Infection:JS:ScriptIP-inf [Trj] - false positive or not?

Hello, today Avast warned me that the following website is infected.

xttp://findealz.com (x = h)

Infection: JS:ScriptIP-inf [Trj]

I’ve used some online scanning tools, and the products there tell me that the site isn’t infected. No files were modified in the last few days (the site worked perfectly yesterday), so I’m not sure what’s going on.

The site is hosted on a VPS.

Any ideas?

Regards, Chris

http://sitecheck.sucuri.net/results/findealz.com

and this

urlquery: http://urlquery.net/report.php?id=147436

Thanks a lot! Very helpful tools!

Regards, Chris

Hi Chris,

You certainly have to update the website software.
WordPress version: WordPress
WordPress version from source: 3.4.1
WordPress version 3.3 or 3.4 based on: http://wXw.findealz.com//wp-includes/js/autosave.js
WordPress theme: http://wXw.findealz.com/wp-content/themes/couponpress/ (holed->: http://kb.parallels.com/en/113321)
Plesk version 10 outdated: upgrade required.
Why old Plesk versions pose a risk, read here: http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html (article author = Daniel Cid)
"RedKit" exploit kit seems to just use Java/Exploit.CVE-2012-0507.
Website contains the malicious code.
2012-08-27 12:16:18 htxp://www.findealz.com/ 6A5215709984DFAEFB313F6A20706894 216.224.178.155 US Trojan.JS.Iframe.BRR
2012-08-27 12:16:17 htxp://www.findealz.com/wp-login.php?redirect_to=hxtp://www.findealz.com/wp-admin/ F6450952C2D40CF1D15FBCC8A713DF20 216.224.178.155 US Trojan.JS.Iframe.BRR (avast detects as HTML:RedirME-inf [Trj])

Code hiccup here:
(script) wXw.findealz.com/wp-content/themes/couponpress/PPT/js/slide/slider1.js
status: (referer=wXw.findealz.com/)saved 59779 bytes b73b65121178e7221fbe48c75de4036133e0fd05
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable $.fn
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var $.fn = 1; problem with the “$” alias?
error: line:1: …^
suspicious:
Third party requests:

Name Target URL

1 AddThis Analytics http://s7.addthis.com/js/250/addthis_widget.js#username=p
2 AddThis Analytics http://ct5.addthis.com/static/r07/core032.js
3 - ? http://maps.googleapis.com/maps/api/js?sensor=false
4 - ? http://maps.gstatic.com/intl/en_us/mapfiles/api-3/9/13b/m
5 - ? http://google-maps-utility-library-v3.googlecode.com/svn/
6 AddThis Analytics http://ct5.addthis.com/static/r07/sh098.html#iit=13460763… benign

Here the site is given as benign: http://zulu.zscaler.com/submission/show/c3c16791c388850d863b7d810291de58-1346076649
Here also: http://wepawet.cs.ucsb.edu/view.php?hash=d8a8f576e22988b2f37055ee3efcd431&t=1346076687&type=js

If you find your website is clean, file a report with avast.
You can report an FP here: http://www.avast.com/en-no/contact-form.php?noStyles

polonus
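Before filing a false-positive report, a site owner can reproduce the "third party requests" inventory above from a saved copy of the page and look for the hidden-iframe pattern behind detections such as Trojan.JS.Iframe. The following is an added example, not code from the thread or from any of the scanners named in it; the sample HTML and the host name used for the first-party check are constructed here for illustration.

```python
"""Inventory script/iframe references in a page and flag hidden iframes."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.findealz.com"  # assumed first-party host for this example

# Constructed sample page: one first-party script, two third-party scripts,
# and an injected 1x1 hidden iframe (the usual injected-iframe pattern).
SAMPLE_HTML = """
<html><head>
<script src="/wp-content/themes/couponpress/PPT/js/slide/slider1.js"></script>
<script src="http://s7.addthis.com/js/250/addthis_widget.js#username=p"></script>
<script src="http://maps.googleapis.com/maps/api/js?sensor=false"></script>
</head><body>
<iframe src="http://example.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

class RefCollector(HTMLParser):
    """Collect every <script> and <iframe> that carries a src attribute."""
    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src, attribute dict)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = dict(attrs)
            if a.get("src"):
                self.refs.append((tag, a["src"], a))

def is_hidden(attrs):
    """Heuristic: 0/1-pixel or CSS-hidden iframes are what injected code uses."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = all((attrs.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

def classify(html, site_host=SITE_HOST):
    """Return (tag, url, origin, flag) for each referenced script/iframe."""
    parser = RefCollector()
    parser.feed(html)
    rows = []
    for tag, url, attrs in parser.refs:
        host = urlparse(url).netloc or site_host  # relative src => first-party
        origin = "first-party" if host == site_host else "third-party"
        flag = "SUSPICIOUS hidden iframe" if tag == "iframe" and is_hidden(attrs) else ""
        rows.append((tag, url, origin, flag))
    return rows

if __name__ == "__main__":
    for row in classify(SAMPLE_HTML):
        print(*row)
```

Anything flagged here that is not in the site's own theme or plugin code is worth investigating on the server before the detection is dismissed as a false positive.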