My website is being blocked

As I understand it, it’s best not to paste the actual link to the actual site to keep it from being clickable, so here it is in a code block:

http://www.wickens.ws

Any help here? I created a portal for myself and friends, and now Avast thinks there’s malware on the site, and all sub-domains.

My webhost WAS hacked, but it looks as if they only created a folder full of spam websites, cgi-scripts, and changed the .htaccess file. I believe I’ve resolved the problem (old version of WordPress installed with everything set to 777), but would like to have my site reconsidered/rechecked. There are several other subdomains that are used by a bunch of other people, so it’s not just affecting me.
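One way to check a web root for the two things described in that post (world-writable files from a 777 install, and a modified .htaccess redirecting visitors) and then reset permissions. This is an added example, not code from the thread or from WordPress; the sample web root it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for world-writable
# (777) files and .htaccess files carrying redirect/rewrite rules, then reset
# permissions to 755/644. The sample web root below is constructed.

# List every world-writable file or directory below $1, sorted.
find_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) -print | sort
}

# List every .htaccess below $1 that carries a redirect/rewrite directive,
# the kind of edit used to send visitors on to spam or malware pages.
find_suspicious_htaccess() {
    find "$1" -type f -name .htaccess -print | sort | while read -r f; do
        if grep -qiE '^[[:space:]]*(Redirect|RedirectMatch|RewriteRule|RewriteCond)' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Reset to the usual 755 for directories and 644 for files below $1.
harden_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample web root in a temp directory and print its path.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/spamdir"
    printf 'hello\n' > "$root/index.html"
    printf '#!/bin/sh\necho spam\n' > "$root/spamdir/post.cgi"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://spam.invalid/ [R=301,L]\n' > "$root/.htaccess"
    printf 'Options -Indexes\n' > "$root/wp-content/.htaccess"
    chmod 777 "$root/spamdir" "$root/spamdir/post.cgi" "$root/wp-content/uploads"
    printf '%s\n' "$root"
}

# Stand-alone run: show findings, harden, and show the result.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_root)
    echo "World-writable before:"; find_world_writable "$root"
    echo "Suspicious .htaccess:"; find_suspicious_htaccess "$root"
    harden_permissions "$root"
    echo "World-writable after: $(find_world_writable "$root" | wc -l)"
    rm -rf "$root"
fi
```

Run it with `--demo` to see the constructed root audited and hardened; point the two `find_*` functions at a real document root to audit it.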

???

Only?! ONLY?! :o ??? :slight_smile:

Oh. And do you think that webpages are supposed to change proxy settings in your browser? ???

http://anubis.iseclab.org/?action=result&task_id=1608aa314f59e90f45d254c78072fb45a&format=html


- Registry Values Modified:
Key	Name	New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0

http://support.microsoft.com/default.aspx?scid=kb;en-us;819961

Ha. I guess let me rephrase: I could only seem to find a folder of files and my .htaccess changed. Nothing more appeared to be affected.

As for the report you linked showing me that it was modifying registry files, I’m not sure that is correct. In trying to figure out what was going wrong, I did a report on google.com and it says that their site is changing dozens more registry entries than mine. Does that mean they are hacked too?

I’m not sure if this is finding false positives or what. I’ve never used the scanner website before.

http://anubis.iseclab.org/?action=result&task_id=1d4acf1bbef772224f1ef1efcd424bc70&format=html



The web address you gave above is still infected as of now.


I’d like to resolve it, but I don’t understand the difference between the report that is showing for my site, and the one I posted for google. If I could figure out the differences (or how to read the report better), then I’d have a better chance of solving the problem.

Or if you can tell me what it’s doing wrong that would be even better. If my site is still serving up malware or whatnot I definitely don’t want it out there. :slight_smile:

Well, like… go, wipe WordPress, install the latest version (properly, not world-writeable), restore DB from backup which was done before it was infected?

I deleted WordPress yesterday when I started getting the warning. I didn’t need it anymore on the server anyway and haven’t reinstalled it. I was going to start a blog a long time ago, but wound up abandoning that project. So really there’s not much left on the server.

I guess the question is, does Avast do a real-time check on the website, or does it do a database lookup of known malware sites? And if it is getting it from a database, how often do they rescan sites? Or how do I get them to recheck it?

Both. I do not have time to ponder about this. If you think it is clean, then http://www.avast.com/contact-form.php?loadStyles

What’s this crap e.g.?


<script src="../scriptaculous/prototype.js" type="text/javascript"></script>
<script src="../scriptaculous/scriptaculous.js" type="text/javascript"></script>

Etc. Go wipe the site clean.

The site is still blocked because of Mal-URL there: htxp://taylor.wickens.ws/
Sucuri scan does not give any hiccups:
Running on: Apache/2.2.11
System info: (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Powered by: PHP/5.2.9
List of links found
mortgage/mortgage.html
htxp://taylor.wickens.ws/weather/fullWeather.php?id=38017
List of javascripts included
…/scriptaculous/prototype.js
…/scriptaculous/scriptaculous.js
The unmasked parasites report has verdict “suspicious” and 162 hidden external links found.
iFrame scan:
(Level: 0) Url checked:
httx://www.wickens.ws
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.wickens.ws/…/scriptaculous/prototype.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.wickens.ws/…/scriptaculous/scriptaculous.js
Blank page / could not connect
No ad codes identified
M86 scan gives an all green now…
Malware could have originated much like this: hxtp://sharecash.org/scriptaculous/src/scriptaculous.js

polonus

If you want to scrupulously (conscientious and exact) scan the source code without being alerted by AV, open it up here:
view-source: http://www.idoproxy.com/browse.php?u=Oi8vdGF5bG9yLndpY2tlbnMud3M%3D&b=34

Idoproxy is a safe way of inspecting source code of infected sites.
It has these [options] aboard…
Encode Page Allow Cookies Remove Scripts Remove Objects Block EXEs Block Exploits Block PDFs Block .RU Block .CO.CC Block .IN Block .INFO Block .CZ.CC Block .TK Block .CN Block .BIZ Block Ports No Referrer

Good to have for every malware scanning enthusiast,

pol

Thanks Polonus. I’ve removed the …/ in front of the scriptaculous scripts listed below. So hopefully that shouldn’t be a problem with it anymore. I tried running my site on the Sucuri website, but I couldn’t seem to find anywhere to paste it. Must be a paying member?

…/scriptaculous/prototype.js
…/scriptaculous/scriptaculous.js

And doktor, Scriptaculous/Prototype are famous JavaScript libraries in the web programming world. It’s a lot like jQuery if you’ve heard of it.
http://script.aculo.us/

Hi wicketr,

Site is cleansed, everything opens up fine, http://www.urlvoid.com/scan/taylor.wickens.ws

web site:
taylor.wickens.ws
status:
Site verified to be secure and free of malware.
web trust:
Site not blacklisted. Sucuri scan
http://taylor.wickens.ws
mortgage/mortgage.html
http://taylor.wickens.ws/weather/fullWeather.php?id=38017
scriptaculous/prototype.js
scriptaculous/scriptaculous.js

Stay secure and malware free, is the wish of,

polonus