Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on August 04, 2015, 03:57:56 PM

Title: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell
Post by: polonus on August 04, 2015, 03:57:56 PM
Flagged: https://www.virustotal.com/nl/url/aa699cd757418ca99a37e81d8a97c79da4b33060cc14612f38c6983680bbeb03/analysis/1438695275/
/2015/07/how-to-choose-best-wordpress-hosting.html
Severity:   Potentially Suspicious
Reason:   Detected potentially suspicious content.
Details:   Detected hidden call to unescape.
File size[byte]:   62955
File type:   HTML
Page/File MD5:   104A0C4E8EDD29D6E11F9303057E7E71
Scan duration[sec]:   0.574000
Missed completely here: https://sitecheck.sucuri.net/results/besthostingtop.blogspot.com#sitecheck-details
and here: http://killmalware.com/besthostingtop.blogspot.com/

Questionable external link to -vassg141.ocsp.omniroot.com -> https://forum.avast.com/index.php?topic=170731.0

Certificate checking from clients1.google.com/ocsp? Issues discussed here: https://trac.torproject.org/projects/tor/ticket/9713

See: http://whois.domaintools.com/blogspot.com
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fbesthostingtop.blogspot.com

And the flagged URI: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fbesthostingtop.blogspot.com%2F2015%2F07%2Fhow-to-choose-best-wordpress-hosting.html

For the suspicious code see attached

polonus (volunteer website security analyst and website error-hunter)
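As an added example (my own code, not the scanner's logic and not something any poster in this thread supplied), the following Python script shows the kind of check that a report line such as "Detected hidden call to unescape" implies: it pulls inline script bodies out of an HTML page and flags both a direct unescape() call over a percent-encoded string and an indirect reference where the identifier is assembled from string fragments and looked up on window. The thread does not say what the scanner itself counts as "hidden", so those two patterns, the regexes and the sample page are assumptions; the decoded payloads in the sample are harmless placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample page (not the site from the thread). Script 0 is plain
# DOM code, script 1 is an explicit unescape() over a percent-encoded string,
# script 2 reaches unescape through a name built from string fragments.
SAMPLE_HTML = """<html><body>
<script>document.getElementById('x').textContent = 'ok';</script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%68%69%27%29'));</script>
<script>var u = window['unes' + 'cape']; var f = u('%61%6c%65%72%74%28%31%29');</script>
</body></html>"""

# Inline <script> bodies, case-insensitive, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Direct call: unescape( '...' ) with a quoted literal as first argument.
DIRECT_RE = re.compile(r"\bunescape\s*\(\s*(['\"])(.*?)\1", re.S)
# Bracket lookup whose index is one or more string literals joined with '+'.
BRACKET_RE = re.compile(r"\[\s*((?:['\"][^'\"]*['\"]\s*(?:\+\s*)?)+)\]")
# Individual string literals inside such an index expression.
LITERAL_RE = re.compile(r"['\"]([^'\"]*)['\"]")
# String literals made entirely of percent-encoded bytes.
PCT_LITERAL_RE = re.compile(r"['\"]((?:%[0-9a-fA-F]{2})+)['\"]")


def script_bodies(html):
    """Return the bodies of all inline <script> elements in document order."""
    return SCRIPT_RE.findall(html)


def find_hidden_unescape(html):
    """Scan inline scripts and report suspicious uses of unescape.

    Each finding is a dict with the script index, the kind of reference
    ('direct' or 'indirect') and a decoded preview of the percent-encoded
    payload so an analyst can see what the call would have produced.
    """
    findings = []
    for idx, body in enumerate(script_bodies(html)):
        # Direct calls are only interesting when the argument is encoded;
        # unescape('plain text') is noise.
        for m in DIRECT_RE.finditer(body):
            arg = m.group(2)
            if "%" in arg:
                findings.append({"script": idx, "kind": "direct",
                                 "decoded": unquote(arg)})
        # Indirect: window['unes' + 'cape'] or a percent-encoded name that
        # spells "unescape" once decoded.
        for m in BRACKET_RE.finditer(body):
            name = "".join(LITERAL_RE.findall(m.group(1)))
            if unquote(name) == "unescape":
                payloads = [unquote(p) for p in PCT_LITERAL_RE.findall(body)]
                findings.append({"script": idx, "kind": "indirect",
                                 "decoded": "; ".join(payloads)})
    return findings


if __name__ == "__main__":
    for f in find_hidden_unescape(SAMPLE_HTML):
        print(f"script {f['script']}: {f['kind']} unescape -> {f['decoded']!r}")
```

Run it on a saved copy of a page and you get one line per hit with the decoded string; a page with only ordinary DOM code produces no output. Real obfuscation has many more variants (String.fromCharCode chains, split/reverse tricks), so treat this as the shape of the check rather than a complete detector.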
Title: Re: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell
Post by: !Donovan on August 04, 2015, 04:05:50 PM
Hi Polonus,

It is a nuisance to see so many websites using jQuery, especially since JavaScript 5.1 (ECMA-262) handles many (if not all) common selectors and event handlers that jQuery uses. It's been around long enough to have full support in all modern browsers (even IE9, sans strict mode), and the extra blob of code formed by jQuery could be removed and replaced with native JavaScript methods and properties that are not only faster, but may also be more secure in some cases.

Donovan
Title: Re: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell
Post by: polonus on August 04, 2015, 04:36:16 PM
Hi !Donovan,

You are completely right in your critique. Also, often existing jQuery code is not updated nor patched, or worse, code is being used that was left behind (by developers). A complicating factor is that one jQuery version may be vulnerable or exploitable to some particular threat, while a later or earlier version may not be.  :(
That said, the malcode rendered this website more or less useless, as we can establish from the tracker tracker report I have attached.

polonus
Title: Re: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell
Post by: Pondus on August 04, 2015, 05:03:21 PM
besthostingtop.blogspot.com - code_sample scan
https://www.virustotal.com/en/file/45da9c8cf3fd4b1d8a874ae0dac7a8a3eac528b11f308e03122a9241697a645f/analysis/1438700436/

Norman/BlueCoat auto-added signature as Decode.A


Title: Re: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell
Post by: polonus on August 04, 2015, 05:10:28 PM
Hi Pondus,

Thanks for that one, quite revealing. But a pity we do not have Avast detecting this.
I will be reporting,

polonus