Web Shield says our website is malicious, but it's not!!!

My Avast Web Shield says all of the sub-domains that are part of our main website are hacked.

They are not!!! I checked with Google Webmaster Tools and it tells me the entire website is fine.

We DID get hacked a while ago, but things have been okay for a while. How do we get off Avast’s s**t list?

Thanks in advance!

What is your website? Make it a dead link by using “htxp” or “hxxp”.
What is your website IP?

Our website analysts use various scanners to determine a website's safety/security.

how do we get off Avast's s**t list?
Unless you tell us what URL it is, avast doesn't know what URL to take off the list ;)

His second post here.
Again using bad language.
And he never responded to his previous post.
If he is the admin/webmaster, he should change his attitude imho.

I made my post yesterday evening giving the OP plenty of time to respond. I did so knowing that there
are plenty of forum members able to run the many tests to check his website. Instead of getting his
issue cleared up he wanted to rant. Personally I wanted to do some website analysis for my own
curiosity.

Okay guys… in reading your posts I realized one important thing:

I AM A MORON (for not including the URL).

Here are a few of the sub-domains:
http://triadig.oagroups.org/
http://elpaso.oagroups.org/
http://oabronx.oagroups.org/

Thanks in advance!

There is your answer: http://sitecheck2.sucuri.net/results/triadig.oagroups.org

Infected with malware.

Polonus will be along later, he is the man you need to check this for you.

There is an issue here: http://dnscheck.pingdom.com/?domain=triadig.oagroups.org%2F&timestamp=1396631371&view=1

Potentially suspicious file flagged by Quttera: /wp-content/plugins/fckeditor-for-wordpress-plugin/ckeditor/ckeditor.js?ver=3.5.1
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘<a id=“cke_elementspath_undefined_18446744073709551615” href="javascript:void('_cke_real_element_ty’]] of length 177590 which may point to obfuscation or shellcode. *
Threat dump: View code - http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Felpaso.oagroups.org%2F&useragent=Fetch+useragent&accept_encoding=
Threat dump MD5: CA7EA1A52E036B0B7E65C3D630548131
File size[byte]: 268039
File type: ASCII
MD5: 0EB8C0D4FF340B1BDD7FA209D6121A05
Scan duration[sec]: 73.920000

Malicious script detected: htxp://abtt.tv/modules/mod_servises/ua.js script Malicious - cannot connect Can’t fetch file pointed by your url.
http://sucuri.net/malware/malware-entry-mwblacklisted35
avast flags JS:Includer-ANC[Trj] on site * → http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Felpaso.oagroups.org%2F

Reason for infection: outdated CMS, that is outdated - WordPress version: WordPress 3.5.1
Wordpress version from source: 3.5.1
Wordpress Version 3.5 based on: htxp://elpaso.oagroups.org//wp-admin/js/common.js
WordPress theme: htxp://elpaso.oagroups.org/wp-content/themes/twentyten/
WordPress version outdated: Upgrade required.

polonus
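The scanner output above boils down to two checks a site owner can repeat offline on a saved copy of the page: which WordPress version leaks from the source, and which `<script src>` includes pull code from hosts other than the site itself (the "JS:Includer" pattern). The following is an added example, not code from the thread or from any of the scanners named in it; the HTML is a constructed sample modelled on the findings, and the reference release passed to `outdated()` is an assumption the caller supplies.

```python
import re
from urllib.parse import urlparse

# Constructed sample page, modelled on the findings in the thread (version in
# source, an include from the flagged external host). Not captured from the site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<script src="/wp-content/plugins/fckeditor-for-wordpress-plugin/ckeditor/ckeditor.js?ver=3.5.1"></script>
<script type="text/javascript" src="http://abtt.tv/modules/mod_servises/ua.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
</head><body></body></html>"""

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
GENERATOR = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I)
VERSION_PARAM = re.compile(r'[?&]ver=([\d.]+)')


def wordpress_versions(html):
    """Collect every WordPress version hint leaking from the page source:
    the generator meta tag and ?ver= parameters on core/plugin assets."""
    hints = set(GENERATOR.findall(html))
    for src in SCRIPT_SRC.findall(html):
        if src.startswith("/wp-") or "/wp-content/" in src:
            hints.update(VERSION_PARAM.findall(src))
    return sorted(hints)


def external_script_hosts(html, site_host, allowlist=()):
    """Hosts of <script src> includes that are neither the site itself nor
    on the allowlist (CDNs the owner knows about). Relative paths have no
    host and are treated as same-site."""
    trusted = {site_host.lower(), *(h.lower() for h in allowlist)}
    suspects = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # handles http://, // and relative URLs
        if host and host.lower() not in trusted and host not in suspects:
            suspects.append(host)
    return suspects


def outdated(versions, reference):
    """Return the version hints older than `reference` (current release,
    supplied by the caller from wordpress.org). Compared as numeric tuples."""
    ref = tuple(int(p) for p in reference.split("."))
    return [v for v in versions if tuple(int(p) for p in v.split(".")) < ref]


if __name__ == "__main__":
    print("versions:", wordpress_versions(SAMPLE_HTML))
    print("unknown hosts:", external_script_hosts(SAMPLE_HTML, "elpaso.oagroups.org",
                                                 allowlist=["ajax.googleapis.com"]))
```

Run against a saved copy of each sub-domain's front page; any host in the result that the owner did not add, and any version older than the current release, is a finding to act on.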

And here
http://dnscheck.pingdom.com/?domain=triadig.oagroups.org
http://zulu.zscaler.com/submission/show/7cf366d1e79cd0c00d0c2ad8ace8522c-1396632361
https://asafaweb.com/Scan?Url=triadig.oagroups.org

Your website definitely has issues.

And polonus was quicker than me…

Hello,

As Polonus states, there are still remains of the hack present. For a similar (if not the same) issue, please see: http://stackoverflow.com/questions/16013544/

The “abtt.tv” is supposedly malicious. Do you have any connections with them?

@Para-Noid I recommend direct analysis over “automated scanning”. Sure you can use them for guidance, but you should never fully rely on them.

@kiernan7 Sorry for the inconvenience. Just a heads up that you have the right not to post confidential information, e.g. website URLs, on public forums.

Regards,
~!Donovan

Jotti
http://virusscan.jotti.org/en/scanresult/d00f876c12b43e7603503d57b9da6ed38761618d
http://virusscan.jotti.org/en/scanresult/64289d2784a1f51aaa842dd6dd8ed332b0f80701
http://virusscan.jotti.org/en/scanresult/6b17eec1b32947dd2375987ff742ef39b9924195

Would not surprise me if the problem is caused by using the old WordPress version.

Well Eddy, we could even be somewhat more precise and bet on this WordPress theme - themes/twentyten/ -
and it is truly a good candidate to get us into trouble.
Read how that came backdoored, yep, by the developer I mean: http://wordpress.org/support/topic/security-issue-with-twentyten
So with free themes we have to be extremely cautious about what we are actually installing :)

polonus