The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
I can well imagine that you cannot imagine what that all has to do with your site. It is with your hoster, where they did sloppy IT management.
That server has serious security issues to be abused by attackers. You have to take this issue up with them.
By the way burleigh dot ohbees dot com dot au is also being blocked by avast webshield as URL:Mal…web shell vulnerability…> http://www.w3bsecurity.com/warning-wordpress-plugins-vulnerability-list-from-2004-to-2013/
Thanks. I ended up using wordfence (http://wordpress.org/plugins/wordfence/) and found something on one of the sites. doh
Just sorted out the firewall so the only things externally available are http, dns, mail and ssh. I’ll look at the http headers now. Can’t change the cookies though, as they are used to store cart information used by jscript - at least that is my understanding.
You could always ask avast to make an exclusion for your domain on that IP.
Contact virus AT avast dot com.
Because this is the domain that is causing all the trouble for you with its Blackhole exploit kit Landing page …
→ http://urlquery.net/report.php?id=3605430
You should report this to the folks at WebNX, Inc., so they can close that malware or take care it is cleansed and dead!
Point this thread here out to them - their server was hacked via SQL…
This domain, similar infection: http://urlquery.net/report.php?id=3392176
So these domains on that IP you share were infested with Blackhole!
And they are flagged by avast for going here: htxp://areacner.immaculateconception.com.au/ avast! Web Shield URL:Mal alert
And that malware is long, long overdue! over 599.8 hours! → http://support.clean-mx.de/clean-mx/viruses?id=12230378
How and why the infection, see: http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fservisracunalnikov.com%2F
see also: http://urlquery.net/queued.php?id=33569484 - seems cleansed now!
also flagged by avast = htxp://www.servisracunalnikov.com/wp-includes/js/hoverIntent.min.js?ver=r6 (see safe virusviewer report)
I gave up on my host and moved to a dedicated server, so I’m not associated with that infected machine any more. Funny because it was my host who alerted me to being infected in the first place but keep telling me those other sites have nothing to do with it. Which you and I both know isn’t true.
Right now avast have told me that fancyladyindustries.com is infected at /54a8c1fbdabde31d03dcb1c4ea249031/54a8c1fbdabde31d03dcb1c4ea249031/q.php?jnlp=3de182668d but I can’t see it, so I’m hoping that’s an old hit.
Having switched host, it may take a little time before all DNS servers reflect your new IP address - Strange that it is still present on a .php file that you can’t find. I would check your php templates and see if there isn’t something in there inserting and running the q.php file on page creation.
I visited the site and got a network shield alert, but if I disable the network shield I get an alert on the home page, so there is something present and not just a block on IP address. No reference to the file you mentioned.
I captured and uploaded the element that avast was alerting on to virustotal, VT Results, only avast alerting. But it is a script injection it shows and I can’t see any script tags on that page which appear to be pointing at malicious sites or calling a .php page.
This should not appear in your code: - wp-admin/admin-ajax.php?action=wordfence_logHuman&hid=EB7BA865DC8DC9C09DCEB364AE8F48F1
You may want to create a robots.txt file that blocks access to /wp-admin/ so Google doesn’t index these and other internal URL