Topic: JS:Redirector-NT [Trj] on my WordPress site. Please Help.

3ukman

  • Guest
« on: February 07, 2012, 12:47:28 PM »
Avast is reporting JS:Redirector-NT [Trj] on my site. Can you please take a look and point me to what code may be wrong? The site is WEBKINSON.COM

What code is supposed to be wrong?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
« Reply #1 on: February 08, 2012, 07:07:39 PM »
@true_indian,

The user opened up a new topic because his was just added to another user's. Why do you interfere, as you do not understand what is going on?

@ 3ukman
This part of your code is found suspicious:
-www.webkinson.com/wp-content/themes/inspire/includes/js/jquery.prettyPhoto.js?ver=3.3.1 suspicious
[suspicious:2] (ipaddr:74.53.187.69) (script) -www.webkinson.com/wp-content/themes/inspire/includes/js/jquery.prettyPhoto.js?ver=3.3.1
     status: (referer=-WEBKINSON.COM/)saved 31837 bytes 999f6c5b54e2cbc923bb8c1f42f396748d43fb8f
     info: [img] -www.webkinson.com/wp-content/themes/inspire/includes/js/
     info: [embed] -www.webkinson.com/wp-content/themes/inspire/includes/js/{path}
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     suspicious:

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

3ukman

  • Guest
« Reply #2 on: February 10, 2012, 02:15:43 PM »
Hello,

We were in touch with WooThemes, a very reputable themes provider for WordPress. They have numerous websites using the theme, but the problem is only present on my site at webkinson.com

For example, this demo site also uses the same code but is not being reported as a virus.
http://demo.woothemes.com/inspire/

Is it possible it is another part of the code that is fishy?



spg SCOTT

  • Guest
« Reply #3 on: February 10, 2012, 03:24:07 PM »
Hi 3ukman, thank you for making your own thread, it makes it easier to follow the topic :)

This issue results in a script being added near the top of pages that are loaded...(seen in the image)

From what I can tell from another thread or two...it could be related to theming...and one thread suggested that it was a file called timthumb.php (this has come up before, and was the result of a lot of detections)

Polonus had a link to a scanner that helped identify the issue, it may be of some help to you:

...

I found the problem. It was old timthumb.php file!!!

Exploit Scanner show me all of infected files and now everything is ok with my website...

Well, the sucuri alert is not for an outdated WordPress version, the alert is for that specific theme: wordpress London live theme

Use the Wordpress exploit scanner: http://wordpress.org/extend/plugins/exploit-scanner/
This plugin is far from perfect, so you might have to plough through the code for changes yourself,
You fell victim to a php hack so you have to secure the use of that first,

polonus

Scott

Offline polonus

« Reply #4 on: February 10, 2012, 03:45:47 PM »
Hi 3ukman,

Next to what spg SCOTT reports I see the following:
Sucuri gives out a warning on: -home/ukman3/public_html/webkinson.com/wp-content/themes/inspire/index.php
I get a "Call to undefined function get_header() in -/home/ukman3/public_html/webkinson.com/wp-content/themes/inspire/index.php"
Your site apparently was Tag_blue hacked...
There is a link to referer=figu.at.vc/in.cgi?2 see: GET /in.cgi?2 HTTP/1.1 Host: -figu.at.vc flagged by avast webshield as JS:redirector-NT[Trj]
redirecting to spamming from v i a g r a l e v i t r a testosterone dot com
See here for the evidence: http://urlquery.net/report.php?id=20366
I get this at wepawet analysis: -http://figu.at.vc/in.cgi?2   Empty   N/A   Could be that "figu dot at vc" is no longer responding or was taken down.
The in.cgi2 hack was an intrusion via an injected iFrame.
but you have to cleanse and remove that vulnerability, then there was network activity for about:blank   200   text/html (no longer there),

polonus
« Last Edit: February 10, 2012, 03:49:53 PM by polonus »

spg SCOTT

  • Guest
« Reply #5 on: February 10, 2012, 03:49:02 PM »
Hey Polonus,

There is an active link that slipped through there ;)
You got it before my post ;)


Scott

Offline polonus

« Reply #6 on: February 10, 2012, 03:59:41 PM »
Hi spg SCOTT,

Well broke it as soon as I spotted it, thanks for the heads up and all your valuable script analysis contributions. So you must have seen that the php security of this site has been questionable for quite some time. That is what caused these various issues in the first place - a hacker got a tiny foothold to further invade the website with additional malcode. There are more vulnerabilities than that active malicious one that avast webshield flags. RFI malware is becoming a trend, we see loads of victim sites affected here in the "virus and worms", as we also see a lot of so-called "weak PHP hacks", like small PHP etc. etc. So, dear webmasters, check the integrity of your code continuously against malcode intruding input!

polonus
« Last Edit: February 10, 2012, 04:04:24 PM by polonus »
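
The replies above suggest going through the theme code for changes and checking its integrity; one way to do that is to compare the deployed theme against a clean copy from the theme vendor and list what differs. This is an added example, not part of the original thread or of any tool named in it; the directory layout, file contents and the thumb-cache.php name are constructed sample data.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def sha1_tree(root):
    """Map each file's path (relative to root) to its SHA-1 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha1(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_trees(clean_root, live_root):
    """Classify files on the live site against the vendor's clean copy."""
    clean, live = sha1_tree(clean_root), sha1_tree(live_root)
    return {
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        "added": sorted(live.keys() - clean.keys()),    # files the vendor never shipped
        "missing": sorted(clean.keys() - live.keys()),  # shipped files deleted on the site
    }

def added_lines(clean_file, live_file):
    """Return lines present only in the live file: the candidate injected code."""
    a = Path(clean_file).read_text(errors="replace").splitlines()
    b = Path(live_file).read_text(errors="replace").splitlines()
    return [line[2:] for line in difflib.ndiff(a, b) if line.startswith("+ ")]

def demo():
    """Constructed sample: a clean theme tree and a tampered live copy."""
    tmp = Path(tempfile.mkdtemp())
    clean, live = tmp / "clean", tmp / "live"
    for root in (clean, live):
        (root / "includes/js").mkdir(parents=True)
        (root / "includes/js/jquery.prettyPhoto.js").write_text(
            "(function($){ /* plugin */ })(jQuery);\n")
        (root / "index.php").write_text("<?php get_header(); ?>\n")
    # Simulated tampering with harmless placeholders (constructed).
    with (live / "includes/js/jquery.prettyPhoto.js").open("a") as fh:
        fh.write("/* INJECTED-PLACEHOLDER */\n")
    (live / "thumb-cache.php").write_text("<?php /* unexpected file */ ?>\n")
    report = compare_trees(clean, live)
    extra = added_lines(clean / "includes/js/jquery.prettyPhoto.js",
                        live / "includes/js/jquery.prettyPhoto.js")
    return report, extra

if __name__ == "__main__":
    report, extra = demo()
    print(report)
    print(extra)
```

A file reported as modified shows where the live site diverges from the vendor's copy, and added_lines shows the exact lines to review; files reported as added deserve the same attention, since they were never part of the theme.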