suspicious warnings

Hi guys,

Users of my site have told me that AVAST virus scanner is highlighting a problem with my domain www.whitbyseaanglers.co.uk

The domain houses 2 installations of wordpress and 1 smf forum at

http://www.whitbyseaanglers.co.uk/

http://www.wcsa.whitbyseaanglers.co.uk/

http://www.whitbyseaanglers.co.uk/forum/index.php

The malware alert says infection url : mal

This shows for every page on each site across the domain.

Google Webmaster Tools, AVG and Norton do not show any issue. I've run the site through several security scanners and they say it's clean.

Obviously I'm concerned, but I'm wondering if this may be an Avast false positive? I want to investigate as I don't want to ignore it and have the problem get worse and get delisted by Google, as that will be expensive for me.

Any advice greatly appreciated.

if you think this is wrong…

You can upload and report FP to avast here: http://www.avast.com/contact-form.php
you may add a link to this topic in case they reply here

I have no proof either way really but am concerned. I was inquiring to see if anyone could offer any advice to swing me either way, as I don't want to jump in and spend endless hours on the server and site if it's a false positive, but conversely I don't want to be banned by Google if I ignore the warning.

URL:mal means it is on a block list … for whatever reason

VirusTotal url scan and urlvoid.com say not listed…

Sorry for sounding thick, but what does that mean?

it means this could be a wrong block…

http://www.urlvoid.com/scan/whitbyseaanglers.co.uk/

https://www.virustotal.com/en/url/3ccc76ebd70a7b248affd84e8c3c825904f4b308577b531079e4185a29175103/analysis/

http://sitecheck.sucuri.net/results/www.whitbyseaanglers.co.uk/

Sorry, does that mean Avast may have it wrong?

So what happens when you submit a false positive report? I submitted a few days back now and it still appears I'm blacklisted. No other anti-virus or search engine, including Google, is blocking my site. Avast is making me lose customers and income.

They will investigate it. But they are probably getting millions of websites and files to check every day,
so this can take some time.

OK guys, here is the current state of play :cry:

Avast came back to me and said Quote - “It’s detected due to this: whitbyseaanglers.co.uk /wp-includes/wp-mail.php%7c%3e%7bgzip%7d”

So I have checked my files on the server and wp-mail.php is not there. Below are two screenshots of what is there.

Could someone please advise on what to do next, as I am losing customers and much needed income.

https://sphotos-a-lhr.xx.fbcdn.net/hphotos-ash3/557765_577385115641590_885842656_n.jpg

https://sphotos-a-lhr.xx.fbcdn.net/hphotos-prn2/p480x480/1236710_577385365641565_1589048229_n.jpg

I notified polonus about this; he will check it for you.

He is a website analyst from the forum. :wink:

Thank you so much for your help. I'm sure you appreciate that times like this can be rather stressful when your site income depends on all possible customers reaching your site.

The avast alert was for hxtp://www.whitbyseaanglers.co.uk/wp-includes/wp-mail.php
Code hick-up
ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js?ver=3.6.1 benign
[nothing detected] (script) ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js?ver=3.6.1
status: (referer=wXw.whitbyseaanglers.co.uk/wp-includes/wp-mail.php)saved 92629 bytes ae49e56999d82802727455f0ba83b63acd90a22b
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
suspicious:
Read how your site might have been infected: http://digwp.com/2009/06/xmlrpc-php-security/
Core code from WP is mostly secure and updated regularly against insecurities and vulnerabilities,
but there are many plug-ins and extensions for WP that are less secure and may be vulnerable.
The xmlrpc-php-security issues should be taken up with your hoster, as these are web server attacks.
See code
46:< link rel=“EditURI” type=“application/rsd+xml” title=“RSD” href=“htxp://www.whitbyseaanglers.co.uk/xmlrpc.php?rsd” />
47:< link rel=“wlwmanifest” type=“application/wlwmanifest+xml” href=“htxp://www.whitbyseaanglers.co.uk/wp-includes/wlwmanifest.xml” />
There is also an issue with this backlink: https://www.eff.org/https-everywhere/atlas/domains/vimeocdn.com.html
see:
GET /p/flash/moogaloop/5.5.0b29/moogaloop.swf?clip_id=62537288 HTTP/1.1
Host: a.vimeocdn.com
HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash

polonus

Sorry, but I am not understanding what you are saying. Are you saying my site IS, or IS NOT, affected?

Surely the screen dumps above show that the file does not exist?

Hi glennk,

If you cannot trace this: administrator/plugins/system/pc_includes/ajax_1 2.js%7C%3E%7Bgzip%7D|>{ gzip} then you are not affected by what avast flags;
else your site was maliciously hacked and infested with an image hack. If you are free of this you can file an FP report.

polonus

Sorry to be a pain. I already logged a false positive and they emailed me back saying: “It’s detected due to this: whitbyseaanglers.co.uk /wp-includes/wp-mail.php%7c%3e%7bgzip%7d”

However, when I look on my server that file does not exist.

administrator/plugins/system/pc_includes/ajax_1 2.js%7C%3E%7Bgzip%7D|>{ gzip}

Please could you help me by advising where I find that. Is it in public_html/wp-content/plugins, or is it somewhere else? I don't know where to find administrator/plugins/system/pc_includes.
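The reason the flagged path cannot be found by name is that the `%7c%3e%7bgzip%7d` tail is the scanner's URL-encoded `|>{gzip}` decoding annotation, not part of a filename. The following Python is an added example, not code from the thread or from Avast: it strips that annotation, resolves the remaining URL path under the WordPress document root without letting it escape the root, and reports whether the file is actually on disk. The sample layout it builds is constructed for the demo and mirrors a stock WordPress install, which ships wp-mail.php at the root rather than in wp-includes.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# "|>{gzip}" (URL-encoded as %7c%3e%7bgzip%7d on the page) is a decoding annotation, not a file name.
_DECODER = re.compile(r"\|>\{\s*([A-Za-z0-9_-]+)\s*\}$")


def parse_alert(alert):
    """Split 'host /path%7c%3e%7bgzip%7d' into (host, url_path, decoders)."""
    text = alert.strip()
    for _ in range(3):  # URL-decode until stable (some reports are double-encoded)
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    decoders = []
    while True:  # peel trailing "|>{name}" annotations; they are not part of the path
        match = _DECODER.search(text)
        if not match:
            break
        decoders.insert(0, match.group(1).lower())
        text = text[: match.start()].rstrip()
    if "://" in text:  # drop the scheme, including defanged ones such as hxtp://
        text = text.split("://", 1)[1]
    host, _, path = text.partition("/")
    if "." not in host:  # no host at all, only a path
        host, path = "", text
    return host.strip(), "/" + path.strip().lstrip("/"), decoders


def locate(docroot, url_path):
    """Return (exists, filesystem_path) for url_path under docroot, refusing escapes."""
    root = os.path.abspath(docroot)
    candidate = os.path.normpath(os.path.join(root, url_path.lstrip("/")))
    if not candidate.startswith(root + os.sep):  # a '..' in the alert must not leave the web root
        return False, candidate
    return os.path.isfile(candidate), candidate


def demo():
    """Constructed layout: wp-mail.php at the WordPress root, nothing of that name in wp-includes."""
    docroot = tempfile.mkdtemp()
    os.makedirs(os.path.join(docroot, "wp-includes"))
    open(os.path.join(docroot, "wp-mail.php"), "w").close()
    host, path, decoders = parse_alert("whitbyseaanglers.co.uk /wp-includes/wp-mail.php%7c%3e%7bgzip%7d")
    flagged_exists, _ = locate(docroot, path)
    root_exists, _ = locate(docroot, "/wp-mail.php")
    return {"host": host, "path": path, "decoders": decoders, "flagged_exists": flagged_exists, "root_copy_exists": root_exists}
```

Run `demo()` against the real document root instead of the temporary one to see whether the decoded path exists there; if it does not, the file Avast decoded was either served by a rewrite rule or has since been removed.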

Right guys, I've spoken to a lot of people, including WordPress. They say this is a false positive. I am beginning to get a little angry now, as this has rumbled on for over a week and we are no further forward. Avast is costing me customers and money. This is the latest response from a moderator at WordPress support:

I am saying I don't show you hacked, and neither do 8 other sources according to Sucuri.

If Avast is the only one showing a problem then they are better than all the rest or it is a false positive.

Please can you advise on how to move forward.

This seems like your site was hacked (usually through outdated WP; the link seems like a part of Blackhole), but now it seems to be clear, so I changed the detection and it should be OK in the next VPS.

Won’t the two factor authentication avoid hacking in WordPress blogs?

No alerts here.