Jump to content

Website blocked, false positive


Recommended Posts

  • Staff

Hello,

Looks like these files were reported: 

http://abwoon.org/wp-content/plugins/youtube-embed-plus/scripts/ytprefs.min.js

Reported here:
https://www.virustotal.com/gui/file/c7ef34ac1f0761c62602fd8ebdce318fb6efd70d016492a62ee6e5dce4ce6044/detection

http://abwoon.org/wp-includes/js/jquery/ui/core.min.js

Reported here:
https://www.virustotal.com/gui/file/4b7492aa1621a2a1c936c08e163604cefe7edfaa6c8c989b08acaa3bc724ec7b/detection

 

Link to post
Share on other sites

Thanks, Zynthesist.

So now I'd like to remedy those, but not sure the best way to do it. I have only the simplest understanding of scripts like those, but would I be right in thinking that if the one on the server is a bigger filesize than the one one my backup, it has extra code injected, and that could be the trojan(s), within the javascript code?

If I simply replace the bigger one with the smaller one, is that likely to solve the trojan problem, and if it does, will Malwarebytes immediately stop detecting it and stop blocking the site?

Or is there a more logically safe and effective approach to take? I'm not certain that any file I use to replace with will be the latect or most compatible version of the file, or if it might break the way the original script is meant to function, if I use an out of date file.

Secondly, many of the files have two versions, eg core.js (48KB) and core.min.js (21KB), with the second about half the size of the first. Is the .min version the same code but formatted without spaces and line breaks, to minimise the filesize? If so, should I assume the core.js is also injected with the same trojan, and should I therefore replace those as well? In fact, do I even need the larger core.js at all - can I delete the larger of a pair, if I have the .min version installed? My backup has only .min versions and the site works.

Sorry, lots of questions :-)

Link to post
Share on other sites

  • Staff

Hi ChrisGR70,

The best way would be to contact your webmaster/webhosting and ask them for help in cleaning up your website.

As I can see now, this file has been cleaned -

http://abwoon.org/wp-includes/js/jquery/ui/core.min.js

but this malicious file still remains -

http://abwoon.org/wp-content/plugins/youtube-embed-plus/scripts/ytprefs.min.js

I would recommend you to remove that folder completely and reinstall the plugin or try to replace it with this file (this is for the version 13.4.2 of the Embed Plus for YouTube plugin).

ytprefs.min.js.7z

Link to post
Share on other sites

Hi Dashke, thanks.

I'm confused if you say the file has been cleaned. As I look at the filesizes, the core.js.min is still 21KB on the server (the core.js is still 48KB) but on all the other wordpress sites I own core.js.min is only 4KB.

I'll try deleting the Youtube plugin and reinstalling, if deleting it allows me to get logged back into the dashboard.

Link to post
Share on other sites

I've deleted the youtube plugin and reinstalled it. I ignored the core.js.min file as you said it was clean - and now the website loads properly again. It's not being blocked by Malwarebytes browser guard or by AVG Web Shield.

I think that's fixed it!

I don't know if there are any scans that will show up any other malware, but it's great that it works for me now. Thanks for the help - I'd never have known where to look without it.

Chris.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.