Author Topic: Is this site being flagged?  (Read 6726 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Is this site being flagged?
« on: February 08, 2013, 03:31:28 PM »
See: http://zulu.zscaler.com/submission/show/f2fd0a397066e4649aacd079b7581c57-1360332954
and
http://sitecheck.sucuri.net/results/rubashkoff.ru/administrator/bannerkw3j.php
and
https://www.virustotal.com/url/6e38c7b0b591795330251adce8e77a7f38c9acea2ad020c9dfa4d771bfd1caff/analysis/1360332794/
nothing here: http://urlquery.net/report.php?id=961407
IP flagged here: https://zeustracker.abuse.ch/monitor.php?ipaddress=195.208.1.102
Malware active there from 2013-02-08 01:00:59
detected log:
Code:
<meta http-equiv="refresh" content="5;url=download.php">
        <title>Adobe - Установить Adobe Flash Player</title>
returned on request: 1: FreeBSD10+cfcd208495d565ef66e7dff9f98764da (/modules/wp/installwx1.php)
There are known issues installing ports on FreeBSD 10+ due to
bogus assumptions by various build scripts. This will not be fixed
until 9-RELEASE is released. (credit goes to freebsd's Armin Pirkovitsch) -> Syntax error: word unexpected -

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Is this site being flagged?
« Reply #1 on: February 08, 2013, 03:53:13 PM »
I think it is a suspicious banner php being flagged here, considering: index.php?gmode=index&guild_id=47413 for Kashimashi guild....
we can check this here: http://www.phpkode.com/source/p/afterlogic-webmail-lite-php/webmail/lang/Ukrainian.php

polonus
« Last Edit: February 08, 2013, 04:05:24 PM by polonus »

Offline polonus

Re: Is this site being flagged?
« Reply #2 on: February 08, 2013, 04:28:27 PM »
Another one here: https://www.virustotal.com/url/60d4af35339802d5803dad7d426148490ba037535f16098cb7675f56f1758b1b/analysis/1360336526/
Content returned: Linux10+cfcd208495d565ef66e7dff9f98764da
Multiple hack described here: http://wordpress.org/support/topic/site-hacked-multiple-times (link post author = AlisonMooreSmith)
existing PHP spam script description: http://www.webhackblog.com/2011/10/phpspam-sm3-script/  (been uploaded to root folder to send spam)
Bad webhost report: http://www.scumware.org/report/115.47.68.46
Blackhole 2 galore: http://urlquery.net/report.php?id=838792
What we sure have is a compromised server due to holes in a web application combined with bad security settings, that should be nuked and rebuilt -
could be checked with this: http://ideone.com/9gfjDd

polonus
« Last Edit: February 08, 2013, 04:40:11 PM by polonus »

REDACTED

  • Guest
Re: Is this site being flagged?
« Reply #3 on: February 08, 2013, 05:03:14 PM »

Hi Polonus,

http://zulu.zscaler.com/submission/show/f2fd0a397066e4649aacd079b7581c57-1360332954
Quote
 

External elements (URL)
hххp://flash-files.ru/update/download.php ---->> Redirections: - >>>  flash_player_installer.jar

https://www.virustotal.com/file/fa4d8b244e74c6e54a3a34b8396b577fe4514d968461fbd173685c73d043ba87/analysis/1360338856/

 :'(

Offline polonus

Re: Is this site being flagged?
« Reply #4 on: February 08, 2013, 07:20:27 PM »
Hi Dim@rik,

Thank you for checking this out and the additional info. Sometimes avast even flags a third party scan, like this one: htxp://urlquery.net/report.php?id=963105
[gzip] for JS:Decode-JR[Trj] in the browser executable. JS/Expack.VU.1 and JS/RunForest.C.1 both actively spread from that site... avast detects it as JS:Agent-ADY [Trj], as you have seen before and reported in this thread: http://forum.avast.com/index.php?topic=106428.0
As recently experienced over and over, some form of exploit kit code...

polonus

Offline polonus

Re: Is this site being flagged? [SOLVED - avast Web Shield detection]
« Reply #5 on: February 09, 2013, 02:32:05 PM »
This site has many issues and many IDS alerts, see: http://urlquery.net/report.php?id=968350
That is why it has been blocked by Google Safebrowsing.
URL:    htxp://khachsannhatrang.net
Redirects:    301 -> htxp://vibewpav.ru/count24.php
details: http://www.google.com/safebrowsing/diagnostic?site=khachsannhatrang.net
see: http://zulu.zscaler.com/submission/show/5c31867e2c9f6ff1358109628367c65f-1360415272
and https://www.virustotal.com/url/5ba6aa0eb0da3072c68354683959f096c14a5c15ed141ec19814aff6f974dbd3/analysis/
The sucuri report for the site at htxp://sitecheck.sucuri.net/results/khachsannhatrang.net/ is blocked by avast Web Shield for JS:Agent-AZU[Trj]
Potentially suspicious: /js/Menu.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [['%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbs']] of length 2436 which may point to obfuscation or shellcode. (according to me normal benign code used for slide sharing - pol)
/themes/hv_nhatrang/images/sep-search.gif
Severity: Potentially Suspicious
Reason: Suspicious JavaScript code injection.
Details: Detected hidden potentially suspicious procedure [replace]
Conditional redirect found: Location: htxp://vibewpav.ru/count24.php
The location line in the header above has redirected the request to: htxp://vibewpav.ru/count24.php
given as benign: http://www.avgthreatlabs.com/sitereports/domain/vibewpav.ru/count24.php
Flagged here: http://sitecheck.sucuri.net/results/vibewpav.ru/
because of -> http://labs.sucuri.net/?blacklist=vibewpav.ru
But there is an IDS alert for "Detected a TDS URL pattern", see here: http://pastebin.com/Sj22HbWb/ (example code from 2011 by anonymous)
see alerted here: http://urlquery.net/report.php?id=968502
Well all in all, we are being protected as avast Web Shield will protect us from connecting there!

polonus
« Last Edit: February 09, 2013, 02:48:19 PM by polonus »
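As an added example (not code from this thread, from avast or from Sucuri), here is a small Python triage of the "too low entropy" heuristic quoted in the Sucuri report for /js/Menu.js, run on constructed samples; the thresholds, the length gate and the repeat check are assumptions chosen to show why a long run of "%26nbsp;" trips the heuristic yet is benign padding.

```python
import math
from collections import Counter

# Constructed stand-in for the /js/Menu.js string Sucuri flagged: one short
# "%26nbsp;" unit repeated over and over, i.e. benign padding markup.
LOW_ENTROPY_SAMPLE = "%26nbsp;" * 300  # 2400 chars, only 8 distinct symbols

# Constructed stand-in for a packed/encoded payload: 94 printable symbols used
# almost uniformly (not real malware, just a near-uniform distribution).
HIGH_ENTROPY_SAMPLE = "".join(chr(33 + (i * 23) % 94) for i in range(2400))

# Constructed ordinary menu code, repeated so it passes the length gate.
PLAIN_SAMPLE = ("function showMenu(id) { var el = document.getElementById(id);"
                " if (el) { el.style.display = 'block'; } }") * 20

def shannon_entropy(s: str) -> float:
    """Bits per character of the symbol distribution in s (0.0 for empty)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def repeated_unit(s: str):
    """Shortest u with s == u * k for some k > 1, else None."""
    period = (s + s).find(s, 1)
    return s[:period] if 0 < period < len(s) else None

def classify_string(s, min_len=1024, low=3.5, high=5.5):
    """Entropy heuristic in the spirit of the report: only long strings count;
    very low entropy hints at padding or a repeated encoded blob, very high
    entropy at a packed or encrypted payload. Thresholds are assumptions."""
    if len(s) < min_len:
        return "short"
    h = shannon_entropy(s)
    if h < low:
        return "low-entropy"
    if h > high:
        return "high-entropy"
    return "normal"

def triage(s: str) -> dict:
    """Add the repeat check an analyst does next: a low-entropy string built
    from one short repeated unit is the classic padding false positive."""
    verdict, unit = classify_string(s), repeated_unit(s)
    padding = verdict == "low-entropy" and unit is not None and len(unit) <= 16
    return {"verdict": verdict, "entropy": round(shannon_entropy(s), 2),
            "repeated_unit": unit, "likely_benign_padding": padding}
```

The repeated-unit check is what separates padding from a real encoded blob: an obfuscated payload has no short period, whereas the flagged string collapses to a single "%26nbsp;" unit.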