website is being blocked by avast users

Hello guys,

I administer a website (xww.idealegc.com.br) and it has been blocked only for avast users.

When they are trying to access the website, the following message is displayed: URL:mal Blocked…

Could you please help me with it?

Thanks

There are several suspect JavaScripts on the page: http://zulu.zscaler.com/submission/show/0c20fbc30e48fe1562af8952025f297d-1349208559

Hi vitordt,

Break that live link to your site like with wXw, please. WordPress version from source: 3.4.2 is outdated and needs updating…
Site infected through WP hack… ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP suspicious → htxp://www.idealegc.com.br/xmlrpc.php?rsd
This "xmlrpc.php?rsd" was hacked through a hidden txt in the code, you have to clean up the WordPress header…

polonus

P.S. The link to hxtp://www.adorodesign.com.br/ is going to a site also with an outdated WP version… WordPress internal path: /home/adorodesign/www/wp-content/themes/imbalance/index.php
WordPress version outdated: Upgrade required!

Hi Polonus,
Thanks for your feedback.

Isn’t it better for me to clear all files in the ftp and re-install wordpress from scratch?

Regards,
Vítor

Hi vitordt,

Yep, that should be better. Do not forget to update and change the log-in password; also see: http://weblogtoolscollection.com/archives/2008/04/26/reset-wp-password-manually/

polonus

Polonus,

Again, thanks for the feedback!

Another 2 questions came up, though. If I am going to start from scratch:

  1. It means I will have to erase the mysql database as well, won't I?
  2. Can I export current posts and pages, delete all files in ftp, do a clean install of WordPress and import posts and pages again? Or do these posts and pages also contain suspicious links, etc.?

:slight_smile:

Hi vitordt,

You can reset the mysql database, restore root privileges…

polonus

Hi Polonus, thanks :slight_smile:

I have deleted ALL files in FTP, also deleted entire database (mysql) and ran the test. At this point, there is nothing on the ftp, but it is still showing as suspicious.

Please see: http://zulu.zscaler.com/submission/show/0c20fbc30e48fe1562af8952025f297d-1349302706

Any thoughts?

Hi vitordt,

There can be links to sub-domains that are still considered as suspicious. The link to: hxtp://www.adorodesign.com.br/ could also make the main site be considered suspicious still, but I cannot trace that anymore… Avast Network shield still flags. I see nothing there in the code. Report a FP to avast.
On the http://www.kinghost.com.br site there is content after the html tag which is suspicious: 574: <!-- 1349303673 -->
The following link there is also suspicious, with a bad WOT rep: htxp://s.clicktale.net/WRd.js’%20type=‘text/javascript’%3E%3C/%20sc%E2%80%8Bript%20%3E
tracking code
See: http://www.mywot.com/en/scorecard/s.clicktale.net?utm_source=addon&utm_content=warn-viewsc
Contains: Hijackers, Unwanted Adware/Spyware programs and is listed in OpenDNS’s Block Tool.

polonus

Hi Polonus,
What is “report FP to avast”?
How long does it take to clean via avast network shields?

You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles