Author Topic: Blacklisted IP - malware on site now closed?  (Read 1774 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Blacklisted IP - malware on site now closed?
« on: November 23, 2013, 04:02:45 PM »
See: https://www.virustotal.com/nl/url/c448b0d309c89a52c6c6e4ecddc7c0b151f16a3506b077333c36b9edd79d4e6e/analysis/1385218319/
See recent reports for same IP: http://urlquery.net/report.php?id=7893395
This scan is clear: Joomla software outdated and JavaScript malware detected: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fdiscoverpoznan.info%2F
See: http://labs.sucuri.net/db/malware/malware-entry-mwjs2368
Users of Chrome and Firefox browsers are immediately alerted: https://www.google.com/safebrowsing/diagnostic?site=discoverpoznan.info
Initial malware hoster seems dead now: http://support.clean-mx.de/clean-mx/viruses.php?domain=ddns.info&sort=first%20desc
Code hiccup:
discoverpoznan dot info/modules/lite/assets/js/2.0.0-b2.js benign
[nothing detected] (script) discoverpoznan dot info/modules/lite/assets/js/2.0.0-b2.js
     status: (referer=discoverpoznan dot info/)saved 355 bytes f00b5d1b3d6730dd36c400240e1d9da4bf7bd1f3
     info: [decodingLevel=0] found JavaScript
     suspicious:
Malware now seems closed: http://support.clean-mx.de/clean-mx/viruses.php?ip=79.96.83.230&sort=first%20desc

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Blacklisted IP - malware on site now closed?
« Reply #1 on: November 23, 2013, 04:20:58 PM »
Another example of such a site: Up(nil):   unknown_html   RIPE   US   abuse at main-hosting dot com   31.170.163.240    to 31.170.163.240   ias3.com   htxp://dgffugd.ias3.com/
See recent reports on same IP: http://urlquery.net/report.php?id=7893741
eval(function(p,a,c,k,e,d)  javascript code: http://jsunpack.jeek.org/?report=40ef582bb17c4a750ef7be67166ac859b37eb1d9
Listed as suspicious -> https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fdgffugd.ias3.com&hl=en
Injection check -> Suspicious Text before HTML <!-- saved from url=(0026)htxp://tfiledata.com/rema/ -->
SHell by DarK c0dr hack.

Google Browser Difference:
Not identical

Google: 11205 bytes       Firefox: 295 bytes
Diff:         10910 bytes

First difference:
ml><head><meta http-equiv="content-type" content="text/html; charset=utf-8"> <title>googe docs</title> <link rel="stylesheet" type="text/css" href="./remax - secure login_fi...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
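
The eval(function(p,a,c,k,e,d) wrapper named in the reply above is the classic JavaScript "packer". The following is an added example, not code from the post or from jsunpack, that recognises the wrapper and reverses its word substitution statically, so an analyst can read the payload without ever passing it to eval(). The packed sample is constructed; isPacked, encodeIndex, parsePackerArgs and unpack are names chosen here.

```javascript
// Static unpacker for "eval(function(p,a,c,k,e,d){...})" packed JavaScript.
// Added example: reproduces the packer's own substitution rule so the payload
// can be read without executing it.

const PACKER_SIGNATURE = /eval\(function\(p,a,c,k,e,[dr]\)/;

// Does the script body carry the packer's tell-tale wrapper?
function isPacked(source) {
  return PACKER_SIGNATURE.test(source);
}

// The packer's word-index encoder: base-a digits, 0-9a-z below 36 and A-Z above.
function encodeIndex(c, a) {
  const head = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  const digit = c % a;
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Pull the four packer arguments: payload p, radix a, word count c, '|'-joined wordlist k.
function parsePackerArgs(source) {
  const m = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)/.exec(source);
  if (!m) return null;
  const unescape = (s) => s.replace(/\\(['\\])/g, '$1'); // only the escapes the packer emits
  return { p: unescape(m[1]), a: Number(m[2]), c: Number(m[3]), k: m[4].split('|') };
}

// Reverse the substitution: every whole-word token encodeIndex(i) in p stands for k[i].
// Returns null when the input is not in packer form.
function unpack(source) {
  const args = parsePackerArgs(source);
  if (!args) return null;
  let { p } = args;
  for (let i = args.c - 1; i >= 0; i--) {
    const word = args.k[i];
    if (!word) continue; // empty slot: the packer left that token unchanged
    const token = new RegExp('\\b' + encodeIndex(i, args.a) + '\\b', 'g');
    p = p.replace(token, () => word); // function replacer so '$' in words is literal
  }
  return p;
}

// Constructed sample in the same shape as the packed scripts the thread points at.
const SAMPLE = "eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+c.toString(a)+'\\\\b','g'),k[c])}}return p}('0 1=\"2\";3(1)',36,4,'var|x|hello|alert'.split('|'),0,{}))";

console.log(isPacked(SAMPLE), unpack(SAMPLE)); // true var x="hello";alert(x)
```

Escape sequences other than \' and \\ inside the payload are left as written, so the unpacked text may still need a second pass (for example through a hex decoder as in the next reply) before it is fully readable.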

Offline polonus

Re: Blacklisted IP - malware on site now closed?
« Reply #2 on: November 23, 2013, 06:37:17 PM »
About what we saw here: http://sitecheck.sucuri.net/scanner/ http://labs.sucuri.net/db/malware/malware-entry-mwjs2368
Let us inspect this piece of code: http://jsunpack.jeek.org/?report=52ced770f769ce5160927c25faa4e8ece3b66861
(view this in a sand-boxed browser with NoScript and RequestPolicy extensions active)
and to understand the mass infection problem, read: http://blog.sucuri.net/2011/08/mass-infection-of-wordpress-sites-counter-wordpress-com.html
link article author = David Dede. Know that this form of Malware Dump has been around since 2011.
We came across a similar issue earlier here: http://forum.avast.com/index.php?topic=107715.5;wap2

And here we see the hex-decoding: http://ddecode.com/hexdecoder/?results=5d031ad7b2822f26b88b830110745e61

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!