Unexpected malware alert in WordPress theme

Infection: Other: Malware-gen [Tri]
URL: …/wp-content/themes/read/js/modernizr.js
File: {gzip}
Process: /Applications/Firefox.app/Contents/MacOS/firefox

I’ve been using the commercial WordPress theme “Read” v4.4.1 by Pixelwars (http://themeforest.net/item/read-wp-responsive-html5-minimalist-theme/4004353) for my personal website. It’s been working fine for several months, but a few days ago I suddenly got a malware alert from Avast for Mac (see above). The same alert appeared when I scanned the hard drive, highlighting modernizr.js in the theme zip file.

I contacted the theme support. They advised me to turn off all plugins and update to the newest version (4.4.2) of the theme. I did that – but the alert kept coming. The same file (modernizr.js) is highlighted by Avast (also in the downloaded zip file). However, for some reason the alert does not occur when I enter their demo site: http://themes.pixelwars.org/?theme=read-wp

Now I have temporarily switched theme to one of the default ones in WordPress. When I enter the site now there are no alerts from Avast.

Any idea of what is going on? The authors of the “Read” theme told me to ask you guys. :frowning:

What is your site’s URL? So we can have a look at what’s to be retired there.
Probably it is with your header.php file.

polonus

http://erikdelareguera.com/

I’ve changed it back to the Read theme now – and it’s still activating Avast alerts.

Any thoughts?

You need to update Apache.

USER ENUMERATION IS POSSIBLE!!!

jQuery needs to be retired: http://retire.insecurity.today/#!/scan/391f7ff3977be59fc9e08f26d8a2cc47cbebc8135b4e9ad004deaa4ea6e57973

Ok, thanks, I’ve installed a plugin to stop user enumeration now. Hope that works.

Sorry to ask (feeling stupid here), but how can I “retire jQuery”?

Stop using it

Ok, since this seems to be a problem in the theme (right?), I will convey this to the theme author Pixelwars. One more thing: is this directly related to the Avast alert about “modernizr.js”?

As said earlier, update Apache, Ubuntu and PHP with all updates; you may want to stick with PHP 5.6.19, since 7.0.4 has a few bugs that need to be fixed.
Maybe you want to move to NGINX (Free) or LiteSpeed (Payware).

YOU NEED TO WORK ON YOUR HEADERS: https://securityheaders.io/?q=http%3A%2F%2Ferikdelareguera.com%2F
Look here: https://scotthelme.co.uk/hardening-your-http-response-headers/#server

You may want to add an SSL Certificate: https://letsencrypt.org/ (This one is free but has to be renewed every 90 days.)

You may also want to consider a CDN, my recommendation: Incapsula

https://www.incapsula.com/
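The user-enumeration warning, the advice to work on the response headers (including the Server header that Scott Helme's "#server" section covers) and the suggestion to add a certificate can all be handled in the web server configuration. The following is an added example written for this page, not configuration from the thread, from Avast, from City Network or from the Read theme. It assumes Apache 2.4 with mod_rewrite and mod_headers enabled and a single VirtualHost for the site; the DocumentRoot path and the CSP policy are placeholders to adapt.

```apache
# Added example (not from the thread). Assumes Apache 2.4, mod_rewrite and
# mod_headers enabled. Paths and the CSP policy are placeholders.

# --- Weak (Debian/Ubuntu default): the Server header advertises the exact
# Apache version and the OS, and error pages repeat it.
# ServerTokens OS
# ServerSignature On

# --- Hardened: advertise only "Apache", nothing else, and drop the signature
# from error pages. PHP's own X-Powered-By is switched off with
# expose_php = Off in php.ini; the Header unset below is a backstop.
ServerTokens Prod
ServerSignature Off

<VirtualHost *:80>
    ServerName erikdelareguera.com
    DocumentRoot /var/www/html          # placeholder path

    # WordPress author enumeration: /?author=N redirects to /author/<login>/,
    # which hands out login names one integer at a time. Send those requests
    # to the front page instead. QSD drops the original query string so the
    # redirect does not loop. The REST users endpoint leaks the same data in
    # JSON on WordPress 4.7 and later, so refuse it as well.
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^author=\d+ [NC]
    RewriteRule ^ / [QSD,R=302,L]
    RewriteRule ^/wp-json/wp/v2/users - [F,L,NC]

    # Response headers securityheaders.io checks for. "always" makes Apache
    # add them to error responses too, not only to 200s.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header unset X-Powered-By

    # Content-Security-Policy in report-only mode first: a theme that inlines
    # scripts and styles (most do) breaks under a strict policy, so watch the
    # violations in the browser console before switching to the enforcing
    # Content-Security-Policy header.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"

    # Strict-Transport-Security belongs on the :443 VirtualHost only, once the
    # Let's Encrypt certificate is installed and the site works over HTTPS.
    # Browsers ignore it on plain HTTP, and a long max-age locks visitors out
    # if HTTPS later breaks, so start with a short one and grow it.
    # Header always set Strict-Transport-Security "max-age=300; includeSubDomains"
</VirtualHost>
```

To check the result after a reload: `curl -sI 'http://erikdelareguera.com/?author=1'` should answer with a redirect to `/` rather than to `/author/<name>/`, and `curl -sI http://erikdelareguera.com/` should show the new headers and a Server header that reads just "Apache". Re-run the securityheaders.io scan afterwards.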

Thanks Steven.

Still wondering about the Avast alert though. What’s wrong with “modernizr.js”?

Modernizr is a legit library: https://modernizr.com/

I have no clue. It looks like you run a Mac, don’t you?

It’s a bit off-topic, but these tools help you keep your Mac more secure:

https://objective-see.com/products.html

There are more to come soon, keep an eye out for them :slight_smile:

Could this alert for “modernizr.js” be a false positive? Anyone? And in that case, is there someone from Avast here who could do something about it?

Strange: when I open up this scan: http://www.domxssscanner.com/scan?url=http%3A%2F%2Ferikdelareguera.com%2Fwp-content%2Fthemes%2Fread%2Fjs%2Fmodernizr.js Avast does not alert on the code, but let us check where it lands for me at:
Results from scanning URL: -http://www.bkh.co.th/conf/webboard/home.php?mod=misc&ac=sendmail&rand=1459120909
and
Results from scanning URL: -http://discuz.gtimg.cn/cloud/scripts/discuz_tips.js?v=1
Number of sources found: 56
Number of sinks found: 65

Going to your site I get an Avast alert for a trojan in the browser executable. We just have to wait for an Avast team member to either confirm a rightful detection or an FP. At the moment only Avast flags the download: -modernizr.custom.63321.js
https://www.virustotal.com/nl/file/c7c52c3a0101aa351f3e134aacf58e4870b6403a2c9bb6d6d7f90c6333745961/analysis/1458852540/ Same file is not flagged here at http://www.bysofa.com/ ???

You also have to consider unfriendly and blacklisted or detected neighbours on that IP: https://www.virustotal.com/nl/ip-address/188.95.227.20/information/

Also the reverse DNS server and nameserver are vulnerable to the DROWN exploit and MitM attacks: https://test.drownattack.com/?site=atdns01.citynetwork.se , so City Network Hosting is exposing you to risks!

polonus (volunteer website security analyst and website error/hunter)

P.S. Here is another one that flags that file: https://www.metadefender.com/#!/results/file/c7f9766937944029a3d3164babc171c0/regular

Thanks polonus. Is there any way I can alert a member of the Avast team (other than posting here and waiting)?

https://support.avast.com

Thanks! Have opened a ticket now.

Hi Ename,

Share the eventual outcome with us here, won´t you?

polonus

It turns out it was a false positive! Thanks to all of you who answered me (I got a free security course, ha). :smiley:

Below the message from Avast support.

Hello again,

It was a false positive. It should be fixed in the new virus definitions update.
To update virus definition: open Avast and go to > Settings (gear icon) > Update > Virus Definitions - click “Update”

note: if it is still detected, please allow a few hours (up to 24 hrs) and check again

You still need to do some updates on the site and server :slight_smile: