Recently one Pakistani guy hacked my web site

Dear Avast Support,

Recently one Pakistani guy hacked my website: http://buylikesfollowers.org

He messed up my website.

I have reinstalled WordPress and it is clean now, but Avast still shows a warning when I access my site.

Please can you check what is wrong.

I have scanned all files on my local computer via Avast and it does not show any issue, but when I access the site online it still warns.

Please can you fix this.

Thanks.

http://sitecheck.sucuri.net/results/buylikesfollowers.org/
http://zulu.zscaler.com/submission/show/a14ea80b80d0397bb0e48e02ce924cba-1418876546

You have multiple malicious JavaScripts in there!!!

http://buylikesfollowers.org/wp-includes/js/jquery/jquery-migrate.min.js ==> Malicious
http://buylikesfollowers.org/wp-content/plugins/layerslider/static/js/layerslider.kreaturamedia.jquery.js ==> Malicious
http://buylikesfollowers.org/wp-content/plugins/layerslider/static/js/greensock.js ==> Malicious
http://buylikesfollowers.org/wp-content/plugins/layerslider/static/js/layerslider.transitions.js ==> Malicious
http://buylikesfollowers.org/wp-content/themes/Total/js/plugins/html5.js ==> Malicious

Site was already in a spam list: http://www.spamhaus.org/query/domain/buylikesfollowers.org
See: http://sitecheck.sucuri.net/results/www.buylikesfollowers.org/
Vulnerabilities via a plug-in visual composer update notification missed!
http://wptavern.com/critical-security-vulnerability-found-in-wordpress-slider-revolution-plugin-immediate-update-advised
Site flagged: https://www.virustotal.com/nl/url/399fa498d8a2af2f6e9c92616ab5364f2b6fb0ca275c2ce53b8b328d29f33cb5/analysis/
I receive this data now:

 HTTP/1.1 404 Not Found
Date: Thu, 18 Dec 2014 17:57:50 GMT
Server: Apache
Accept-Ranges: bytes
Connection: close
Content-Type: text/html



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
  <head>
    <title>404 Not Found</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <style type="text/css">
        body {
        	font-family: Verdana, Arial, Helvetica, sans-serif;
        	font-size: 12px;
        	background-color:#367E8E;
        	scrollbar-base-color: #005B70;
        	scrollbar-arrow-color: #F3960B;
        	scrollbar-DarkShadow-Color: #000000;
        	color: #FFFFFF;
			margin:0;
        }
        a { color:#021f25; text-decoration:none}
        h1 {
        	font-size: 18px;
        	color: #FB9802;
        	padding-bottom: 10px;
        	background-image: url(sys_cpanel/images/bottombody.jpg);
        	background-repeat: repeat-x;
        	padding:5px 0 10px 15px;
			margin:0;
        }
        #body-content p {
        	padding-left: 25px;
        	padding-right: 25px;
        	line-height: 18px;
        	padding-top: 5px;
        	padding-bottom: 5px;
        }
        h2 {
        	font-size: 14px;
        	font-weight: bold;
        	color: #FF9900;
        	padding-left: 15px;
        }
    </style>
  </head>
  <body>
    <div id="body-content">  
<!-- start content-->

<!-- 
 instead of REQUEST_URI, we could show absolute URL via:
 http://HTTP_HOST/REQUEST_URI
    but what if its https:// or other protocol?
    
    SERVER_PORT_SECURE doesn't seem to be used
    SERVER_PORT logic would break if they use alternate ports
-->

<h1>404 Not Found</h1>
<p>The server can not find the requested page:</p>
  <blockquote>
    (none)/xmlrpc.php (port 80)
  </blockquote> 
<p>
    Please forward this error screen to 184.164.144.133's 
    <a href="mailto:asm@supercloudapps.com?subject=Error message [404] 404 Not Found for (none)/xmlrpc.php port 80 on Thursday, 18-Dec-2014 23:27:50 IST">
    WebMaster</a>.
</p>
<hr />


<!-- end content -->
    </div>
  </body>
</html>

Take this up with whoever hosts that website.

polonus

http://multirbl.valli.org/lookup/buylikesfollowers.org.html
http://multirbl.valli.org/lookup/184.164.144.133.html
http://urlquery.net/report.php?id=1418925924397
https://www.ssllabs.com/ssltest/analyze.html?d=buylikesfollowers.org&ignoreMismatch=on&latest
http://quttera.com/detailed_report/buylikesfollowers.org

Hi Eddy,

The code that Quttera flags reads as packed and not as a packer (the second, packer variety is a known malware code):

 eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a etc. etc. 

The results here are weak, F-rated SSL scan results, but not per se malicious as such; thousands of sites could be flagged if we used such criteria for insecurity.
Outside the spam issues, if still alive, and the plug-in patch insecurity, if left open, no big issues here.

polonus
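To make the distinction polonus draws between code that is merely packed and a malicious packer concrete, here is an added example (not code from this thread, from Avast or from Quttera) that statically unpacks Dean Edwards' p,a,c,k,e,r format so the real source can be reviewed without executing the eval; the packed sample input is constructed for the example.

```javascript
// Added example: static unpacker for Dean Edwards' "p,a,c,k,e,r" format, so the
// payload of an eval(function(p,a,c,k,e,r){...}) block can be read without running it.

// Mirror of the packer's own e(c): base-36 digits below 36, 'A'..'Z' for 36..61.
function encodeSymbol(c, a) {
  const head = c < a ? '' : encodeSymbol(Math.floor(c / a), a);
  const rem = c % a;
  return head + (rem > 35 ? String.fromCharCode(rem + 29) : rem.toString(36));
}

// Replay the packer's replacement loop: every whole-word symbol e(i) becomes
// keyword k[i]; empty keyword slots are left untouched (the packer's own rule).
function unpack(p, a, c, k) {
  let out = p;
  while (c--) {
    if (k[c]) out = out.replace(new RegExp('\\b' + encodeSymbol(c, a) + '\\b', 'g'), k[c]);
  }
  return out;
}

// Extract the four arguments from the trailing
//   }('payload',base,count,'w1|w2|...'.split('|'),0,{}))
// and unescape \' and \\ inside the payload string literal. Returns null if absent.
function parsePacked(src) {
  const m = src.match(/\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'([^']*)'\.split\('\|'\)/);
  if (!m) return null;
  return { p: m[1].replace(/\\(['\\])/g, '$1'), a: parseInt(m[2], 10), c: parseInt(m[3], 10), k: m[4].split('|') };
}

// Packing is sometimes applied in layers; keep unpacking while the result still
// looks packed (bounded depth). Unpacked or unpacked-looking input is returned as-is.
function unpackAll(src) {
  let cur = src;
  for (let depth = 0; depth < 10; depth++) {
    const args = parsePacked(cur);
    if (!args) break;
    cur = unpack(args.p, args.a, args.c, args.k);
  }
  return cur;
}

// Constructed sample: a tiny function packed by hand in the layout the packer emits
// (the header is the packer's standard stub; payload and keyword table are ours).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 1(2){3(\'Hi \'+2)}',62,4,'function|hello|name|alert'.split('|'),0,{}))`;

console.log(unpackAll(SAMPLE)); // function hello(name){alert('Hi '+name)}
```

Once unpacked, the recovered source is plain JavaScript that can be diffed against the vendor's original file, which is the check that separates a legitimately minified plug-in script from an injected one.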

No, these scripts are fine; there is not any issue with these scripts.

Also, I have scanned all files on my local computer and Avast does not show any virus.

I have the current version of Avast and scanned all files on my local PC, and Avast does not show any problem.

As I explained above.

polonus

I have removed all these scripts and LayerSlider.

http://buylikesfollowers.org/wp-includes/js/jquery/jquery-migrate.min.js ==> Malicious
http://buylikesfollowers.org/wp-content/plugins/layerslider/static/js/layerslider.kreaturamedia.jquery.js ==> Malicious
http://buylikesfollowers.org/wp-content/plugins/layerslider/static/js/greensock.js ==> Malicious
http://buylikesfollowers.org/wp-content/plugins/layerslider/static/js/layerslider.transitions.js ==> Malicious
http://buylikesfollowers.org/wp-content/themes/Total/js/plugins/html5.js ==> Malicious

I hope my site should be clean now.

You also have to remove this blacklisting: http://www.spamhaus.org/dbl/removal/record/buylikesfollowers.org
via http://www.spamhaus.org/dbl/removal/form/buylikesfollowers.org

pol

Quttera still flags three suspicious files: htxp://quttera.com/detailed_report/buylikesfollowers.org
/wp-content/plugins/layerslider/static/js/layerslider.kreaturamedia.jquery.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘17 bM(e,t,n){16 r;6(1W e==“64”){r=3I(“#”+e)}19 6(1W e==“bD”){r=e}16 i,s;2y(t){1l"8A":i=“fw 3I aE”;s=’]] of length 50105 which may point to obfuscation or shellcode.
&
/wp-content/plugins/layerslider/static/js/greensock.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘(17(e){“4V 4U”;19 t=e.5Z||e;1a(!t.5f){19 n,r,i,s,o,u=17(e){19 n,r=e.1t(“.”),i=t;1b(n=0;r.1c>n;n++)i[’]] of length 45707 which may point to obfuscation or shellcode.
&
wp-content/plugins/layerslider/static/js/layerslider.transitions.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘20 1Z={27:[{j:“13 N E”,d:1,g:1,f:{e:0,i:“o”},c:{n:“W”,b:“1e”,a:G,h:“r”}},{j:“13 N r”,d:1,g:1,f:{e:0,’]] of length 19856 which may point to obfuscation or shellcode.

But I explained these might be benign after all. Consider: http://jsunpack.jeek.org/?report=32fbe04c53b46f31a9ecf8ac2ad0ab16dbd3b481
Link for security research only; open inside a browser with the NoScript extension active and inside a VM/sandbox!

For the redirect _re%3D%2F%5E(%3F%3A(%3F%3A%5B%5E%3A%5C%2F%3F%23%5D%2B)%3A)%3F(%3F%3A%5C%2F%5C%2F(%3F%3A%5B%5E%5C%2F%3F%23%5D*))%3F(%5B%5E%3F%23%5D*)(%3F%3A%5C%3F(%5B%5E%23%5D*))%3F(%3F%3A%23&oq=redirect%3Alogin"%3Bvar+uri_re%3D%2F%5E(%3F%3A(%3F%3A%5B%5E%3A%5C%2F%3F%23%5D%2B)%3A)%3F(%3F%3A%5C%2F%5C%2F(%3F%3A%5B%5E%5C%2F%3F%23%5D*))%3F(%5B%5E%3F%23%5D*)(%3F%3A%5C%3F(%5B%5E%23%5D*))%3F(%3F%3A%23&aqs=chrome…69i57j69i58&sourceid=chrome&es_sm=93&ie=UTF-8 consider this
http://www.rapidtables.com/web/dev/url-redirect.htm#301-redirect

Code hiccup: buylikesfollowers dot org/wp-content/themes/Total/js/total-min.js benign
[nothing detected] (script) buylikesfollowers dot org/wp-content/themes/Total/js/total-min.js
status: (referer=buylikesfollowers dot org/wp-content/themes/Total/js/plugins/html5.js)saved 274540 bytes f4eb415baf665c47e5366c3b68d45aa81337b3d8
info: [javascript variable] URL=wXw.facebook.com/share.php?v=4&src=bm&u={URL}
info: [img] buylikesfollowers dot org/wp-content/themes/Total/js/
info: [iframe] about:blank
info: [iframe] wXw.youtube.com/embed/
info: [iframe] player.vimeo dot com/video/
info: [decodingLevel=0] found JavaScript
suspicious
error here"(iframe) about:blank/
status: (referer=buylikesfollowers dot org/wp-content/themes/Total/js/total-min.js)failure: nonnumeric port: ‘blank’

pol

Nice to use: http://www.justarrangingbits.org/firefox-magic-decoding-address-bar/index.html?test=%40%23%24%25%26%3D%3A%2F%2C%3B%3F%2B

pol