Is this a false positive? Either way, it’s frustrating knowing that possible clients might visit my site and experience this–definitely bad for business.
Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.
I currently see no script that would cause an alert, however since you say that you see intermittent alerts, that could explain why I see nothing right away.
When you next get an alert, could you please provide the full path that is reported within the alert.
Your mention of the js:Redirector type alert is a common one right now. It seems that many have issues at the moment.
And when I go there it's just a plain html page with no code and just the text "GOTCHA!"
If it is the malicious site, then this is a possibility. Very often, the page that loads is dependent on the referrer as to what it shows.
For instance, a while back there was a malicious site which, on inspection by someone like you or me, would simply redirect to Google.
Give it the right referrer etc., and it spits out the malware (and this is often supplied by the page/script that it is embedded in).
I scanned with the exploit plugin, but that's all Greek to me. Do you want me to post it?
I am not quite familiar with the plugin, just know that it has helped others recently with similar alerts.
It could be posted, someone may spot something.
Probably worth mentioning, I had an administrator on my WP page that I didn’t recognize named elizabeths. I deleted it a while back, but it showed up recently again.
I’m reading a lot of information saying that this is possibly related to thumb.php and an unintentional exploit that some theme creators allowed. Among them is WooThemes, which I use. In my PHP code, there is this:
// base64 encoded red image that says 'no hotlinkers'
// nothing to worry about! :)
$imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");
The fact that it assures me that there is nothing to worry about, complete with a smiley face, worries me quite a bit.
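A way to settle that question without trusting the comment, as an added check that is not part of the original post: decode the blob and look at what the bytes actually are. A real image starts with a known file signature, and a GIF carries its width, height and colour table in a fixed header that can be read directly. The blob below is transcribed from the thumb.php snippet quoted above; the `identify` function and the PHP counter-example at the bottom are constructed for illustration.

```python
import base64
import struct

# Blob transcribed from the thumb.php snippet quoted in the post above.  In the
# PHP source it sits inside a double-quoted string, so the "\n" is a real
# newline there; both PHP's base64_decode and Python's b64decode skip it.
IMG_DATA_B64 = (
    "R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\n"
    "OGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\n"
    "DULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs="
)

# File signatures an image blob should start with.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Markers that mean the "image" is really code or markup.
CODE_MARKERS = (b"<?php", b"<script", b"<iframe", b"eval(", b"javascript:")


def decode_blob(b64_text):
    """Decode like PHP's non-strict base64_decode (whitespace is ignored)."""
    return base64.b64decode(b64_text)


def identify(data):
    """Classify decoded bytes: an image format, 'code/markup', or 'unknown'."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    lowered = data.lower()
    if any(marker in lowered for marker in CODE_MARKERS):
        return "code/markup"
    return "unknown"


def gif_header(data):
    """Return (width, height, palette) from a GIF logical screen descriptor.

    Layout: 6-byte signature, uint16 LE width, uint16 LE height, packed flags,
    background index, aspect ratio, then the global colour table if flag bit 7
    is set (2^((flags & 7) + 1) entries of 3 bytes each).
    """
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height = struct.unpack("<HH", data[6:10])
    flags = data[10]
    palette = []
    if flags & 0x80:
        entries = 2 ** ((flags & 0x07) + 1)
        table = data[13:13 + 3 * entries]
        palette = [tuple(table[i:i + 3]) for i in range(0, len(table), 3)]
    return width, height, palette


def inspect_blob(b64_text):
    """One-call summary for triaging a base64 literal found in PHP source."""
    data = decode_blob(b64_text)
    summary = {"bytes": len(data), "kind": identify(data), "trailer_ok": None}
    if summary["kind"] == "gif":
        width, height, palette = gif_header(data)
        summary.update(width=width, height=height, palette=palette,
                       trailer_ok=data.endswith(b"\x3b"))  # 0x3B is the GIF trailer
    return summary


if __name__ == "__main__":
    print(inspect_blob(IMG_DATA_B64))
    # Constructed counter-example: a blob that decodes to PHP, not to an image.
    bogus = base64.b64encode(b"<?php eval(base64_decode('PAYLOAD')); ?>").decode()
    print(inspect_blob(bogus))
```

For the blob from the post this reports a 146-byte GIF89a, 80 by 12 pixels, with a two-entry palette of pure red and white and a valid trailer byte, which is exactly what the comment claims. The same routine applied to a blob that decodes to `<?php ...` returns `code/markup`, which is the case worth escalating.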
Just as a matter of course, could you remove the code, and post it as images please (similar to how I have done it here)
Just helps prevent potential alerts on avast pages
Thanks.
Yes, TimThumb.php has come up on this detection before... it could be related.
I am not sure about the code that you posted, but it does seem suspicious.
Is that something reported by the exploit scanner?
There is an issue with this: - WordPress internal path: /home/pmurtha/public_html/wp-content/themes/buro/index.php according to the Sucuri scan,
Malware found here: hxxp://murthamergers.com/ re: http://sucuri.net/malware/malware-entry-mwjs6525
Sucuri detected
iframe or javascript that loads the Phoenix Exploit kit to compromise anyone visiting the web site. This type of malware is generally heavily encoded and hidden on javascript files or at the top of the HTML/PHP/ASP pages.
So update your outdated website software and secure your password. Now let us see, we also get a malware detection alert from the M86 Security Secure Browsing scanner for: murthamergers.com/ask-a-question/
For that link this code is found as suspicious: murthamergers.com/wp-content/plugins/custom-contact-forms/js/custom-contact-forms-datepicker.js?ver=3.3.1 suspicious
[suspicious:2] (ipaddr:50.22.79.64) (script) -murthamergers.com/wp-content/plugins/custom-contact-forms/js/custom-contact-forms-datepicker.js?ver=3.3.1
status: (referer=wXw.murthamergers.com/ask-a-question)saved 124 bytes 197aedbe88643b83a33262c6fc6269011d926b3a
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined function jQuery.noConflict
suspicious:
So work that through the exploit scanner as well.
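Sucuri's description above (encoded loader code at the top of HTML/PHP pages, or an iframe the visitor never sees) is concrete enough to turn into a first-pass sweep of the theme and plugin files. The following is an added example, not Sucuri's tooling or anything from the thread: a small scanner that flags those patterns per line and marks hits that sit in the first few lines of a file. The sample files are constructed; the paths borrow the theme and plugin names from the thread only so the output reads naturally. The last rule fires on any long base64 literal, which includes benign image data like the thumb.php blob, so a hit there means decode and check, not condemn.

```python
import re

# Review triggers for the kind of injection Sucuri describes: heavily encoded
# PHP/JS dropped at the top of a page, or an iframe hidden from the visitor.
# A hit means "look at this", not "this is malware".
RULES = [
    ("eval-of-decoded-payload",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("preg_replace-e-modifier",
     re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I)),
    ("document-write-unescape",
     re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("hidden-iframe",
     re.compile(r"<iframe[^>]*(?:width\s*=\s*['\"]?[01]\b|height\s*=\s*['\"]?[01]\b"
                r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)),
    # Benign image blobs (like the thumb.php one) also hit this; decode before judging.
    ("long-encoded-literal",
     re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]

TOP_LINES = 5  # injected loaders tend to be prepended, so hits up here matter more


def scan_source(name, text):
    """Return one finding per (line, rule) hit in a PHP/JS/HTML source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append({"file": name, "line": lineno, "rule": rule,
                                 "at_top": lineno <= TOP_LINES})
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping; only files with findings are reported."""
    report = {}
    for name, text in files.items():
        hits = scan_source(name, text)
        if hits:
            report[name] = hits
    return report


# Constructed sample files (not taken from the site discussed in the thread).
SAMPLES = {
    "themes/buro/index.php":
        "<?php\nget_header();\nwhile (have_posts()) { the_post(); the_content(); }\nget_footer();\n",
    "themes/buro/index.php.injected":
        "<?php eval(base64_decode('ZWNobyAnc2FtcGxlJzs=')); ?>\n"  # decodes to: echo 'sample';
        "<?php\nget_header();\nwhile (have_posts()) { the_post(); the_content(); }\nget_footer();\n",
    "themes/buro/footer.php.injected":
        "</div>\n<iframe src=\"http://malicious.example/\" width=\"1\" height=\"1\" "
        "style=\"visibility:hidden\"></iframe>\n</body>\n",
    "plugins/custom-contact-forms/js/custom-contact-forms-datepicker.js":
        "jQuery.noConflict();\njQuery(function ($) { $('#date').datepicker(); });\n",
}


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        for hit in hits:
            where = "TOP " if hit["at_top"] else ""
            print(f"{where}{name}:{hit['line']}: {hit['rule']}")
```

Run over the samples, only the two `.injected` files are reported: the prepended `eval(base64_decode(...))` on line 1 of the index (marked TOP) and the one-pixel hidden iframe in the footer. The clean theme file and a script that merely calls `jQuery.noConflict()` produce nothing, so a reviewer's time goes to the two files that actually need it.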
After doing all of that, I appear to be clean according to Sucuri and VirusTotal. Can I assume that I’m good now? I’m a bit nervous as Sucuri defined this malware as only acting on the first contact with a particular IP and not on subsequent contacts, which would explain why it’s only every once in a while since I don’t have a static IP at the office.