Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on July 17, 2012, 09:11:08 PM

Title: Ambiguous query terms found?
Post by: polonus on July 17, 2012, 09:11:08 PM
See: http://zulu.zscaler.com/submission/show/78e6d9ea7fd8cb82dd0e904b36d39624-1342551094
See: http://zulu.zscaler.com/submission/show/77882267cc1085f18f83273df9ef6372-1342551319
See: http://zulu.zscaler.com/submission/show/d9664f0b41aba50ae531d98b7ff21029-1342551420
Nasty ads script: not-out-of-the-box vBulletin code running on port "37935" is suspicious: -> htXp://127.0.0.1:37935/xpopup.js
(inserting some security JS?)
IP has live PHP shell code malware
Certainly PHISHING going on: http://urlquery.net/report.php?id=94374
AS has malicious URLs? Yes
...badware? Yes
...botnet C&C servers? Yes
...exploit servers? No
...Zeus botnet servers? Yes
...Current Events? Yes

polonus
Title: Re: Ambiguous query terms found?
Post by: !Donovan on July 17, 2012, 09:44:01 PM
See my PM ;)
Title: Re: Ambiguous query terms found?
Post by: polonus on July 17, 2012, 11:21:31 PM
More about the nature of the scan can be concluded from this: http://urlquery.net/report.php?id=94210
Known RBN IP, as to the nature of the 404s that we found.
I have reason to assume that on that Vietnamese site PHP:Agent-HK[Trj] malware was once detected in ->/plugins/content/avreloaded/silverlight.js
avast Web Shield will alert to this {gzip} as PHP:Agent-HK[Trj] ...
And here we have the serious injection vulnerability that could have been abused: http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/3955 link author Fritz Elfert (or in combination with a more recent Joomla vulnerability)

polonus