Site blocked - MAL:Url - but can't find any infection

Hi guys,

Currently getting MAL:Url on www.fancyladyindustries.com but I can’t seem to find the infection.

http://sitecheck.sucuri.net/scanner/?scan=www.fancyladyindustries.com comes up clean.

http://www.UnmaskParasites.com/security-report/?page=www.fancyladyindustries.com suggests it is clean too.

If anyone has any idea what might be triggering it would appreciate some pointers.

URL:Mal means it is on a blacklist for whatever reason… it does not have to be infected

virustotal URL scan
https://www.virustotal.com/nb/url/43c7586efdca0494be6e58f9a699ee9152096b4d8da5b4b700a1c443bd6d95f4/analysis/

check here. http://urlquery.net/report.php?id=3657401. Recent reports on same IP/ASN/Domain

like this one http://urlquery.net/report.php?id=3605430. suricata and snort filter report exploitkit blackhole landing page

if you think the blocking is wrong, report it here. http://www.avast.com/contact-form.php
you may add a link to this topic in case they reply here

WP software not consistent Wordpress Version 3.5 based on: htxp://www.fancyladyindustries.com//wp-admin/js/common.js
Suspicious scan here: http://zulu.zscaler.com/submission/show/381584d58224a330135fb5a14d87fa7b-1373580116
iFrame malcode, see: http://jsunpack.jeek.org/?report=7fdbaa85885f9d44e1f2e44ed04903e84c9570c4
(view link with NoScript enabled and in a VM/sandbox - for security researchers only)
Some website security recommendations
→ The common website insecurities (please report to your site admin or hoster): https://asafaweb.com/Scan?Url=http://www.fancyladyindustries.com

polonus

Oh and from the iFrame there is this vuln found: http://bugs.jqueryui.com/ticket/6016 (hope the plug-in version does not have that)
https://account.optionsxpress.com/inc/js/plugins/jquery.blockUI.js
Some example -
Summary
Severity: Information
Confidence: Certain
Host: https://account.optionsxpress.com
Path: /inc/js/plugins/jquery.blockUI.js
Issue detail
The following cookies were issued by the application and do not have the secure flag set:

* TLTHID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
* TLTSID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

polonus

I visually checked the version on the site and the version in the latest.zip downloaded from wordpress.org. Identical files.

It seems where I buy my server from is considered risky. But if the site is clean is that a reason to be blacklisted?

The iframe is part of the jquery.blockUI code base. I don’t see how that is an exploit.

I’m not even sure what this has to do with my site

I can well imagine that you cannot imagine what that all has to do with your site. It is with your hoster, where they did sloppy IT management.
That server has serious security issues to be abused by attackers. You have to take this issue up with them.
By the way burleigh dot ohbees dot com dot au is also being blocked by avast webshield as URL:Mal… web shell vulnerability…
http://www.w3bsecurity.com/warning-wordpress-plugins-vulnerability-list-from-2004-to-2013/

polonus

Is there a simple way to scan which plugins may be an issue? perhaps something I can run server side?

You could do a scan with this: http://wordpress.org/plugins/exploit-scanner/ download from: http://downloads.wordpress.org/plugin/exploit-scanner.1.3.3.zip
check also on the server: open mysql MySQL (unauthorized)

Server should be hardened not to be so loud with header info (attackers get far too much info that way):

  1. Server: Apache/2.2.22 (@RELEASE@)
  2. X-Powered-By: PHP/5.3.3

It looks like 2 cookies are being set without the “HttpOnly” flag being set (name : value):

  3. woocommerce_items_in_cart : 0
  4. woocommerce_cart_hash : 0

How to do this, you could read here: http://www.shanison.com/2012/07/05/unset-apache-response-header-protect-your-server-information/
link article from Shanison software engineer…

polonus

Thanks. I ended up using wordfence (http://wordpress.org/plugins/wordfence/) and found something on one of the sites. doh
Just sorted out the firewall so the only things externally available are http, dns, mail and ssh. I’ll look at the http headers now. Can’t change the cookies though, as they are used to store cart information used by jscript - at least that is my understanding.

