Author Topic: JS.ScriptIP site blocked by Netcraft and BitdefenderTrafficLight, not by avast!  (Read 1301 times)


Offline polonus

Sucuri gives the site an all green. Site security is questionable and site may be compromised because of this external link: htxp://squeezewayl.net/test404page.js  see the case of http://urlquery.net/report.php?id=7623934

IDS alert for ET "RBN Known Russian Business Network IP group 400" (Be aware site with adult content links)
http://urlquery.net/report.php?id=8827872
See: https://www.virustotal.com/nl/url/6a8188dd45ae3764610dae80806e69977ef625d014bad76b65b175e03ebb94db/analysis/1389805221/
JavaScript check: Suspicious

ion+xml" href="htxp://linksfun dot ru/engine/opensearch.php" title="развлечения онлайн для вас.смешное видео приколы." /> <link rel="alternate" type="application/rss+xml" title="развл...
Spam Check: Suspicion of Spam
htxp://linksfun.ru/video/44759-porno-s-pevitsoj-svetoj.html">порно с певицой светой</a></h2> <div class="postdate"> ...

Included script:
Suspect - please check list for unknown includes
Suspicious Script:
   linksfun dot ru/engine/classes/js/dle_js.js
   .ru/whois/?ip='+a+'" target="_blank">'+b+"</a>";e[1]='<a href="'+dle_root+dle_admin+"?mod=iptools&ip="+a+'" target="_blank">'+c+"</a>";e[2]=

Code hiccup in jsunpack:
xoliter dot com/60h16f5fc94/5db91/4/ecd.js benign
[nothing detected] (script) xoliter dot com/60h16f5fc94/5db91/4/ecd.js
     status: (referer=linksfun.ru/2011/10/09/)saved 15423 bytes 14bbedabc310fb974c44495aca2fcbe8851f1098
     info: [javascript variable] URL=
     info: [decodingLevel=0] found JavaScript
external link to c.teromil dot com - no description because of robot.txt -> SMS fraud site?
     error: undefined variable padid
     error: undefined variable blockid
     info: [var appendChildsrc] URL=/wp-includes/js/jquery/jquery.js
     info: [var appendChildsrc] URL=c.teromil.com/s/0/1.js
     info: [element] URL=/wp-includes/js/jquery/jquery.js
     info: [element] URL=c.teromil.com/s/0/1.js
     info: [decodingLevel=1] found JavaScript
     error: undefined variable show1
     error: undefined function show1
     suspicious:

Netcraft detection is because of PHISHING!!

The malware detection is found here: http://support.clean-mx.de/clean-mx/viruses?id=16594627
Missed by avast!->  https://www.virustotal.com/nl/file/c20e0ab27a67d197ab6476ae59970ea8291a4ac1f65cfa4fe36d6b3f9c236611/analysis/

The malware is long OVERDUE! Alive & up and running now for 1847.6 hrs!

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
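As an added example (not polonus's code, and not output of any scanner quoted in the thread), a small Python checker that does what the "please check list for unknown includes" step asks: it lists script and link includes, including scripts added from inline code via an element's src, and flags every host that is neither the site itself nor on an allowlist. The sample HTML is constructed to mirror the includes named in this thread; `unknown_includes` and `IncludeCollector` are names chosen here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class IncludeCollector(HTMLParser):
    """Collects <script src>, <link href> URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

# String literal assigned to .src in inline code, the pattern behind jsunpack's
# "[var appendChildsrc] URL=" lines (e.g. s.src = "http://host/1.js").
SRC_LITERAL = re.compile(r"""\.src\s*=\s*['"]([^'"]+)['"]""")

def unknown_includes(html, site_host, allowlist=()):
    """Map each include host that is neither the site nor allowlisted to its URLs.
    Relative paths (e.g. /engine/classes/js/dle_js.js) are first-party and skipped."""
    p = IncludeCollector()
    p.feed(html)
    urls = list(p.urls) + SRC_LITERAL.findall("\n".join(p.inline))
    known = {site_host, *allowlist}
    flagged = {}
    for u in urls:
        host = urlparse(u).hostname   # None for relative paths, set for http://, //host
        if host is not None and host not in known:
            flagged.setdefault(host, []).append(u)
    return flagged

# Constructed sample page modelled on the includes reported in this thread.
SAMPLE_HTML = """<html><head>
<link rel="alternate" type="application/rss+xml" href="http://linksfun.ru/engine/rss.php">
<script src="/engine/classes/js/dle_js.js"></script>
<script src="http://xoliter.com/60h16f5fc94/5db91/4/ecd.js"></script>
<script>
var s = document.createElement('script');
s.src = "http://c.teromil.com/s/0/1.js";
document.body.appendChild(s);
</script></head></html>"""
```

Running `unknown_includes(SAMPLE_HTML, "linksfun.ru")` reports xoliter.com and c.teromil.com as the hosts to check; adding a host to `allowlist` drops it from the report.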