Malware on a WordPress theme

Thanks for the quick reply Jan. Below is the complete details of the incident.

Regards,

Jovel

————————-

Dear Jovel,

We have received a complaint regarding magicmelt.com which has been compromised. With this, we have temporarily suspended the hosting account. Please let us know when you are ready to fix the site so we can unsuspend. Below is the report.

—————————————————————–
—- Original message —-

> This is an automated email alert; please do not reply to this email as
> replies will not be answered. To get in contact with us, use the links
> and contact details, mentioned in the text below instead!
>
> ************************************************************************
>
> TO WHOM IT MAY CONCERN:
>
> The security experts of cyscon GmbH like to ask you to remove/review
> the below mentioned file from/on your servers. At least one of our
> scanners detect it, and we consider it as malicious:
>
> ########################################################################
> # begin logs
>
> IP: 67.215.234.180
> URL: http://magicmelt.com/blog/
> Port: 80
> Tested on: Sat, 29 Sep 2012 12:33:19 +0200
> Result: JS/Redirect.CG
>
> # end logs
> ########################################################################
>
> Also, please check if your machine has been compromised and is now
> being used by intruders in malicious activities, or if a legitimate
> user is engaged in activity that is probably in violation of your
> terms of service agreement. In either case, please investigate this
> matter. Further details on this project & advisories may be found
> here: http://www.c-sirt.org/faq-section/
>
> The incident is already solved? Then just visit the following url and
> trigger a rescan of your file:
> http://www.c-sirt.org/incident/?incident=da11a27d14a5c0cca800f9255956eee5
> When the problem is solved the field “Solved” will be set and
the
> color changes to green. If this does not happen, a virus-scanner still
> detects malicious content.
>
> You received this message because you are listed as the contact for
> this network (AS# AS29761). This message is intended for the person
> responsible for computer security at your site. If this is not the
> correct address, please forward this message to the appropriate party.
>
> Please note: If more than one IP address at your site is involved, or
> malicious code/malware is detected in more than one file, you may/will
> receive more than one message, each one with different content.
> Additionally you may found a X-ARF report attached to this document,
> with all relevant details for automated complaint parsing. Learn more
> about X-ARF: http://www.x-arf.org/specification.html
>
> We hope this important information regarding the security of your
> customers/clients content is/was useful/helpful for you. In case of
> further questions, of if you need any help in resolving this issue,
> please feel free to contact us at <sitesecurity@cyscon.de>. We, the
> C-SIRT team of cyscon GmbH, will assist you in any questions regarding
> this incident [SIRT#0001208564].
—————————————————————–

########################################################################
# begin logs

IP: 67.215.234.180
URL: http://magicmelt.com/
Port: 80
Tested on: Sat, 29 Sep 2012 12:33:44 +0200
Result: Redirects.To.JS/Redirect.CG

# end logs
########################################################################