(Level: 0) Url checked:
-http://blogdesuperheroes.es
Google code detected (Ads, not a cheater)
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
-http://blogdesuperheroes.es/wp-includes/js/jquery/jquery.js?ver=1.6.1
Zeroiframes detected on this site: 0
No ad codes identified
ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
error: undefined function a.getElementsByTagName
error: undefined variable a
I also got this on my blog h XX p://www.krypinaturen.se, Weapawet says nothing there, see the screen shot.
I got much problems lately with my blog and I have been take away strange kod in both my theme and in wp-includes and in the map JS there are .php files I took away.
What can I do to not get hacked of it?
I get problems in the admin panel in wordpress, very strange things happens.
I am not so good on this so I hope anyone can help me. Sorry for my bad english, are from sweden.
Choose: Report False virus alert on website and include any information that may help. (A link to here may not go a miss either ;))
Virustotal.
For whatever reason, ClamAV is alerting on the script included at about line 748…I don’t really know why, or whether there is any real merit in the detection (I am guessing that it may be a FP)
The UnmaskParasites warning about the script ouside of the html block.
I don’t think this script is bad per say (no hits on VT), I think that Unmask is just warning about the fact that it is not in the right place.
Generally there shouldn’t be anything after the closing html tags ( )
This is the complete script tag (on your home page) which is outside of the closing HTML tag (generally suspicious as it isn’t standards compliant), see image, click to expand. This is the one that UnmaskParasites is suspicious about.
Now avast isn’t alerting on that page with firefox 6.0 and NoScript (but allowed on that page). I also use RequestPolicy (protects against cross site scripting) and I see lots of scripts for other sites (image2) one of which is just an IP address and that always makes me twitch. I hate things masked in this way, and this IP is In Russia, see image3. Does this ring any bells ?
Well I can’t see any direct reference to the IP, e.g. is isn’t structured in the IP address format. So it is somehow obscured, this normally happens in script tags or iframe tags (none), but I don’t see anything in your home page.
EDIT:
So I’m just wondering if the IP address checker I used might not have got it wrong as being in Russia. Having read over the topic again, the original poster was saying that that IP address was his blog.
Yet a whois on the domain name given blogdesuperheroes.es returns a different IP 87.106.56.146.
However, I still get the reference to that 91.196.216.20 IP in RequestPolicy add-on.
ok that sounds good, but something is wrong. I have change theme and avast did not warn but in the admin panel it warns, so I found in wp-includes/js/jquary.js?ver=1.6.1 and I took away jquary.js but now it warns again both in the admin panel and on the blog.
Have got some help from my webhotell and they say many files is infected, but has not get in to the deepest database and they help me to clean it for me.
many thanks for your help and answers here, they have been worth gold for me.
