Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on November 21, 2015, 11:01:37 PM

Title: What unknown malware resides here?
Post by: polonus on November 21, 2015, 11:01:37 PM
See: https://www.virustotal.com/nl/url/24c00245366c563011c21cecc4b9ec5aedcc618da65e1831f692b118e4fe8503/analysis/1448142272/
Sucuri does not detect, Quttera neither.

Script loaded: -http://s11.cnzz.com/stat.php?id=1254870232&web_id=1254870232
Script loaded: -http://c.cnzz.com/core.php?web_id=1254870232&t=z  blocked by uMatrix.

Domain info and badness history: https://www.virustotal.com/nl/domain/600mi.com/information/
-> http://toolbar.netcraft.com/site_report?url=http://res1.600mi.com
Re: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.600mi.com
Probably Rackspace abuse: http://toolbar.netcraft.com/site_report?url=http://firewall.systemarts.com
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.8

Result
It looks like a cookie is being set without the "HttpOnly" flag being set (name : value):

session : 65f2e06ff97b342b6c9a07faf7696679
Unless the cookie legitimately needs to be read by JavaScript on the client, the "HttpOnly" flag should always be set to ensure it cannot be read by the client and used in an XSS attack.

Clickjacking warning given...

polonus
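
The three header findings quoted in the post above (platform version disclosure, a session cookie without "HttpOnly", and the clickjacking warning) can be reproduced offline with a small audit like the following. This is an added example, not part of the original post and not the scanner's own code: the function names are hypothetical, the sample response is constructed around the two headers and the cookie quoted in the post, and treating a missing X-Frame-Options / CSP frame-ancestors as the cause of the clickjacking warning is an assumption.

```python
import re

# Constructed sample: the two headers and the cookie quoted in the post,
# wrapped in an otherwise made-up response.
SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.8
Content-Type: text/html
Set-Cookie: session=65f2e06ff97b342b6c9a07faf7696679; path=/
"""

DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")
VERSION = re.compile(r"\d+(\.\d+)+")

def parse_headers(raw):
    """Return [(lowercased name, value)], keeping repeated headers such as Set-Cookie."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit(raw):
    """Return (kind, subject, value) findings for one raw response header block."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name in DISCLOSING and VERSION.search(value):
            findings.append(("version-disclosure", name, value))
        elif name == "set-cookie":
            pair, *attrs = [p.strip() for p in value.split(";")]
            flags = {a.split("=", 1)[0].lower() for a in attrs}
            if "httponly" not in flags:
                findings.append(("cookie-no-httponly", pair.split("=", 1)[0], value))
    # Assumed clickjacking check: neither X-Frame-Options nor CSP frame-ancestors.
    framing = any(n == "x-frame-options" for n, _ in headers) or any(
        n == "content-security-policy" and "frame-ancestors" in v.lower()
        for n, v in headers)
    if not framing:
        findings.append(("no-framing-policy", "x-frame-options", ""))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```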