Avast blocking my sites

It blocked my three sites:
hxtp://butkovski.com.ua/
hxtp://www.muz-shkola.com/
hxtp://narodnyj-dim.org.ua/

However, other antiviruses do not see a virus on the sites: Kaspersky sees no virus on the sites, Dr.Web does not see a virus on the sites, and neither Google nor Yandex reports that my sites are dangerous.
My hosting provider checked the sites for viruses and found none.
How do I solve this question???
I read about the Avast “black list”; maybe these sites somehow got there???
Help me solve this problem.
Thank you.
Sorry for my bad English.

Hi ppkvest,

Make the links non-click-through, please. The warning is for the Wordpress internal path: - /home/zoloch/public_html/butkovski.com.ua/wp-content/themes/FOTO/index.php
Update Wordpress
Same here: Wordpress internal path: -/home/zoloch/public_html/muz-shkola.com/wp-content/themes/muz-shkola/index.php
Wordpress internal path: /home/zoloch/public_html/narodnyj-dim.org.ua/wp-content/themes/Zl-RND/index.php
Wordpress version outdated: Upgrade required.
Phishing has been going on from IP 46.4.74.213
This in the code is suspicious:
-butkovski.com.ua/wp-content/plugins/jquery-colorbox/js/jquery-colorbox-wrapper-min.js?ver=4.2 suspicious
[suspicious:2] (ipaddr:46.4.74.213) (script) -butkovski.com.ua/wp-content/plugins/jquery-colorbox/js/jquery-colorbox-wrapper-min.js?ver=4.2
status: (referer=-butkovski.com.ua/)saved 5262 bytes 0080381abcb35876d5b5e924b1035a62feb4a262
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined function jQuery
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes

-www.muz-shkola.com/wp-content/plugins/easy-fancybox/fancybox/jquery.easing-1.3.pack.js?ver=1.3 suspicious
[suspicious:2] (ipaddr:46.4.74.213) (script) -www.muz-shkola.com/wp-content/plugins/easy-fancybox/fancybox/jquery.easing-1.3.pack.js?ver=1.3
status: (referer=-www.muz-shkola.com/)saved 6717 bytes 55d99c8d1e3e5867724a274df57ad05e3168a5cc
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes

-narodnyj-dim.org.ua/wp-includes/js/jquery/jquery.js?ver=1.6.1 suspicious
[suspicious:2] (ipaddr:46.4.74.213) (script) -narodnyj-dim.org.ua/wp-includes/js/jquery/jquery.js?ver=1.6.1
status: (referer=-narodnyj-dim.org.ua/)saved 91363 bytes b9847b48c43ace3a30b5efe117e10d58c975ec95
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
error: undefined function a.getElementsByTagName
error: undefined variable a
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes

Malicious: 1 suspicious inline script found. <!--scounter--><script>eval(function(p,a,c,k,e,r) etc. JS:Redirector-MR [Trj] detected, see: Unmasked Parasites Report…

polonus

I visited all three sites with firefox and NoScript plus RequestPolicy security add-ons. I selectively allowed Scripts and then cross site scripting to try and pinpoint the area being alerted on.

Site 1. The problem appears to be with the cross site scripting to i.ua and back to your site.
See http://www.urlvoid.com/scan/butkovski.com.ua.

Site 2. I had no alert on this site when scripts and cross site scripting allowed.
See http://www.urlvoid.com/scan/muz-shkola.com.

Site 3. I got an immediate alert by avast on this site even before I allowed any scripts.
See http://www.urlvoid.com/scan/narodnyj-dim.org.ua.

http://www.virustotal.com/file-scan/report.html?id=2ddbc65bdb88b889d93fc476dcea15c5b7791d71e57d97c63018b7e87c0ab9db-1323355681

Whilst urlvoid finds nothing (on any of the sites), it is only looking locally and not on any off site content. But avast seems to have a problem with embedded content [Embedded:DeanEdwards], seeing it as a javascript Redirector (image1), this was the same with the first site when i.ua was allowed.

This needs to be reported for further analysis:

  • There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for: Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media) issues.

  • If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review, etc. A link to this topic also wouldn’t hurt.

Thank you very much for your reply.

@ppkvest,

Apparently the issue is with decompressing p,a,c,k,e,d javascript.
The Dean Edwards online packer can be found here: http://dean.edwards.name/packer/
also read: http://www.red-root.com/code/decompressing-packed-javascript-files/
link author = Luke Williams aka redroot.

@DavidR,
Is it the dean edwards packed script that is being flagged by avast?

polonus

That is what is in the avast alert image I posted.

You wrote that the reason for blocking the site is this script:

-www.muz-shkola.com/wp-content/plugins/easy-fancybox/fancybox/jquery.easing-1.3.pack.js?ver=1.3 suspicious
[suspicious:2] (ipaddr:46.4.74.213) (script) -www.muz-shkola.com/wp-content/plugins/easy-fancybox/fancybox/jquery.easing-1.3.pack.js?ver=1.3
status: (referer=-www.muz-shkola.com/)saved 6717 bytes 55d99c8d1e3e5867724a274df57ad05e3168a5cc
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes

I deleted all files of the easy-fancybox plugin, but Avast is still blocking the site because of a virus.
Help!

Hi ppkvest,

It is the Dean Edwards packed counter script that is being flagged by avast; the code starts with
→ eval(function(p,a,c,k,e,r) etc.
See here, where I submitted it for de-obfuscation: http://jsunpack.jeek.org/?report=4c3150f39b8abe2491923fdb67c966974145948e (go there only if you are security savvy enough, with the NoScript extension installed and active, and inside a VM (sandboxed)).
It is flagged by avast because it is being used in a mass Wordpress injection attack.
Read from Dean Edwards: http://www.stopthehacker.com/tag/dean-edwards/

There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for: Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media) issues.

polonus
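Since the thread never shows what the packed blob actually contains, here is an added example (not code from the thread, from avast or from Dean Edwards' site) of what a site owner can do with an eval(function(p,a,c,k,e,r)... script before deleting plugins at random: decode it with the packer's own word-substitution scheme instead of eval(), so nothing runs, then look for the traits of the JS redirectors polonus mentions (a location assignment, a cookie gate so the redirect fires once per visitor, hidden iframes, nested eval). The packed sample at the bottom was constructed by hand for this example and packs a small cookie-gated redirect to the reserved domain evil.example; the trait list is a triage heuristic of my own, not avast's JS:Redirector signature. Node.js is assumed.

```javascript
// Added example, not code from the thread or from avast: decode a Dean Edwards
// "p,a,c,k,e,r" packed script WITHOUT running it, then grep the decoded text
// for redirector traits. The packed sample at the bottom was constructed by
// hand for this example; "evil.example" is a reserved example domain.

// Inverse of the packer's e() function: '0'-'9' and 'a'-'z' are base-36 digits;
// for base 62 the packer maps 36..61 to 'A'-'Z' (char code + 29).
// Returns -1 for anything that is not a valid packed word in the given base.
function wordToIndex(word, base) {
  let n = 0;
  for (const ch of word) {
    const code = ch.charCodeAt(0);
    let digit;
    if (code >= 48 && code <= 57) digit = code - 48;        // '0'..'9'
    else if (code >= 97 && code <= 122) digit = code - 87;  // 'a'..'z' -> 10..35
    else if (code >= 65 && code <= 90) digit = code - 29;   // 'A'..'Z' -> 36..61
    else return -1;
    if (digit >= base) return -1;
    n = n * base + digit;
  }
  return n;
}

// Minimal parser for the quoted string literals the packer emits. Starts at the
// opening quote; returns the decoded value and the index past the closing quote.
function parseStringLiteral(src, pos) {
  const quote = src[pos];
  if (quote !== "'" && quote !== '"') throw new Error('expected string literal at ' + pos);
  let out = '';
  for (let i = pos + 1; i < src.length; i++) {
    const ch = src[i];
    if (ch === quote) return { value: out, end: i + 1 };
    if (ch !== '\\') { out += ch; continue; }
    const esc = src[i + 1];
    if (esc === 'n') out += '\n';
    else if (esc === 'r') out += '\r';
    else if (esc === 't') out += '\t';
    else if (esc === 'x') { out += String.fromCharCode(parseInt(src.slice(i + 2, i + 4), 16)); i += 2; }
    else if (esc === 'u') { out += String.fromCharCode(parseInt(src.slice(i + 2, i + 6), 16)); i += 4; }
    else out += esc;                      // \\ \' \" and any other escaped char
    i++;                                  // skip the escaped character itself
  }
  throw new Error('unterminated string literal');
}

// The packer's header; the argument list follows the first "}(" that is
// directly followed by a quoted string (the payload).
const PACKED_HEADER = /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[rd]\s*\)/;

// Returns the decoded source, or throws if the input is not a packed script.
function unpack(packed) {
  const head = PACKED_HEADER.exec(packed);
  if (!head) throw new Error('not a p,a,c,k,e,r packed script');
  const argsRe = /\}\s*\(\s*(?=['"])/g;
  argsRe.lastIndex = head.index + head[0].length;
  const args = argsRe.exec(packed);
  if (!args) throw new Error('argument list not found');
  let pos = args.index + args[0].length;
  const payload = parseStringLiteral(packed, pos);
  pos = payload.end;
  const nums = /^\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*/.exec(packed.slice(pos));
  if (!nums) throw new Error('base and word count not found');
  const base = Number(nums[1]);
  const count = Number(nums[2]);
  if (base > 62) throw new Error('base ' + base + ' (high-ASCII packing) not supported here');
  pos += nums[0].length;
  const wordList = parseStringLiteral(packed, pos);
  if (!/^\s*\.split\s*\(\s*(['"])\|\1\s*\)/.test(packed.slice(wordList.end))) {
    throw new Error("expected .split('|') after the word list");
  }
  const k = wordList.value.split('|');
  if (k.length !== count) throw new Error('word list has ' + k.length + ' entries, header says ' + count);
  // Packer fast path, reversed: every \w+ token in the payload is an encoded
  // index; an empty dictionary entry means the word encoded to itself.
  return payload.value.replace(/\b\w+\b/g, (tok) => {
    const i = wordToIndex(tok, base);
    return i >= 0 && i < count && k[i] ? k[i] : tok;
  });
}

// Traits of the redirectors seen in mass WordPress injections. Constructed for
// this example as a triage aid; this is not avast's JS:Redirector signature.
const REDIRECT_TRAITS = [
  { name: 'location assignment', re: /\blocation(?:\.href|\.replace|\.assign)?\s*(?:=[^=]|\()/ },
  { name: 'cookie gate', re: /document\.cookie/ },
  { name: 'document.write of markup', re: /document\.write\s*\(/ },
  { name: 'hidden iframe', re: /<iframe[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none|width\s*=\s*["']?[01]\b)/i },
  { name: 'nested eval/unescape', re: /\b(?:eval|unescape)\s*\(/ },
];

function analyze(packed) {
  const source = unpack(packed);
  const findings = REDIRECT_TRAITS.filter((t) => t.re.test(source)).map((t) => t.name);
  return { source, findings };
}

// Hand-packed sample (constructed): a cookie-gated redirect, base 62, 16 words.
const SAMPLE_PACKED =
  String.raw`eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};` +
  String.raw`if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};` +
  String.raw`while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}` +
  String.raw`('6 4=\'7://8.9/a\';b(2.3.c(\'5\')<0){2.3=\'5=1\';d.e.f=4}',62,16,` +
  String.raw`'||document|cookie|u|r|var|http|evil|example|go|if|indexOf|window|location|href'.split('|'),0,{}))`;

const result = analyze(SAMPLE_PACKED);
console.log(result.source);
console.log('redirector traits:', result.findings.join(', ') || 'none');
```

Run it with node and compare the decoded text with what the legitimate file is supposed to contain: a genuine jquery.easing or colorbox file decodes to recognisable library code, while an injected "counter" decodes to a redirect. Because nothing is executed, the 10-second runtime limit that the scanner output quoted above ran into does not apply; the trade-off is that this handles only the standard packer and refuses the high-ASCII (base 95) variant rather than guessing at it.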

Hi,

same happening to two of my websites: www.biotechnologistes.fr
www.esbsalumni.net

Cannot find any problem with Sucuri or any other tool, only a user telling me that avast blocks the site with a JS:Redirector-NT [Trj] message - false positive?

Fast help would be great!

Best

Sebastian

Site has been hacked, see: http://urlquery.net/report.php?id=19283

-www.biotechnologistes.fr/wp-content/themes/canvas/includes/js/feedback.js?ver=3.3.1 suspicious
[suspicious:2] (ipaddr:82.165.88.227) (script) -www.biotechnologistes.fr/wp-content/themes/canvas/includes/js/feedback.js?ver=3.3.1
status: (referer=-www.biotechnologistes.fr/)saved 1509 bytes a470c4c7cce338d0ebd80cf52c1caa247879939b
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined function jQuery
suspicious:

Also read this: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/ link comes from wpmu.org, article author Siobhan McKeown,

polonus

Hi @Polonus,

it's not a free theme; I am paying a woothemes membership fee for it…

Thanks a lot for your help, but the site you are referencing says "Status: Report complete.
Alerts - No alerts detected."

The JS you referenced seems to be fine:

jQuery(document).ready(function($){

	/*-----------------------------------------------------------------------------------*/
	/* Feedback slide/fade setup.                                                         */
	/*-----------------------------------------------------------------------------------*/

	if ( jQuery( '.feedback' ).length ) {
		jQuery( '.feedback' ).each( function () {
			var effect = 'none';

			if ( jQuery( this ).hasClass( 'fade' ) ) { effect = 'fade'; }

			if ( effect != 'none' ) {
				jQuery( this ).slides({
					container: 'feedback-list',
					next: 'btn-next',
					prev: 'btn-prev',
					effect: effect,
					play: 5000,
					fadeSpeed: 350,
					autoHeight: true,
					generatePagination: false,
					hoverPause: true,
					animationComplete: function () { jQuery( this ).stop(); },
					slidesLoaded: function () { jQuery( '.feedback-list .slides_control' ).css( 'height', jQuery( '.feedback-list .quote:first' ).height() ); }
				});
			}
		});
	}

	/*-----------------------------------------------------------------------------------*/
	/* Make sure feedback widgets have the correct width on each feedback item.           */
	/*-----------------------------------------------------------------------------------*/

	if ( jQuery( '.widget_woo_feedback .feedback-list' ).length ) {
		jQuery( '.widget_woo_feedback .feedback-list' ).each( function () {
			var width = jQuery( this ).parent().width();
			if ( width ) {
				jQuery( this ).find( '.quote' ).css( 'width', width + 'px' );
			}
		});
	}

}); // End jQuery()

I still don't see why the page would be hacked. On urlquery, however, it shows the j.mp links from the newsletter and from Twitter as suspicious; maybe deleting them from the post helps?

Best

S.

Dear Polonus and avast community,

would you mind checking again if the two websites www.biotechnologistes.fr and www.esbsalumni.net are indeed being flagged by avast! rightfully? I am on a Mac here and cannot reproduce the problem reported by the users, nor find any problematic scripts nor any test website reporting me a problem…

Best

Sebastian

Wepawet - suspicious
http://wepawet.iseclab.org/view.php?hash=40211c085b8fd81ec7f3ef0cda249a07&t=1328628045&type=js

Wepawet - benign
http://wepawet.iseclab.org/view.php?hash=0bf776d3319a5e7e64f3663ef4bf8c7a&t=1328628083&type=js

biotechnologistes.fr.htm - 4/43
https://www.virustotal.com/file/1dee4d016a03850288ffb4c10ddd25e0b3604e23ce355d5bffcadf3a36db6502/analysis/

esbsalumni.net.htm - 0/43
https://www.virustotal.com/file/7dc8902de0f4e267923deb48c5bd7e9fdd6f4d3b69d88d944f8cacbfc8cd56be/analysis/

@sol777,

Well, the plug-in is a paid-for custom one, OK, but it comes flagged in the VT additional data as

MIMEType.................: text/html ContentType..............: text/html; charset=UTF-8 Generator................: WooFramework 4.8.3 Title....................: Nouvelle Génération des Biotechnologistes | NGB - la communauté des jeunes biotechnologistes francophones FileType.................: HTML Robots...................: index, nofollow

When using such a plugin, you should always check the number of database queries that are made while the index page, archive page, single post, etc. are being displayed… That could help to discover any strange/weird (meaning: not expected) database queries and malcode inside the plugins or templates,

@Pondus, thanks for the confirmation via the scanning,

polonus

No detection on VT today…
https://www.virustotal.com/file/b34e9faf1d886f56730a026227b7a62edbf20e8c322c492158c0b1bc0d083990/analysis/1328650848/

Well, I can't understand why avast is blocking my sites and some of my clients' sites. None of them have any virus or any type of worm… Avast is blocking javascript libraries like prototype and script.aculo.us. I'll have to alter my scripts (I'll find out how) and I'll uninstall and delete any trace of avast from my computer (I'll set up a virtual machine to debug any problem), from my clients' computers (yes, I have been installing it on a lot of them, since I also do IT) and advise everyone I can not to use avast. This is no way to secure users from malicious code. It's javascript: block it… Web designers already have to put up with browser stupidities, and now we have to mind windows antivirus software too?

Yes. Did you think you were getting into a cakewalk? Maybe you think everyone should make your work easier?

Naturally, this is not the answer. You have to meet in the middle somewhere.

As long as sites have vulnerabilities and get hacked, you will have to put up with the opposite, the people trying to prevent it.

It would be nice if you posted a broken link to these sites. There are people here who can check such things.

Are you serious? A cakewalk? I've been driving it for more than 10 years now; I have no problem with it! Maybe I think that no one should make my work harder, especially if they don't have to…

This is no vulnerability, nothing got hacked… The only thing avast is trying to do is to prevent ill-intentioned people from putting up sites with malware/spyware… in my opinion, badly. What avast is blocking (in my case) is compression: gzipped server-side javascript. The files are not encrypted. Avast just doesn't care: it's gzip, it's bad. Though it reduces my file sizes 10 times.

Maybe the people trying to prevent things like this should block windows from loading up… oh wait, that would defeat the purpose of any antivirus…

Well, you’re not the only one who uses gzip to reduce transported data; that’s not the problem for sure!

Please give us the domains so we can check what’s going on and potentially fix the false positive detections.

Regards

hxxp://wxw.sedonalibrary.org is blocked too. Any thoughts on why?