forums.malwarebytes.org/index.php?showtopic=105879  defined there as a scam site,
See the bizimbal report: http://www.bizimbal.com/odb/details.html?id=935134

polonus

[Geography2011]

I am having the exact same problem, exactly what files was infected? Could you please paste their names.

Regards
Rick

[Pondus]

I am having the exact same problem, exactly what files was infected? Could you please paste their names.

Regards
Rick

what is the URL you have problem with ?

[Geography2011]

I am having the exact same problem, exactly what files was infected? Could you please paste their names.

Regards
Rick

what is the URL you have problem with ?

hxxp://www.rawfoodtips.se

[true indian]

Please add hxxp instead of http u dont want any [non-avast user] curious sucker to fall into clicking on that link...

[Pondus]

I am having the exact same problem, exactly what files was infected? Could you please paste their names.

Regards
Rick

what is the URL you have problem with ?

-http://www.rawfoodtips.se

That URL is infected...see attached screenshot

Malware entry: MW:JS:6525 - http://sucuri.net/malware/malware-entry-mwjs6525


virustotal
https://www.virustotal.com/file/14c39310395b97daa655024fb369d588f41b5ce6825be846c361467da01f2b37/analysis/1328870962/

[Geography2011]

I am having the exact same problem, exactly what files was infected? Could you please paste their names.

Regards
Rick

what is the URL you have problem with ?

-http://www.rawfoodtips.se

That URL is infected...see attached screenshot

Malware entry: MW:JS:6525 - http://sucuri.net/malware/malware-entry-mwjs6525


virustotal
https://www.virustotal.com/file/14c39310395b97daa655024fb369d588f41b5ce6825be846c361467da01f2b37/analysis/1328870962/

From that screenshot I cant tell what file is infected, do you see it?

Regards
Rickard

[Pondus]

you may scan it here  http://sucuri.net/

does this help...

wepawet - suspicious
http://wepawet.iseclab.org/view.php?hash=a02592b01fc3b95155ff474f5ac2b4ec&t=1328885455&type=js

[Geography2011]

When I run sucuri.net check it says that the site is ok, but still avast gives me Infection: js:Redirector-NV [Trj]

And I really cant find out what file contains the trojan script.

[Geography2011]

Finally got it, installed the Exploit Scanner plugin for Wordpress and looked through the files it had in the "severe" section and in one of the code was added.

Thanks alot for the help all you guys.

[Render]

I have a similar problem with js:Redirector-NV [Trj].
The url given is hxxp://www.golfvakantieturkije.org/|%3E{gzip}

Exploit scanner gives me 9 severe issues but all of theme are regular files with no strange stringes.

[polonus]

Hi Render,

web site:   wXw.golfvakantieturkije.org
status:   Verified Clean according to Sucuri Scan
web trust:     Not Blacklisted
warn:   WordPress version outdated: Upgrade required.
    *Cached results from a few minutes ago.
This is suspicious in the code:
wXw.golfvakantieturkije.org/wp-content/themes/woostore/includes/js/tabs.js?ver=3.3 suspicious
[suspicious:2] (ipaddr:91.198.106.30) (script) wXw.golfvakantieturkije.org/wp-content/themes/woostore/includes/js/tabs.js?ver=3.3
     status: (referer=wXw.golfvakantieturkije.org/|>{gzip})saved 1073 bytes 813ba92faa731fdce49d619d5e365f66b3c25302
     info: [decodingLevel=0] found JavaScript
     suspicious:

polonus