Hi Pondus,
Well done, and as always coming up with the right details to enable polonus to get a bit nearer to the root of the evil. And why, Pondus, because at the end of the wepawet page you provided for us, we can now take that MD5 hash and then we land here through a simple google query:
Now we can see what is really out there or rather was out there as the link may no longer be up or dead:
http://amada.abuse.ch/?search=e8935d47df2caa9aecf5dc5b7ee48cc5 Flash malware - probably not longer there? The second string provided there is a complicated password string and when reversing I get "d41d8cd98f00b204e9800998ecf8427e -
The string provided is not a true MD5 hash. Please try again.
MD5 encoding is d41d8cd98f00b204e9800998ecf8427e
CRC32 encoding is 0
SHA1 encoding is da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64 encoding is null" -http://bs.serving-sys.com/BurstingPipe/adServer.bs
has a very poor WOT reputation
And this is what goes on there XSS header injection, see this report:
http://xss.cx/examples/html/bs.serving-sys.com-http-header-injection.htmlreport source: -http://xss.cx/sitemap.aspx
Interesting, Pondus, interesting....
polonus
