Unknown_html_RFI_shell malware on website detected

polonus · 2015-05-18T14:48:10.000Z

Re: https://www.virustotal.com/nl/url/20ebeebf2390aaea2cd6e1cf9ece4f3e6f1bb01b489d8d62ba1edf2fda91ff49/analysis/1431959471/
Re: ISSUE DETECTED DEFINITION INFECTED URL
Website Malware mwjs-iframe-injected691?v27 htxp://adishaktibrasil.com
Website Malware mwjs-iframe-injected691?v27 htxp://adishaktibrasil.com/index.html
Website Malware mwjs-iframe-injected691?v27 htxp://adishaktibrasil.com/quem-somos.html
Website Malware mwjs-iframe-injected691?v27 htxp://adishaktibrasil.com/calderon-subiabre-jeanaina-jivan-shakti-kaur.html
Website Malware mwjs-iframe-injected691?v27 htxp://adishaktibrasil.com/anand-alok.html
Website Malware mwjs-iframe-injected691?v27 htxp://adishaktibrasil.com/kadja.html
Known javascript malware. Details: http://labs.sucuri.net/db/malware/mwjs-iframe-injected691?v27
script no longer there?
See: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fdanieldamian.ro%2Fwp-content%2Fthemes%2Ftwentythirteen%2Fvbxm2nbp.php%3Fid%3D16793&useragentheader=&acceptheader=

44 malcious files and 2 potentially suspicious files flagged by Quttera’s: http://quttera.com/detailed_report/adishaktibrasil.com

Yandex blacklisted: https://yandex.com/infected?l10n=en&url=adishaktibrasil.com&redircnt=1431960378.1
and here: http://www.google.com/safebrowsing/diagnostic?site=adishaktibrasil.com

polonus

polonus · 2015-05-18T15:17:20.000Z

In this case here Avast has detection as JS:HideLink-A [Trj] here: https://www.virustotal.com/nl/url/d64a5680b4cca1b5a5c95f3d2a6b256ee0fc18feceb0cdac135d09175c60061d/analysis/1431960986/ unknown_html_RFI_shell
Fortinet’s Webfilter flags here: http://urlquery.net/report.php?id=1431961152691
WordPress Version 4.0.5
Version does not appear to be latest 4.2.2 - update now.
The theme has been found by examining the path /wp-content/themes/ theme name /
Zack 990 1.1 http://andreamignolo.com/zack-990/ Is no longer maintained nor updated, might be vulnerable:
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fpnts.us
https://code.google.com/p/owasp-wte/source/browse/conversion/wpscan/contents/opt/owasp/wpscan/data/themes.txt

Warning: User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.
User ID 1 : admin
User ID 2 : None

Infected with SEO Spam: Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?g12
t=‘’;}}x[l-a]=z;}document.write(‘<’+x[0]+’ ‘+x[4]+’>.‘+x[2]+’{‘+x[1]+’}</‘+x[0]+’>');}xViewState();

Detection missed here grand scale: http://zulu.zscaler.com/submission/show/cb9bf509727763964b05ff093cf357ae-1431961178

Read here: https://wordpress.org/support/topic/unable-to-find-and-remove-mwspamseo

And from little old me: https://forum.avast.com/index.php?topic=169263.0

polonus (volunteer website security analyst and website error-hunter)

Announcements