Website blocked, false positive

[ChrisGR70]

My website, abwoon.org is blocked by Malwarebytes but this is a false positive. Please can this site be unblocked?

Google Safe Browsing and Sucuri - both have the website marked as safe:

https://transparencyreport.google.com/safe-browsing/search?url=abwoon.org&hl=en_GB
https://sitecheck.sucuri.net/results/abwoon.org

[ChrisGR70]

I attach my log file.

mbst-grab-results.zip

[Zynthesist]

Hello,

Looks like these files were reported: 

http://abwoon.org/wp-content/plugins/youtube-embed-plus/scripts/ytprefs.min.js

Reported here:
https://www.virustotal.com/gui/file/c7ef34ac1f0761c62602fd8ebdce318fb6efd70d016492a62ee6e5dce4ce6044/detection

http://abwoon.org/wp-includes/js/jquery/ui/core.min.js

Reported here:
https://www.virustotal.com/gui/file/4b7492aa1621a2a1c936c08e163604cefe7edfaa6c8c989b08acaa3bc724ec7b/detection

 

[ChrisGR70]

Thanks, Zynthesist.

So now I'd like to remedy those, but not sure the best way to do it. I have only the simplest understanding of scripts like those, but would I be right in thinking that if the one on the server is a bigger filesize than the one one my backup, it has extra code injected, and that could be the trojan(s), within the javascript code?

If I simply replace the bigger one with the smaller one, is that likely to solve the trojan problem, and if it does, will Malwarebytes immediately stop detecting it and stop blocking the site?

Or is there a more logically safe and effective approach to take? I'm not certain that any file I use to replace with will be the latect or most compatible version of the file, or if it might break the way the original script is meant to function, if I use an out of date file.

Secondly, many of the files have two versions, eg core.js (48KB) and core.min.js (21KB), with the second about half the size of the first. Is the .min version the same code but formatted without spaces and line breaks, to minimise the filesize? If so, should I assume the core.js is also injected with the same trojan, and should I therefore replace those as well? In fact, do I even need the larger core.js at all - can I delete the larger of a pair, if I have the .min version installed? My backup has only .min versions and the site works.

Sorry, lots of questions :-)

[Dashke]

Hi ChrisGR70,

The best way would be to contact your webmaster/webhosting and ask them for help in cleaning up your website.

As I can see now, this file has been cleaned -

http://abwoon.org/wp-includes/js/jquery/ui/core.min.js

but this malicious file still remains -

http://abwoon.org/wp-content/plugins/youtube-embed-plus/scripts/ytprefs.min.js

I would recommend you to remove that folder completely and reinstall the plugin or try to replace it with this file (this is for the version 13.4.2 of the Embed Plus for YouTube plugin).

ytprefs.min.js.7z

[ChrisGR70]

Hi Dashke, thanks.

I'm confused if you say the file has been cleaned. As I look at the filesizes, the core.js.min is still 21KB on the server (the core.js is still 48KB) but on all the other wordpress sites I own core.js.min is only 4KB.

I'll try deleting the Youtube plugin and reinstalling, if deleting it allows me to get logged back into the dashboard.

[ChrisGR70]

I've deleted the youtube plugin and reinstalled it. I ignored the core.js.min file as you said it was clean - and now the website loads properly again. It's not being blocked by Malwarebytes browser guard or by AVG Web Shield.

I think that's fixed it!

I don't know if there are any scans that will show up any other malware, but it's great that it works for me now. Thanks for the help - I'd never have known where to look without it.

Chris.