Topic: What malware has this script?


Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34054
  • malware fighter
What malware has this script?
« on: July 19, 2016, 11:27:29 PM »
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Faccountdot.com%2Ftripple%2Fjs%2Fpopup.js
Checked the javascript there:
found JavaScript
     error: line:4: SyntaxError: missing } after function body:
          error: line:4: ength > 4){ $('#passwordError').fadeOut(50);}      }
          error: line:4: .............................................................^
URL query flags: GET /tripple/js/popup.js HTTP/1.1
Host: -accountdot.com  Google Safebrowsing blacklisted as PHISH.
Netherlands
AS43350 NFOrce Entertainment BV 85.159.237.152
HTTP/1.1 200 OK
Content-Type: application/javascript
N.B.
#4 JavaScript::Script (size: 4029, repeated: 1) - Alert detect on script (Severity: 2) - accountdot dot com/tripple/js/popup.js  85.159.237.152 - SHA256: eab89558b2f84a0c23e870e161a4cc80657cae00eb7c480ea87c786f0afd7242

Avast did not flag 3 weeks ago: https://www.virustotal.com/en-gb/file/eab89558b2f84a0c23e870e161a4cc80657cae00eb7c480ea87c786f0afd7242/analysis/
and see: https://www.hybrid-analysis.com/sample/1b3abaecbd202d7ca076f7b09f9b440162ab0790e608702089792bf47080e143?environmentId=100

IP malware history: https://virustotal.com/en/ip-address/85.159.237.152/information/

pol
« Last Edit: July 19, 2016, 11:34:02 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34054
  • malware fighter
Re: What malware has this script?
« Reply #1 on: July 20, 2016, 12:02:03 AM »
When we check on the reverse DNS certificate we get errors: cheapestunlimitedhosting.com

Please contact the Certificate Authority for further verification.
You have 1 error
Wrong certificate installed.
The domain name does not match the certificate common name or SAN.
Warnings
RC4
This server uses the RC4 cipher algorithm which is not secure. Disable the RC4 cipher suite and update the server software to support the Advanced Encryption Standard (AES) cipher algorithm. Contact your web server vendor for assistance.
SSLv3
This server uses the SSLv3 protocol which is not secure. Disable the SSLv3 protocol and enable a higher protocol version. Contact your web server vendor for assistance.
This server is vulnerable to:
Poodle (SSLv3)
This server is vulnerable to a Poodle (SSLv3) attack. If you have not disabled SSLv3 fallback support, disable it now and use TLS 1.2 or higher.
Info
BEAST
The BEAST attack is not mitigated on this server.
Certificate information
This server uses a Domain Validated (DV) certificate. No information about the site owner has been validated. Data is protected, but exchanging personal or financial information is not recommended.
Common name:
 -www.dilkadeal.com  This website probably has been hacked - changed according to Google or with spammy links.
SAN:
 -www.dilkadeal.com, -dilkadeal.com
Valid from:
 2016-Feb-12 14:40:39 GMT
Valid to:
 2017-Feb-12 14:40:39 GMT
Certificate status:
 Valid
Revocation check method:
 OCSP
Organization:
 
Organizational unit:
 Domain Control Validated
City/locality:
 
State/province:
 
Country:
 
Certificate Transparency:
 Not embedded in certificate
Serial number:
 08418c5e50e81ab0
Algorithm type:
 SHA256withRSA
Key size:
 2048
Certificate chain:
 -Go Daddy Root Certificate Authority - G2 (Intermediate certificate)
 -Go Daddy Secure Certificate Authority - G2 (Intermediate certificate)
 -www.dilkadeal.com (Tested certificate)

The nameserver certificate looks better but cannot be scanned fully: https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

Webserver has extensive server header info proliferation: Apache/2.4.18 Unix OpenSSL/1.0.1e-fips mod_bwlimited/1.4

Re: http://www.dnsinspect.com/accountdot.com/1468965110
Found mail servers with inconsistent reverse DNS entries. You should fix them if you are using those servers to send email.

Again probably GoDaddy abuse. Can we fully trust that Cloud towards Phishing and Spamming? I think we cannot fully.

polonus (volunteer website security analyst and website error-hunter)
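The "domain name does not match the certificate common name or SAN" error in the report above comes down to the hostname-matching rule a TLS client applies. The following is an added example (not code from the forum post or from any of the checkers linked there) that implements that rule: the certificate values are the CN and SAN entries quoted in the report, and the hostnames tested against it are constructed.

```python
# Added example: why a checker reports "domain name does not match the certificate
# common name or SAN". Certificate values are taken from the report above; the
# hostnames checked against it are constructed for illustration.

def _label_match(pattern: str, host: str) -> bool:
    """Match one DNS-ID against a host name, RFC 6125 style: case-insensitive,
    trailing dot ignored, and a wildcard is honoured only as the entire leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    h = host.split(".")
    # "*.example.com" covers "a.example.com" but not "example.com" or "a.b.example.com"
    return len(h) >= 3 and h[0] != "" and ".".join(h[1:]) == pattern[2:]


def cert_matches_host(cert: dict, host: str) -> tuple:
    """Return (matched, reason). When the certificate carries any DNS SAN entries the
    Common Name is ignored, as modern clients do; CN is only a fallback for SAN-less certs."""
    sans = cert.get("san_dns", [])
    if sans:
        for name in sans:
            if _label_match(name, host):
                return True, f"SAN dNSName {name!r} matches {host!r}"
        return False, (f"{host!r} not in SAN {sans}; "
                       f"CN {cert.get('cn')!r} ignored because SAN is present")
    cn = cert.get("cn", "")
    if cn and _label_match(cn, host):
        return True, f"no SAN; CN {cn!r} matches {host!r} (legacy fallback)"
    return False, f"no SAN and CN {cn!r} does not match {host!r}"


# Certificate as described in the checker output above (CN and SAN entries).
DILKADEAL_CERT = {"cn": "www.dilkadeal.com",
                  "san_dns": ["www.dilkadeal.com", "dilkadeal.com"]}

if __name__ == "__main__":
    # The first name is the one the report was run against and is the mismatch it flagged.
    for h in ("cheapestunlimitedhosting.com", "www.dilkadeal.com", "dilkadeal.com"):
        print(h, cert_matches_host(DILKADEAL_CERT, h))
```

The wildcard rule is what keeps a `*.dilkadeal.com` certificate from covering the bare apex or a deeper subdomain, which is why a hosting provider's shared certificate for one customer site will fail for every other name served from the same IP.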