Malware 404javascript.js

Hi everyone,

According to several reports, my website is infected — hxxp://wildgrounds.com
Avast says it’s JS:Iframe-EX [Trj]
Kaspersky says it’s HEUR:Trojan.Script.Iframer

So, to find more details, I’ve used several online tools;
https://www.virustotal.com/url/5270b4b018e55dd60546911956a2b2022419a756d9fff267caf6e9b484b39fd3/analysis/1344112173/
http://zulu.zscaler.com/submission/show/e225603d5648a9c16210c0b84c8ba820-1344111932
http://urlquery.net/report.php?id=114528

And nothing was detected. :stuck_out_tongue:

BUT, then, Sucuri found something;
http://sitecheck.sucuri.net/results/wildgrounds.com

I’ve checked my .htaccess files - no problem, my wordpress folders - deleted/reuploaded some files, updated/deleted plugins or useless files.

But, it seems it’s not enough, the infection is still somewhere according to Sucuri & Avast.

So, where’s the problem? I can’t see where it comes from, quite frustrating… :-\

Thanks for your help!

Yes… there is a detection by Suricata signatures in the urlquery link you posted.

You scanned the site for blacklisting on VirusTotal, not the file itself, hence detection was not found.

Zulu couldn’t get a return from your site, hence “No external elements were found”.

urlQuery never received the iframe write, based on the javascript write results.

These scanners did not detect for a valid reason.

How to edit Wordpress 404 page: http://codex.wordpress.org/Creating_an_Error_404_Page#Editing_an_Error_404_Page

Alright, that would be easy if 404javascript.js was actually on the server, but it’s not. I guess, it’s externally added/pointed by the malicious script. Which is… I don’t know. I’ve run some ssh commands for the usual stuff - eval, preg, hidden - and I’ve deleted some files, but it didn’t change anything in the end.

You’ve mentioned the Wordpress 404 page. So, it’s not a malicious script after all?

What does it mean?

Thanks for your answers :slight_smile:

Hi jeronima,

Site was vulnerable via xmlrpc.php through a WordPress flaw,
Earlier IDS alerts for: FILEMAGIC Macromedia Flash data (compressed),
see: http://urlquery.net/report.php?id=114780

polonus

No, quite the opposite.

Wordpress uses a 404.php server-side that gets generated as the return 404. Your site appears to have been hacked. To fix and stop avast’s alerts, you can do one of the following:

  • Look for suspicious elements (e.g: long strings of code) in the file and delete them
  • Delete the 404.php page and let Wordpress generate a new clean one [recommended]

~!Donovan

Great, I’ve made some changes recommended in this article, seems okay now; http://urlquery.net/report.php?id=114808

Catch-22 here I come!
I still haven’t found any suspicious/malicious elements (!!), and using the Thesis framework, I can neither delete nor generate a new clean 404 error page - I can only customize it, but that doesn’t change anything.

Could it be a false report, or Sucuri’s cache not cleared yet…?

anyway, thanks for your help.

Jeronima

Site is no longer alerted/flagged by avast, so you have cleansed it.
Keep your website software up to date and fully patched,
stay safe and secure is the wish of,

polonus

polonus,

when you come via google/from an external source, there’s still an alert from avast.

I’ve run a scan of a copy of my site/database on my computer, avast didn’t find anything malicious. :o

That’s quite strange.

Problem solved - clean sucuri report 8)

The infected file was somehow hidden, it was a fake/useless gif named “searchnav” (found in the wordpress theme folder).

Thanks for your help!

;D
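Two things from this thread are easy to check for mechanically: Donovan’s advice to look in the theme’s 404.php for an injected (typically invisible) iframe, and Jeronima’s finding that the real payload was a fake “gif” sitting in the theme folder. The script below is an added example, not code from the thread or from any of the scanners mentioned; it walks a theme or plugin folder, flags image files whose header bytes do not match their extension or that contain a PHP open tag, and flags PHP/JS/HTML files that write a hidden iframe. The sample files it scans are constructed in a temporary folder and are not real malware.

```python
import re
import tempfile
from pathlib import Path

# Header bytes a file with this extension should start with (GIF and PNG only here).
MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",)}
PHP_TAG = re.compile(rb"<\?php|<\?=")
# A document.write() that emits an iframe, or an iframe sized or styled to be invisible.
HIDDEN_IFRAME = re.compile(
    rb"document\.write\s*\(.{0,200}?<iframe"
    rb"|<iframe[^>]*(?:width=[\"']?[01]\b|height=[\"']?[01]\b|display:\s*none)",
    re.IGNORECASE | re.DOTALL,
)

def check_file(path: Path) -> list[str]:
    # Return the reasons this file looks suspicious; an empty list means clean.
    data, ext, findings = path.read_bytes(), path.suffix.lower(), []
    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            findings.append("extension does not match file header")
        if PHP_TAG.search(data):
            findings.append("PHP code inside an image file")
    elif ext in (".php", ".js", ".html") and HIDDEN_IFRAME.search(data):
        findings.append("hidden iframe injection")
    return findings

def scan_tree(root) -> dict[str, list[str]]:
    # Walk a theme or plugin folder and map each suspicious file to its findings.
    root = Path(root)
    return {str(p.relative_to(root)): f
            for p in sorted(root.rglob("*"))
            if p.is_file() and (f := check_file(p))}

# Constructed sample theme folder (not real malware) so the scanner can run offline.
SAMPLE_FILES = {
    "searchnav.gif": b"<?php /* constructed sample */ echo 1; ?>",
    "logo.gif": b"GIF89a" + b"\x00" * 16,
    "404.php": b"<?php get_header(); ?><script>document.write('<iframe "
               b"src=\"http://placeholder.invalid/\" width=1 height=1></iframe>');</script>",
    "style.css": b"body { color: #333; }",
}

def scan_sample() -> dict[str, list[str]]:
    # Write the sample files into a temporary folder and scan them.
    with tempfile.TemporaryDirectory() as d:
        for name, content in SAMPLE_FILES.items():
            (Path(d) / name).write_bytes(content)
        return scan_tree(d)
```

On a real site, call `scan_tree("wp-content/themes")` (and the plugins folder) from a copy of the files; the checks are deliberately simple, so treat a hit as something to inspect by hand rather than proof of infection.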