False Positive?

Avast pops up with js:Redirector-NV [Trj] from time to time when I visit my business’s website hxxp://www.murthamergers.com. Google doesn’t have any issues with the page. http://www.google.com/safebrowsing/diagnostic?site=murthamergers.com

Is this a false positive? Either way, it’s frustrating knowing that possible clients might visit my site and experience this–definitely bad for business.

Thanks,

Patrick

Wepawet - suspicious
http://wepawet.iseclab.org/view.php?hash=811cd9c9ba8f84d981876105b6ba8c1c&t=1329320218&type=js

murthamergers.com.htm - 5/20
http://virusscan.jotti.org/en/scanresult/7e7c8bc8b995c1bd8cebda6ab1893ea0d87476b8

Can you help me fix it?

Let's see if some of the other guys in here can tell you exactly where the malicious code is located…

If not, I suggest this http://sucuri.net/signup

Hi Patrick, welcome to the forum :slight_smile:

Please can you modify the link, to prevent others potentially becoming infected (change http to hXXp)? Thanks.

I currently see no script that would cause an alert; however, since you say that you see intermittent alerts, that could explain why I see nothing right away.

When you next get an alert, could you please provide the full path that is reported within the alert.

Your mention of the js:Redirector type alert is a common one right now. It seems that many have issues at the moment.

Try The Exploit Scanner by Wordpress and see if you can pin anything down.
http://wordpress.org/extend/plugins/exploit-scanner/

Scott

I don’t recognize the network activity entry hxtp://lunes.in/in.cgi?2

And when I go there, it's just a plain HTML page with no code and just the text "GOTCHA!"

Is that it possibly?

I scanned with the exploit plugin, but that’s all Greek to me. Do you want me to post it?

Exploit Scanner had 187 matches by the way

lunes.in/in.cgi?2 - that link is dead: http://www.downforeveryoneorjustme.com/http://lunes.in/in.cgi?2

but if you enter it, a different URL will show in your browser: 188.72.213.186/c/. This is where the GOTCHA is; click the picture in urlQuery.

urlQuery http://urlquery.net/report.php?id=21805

urlQuery http://urlquery.net/report.php?id=21806

That site rings a bell somewhere… the in.cgi?2 follows the pattern for the infection that I have seen so far (for example, a different site, but the same page name: http://forum.avast.com/index.php?topic=93343.msg743100#msg743100)

And when I go there it's just a plain html page with no code and just the text "GOTCHA!"
If it is the malicious site, then this is a possibility. Very often, the page that loads is dependent on the referrer as to what it shows. For instance, a while back there was a malicious site which, on inspection by someone like you or me, would simply redirect to Google. Give it the right referrer etc., and it spits out the malware (and this is often supplied by the page/script that it is embedded in).
I scanned with the exploit plugin, but that's all Greek to me. Do you want me to post it?

I am not quite familiar with the plugin; I just know that it has helped others recently with similar alerts.
It could be posted; someone may spot something.
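The referrer-dependent behaviour described above can be checked rather than guessed at. The following is an added example, not code from the thread or from any of the tools mentioned in it: it fetches a suspect URL under several Referer/User-Agent combinations and reports whether the answer changes. The profile names, the example-infected.test referrer and the `fake_gateway` stand-in are assumptions made here so the script runs offline; `http_fetch` is the live version.

```python
"""Probe a suspect URL under several Referer / User-Agent combinations and
report whether the server's answer changes. A page that looks harmless when
fetched directly but redirects or serves script when the request arrives
"from" the compromised site is the referrer-dependent behaviour described
in the post above."""
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

FetchResult = Tuple[int, str, bytes]          # (status, final URL, body)
Fetcher = Callable[[str, Dict[str, str]], FetchResult]

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/10.0"


def header_profiles(infected_page: str) -> Dict[str, Dict[str, str]]:
    """Request profiles to compare. infected_page is the URL of the site that
    embeds the suspect link, i.e. the referrer a gateway would expect.
    The profile set is an assumption; extend it with whatever the gateway
    might key on."""
    return {
        "direct":        {"User-Agent": BROWSER_UA},
        "from-infected": {"User-Agent": BROWSER_UA, "Referer": infected_page},
        "from-google":   {"User-Agent": BROWSER_UA,
                          "Referer": "http://www.google.com/search?q=test"},
        "scanner-like":  {"User-Agent": "curl/7.21.0"},
    }


def http_fetch(url: str, headers: Dict[str, str], timeout: float = 10.0) -> FetchResult:
    """Live fetch with urllib; redirects are followed so the final URL is
    recorded. Run this only from a throwaway VM: a live gateway will try to
    exploit whatever fetches it."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.geturl(), err.read()


def probe(url: str, infected_page: str, fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """Fetch url once per profile and summarise each answer."""
    results = {}
    for name, headers in header_profiles(infected_page).items():
        status, final_url, body = fetch(url, headers)
        results[name] = {
            "status": status,
            "final_url": final_url,
            "size": len(body),
            "sha1": hashlib.sha1(body).hexdigest(),
        }
    return results


def cloaking_suspected(results: Dict[str, dict]) -> bool:
    """True when at least two profiles got a different final URL or body."""
    seen = {(r["final_url"], r["sha1"]) for r in results.values()}
    return len(seen) > 1


def fake_gateway(url: str, headers: Dict[str, str]) -> FetchResult:
    """Constructed stand-in for an in.cgi-style gateway so the script runs
    offline: only a visit referred by the compromised page is redirected to
    the exploit page; everyone else sees the plain GOTCHA page."""
    if headers.get("Referer", "").startswith("http://www.example-infected.test/"):
        return 302, "http://203.0.113.10/c/", b"<html><script>/* exploit landing */</script></html>"
    return 200, url, b"<html>GOTCHA!</html>"


if __name__ == "__main__":
    res = probe("http://example.test/in.cgi?2",
                "http://www.example-infected.test/", fetch=fake_gateway)
    for name, r in res.items():
        print(f"{name:14s} {r['status']} {r['final_url']} {r['size']}B {r['sha1'][:12]}")
    print("cloaking suspected:", cloaking_suspected(res))
```

For a real check, pass the infected site's page as `infected_page` and leave `fetch` at its default, from a disposable VM. An unchanged answer does not clear the link: a gateway can also key on the client IP (the thread later quotes Sucuri describing this malware as acting only on the first contact from an IP), so the second request from the same address may look clean whatever headers it carries.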

Probably worth mentioning, I had an administrator on my WP page that I didn’t recognize named elizabeths. I deleted it a while back, but it showed up recently again.

I'm reading a lot of information saying that this is possibly related to thumb.php and an unintentional exploit that some theme creators allowed. Among them is WooThemes, which I use. In my PHP code, there is this:

```php
// base64 encoded red image that says 'no hotlinkers'
// nothing to worry about! :)
$imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");
```

The fact that it assures me that there is nothing to worry about, complete with a smiley face, worries me quite a bit.
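Whether a base64 literal is an image or a hidden backdoor can be settled by decoding it and looking at the bytes. The following is an added example, not code from the thread, from timthumb or from the Exploit Scanner plugin: it pulls every `base64_decode("...")` literal out of a PHP file, decodes it and classifies it by magic bytes, parsing the GIF header when it finds one. The literal from the post above is included unchanged; the `SAMPLE_PHP` file, the `eval` line in it and its placeholder payload are constructed here for contrast and are not from the user's site.

```python
"""Find every base64_decode("...") literal in a PHP file, decode it and say
what the bytes really are, so an image blob like timthumb's can be told
apart from an encoded backdoor."""
import base64
import re
import struct
from typing import Dict, List, Tuple

# The literal quoted in the post above, exactly as timthumb.php carries it
# (PHP turns the "\n" escapes into newlines, which base64 decoders skip).
TIMTHUMB_BLOB = (
    "R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\\n"
    "OGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\\n"
    "DULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs="
)

# Constructed sample file: a harmless placeholder for the kind of injected
# line the thread warns about (eval of a base64 payload at the top of a PHP
# file), followed by the genuine timthumb line. Not taken from any real site.
INJECTED = base64.b64encode(b'<?php eval($_POST["cmd"]); ?>').decode()
SAMPLE_PHP = (
    "<?php\n"
    f'eval(base64_decode("{INJECTED}"));\n'
    "// base64 encoded red image that says 'no hotlinkers'\n"
    f'$imgData = base64_decode("{TIMTHUMB_BLOB}");\n'
)

LITERAL_RE = re.compile(r'base64_decode\(\s*(["\'])(.*?)\1\s*\)', re.S)
CODE_MARKERS = (b"<?php", b"eval(", b"<script", b"<iframe",
                b"base64_decode", b"document.write")


def classify(blob: bytes) -> str:
    """Magic bytes first; then tokens that only make sense in injected code."""
    if blob[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if blob.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if blob.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    low = blob.lower()
    if any(marker in low for marker in CODE_MARKERS):
        return "code"
    return "unknown"


def gif_info(blob: bytes) -> Dict[str, object]:
    """Parse the GIF logical screen descriptor and global colour table."""
    width, height, packed = struct.unpack("<HHB", blob[6:11])
    palette: List[Tuple[int, ...]] = []
    if packed & 0x80:                                   # global colour table present
        entries = 2 ** ((packed & 0x07) + 1)
        raw = blob[13:13 + 3 * entries]
        palette = [tuple(raw[i:i + 3]) for i in range(0, len(raw), 3)]
    return {"width": width, "height": height, "palette": palette,
            "trailer_ok": blob.endswith(b"\x3b")}      # 0x3B ends a well-formed GIF


def audit_php(source: str) -> List[Dict[str, object]]:
    """One finding per base64_decode literal, with its line number and type."""
    findings: List[Dict[str, object]] = []
    for m in LITERAL_RE.finditer(source):
        # Strip PHP's newline escapes before decoding: in the source they are
        # backslash + n, and the letter n is valid base64, so they must go.
        text = m.group(2).replace("\\n", "").replace("\\r", "")
        try:
            blob = base64.b64decode(text)
        except ValueError:
            blob = b""
        finding: Dict[str, object] = {
            "line": source.count("\n", 0, m.start()) + 1,
            "kind": classify(blob) if blob else "undecodable",
            "size": len(blob),
        }
        if finding["kind"] == "gif":
            finding.update(gif_info(blob))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit_php(SAMPLE_PHP):
        print(finding)
```

Run against the sample, the timthumb literal decodes to a 146-byte GIF, 80 by 12 pixels with a two-colour red/white palette, which matches its comment; the constructed `eval` line is reported as code. A benign blob in one line says nothing about whether the copy of the script is itself up to date, which is the separate question the thread raises about thumb.php.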

Just as a matter of course, could you remove the code and post it as images please (similar to how I have done it here)?
It just helps prevent potential alerts on avast pages :wink:

Thanks.

Yes, timthumb.php has come up on this detection before… it could be related.

I am not sure about the code that you posted, but it does seem suspicious.

Is that something reported by the exploit scanner?

Exploit Scanner picked up 10 records from thumb.php, and 4 of those were the code I posted before.

Hi pmurtha,

There is an issue with this: WordPress internal path /home/pmurtha/public_html/wp-content/themes/buro/index.php according to the Sucuri scan.
Malware found here: hxxp://murthamergers.com/ re: http://sucuri.net/malware/malware-entry-mwjs6525
Sucuri detected:

iframe or javascript that loads the Phoenix Exploit kit to compromise anyone visiting the web site. This type of malware is generally heavily encoded and hidden in javascript files or at the top of the HTML/PHP/ASP pages.

So update your outdated website software and secure your password. Now let us see: we also get a malware detection alert from the M86 Security Secure Browsing scanner for murthamergers.com/ask-a-question/ -
for that link this code is flagged as suspicious: murthamergers.com/wp-content/plugins/custom-contact-forms/js/custom-contact-forms-datepicker.js?ver=3.3.1 suspicious

[suspicious:2] (ipaddr:50.22.79.64) (script) -murthamergers.com/wp-content/plugins/custom-contact-forms/js/custom-contact-forms-datepicker.js?ver=3.3.1
status: (referer=wXw.murthamergers.com/ask-a-question) saved 124 bytes 197aedbe88643b83a33262c6fc6269011d926b3a
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined function jQuery.noConflict
suspicious:

So work that through the exploit scanner as well.

polonus

OK, so I updated all of my software, and I reinstalled WordPress (I was already up to date).

Can we see if the problem persists?

After doing all of that, I appear to be clean according to Sucuri and VirusTotal. Can I assume that I'm good now? I'm a bit nervous, as Sucuri defined this malware as only acting on the first contact with a particular IP and not on subsequent contacts, which would explain why it's only every once in a while, since I don't have a static IP at the office.

I don't see the lunes link that was in the first Wepawet scan, which was the only indicator that I had to go by…

http://wepawet.iseclab.org/view.php?hash=05b853f5e9ad50cadaa71fc2003e1441&t=1329335200&type=js

Well I suppose I’ll chalk it up to bullet dodged?

Does anyone have experience with Sucuri's service? It's worth $90 a year to me if it means peace of mind.

Hi pmurtha,

Seems you are good to go; I see no avast alerts now when going to the site.
Stay safe and secure,

polonus