system
1
Hello!
I have a problem with my blog (hxxp://blogdesuperheroes.es/). Google doesn’t detect anything, but a few readers told me Avast shows a message.
I’ve installed the free version of Avast, and when I enter the site, Avast blocks it with the following message:
Objet: 91.196.216.20/url.php [That’s the IP of my blog]
Infection: URL:MAL
I’ve looked for the file in my FTP but it doesn’t exist. I’ve uploaded an empty url.php, but there were no consequences.
Could you help me try to find out the problem?
Thanks in advance.
Pondus
2
system
3
Thank you!! I was looking for a website like Sucuri to scan my website. Now I know of one.
I’ve solved the problem.
Thank you very much!!
Here are the iFrame scan results of the site:
No zeroiframes detected!
Check took 5.53 seconds
(Level: 0) Url checked:
-http://blogdesuperheroes.es
Google code detected (Ads, not a cheater)
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
-http://blogdesuperheroes.es/wp-includes/js/l10n.js?ver=20101110
Blank page / could not connect
No ad codes identified
Flagged by sucuri scan according to previous posting by Pondus
(Level: 1) Url checked: (script source)
-http://blogdesuperheroes.es/wp-includes/js/jquery/jquery.js?ver=1.6.1
Zeroiframes detected on this site: 0
No ad codes identified
ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
error: undefined function a.getElementsByTagName
error: undefined variable a
(Level: 1) Url checked: (script source)
-http://blogdesuperheroes.es/wp-content/plugins/wordpress-comment-images/js/comment-images.js?ver=1.4
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
-http://blogdesuperheroes.es/wp-content/plugins/vslider/js/vslider.js?ver=3.2.1
Zeroiframes detected on this site: 0
No ad codes identified
undefined variable jQuery
error: undefined variable $.fn
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var $.fn = 1;
error: line:1: …^
(Level: 1) Url checked: (script source)
-http://blogdesuperheroes.es/wp-includes/js/tw-sack.js?ver=1.6.1
Zeroiframes detected on this site: 0
No ad codes identified
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
file: 85e00c13c4e0563b889799e6e8378ca3448c55dd: 3619 bytes
(Level: 1) Url checked: (script source)
-http://www.google-analytics.com/urchin.js
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (script source)
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (script source)
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (script source)
-http://contadores.miarroba.com/ver.php?id=458197
Zeroiframes detected on this site: 0
No ad codes identified
OK
polonus
Pondus
5
Sucuri says clean now… that was a quick clean ;D
Hi Pondus,
That was rewarding for you, Pondus.
Really superfast; as I scanned the site, it was already cleansed.
polonus
system
7
I also got this on my blog hXXp://www.krypinaturen.se. Wepawet says nothing there, see the screenshot.
I have had many problems lately with my blog and I have been removing strange code in both my theme and in wp-includes, and in the JS folder there were .php files I removed.
What can I do to not get hacked by it?
I get problems in the admin panel in WordPress; very strange things happen.
I am not so good at this so I hope someone can help me. Sorry for my bad English, I am from Sweden.
Pondus
8
system
9
OK, where is the ? I can’t see where it is and how do I get rid of it?
In one report it says:
“ClamAV 0.97.0.0 2011.08.30 PUA.HTML.Infected.WebPage-2”
And what is that, and how can I get rid of it?
Thanks for your help,
Pondus
10
I will PM Scott, he will tell you where it is when he arrives here… it may take some time.
system
11
OK, great, thank you very much.
system
12
Hi krypinaturen, welcome to the forum 
First,
Please can you modify the link, to prevent others potentially becoming infected (change http to hXXp). Thanks.
I can’t see any scripts that would cause an alert.
I imagine that the site is blocked by the network shield because it was previously hacked, there were a few cases of wordpress blogs specifically being targeted. The sucuri blog covers it quite well.
http://blog.sucuri.net/2011/08/mass-infection-of-wordpress-sites-counter-wordpress-com.html
You will have to report it to avast as a False Positive before it is removed. That can be done via the online form:
http://www.avast.com/contact-form.php?loadStyles
Choose: Report False virus alert on website and include any information that may help. (A link to here may not go amiss either ;))
Virustotal.
For whatever reason, ClamAV is alerting on the script included at about line 748… I don’t really know why, or whether there is any real merit in the detection (I am guessing that it may be an FP).
The UnmaskParasites warning is about the script outside of the html block.
I don’t think this script is bad per se (no hits on VT), I think that Unmask is just warning about the fact that it is not in the right place.
Generally there shouldn’t be anything after the closing html tags.
Scott
DavidR
13
This is the complete script tag (on your home page) which is outside of the closing HTML tag (generally suspicious as it isn’t standards compliant), see image, click to expand. This is the one that UnmaskParasites is suspicious about.
Now avast isn’t alerting on that page with Firefox 6.0 and NoScript (but allowed on that page). I also use RequestPolicy (protects against cross-site scripting) and I see lots of scripts for other sites (image2), one of which is just an IP address, and that always makes me twitch. I hate things masked in this way, and this IP is in Russia, see image3. Does this ring any bells?
system
14
Hello again and thank you for your help here.
I have changed the web address here, I don’t want anyone to get infected. I have also reported to Avast as you suggested.
I have removed the JavaScript from my theme in index.php, single.php and page.php, and I have deactivated the plugin wp highslide.
NOW I want to know how I can find the Russian IP address and block it from my blog?
How do I protect myself in the future?
I am very grateful for all your help here.
DavidR
15
Well I can’t see any direct reference to the IP, e.g. it isn’t structured in the IP address format. So it is somehow obscured; this normally happens in script tags or iframe tags (none), but I don’t see anything in your home page.
EDIT:
So I’m just wondering if the IP address checker I used might not have got it wrong as being in Russia. Having read over the topic again, the original poster was saying that that IP address was his blog.
Yet a whois on the domain name given, blogdesuperheroes.es, returns a different IP, 87.106.56.146.
However, I still get the reference to that 91.196.216.20 IP in RequestPolicy add-on.
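The two things the tools in this thread flagged, a script tag sitting after the closing html tag and a script source pointing at a bare or obscured IP address, can be checked mechanically on a saved copy of a page. This is an added example, not code from the thread; the sample page is constructed and reuses the 91.196.216.20 address mentioned above, written in hex.

```python
# Added example (not from the thread): audit a saved HTML page for
#  1. <script>/<iframe> tags placed after the closing </html> tag, and
#  2. script/iframe sources whose host is a bare IPv4 address, including the
#     plain-decimal and 0x-hex spellings that hide the dotted form in source.
import re

TAG_RE = re.compile(r"<(script|iframe)\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)
CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
DOTTED_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def decode_host_as_ip(host):
    """Return the dotted-quad form if host is a bare IPv4 address written
    as dotted, plain decimal or 0x-hex; otherwise return None."""
    if DOTTED_RE.match(host):
        return host if all(int(o) < 256 for o in host.split(".")) else None
    try:
        n = int(host, 16 if host.lower().startswith("0x") else 10)
    except ValueError:
        return None  # an ordinary hostname
    if not 0 <= n <= 0xFFFFFFFF:
        return None
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def audit_page(html):
    """Return a list of (finding, detail) tuples for the page source."""
    findings = []
    closes = list(CLOSE_RE.finditer(html))
    close_at = closes[-1].start() if closes else None
    for m in TAG_RE.finditer(html):
        tag = m.group(0)
        if close_at is not None and m.start() > close_at:
            findings.append(("after_html_close", tag))
        src = SRC_RE.search(tag)
        if src:
            host = src.group(1).split(":")[0]  # drop any :port
            ip = decode_host_as_ip(host)
            if ip:
                findings.append(("bare_ip_source", ip))
    return findings

# Constructed sample: a normal analytics include inside the document, then an
# injected tag after </html> loading from 91.196.216.20 written as 0x5bc4d814.
SAMPLE_PAGE = """<html><head><script src="http://www.google-analytics.com/urchin.js"></script>
</head><body>post content</body></html>
<script type="text/javascript" src="http://0x5bc4d814/url.php"></script>
"""

print(audit_page(SAMPLE_PAGE))
```

Run against a page saved with "view source" rather than a live fetch, so the check sees exactly what the browser was served.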
system
16
OK, that sounds good, but something is wrong. I have changed theme and avast did not warn, but in the admin panel it warns, so I found it in wp-includes/js/jquary.js?ver=1.6.1 and I removed jquary.js, but now it warns again both in the admin panel and on the blog.
Sucuri still finds the issues here: Web application version:
Wordpress version: WordPress 3.2.1
Wordpress Version 3.2 based on: -http://krypinaturen.se//wp-includes/js/autosave.js
Wordpress theme: -http://krypinaturen.se/wp-content/themes/palnila/
Wordpress internal path: -/home/web34138/domains/krypinaturen.se/public_html/wp-content/themes/palnila/index.php
Malware found on javascript file:
-http://krypinaturen.se/wp-includes/js/l10n.js?ver=20101110
Known javascript malware, the fil l10n.jsver=20101110 is detected as HTML/Crypted.Gen
also known as counter Wordpress hack,
polonus
system
18
I have got some help from my web host and they say many files are infected, but it has not got into the deepest database, and they are helping me to clean it.
Many thanks for your help and answers here, they have been worth gold to me.
DavidR
19
You’re welcome, good luck with the cleaning.
Pondus
20
Sucuri scanner is now working again… see attached screenshot (click to enlarge)
Malware entry: MW:JS:2368 http://sucuri.net/malware/malware-entry-mwjs2368