avast blocked my wordpress site

Hi,

I need help with my website issue.

Avast blocked it and said that there is something called js:Redirector-NT [Trj] :-\

Result from http://sitecheck.sucuri.net:
http://sitecheck.sucuri.net/results/http://www.banknieruchomosci.suwalki.pl/

VirusTotal:
https://www.virustotal.com/url/58fe3e3717c61759f49f7b143ef2c0f229651f7905c8ae0b1e3e5508e6ba9324/analysis/

and Wepawet:
http://wepawet.iseclab.org/view.php?hash=ae715db1345938abdef3d0420a2eabb9&t=1328653379&type=js

Why does Avast still block my website?

VirusTotal - 4/43
https://www.virustotal.com/file/02a8f4f839f02cf2528e5509f4f12c6db42445856c52d5cc7f2c0734dbfd19c7/analysis/1328653795/

This page seems to be 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.banknieruchomosci.suwalki.pl

Hi TuneR,

I see an issue in the code here: suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
-www.banknieruchomosci.suwalki.pl/js/mootools.js suspicious
[suspicious:2] (ipaddr:46.4.118.84) (script) -www.banknieruchomosci.suwalki.pl/js/mootools.js
status: (referer=www.banknieruchomosci.suwalki.pl/)saved 70248 bytes 2bc531db9e66f06b8ed8c191594d7dccbb1e151c
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
suspicious:
Also check the code following ddfs_data. It is given as suspicious here: http://www.unmaskparasites.com/security-report/?page=www.banknieruchomosci.suwalki.pl - but I cannot see any badware redirect or RFI, but check it anyway!

polonus

-www.banknieruchomosci.suwalki.pl/js/mootools.js suspicious
0/43 https://www.virustotal.com/file/775354b2abf55b5528fa230db0aee5f745abdfcc7fb30e79431f5df702447e12/analysis/1328655282/

Thanks, I deleted it but Avast still says that I have a trojan on my website :expressionless:
How do I get rid of it?

well…that changed the Wepawet result to benign
http://wepawet.iseclab.org/view.php?hash=ae715db1345938abdef3d0420a2eabb9&t=1328656283&type=js

and VirusTotal HTML scan now says clean
https://www.virustotal.com/file/23ee03ac307401aebaad9e640233525a64086c5ddb6ee997b02e470870cd2b28/analysis/1328656472/

Hi Pondus,

There is nothing malicious there per se, just might be unpatched code and/or vulnerabilities.
So it should be reported to avast and the site can be de-blocked with a coming update…
Well it is jsunpack that flags that bit of code following a hiccup, so there must be some issue. Plug-in code should be checked regularly for RFI.
See: http://www.whitefirdesign.com/resources/check-if-a-web-page-is-redirecting-when-accessed-from-google.html
But as you mentioned this kind of malware is a fast moving circus, so they might already have broken up their tents and be keeping show in another place,
e.g. have migrated their malicious activities elsewhere…

polonus

So it’s clear now? Today I’m gonna update WordPress to 3.3.1 - is it a good idea?

Yes…it is a good thing to do :slight_smile:

Now my Avast shows something like this:

http://www.imagebanana.com/view/1l3yzv5w/guz.JPG

:-X

(it’s in Polish - Zarżenie means infection, Działanie: czynność zablokowano - Action - blocked the action)

Is there any possibility that something is cached? Because on my second laptop (win 7 and newest Avast) I don’t get such notices :expressionless:

have you tried to get help from Sucuri ?..it is not free http://sucuri.net/signup

First I’ll try to update my WordPress.

I’ve found a solution for my trojan issues. After I managed to remove js:Redirector-NT [Trj], in a few hours avast said that I have a js:Redirector-VR [Trj] or js:Redirector-MR [Trj] trojan on my website :expressionless: So the only solution was to upload all WordPress files once again. For 24h I have had no trojan alerts!