Avast WEBforum

Other => Viruses and worms => Topic started by: Secondmineboy on October 08, 2013, 08:58:42 PM

Title: Heavily infected site which is not blocked by Avast
Post by: Secondmineboy on October 08, 2013, 08:58:42 PM
Website URL: hxxp://www.otrforum.com/

See here:

hxxp://www.quttera.com/detailed_report/www.otrforum.com
hxxp://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.otrforum.com%2F
hxxp://www.avgthreatlabs.com/website-safety-reports/domain/otrforum.com/
hxxp://www.google.com/safebrowsing/diagnostic?site=otrforum.com
hxxps://www.virustotal.com/de/url/155ac3466b557bf4781bbd026f45da167a1e359c0da941f005a709bc1ab6c4c2/analysis/
hxxp://zulu.zscaler.com/submission/show/db1b0a88ea586dd860afd12643412b88-1381258333
Title: Re: Heavily infected site which is not blocked by Avast
Post by: Pondus on October 08, 2013, 10:01:54 PM
Quote
Heavily infected site which is not blocked by Avast

detected 
https://www.virustotal.com/en/file/f953f65d93288b564c9031e6a37a1ac63b0e8cb78af43ab65fd57ee83a6dedbb/analysis/1381262428/
Title: Re: Heavily infected site which is not blocked by Avast
Post by: Secondmineboy on October 08, 2013, 10:08:32 PM
When i go to the Url above it is not blocked.

What have you scanned in Virustotal?
Title: Re: Heavily infected site which is not blocked by Avast
Post by: polonus on October 08, 2013, 10:23:50 PM
Steven Winderlich,

You are right, avast! Shields aren't alarming, but in Firefox or Google Chrome you are blocked in this way by Google Safebrowsing:
Quote
   Warning - visiting this web site may harm your computer!
Suggestions:

    * Return to the previous page and pick another result.
    * Try another search to find what you're looking for.

Or you can continue to http://www.otrforum.com/ at your own risk. For detailed information about the problems we found, visit Google's Safe Browsing diagnostic page for this site.

For more information about how to protect yourself from harmful software online, you can visit StopBadware.org.

If you are the owner of this web site, you can request a review of your site using Google's Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Advisory provided by   Google
Also see: http://scanurl.net/?u=http%3A%2F%2Fwww.otrforum.com&uesb=Check+This+URL#results
A general IP block recommended: https://www.virustotal.com/en/ip-address/217.70.184.38/information/
The live malware situation: http://support.clean-mx.de/clean-mx/viruses.php?ip=217.70.184.38&sort=virusname%20asc
Also a lot of PHISHING going on at that AS.

polonus
Title: Re: Heavily infected site which is not blocked by Avast
Post by: Pondus on October 08, 2013, 10:40:25 PM
What have you scanned in Virustotal?
The malicious code ...

Title: Re: Heavily infected site which is not blocked by Avast
Post by: Secondmineboy on October 08, 2013, 10:41:43 PM
I don't know why the website is not blocked then, also there is no malicious code detected..........
Title: Re: Heavily infected site which is not blocked by Avast
Post by: Pondus on October 08, 2013, 10:44:45 PM
I don't know why the website is not blocked then, also there is no malicious code detected..........
http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.otrforum.com%2F
Title: Re: Heavily infected site which is not blocked by Avast
Post by: Secondmineboy on October 08, 2013, 10:50:24 PM
I don't know why the website is not blocked then, also there is no malicious code detected by Avast..........
Sorry. Wrote that wrong.
Title: Re: Heavily infected site which is not blocked by Avast
Post by: polonus on October 08, 2013, 11:11:27 PM
Hi Pondus and Steven Winderlich,

Well this report is quite convincing: http://www.google.com/safebrowsing/diagnostic?site=http://www.otrforum.com/&hl=en
Quote
Of the 211 pages we tested on the site over the past 90 days, 98 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-10-08, and the last time suspicious content was found on this site was on 2013-10-07.

Malicious software includes 200 exploit(s). Successful infection resulted in an average of 2 new process(es) on the target machine.

Malicious software is hosted on 15 domain(s), including kocohandre1983.tk/, googledrive.com/, 1381065003.hopto.org/.

8 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including kocohandre1983.tk/, 1381065003.hopto.org/, 1381075802.hopto.org/.

This site was hosted on 2 network(s) including AS24940 (HETZNER-AS), AS29169 (GANDI-AS).
Certainly not a site I want to visit.

Header response via Redleg's Fileviewer
Header returned by request for: htxp://www.otrforum.com/forum.php?s=c26979e310a52b176aa3b1ca153c055e

HTTP/1.1 302 Moved Temporarily
Server: Varnish
Location: htxp://www.onlinetvrecorder.com/v2/?go=forumwarning/forum.php?s=c26979e310a52b176aa3b1ca153c055e
Note: This line has redirected the request to htxp://www.onlinetvrecorder.com/v2/?go=forumwarning/forum.php?s=c26979e310a52b176aa3b1ca153c055e
Content-Type: text/html; charset=utf-8
Content-Length: 315
Accept-Ranges: bytes
Date: Tue, 08 Oct 2013 21:00:13 GMT
Via: 1.1 varnish
Connection: close
Age: 84

The location line in the header above has redirected the request to: hxxp://www.onlinetvrecorder.com/v2/?go=forumwarning/forum.php?s=c26979e310a52b176aa3b1ca153c055e

Code hick-up
 info: [script] wXw.usemax.de/ad.php?userid=1602&wf=1
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE HTML PUBLIC "-/W3C/DTD HTML 4.01/EN">
          error: line:3: ...............^

Source code view: http://www.whoisip.co.za/source//www.otrforum.com/forum.php?s=c26979e310a52b176aa3b1ca153c055e

pol
Title: Re: Heavily infected site which is not blocked by Avast
Post by: Secondmineboy on October 08, 2013, 11:13:06 PM
This site is really really infected.

I already informed Avast via contact form.
Title: Re: Heavily infected site which is not blocked by Avast
Post by: polonus on October 08, 2013, 11:17:29 PM
Hi Steven Winderlich,

Thanks for reporting, check whether they indeed flag it and block it through Shield Detection in due time
Good it is blocked by Google Safebrowsing, but there are idiots that start to circumvent such warnings and click themselves into an infection anyway.
These folks cannot be helped, but when they have been here (which is very doubtful) they were noticed and only have to blame themselves for not paying attention.

polonus
Title: Re: Heavily infected site which is not blocked by Avast
Post by: Secondmineboy on October 08, 2013, 11:21:57 PM
And then are encountering system crashes and other garbage like that.

My computer just crashed a few minutes ago. The Notification service for system messages killed the system.
Title: Re: Heavily infected site which is not blocked by Avast
Post by: Secondmineboy on October 08, 2013, 11:25:32 PM
A week ago I had the same issues, I reinstalled Chrome and then they were gone. I will see if these happen again.
Title: Re: Heavily infected site which is not blocked by Avast
Post by: polonus on October 09, 2013, 12:12:48 AM
Hi Steven Winderlich,

You have to start MyEventViewer and look at the events log to get at the source of these errors. It can be interaction between the Microsoft Windows Security Auditing (windows FW notification error) and a specific dll. MalwareBytes Anti-Exploit tool is great at alerting these and on previous beta versions the blocks were also circumvented - this is malcode circumvention at work. It brought MBAE.exe to its knees and I had to restart it manually.

polonus
Title: Re: Heavily infected site which is not blocked by Avast
Post by: Secondmineboy on October 09, 2013, 12:18:40 AM
In this case it was svchost.exe which had an error.
Title: Re: Heavily infected site which is not blocked by Avast
Post by: polonus on October 09, 2013, 12:50:44 AM
One of the tasks of System Attendant's is being blocked.
This can be caused by a variety of problems.
Check for other alerts that will provide a clearer idea of the problem,
such as failures in Mail Flow or MAPI logon or failure of database maintenance to run.

polonus
Title: Re: Heavily infected site which is not blocked by Avast
Post by: mchain on October 10, 2013, 10:48:32 PM
Seems some progress is being made at this site:
http://urlquery.net/report.php?id=6574369
http://zulu.zscaler.com/submission/show/db1b0a88ea586dd860afd12643412b88-1381436626

Also an apparent redirect in place by site admins here: http://www.onlinetvrecorder.com/v2/?go=forumwarning  German version only. Use Google Translate for English or other.

Multiple blacklisted sites on this one IP address alone: http://www.urlvoid.com/ip/217.70.184.38
Title: Re: Heavily infected site which is not blocked by Avast
Post by: polonus on October 10, 2013, 11:45:05 PM
Well there is still excessive information spread from the site: System Details:
Running on: Varnish
Powered by: PHP/5.3.2-1ubuntu4.18
Via proxy: 1.1
/ad.adnet.de/adc.php?s=23643;wxh=728x90 - further links see: http://www.ranks.nl/cgi-bin/ranksnl/tools/checklink.cgi?uri=www.otrforum.com
broken links and redirects.
Only scanner to flag this site as suspicious among the major website scanners is Comodo Siteinspector on VT, but the actual scan is all green now:
http://app.webinspector.com/public/reports/17728037
Quttera still flags the conditional redirect: index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to http://www.onlinetvrecorder.com/v2/?go=forumwarning.
File size[byte]: 4294967295
File type: Unknown
MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000

This suspicious file flag denotes, mchain, that they are "not out of the woods" yet at that site, well I mean this security-wise...
This file is being flagged by Quttera as it is found as a top-level document at HTTP level, and as such this is a very dangerous practice,
because that way it grants the script the maximum permissions allowed to control the web page in the browser (by malcreants).
This insecurity could lead to serious security and privacy breaches!

polonus
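The two things polonus reads off the raw headers in this thread, the 302 whose Location leaves the requested host (the "conditional redirect" Quttera flags) and the "System Details" leak (Server, Via, PHP version), can be checked mechanically. The script below is an added example and not code from the forum or from any of the scanners mentioned; it parses a raw HTTP response and reports an external redirect and version-disclosing headers. The sample response is constructed from the header dump posted earlier in the thread (defanged hxxp restored to http so the URL parser can read the scheme); the X-Powered-By line is an assumed addition that stands in for the "Powered by: PHP/5.3.2-1ubuntu4.18" detail, and the helper names are my own.

```python
"""Added example (not from the thread): flag off-host redirects and
version-disclosing headers in a raw HTTP response."""
from urllib.parse import urlsplit, urljoin

# Constructed sample, modelled on the 302 shown in the thread.
# The X-Powered-By header is assumed; it was not in the original dump.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Varnish\r\n"
    "Location: http://www.onlinetvrecorder.com/v2/?go=forumwarning/forum.php?s=c26979e310a52b176aa3b1ca153c055e\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 315\r\n"
    "X-Powered-By: PHP/5.3.2-1ubuntu4.18\r\n"
    "Via: 1.1 varnish\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that commonly expose server software or versions.
VERSION_DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "via")
REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def redirect_target(requested_url, status_code, headers):
    """Absolute redirect target, or None if the response is not a redirect.
    A relative Location is resolved against the requested URL."""
    if status_code not in REDIRECT_CODES or "location" not in headers:
        return None
    return urljoin(requested_url, headers["location"])


def is_external_redirect(requested_url, target):
    """True when the redirect points at a different host than the request."""
    if target is None:
        return False
    return urlsplit(target).hostname != urlsplit(requested_url).hostname


def version_disclosures(headers):
    """Subset of headers that leak server software/version details."""
    return {h: headers[h] for h in VERSION_DISCLOSING if h in headers}


def assess(requested_url, raw):
    """Run all checks over one raw response and return a summary dict."""
    status, headers, _ = parse_response(raw)
    target = redirect_target(requested_url, status, headers)
    return {
        "status": status,
        "redirect_target": target,
        "external_redirect": is_external_redirect(requested_url, target),
        "disclosures": version_disclosures(headers),
    }


if __name__ == "__main__":
    url = "http://www.otrforum.com/forum.php?s=c26979e310a52b176aa3b1ca153c055e"
    for key, value in assess(url, SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

An external redirect is not proof of compromise (here the site owners put it in place themselves), so this is triage input rather than a verdict; the version headers are what a hardening pass on Varnish/PHP would suppress.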
Title: Re: Heavily infected site which is not blocked by Avast
Post by: mchain on October 11, 2013, 12:20:58 AM
Pol,

Never said 'out of the woods'.   ;)    This sort of mess is going to take awhile to clean up.

As you say, seems their situation is due to lax or simply bad security practices, and so was a relatively easy target for a hacker(s).  That this is so bad we're talking privacy and security breaches in one breath, and it is really a shame as the common user really does not think about these or such issues before they visit.

It is only a matter of time before lax policy enforcement will come and bite you! 

Some sys admins do not know what they are doing, and they (may) never will.  Hard lesson to learn; this is always bad for innocent site visitors.
Title: Re: Heavily infected site which is not blocked by Avast
Post by: polonus on October 11, 2013, 12:40:17 AM
Yep, mchain, fully agree there.

That is why I cannot understand that some will criticize Quttera and say they won't trust their scans (even here in the forums).
That is totally wrong and proof that they do not understand what a gold mine the Quttera scan results can be for the security apt  website admin
that knows about bad and/or insecure coding practices like modifiers, scripts in top level documents in HTTP, unchecked (eval) for dynamic content, etc. etc. etc.

I worked myself through all the appropriate SANS reader pdf documents on the subject, for instance the "Innocent Code" one is a must-read, and then wrote all relevant info down for myself in one of my writing books as that is the way for me at least to get familiar with these malcode hick-ups and learn them by heart so as to spot them at once as they come by. So my forehead starts to wrinkle now at every |%3C I come across. Else my Malware Script Detector extension will alarm when I feed part of some malcode into my search engine of choice.

But not knowing a thing about all this and keeping websites up that come to grossly endanger innocent and unaware users and actually could be considered as putting the data of website visitors at risk.

Good avast! provides us with the Shields and the detection rate goes up and up.

polonus


P.S. Seems there is some insight coming at the site as they take this seriously. Good, that is why we do it. They give users the advice not to visit the site as
they are trying to solve the problems. The message is in German, it goes like this:

Quote
Dear user of the OTR forum (www.otrforum.com),

There are currently technical problems, so at the moment we can only offer you the support chat for exchanging experiences.
We hope that we can solve the problem within this week.

Damian