Author Topic: Suspicious redirect on site - avast does not block!  (Read 2750 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Suspicious redirect on site - avast does not block!
« on: December 04, 2013, 05:58:36 PM »
Detected as suspicious: http://scanurl.net/?u=zhenzen.com&uesb=Check+This+URL#results
See: index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level. see below at *1
Details: Detected HTTP redirection to htxp://www.dsparking.com/?a_id=132061%26domainname=zhenzen.com.
File size[byte]: 4294967295
File type: Unknown
MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000

Benign -> http://zulu.zscaler.com/submission/show/04ba083211b33aa07a80dbff390eb433-1386175775
However NoScript blocks htxp://zhenzen.com/zhenzen.com
http://sp3.yousee.com/?dm=zhenzen.com&acc=EA06C966-B960-42A4-A0AC-08AC900CA947&drid=as-drid-2798160901731256&ref=https%3A%2F%2Fixquick.com%2F&session=   (fake domains redirecting to pay-per-click scam sites) *1
*1 -> https://www.mywot.com/en/scorecard/zhenzen.com?utm_source=addon&utm_content=popup-donuts
Bitdefender's TrafficLight flags search result also as malicious.

Well the risk is obvious from these results: http://sameid.net/ip/199.231.184.222/

polonus
« Last Edit: December 04, 2013, 06:08:36 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
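The "suspicious redirection to external web resources at HTTP level" finding quoted above can be checked offline against a captured redirect chain. This is an added example, not code from the thread or from any scanner it links; the redirect chain is constructed to mirror the quoted result, and the registrable-domain split is a crude last-two-labels assumption (no multi-label public suffixes).

```python
"""Flag HTTP-level redirects that leave the requested site's own domain."""
from urllib.parse import urlsplit, urljoin, parse_qs

# Constructed chain modelled on the scanner output in the post:
# (requested URL, status code, Location header or None when no redirect).
SAMPLE_CHAIN = [
    ("http://zhenzen.com/", 302,
     "http://www.dsparking.com/?a_id=132061&domainname=zhenzen.com"),
    ("http://www.dsparking.com/?a_id=132061&domainname=zhenzen.com", 200, None),
]


def registrable_domain(host):
    """Crude eTLD+1: the last two DNS labels (assumption, see lead-in)."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_chain(chain):
    """Return one finding per 3xx hop whose Location leaves the origin domain.

    Relative Location values are resolved against the request URL, so a
    site-local redirect such as "/Error" is not reported.  A hop is marked
    parking_like when a query parameter of the target carries the origin's
    domain name, the pattern visible in the quoted dsparking.com redirect.
    """
    if not chain:
        return []
    origin = registrable_domain(urlsplit(chain[0][0]).hostname)
    findings = []
    for url, status, location in chain:
        if location is None or not 300 <= status < 400:
            continue
        target = urlsplit(urljoin(url, location))
        if registrable_domain(target.hostname) == origin:
            continue
        values = [v.lower() for vals in parse_qs(target.query).values() for v in vals]
        findings.append({
            "from": url,
            "to": target.geturl(),
            "status": status,
            "parking_like": any(origin in v for v in values),
        })
    return findings


if __name__ == "__main__":
    for f in analyse_chain(SAMPLE_CHAIN):
        print(f"{f['status']} {f['from']} -> {f['to']} parking_like={f['parking_like']}")
```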

Offline polonus

Re: Suspicious redirect on site - avast does not block!
« Reply #1 on: December 04, 2013, 11:36:32 PM »
Webutation and Bitdefender TrafficLight: d.html?url=http://www.webutations.net/go/review/sp3.yousee.com?req=chrome
Mainly WOT web rep 40/100 there.

polonus

Offline polonus

Re: Suspicious redirect on site - avast does not block!
« Reply #2 on: December 04, 2013, 11:47:47 PM »
Here is another one: http://maldb.com/markusbrehm.com/#
Redirect no longer available: "Sorry, the GeoCities website you were trying to reach is no longer available,
but might be available via htxp://archive.org/web/web.php --> 'visit archive.org'"
Nothing flagged here: http://urlquery.net/report.php?id=8158603
Browser difference: Not identical

Google: 6627 bytes       Firefox: 6736 bytes
Diff:         109 bytes

First difference:
tenschutz.html">datenschutzbestimmungen</a></li> </ul> </font> </div> </div> </div> </body> </html> ...

Malware on same IP: http://support.clean-mx.de/clean-mx/viruses.php?review=89.31.143.5&sort=email%20asc

pol

Offline polonus

Re: Suspicious redirect on site - avast does not block!
« Reply #3 on: December 05, 2013, 03:48:12 PM »
See: http://www.websicherheit.at/en/security-tools/web-security-test-scan-results/
and http://maldb.com/k-010.com/
Scan for redirect: http://urlquery.net/report.php?id=8168462  and here: https://asafaweb.com/Scan?Url=kmlps.mrslove.com
-> <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />

IDS alert for Detected a Dynamic DNS URL - site not being blocked by avast!
here blacklisted twice, see: http://www.urlvoid.com/scan/kmlps.mrslove.com/
detected: http://sitecheck.sucuri.net/results/k-010.com
Code hiccup: suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE html PUBLIC "-/W3C/DTD XHTML 1.0 Strict/EN" "http:/www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
          error: line:3: ...............^  according to: http://jsunpack.jeek.org/?report=06a9269f5dcd6c14537eceb2eb57ef7733b8646f

DrWeb's URL checker misses detection:

Checking: htxp://k-010.com/base/js/base.js
File size: 30.40 KB
File MD5: fe3ae6ce29afd0f99e728abf0ae01143

htxp://k-010.com/base/js/base.js - Ok

Checking: htxp://k-010.com/base/js/common.js
File size: 10.50 KB
File MD5: 05ce5a3f427a1cedccff3799d7202a52

htxp://k-010.com/base/js/common.js - Ok

Checking: htxp://k-010.com/menu/js/channelmenu_6.js
File size: 698 bytes
File MD5: 92b87ff94d82ddd6109abd849067a2d3

htxp://k-010.com/menu/js/channelmenu_6.js - archive JS-HTML
>htxp://k-010.com/menu/js/channelmenu_6.js/JSFile_1[0][2ba] - Ok
htxp://k-010.com/menu/js/channelmenu_6.js - Ok

Checking: htxp://k-010.com/shop/js/cart.js
File size: 2741 bytes
File MD5: 33ffbb9908b9b4c6c100f8d4c274f618

htxp://k-010.com/shop/js/cart.js - Ok

Checking: htxp://k-010.com/base/js/blockui.js
File size: 12.22 KB
File MD5: fce160cbb72d8f79b92f489385489039

htxp://k-010.com/base/js/blockui.js - Ok

Checking: htxp://k-010.com/base/js/form.js
File size: 15.95 KB
File MD5: bdfe1e3269a12c25842a84f81bbea39d

htxp://k-010.com/base/js/form.js - Ok

Checking: htxp://k-010.com/
Engine version: 7.0.6.10310
Total virus-finding records: 4751950
File size: 79.15 KB
File MD5: 396fa61d1e484548eca71984a0dce28d

htxp://k-010.com/ - archive JS-HTML
>htxp://k-010.com//JSTAG_1[84d][5a] - Ok
>htxp://k-010.com//JSTAG_2[a50d][1d7] - Ok
>htxp://k-010.com//JSEvent_3[66] - Ok
>htxp://k-010.com//JSEvent_4[ab] - Ok
htxp://k-010.com/ - Ok

Low level of confidence in website status 22,2% -> http://wscheck.com/trust-report/k-010.com
and http://web-sniffer.me/sniffer/27479736-www.k-010.com.html

polonus
« Last Edit: December 05, 2013, 03:53:37 PM by polonus »