Hi nicholosophy,

But after cleansing, you also have to deal with the blacklisting.

polonus

Indeed. Where do I start? CLEAN MX for starters I guess…

Just a note that the offending site (definatalie dot com) and associated server (burleigh dot ohbees dot com dot au) are still blacklisted in avast. Sadly this sees me re-added to the CLEAN-MX list. (https://www.virustotal.com/en-gb/file/88aee051c595ee99cb146f88b2c32578f2aa04691865badec5821dec361c4c85/analysis/)

Scanned with maldet and clamscan this morning and both report that it is clean. Also clean at http://www.unmaskparasites.com/security-report/?page=www.definatalie.com and http://sitecheck.sucuri.net/scanner/?scan=www.definatalie.com

http://zulu.zscaler.com/submission/show/c74a308349cec9304f3b9996226bb454-1373862802

You could always ask avast to make an exclusion for your domain on that IP.
Contact virus AT avast dot com.
Because this is the domain that is causing all the trouble for you with its Blackhole exploit kit landing page …
http://urlquery.net/report.php?id=3605430
You should report this to the folks at WebNX, Inc., so they can close that malware or take care it is cleansed and dead!
Point this thread here out to them - their server was hacked via SQL…
This domain, similar infection: http://urlquery.net/report.php?id=3392176
So these domains on that IP you share were infested with Blackhole!
And they are flagged by avast for going here: htxp://areacner.immaculateconception.com.au/ avast! Web Shield URL:Mal alert
And that malware is long, long overdue! over 599.8 hours! → http://support.clean-mx.de/clean-mx/viruses?id=12230378
How and why the infection, see: http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fservisracunalnikov.com%2F
see also: http://urlquery.net/queued.php?id=33569484 - seems cleansed now!
also flagged by avast = htxp://www.servisracunalnikov.com/wp-includes/js/hoverIntent.min.js?ver=r6 (see safe virusviewer report)

polonus

I gave up on my host and moved to a dedicated server, so I’m not associated with that infected machine any more. Funny because it was my host who alerted me to being infected in the first place but kept telling me those other sites have nothing to do with it. Which you and I both know isn’t true.

Right now avast have told me that fancyladyindustries.com is infected at /54a8c1fbdabde31d03dcb1c4ea249031/54a8c1fbdabde31d03dcb1c4ea249031/q.php?jnlp=3de182668d but I can’t see it, so I’m hoping that’s an old hit.

Having switched host, it may take a little time before all DNS servers reflect your new IP address - Strange that it is still present on a .php file that you can’t find. I would check your php templates and see if there isn’t something in there inserting and running the q.php file on page creation.

I visited the site and got a network shield alert, but if I disable the network shield I get an alert on the home page, so there is something present and not just a block on IP address. No reference to the file you mentioned.

I captured and uploaded the element that avast was alerting on to virustotal, VT Results, only avast alerting. But it is a script injection it shows and I can’t see any script tags on that page which appear to be pointing at malicious sites or calling a .php page.

Hi nicholosophy,

This should not appear in your code: wp-admin/admin-ajax.php?action=wordfence_logHuman&hid=EB7BA865DC8DC9C09DCEB364AE8F48F1
You may want to create a robots.txt file that blocks access to /wp-admin/ so Google doesn’t index these and other internal URLs.

Damian

Thanks. robots.txt added.

Feel like I’m hitting my head against a wall. If anyone else spots anything I’ll do whatever I need to do to clean the site/server.

Last thing I want is an infected server or site.

Site is listed as suspicious by mcafee

http://www.siteadvisor.com/sites/fancyladyindustries.com

Blackhole Exploit Kit

http://www.avgthreatlabs.com/website-safety-reports/domain/fancyladyindustries.com/

Thanks. Asked Mcafee to review and avg says it is clean now but wasn’t 16 days ago. So that’s something…