Avast WEBforum
Other => Viruses and worms => Topic started by: polonus on August 04, 2015, 03:57:56 PM
-
Flagged: https://www.virustotal.com/nl/url/aa699cd757418ca99a37e81d8a97c79da4b33060cc14612f38c6983680bbeb03/analysis/1438695275/
/2015/07/how-to-choose-best-wordpress-hosting.html
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected hidden call to unescape.
File size[byte]: 62955
File type: HTML
Page/File MD5: 104A0C4E8EDD29D6E11F9303057E7E71
Scan duration[sec]: 0.574000
Missed completely here: https://sitecheck.sucuri.net/results/besthostingtop.blogspot.com#sitecheck-details
and here: http://killmalware.com/besthostingtop.blogspot.com/
Questionable external link to -vassg141.ocsp.omniroot.com -> https://forum.avast.com/index.php?topic=170731.0
Certificate checking from clients1.google.com/ocsp? Issues discussed here: https://trac.torproject.org/projects/tor/ticket/9713
See: http://whois.domaintools.com/blogspot.com
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fbesthostingtop.blogspot.com
And the flagged URI: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fbesthostingtop.blogspot.com%2F2015%2F07%2Fhow-to-choose-best-wordpress-hosting.html
For the suspicious code see attached
polonus (volunteer website security analyst and website error-hunter)
-
Hi Polonus,
It is a nuisance to see so many websites using jQuery, especially since JavaScript 5.1 (ECMA-262) handles many (if not all) common selectors and event handlers that jQuery uses. It's been around long enough to have full support in all modern browsers (even IE9, sans strict mode), and the extra blob of code formed by jQuery could be removed and replaced with native JavaScript methods and properties that are not only faster, but may also be more secure in some cases.
Donovan
-
Hi !Donovan,
You are completely right in your critique. Also, existing jQuery code is often neither updated nor patched, or worse, code is being used that has been left (by developers). A complicating factor is that one jQuery version may be vulnerable to or exploitable by some particular threat, while a later or earlier version may not be. :(
That said, the malcode rendered this website more or less useless, as we can establish from the tracker tracker report I have attached.
polonus
-
besthostingtop.blogspot.com - code_sample scan
https://www.virustotal.com/en/file/45da9c8cf3fd4b1d8a874ae0dac7a8a3eac528b11f308e03122a9241697a645f/analysis/1438700436/
Norman/BlueCoat Autoadded signature as Decode.A
-
Hi Pondus,
Thanks for that one, quite revealing. But a pity we do not have Avast detecting this.
I will be reporting,
polonus