Hi,
I own a site xxx and today it got blocked by Avast. It says it is infected with html:script-inf, but using the Dr. Web online scanner the site appears to be clean.
The site is a WordPress site, it has not been hacked nor modified in the last weeks, and I’m using a security plugin to avoid any attack.

Hello,

Your website is infected → it contains an injected script tag that refers to superpuperdomain.com, which is a known malicious domain.

You will have to fix that and check how your server was hacked/infected.

Regards


Malware info: Malware entry: MW:JS:67473
http://sucuri.net/malware/malware-entry-mwjs67473

Just to add:
(Mainly)
If the mods haven’t done it yet, please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.


(Already Covered) The script is located at the end of the page, and this seems to be a rather directed attack on WordPress sites. You are not the first. Overall detection at VT: http://www.virustotal.com/file-scan/report.html?id=3819afed8e3b325b75196977324f753dac173fba6cdfa1ba0c7cbe2cbc4a58c8-1314111077

Scott
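The check described in the replies above (a script tag appended at the end of the page that points at an outside domain), as an added example that is not part of any post in this thread. The hostnames, the allowlist and the sample page are constructed for illustration; the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptAudit(HTMLParser):
    """Record every <script src=...> and whether it appears after </body> or </html>."""
    def __init__(self):
        super().__init__()
        self.scripts = []          # (host, src, seen_after_body_close)
        self.body_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                # Relative URLs have no hostname; protocol-relative ones do.
                host = (urlparse(src).hostname or "").lower()
                self.scripts.append((host, src, self.body_closed))

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.body_closed = True

def audit(html, site_host, allowed_hosts):
    """Return external script references whose host is not the site or allowlisted."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    findings = []
    for host, src, trailing in parser.scripts:
        if not host or host == site_host or host in allowed_hosts:
            continue
        findings.append({"host": host, "src": src, "after_body_close": trailing})
    return findings

# Constructed sample: a page with one script appended after the closing tags.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body><p>Hello</p></body></html>
<script src="http://injected.example/js.php"></script>"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE, "blog.example", {"cdn.example.org"}):
        where = "after </body>" if f["after_body_close"] else "inside document"
        print(f"unexpected script host {f['host']} ({where}): {f['src']}")
```

Run it against the HTML your server actually returns to a visitor, since an injection added at render time will not show up in the theme files you edit.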

Thank you guys. Do you have any idea about how it can be attacked? I’m using a WordPress plugin that protects the site against XSS, CSRF, Base64_encode and SQL Injection and has htaccess protection.

Should I change my webhost or is it a WP vulnerability?

Apparently it is to do with a theme/plugin vulnerability:
http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain-com-attacking-timthumb-php.html
http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html

Thank you again Scott.

Hi YunShui,

Site seems now cleansed, see: http://urlquery.net/report.php?id=1948

There is still a theme issue here: Wordpress theme: -http://bichi-web.com/wp-content/themes/bichi/
Wordpress internal path: -/home/bichiweb/public_html/wp-content/themes/bichi/index.php

Your website makes use of cookies without Platform for Privacy Preferences Project (www.w3.org/P3P/).
The website gives away that the content is being generated dynamically through the “X-Powered-By” HTTP Header. It is a better security policy to remove this header.
The website makes use of a tracking graphical.
The server gives away details of the server software version, this should be avoided, so hackers won’t be any the wiser.

Spam Check and Safe browsing status green, Child safety rate a non critical 0.28 % hit.

Stay safe and secure online is the wish of,

polonus