Author Topic: False Positive?  (Read 5960 times)


pmurtha

  • Guest
False Positive?
« on: February 15, 2012, 04:32:26 PM »
Avast pops up with js:Redirector-NV [Trj] from time to time when I visit my business's website hxxp://www.murthamergers.com. Google doesn't have any issues with the page. http://www.google.com/safebrowsing/diagnostic?site=murthamergers.com

Is this a false positive? Either way, it's frustrating knowing that possible clients might visit my site and experience this--definitely bad for business.

Thanks,

Patrick
« Last Edit: February 15, 2012, 04:56:27 PM by pmurtha »

Offline Pondus

  • Probably Bot
  • Not a avast user

pmurtha

  • Guest
Re: False Positive?
« Reply #2 on: February 15, 2012, 04:42:28 PM »
Can you help me fix it?

Offline Pondus

  • Probably Bot
  • Not a avast user
Re: False Positive?
« Reply #3 on: February 15, 2012, 04:46:24 PM »
Let's see if some of the other guys in here can tell you exactly where the malicious code is located...

If not, I suggest this: http://sucuri.net/signup

spg SCOTT

  • Guest
Re: False Positive?
« Reply #4 on: February 15, 2012, 04:50:51 PM »
Hi Patrick, welcome to the forum :)

Please can you modify the link to prevent others potentially becoming infected (change http to hXXp). Thanks.

I currently see no script that would cause an alert, however since you say that you see intermittent alerts, that could explain why I see nothing right away.

When you next get an alert, could you please provide the full path that is reported within the alert?

Your mention of the js:Redirector type alert is a common one right now. It seems that many have issues at the moment.

Try the Exploit Scanner by WordPress and see if you can pin anything down.
http://wordpress.org/extend/plugins/exploit-scanner/

Scott

pmurtha

  • Guest
Re: False Positive?
« Reply #5 on: February 15, 2012, 04:54:09 PM »
I don't recognize the network activity entry hxtp://lunes.in/in.cgi?2

And when I go there it's just a plain HTML page with no code and just the text "GOTCHA!"

Is that it possibly?

I scanned with the exploit plugin, but that's all Greek to me. Do you want me to post it?

pmurtha

  • Guest
Re: False Positive?
« Reply #6 on: February 15, 2012, 04:57:38 PM »
Exploit Scanner had 187 matches, by the way.

Offline Pondus

  • Probably Bot
  • Not a avast user
Re: False Positive?
« Reply #7 on: February 15, 2012, 05:06:37 PM »
lunes.in/in.cgi?2 - that link is dead: http://www.downforeveryoneorjustme.com/http://lunes.in/in.cgi?2

But if you enter it, a different URL will show in your browser: 188.72.213.186/c/. This is where the GOTCHA is; click the picture in urlQuery.

urlQuery  http://urlquery.net/report.php?id=21805

urlQuery  http://urlquery.net/report.php?id=21806

spg SCOTT

  • Guest
Re: False Positive?
« Reply #8 on: February 15, 2012, 05:07:25 PM »
Quote
I don't recognize the network activity entry hxtp://lunes.in/in.cgi?2
That site rings a bell somewhere... the in.cgi?2 follows the pattern for the infection that I have seen so far (for example, a different site, but the same page name: http://forum.avast.com/index.php?topic=93343.msg743100#msg743100)

Quote
And when I go there it's just a plain html page with no code and just the text "GOTCHA!"
If it is the malicious site, then this is a possibility. Very often, the page that loads is dependent on the referrer as to what it shows.
For instance, a while back there was a malicious site which, on inspection by someone like you or me, would simply redirect to Google.
Give it the right referrer etc., and it spits out the malware (and this is often supplied by the page/script that it is embedded in).


Quote
I scanned with the exploit plugin, but that's all Greek to me. Do you want me to post it?

I am not quite familiar with the plugin, just know that it has helped others recently with similar alerts.
It could be posted, someone may spot something.


pmurtha

  • Guest
Re: False Positive?
« Reply #9 on: February 15, 2012, 05:19:37 PM »
Probably worth mentioning, I had an administrator on my WP page that I didn't recognize named elizabeths. I deleted it a while back, but it showed up recently again.

I'm reading a lot of information saying that this is possibly related to thumb.php and an unintentional exploit that some theme creators allowed. Among them is WooThemes, which I use. In my PHP code, there is this:

Code:
// base64 encoded red image that says 'no hotlinkers'
// nothing to worry about! :)
$imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");

The fact that it assures me that there is nothing to worry about, complete with a smiley face, worries me quite a bit.
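An added check, not code from the thread or from the theme: rather than trust the "nothing to worry about" comment, decode the base64 blob quoted above and walk the GIF block structure to confirm it is one complete image with nothing appended and no script-like text inside. The function and variable names are mine; FAKE_BLOB is a constructed counter-example.

```python
import base64
import re
import struct

# Blob quoted from the theme's thumb.php in the post above ("\n" is inside the PHP literal too).
TIMTHUMB_BLOB = (
    "R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\n"
    "OGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\n"
    "DULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs="
)
FAKE_BLOB = base64.b64encode(b"GIF89a<script>alert(1)</script>").decode()  # constructed counter-example
SCRIPT_TOKENS = re.compile(rb"<script|<\?php|eval\(|document\.write|<iframe", re.I)
def _skip_sub_blocks(data, pos):
    # GIF data sub-blocks: a length byte followed by that many bytes, repeated until a 0 length byte.
    while data[pos]:
        pos += 1 + data[pos]
    return pos + 1
def _walk_gif(data):
    # Returns (width, height, palette, blocks, offset just past the trailer); raises on bad structure.
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("no GIF signature")
    width, height, packed = struct.unpack_from("<HHB", data, 6)   # logical screen descriptor
    pos, palette, blocks = 13, [], []
    if packed & 0x80:                                             # global colour table present
        n = 2 ** ((packed & 7) + 1)
        palette = [tuple(data[pos + 3 * i:pos + 3 * i + 3]) for i in range(n)]
        pos += 3 * n
    while data[pos] != 0x3B:                                      # 0x3B is the trailer
        if data[pos] == 0x21:                                     # extension: label byte, then sub-blocks
            blocks.append("ext")
            pos = _skip_sub_blocks(data, pos + 2)
        elif data[pos] == 0x2C:                                   # image descriptor, optional local table
            blocks.append("image")
            lct = data[pos + 9]
            pos += 10 + (3 * 2 ** ((lct & 7) + 1) if lct & 0x80 else 0)
            pos = _skip_sub_blocks(data, pos + 1)                 # +1 skips the LZW minimum code size
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (data[pos], pos))
    return width, height, palette, blocks, pos + 1
def inspect_blob(b64):
    """Decode base64 and report whether it is one complete GIF with nothing hidden in or after it."""
    data = base64.b64decode(b64)      # non-alphabet chars such as "\n" are skipped, as in PHP
    result = {"size": len(data), "suspicious": SCRIPT_TOKENS.findall(data), "is_gif": False}
    try:
        w, h, palette, blocks, end = _walk_gif(data)
    except (ValueError, IndexError) as exc:          # IndexError means it ran out before the trailer
        result["error"] = str(exc)
        return result
    result.update(is_gif=True, width=w, height=h, palette=palette, blocks=blocks,
                  trailing_bytes=len(data) - end)
    return result
```

For the quoted blob this reports an 80x12 two-colour (red and white) GIF with an extension block, one image block, zero trailing bytes and no script tokens, which is consistent with the comment's "red image".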

spg SCOTT

  • Guest
Re: False Positive?
« Reply #10 on: February 15, 2012, 06:01:13 PM »
Just as a matter of course, could you remove the code and post it as images please (similar to how I have done it here)?
It just helps prevent potential alerts on avast pages ;)

Thanks.

Yes, Timthumb.php has come up on this detection before...it could be related.

I am not sure about the code that you posted, but it does seem suspicious.

Is that something reported by the exploit scanner?

pmurtha

  • Guest
Re: False Positive?
« Reply #11 on: February 15, 2012, 07:38:27 PM »
Exploit Scanner picked up 10 records from thumb.php, and 4 of those were the code I posted before.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • malware fighter
Re: False Positive?
« Reply #12 on: February 15, 2012, 07:56:23 PM »
Hi pmurtha,

There is an issue with this: WordPress internal path /home/pmurtha/public_html/wp-content/themes/buro/index.php according to the Sucuri scan.
Malware found here: hxxp://murthamergers.com/, re: http://sucuri.net/malware/malware-entry-mwjs6525
Sucuri detected
Quote
iframe or javascript that loads the Phoenix Exploit kit to compromise anyone visiting the web site. This type of malware is generally heavily encoded and hidden on javascript files or at the top of the HTML/PHP/ASP pages.
So update your outdated website software and secure your password. Now let us see: we also get a malware detection alert from the M86 Security Secure Browsing scanner for murthamergers.com/ask-a-question/.
For that link this code is flagged as suspicious: murthamergers.com/wp-content/plugins/custom-contact-forms/js/custom-contact-forms-datepicker.js?ver=3.3.1
[suspicious:2] (ipaddr:50.22.79.64) (script) -murthamergers.com/wp-content/plugins/custom-contact-forms/js/custom-contact-forms-datepicker.js?ver=3.3.1
     status: (referer=wXw.murthamergers.com/ask-a-question)saved 124 bytes 197aedbe88643b83a33262c6fc6269011d926b3a
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined function jQuery.noConflict
     suspicious:
So work that through the exploit scanner as well.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

pmurtha

  • Guest
Re: False Positive?
« Reply #13 on: February 15, 2012, 08:15:46 PM »
OK, so I updated all of my software, and I reinstalled WordPress (I was already up to date).

Can we see if the problem persists?

pmurtha

  • Guest
Re: False Positive?
« Reply #14 on: February 15, 2012, 08:39:42 PM »
After doing all of that, I appear to be clean according to Sucuri and VirusTotal. Can I assume that I'm good now? I'm a bit nervous, as Sucuri defined this malware as only acting on the first contact with a particular IP and not on subsequent contacts, which would explain why it's only every once in a while, since I don't have a static IP at the office.