Author Topic: Heavily infected site which is not blocked by Avast  (Read 6135 times)

0 Members and 1 Guest are viewing this topic.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3646
Heavily infected site which is not blocked by Avast
« on: October 08, 2013, 08:58:42 PM »
Website URL: hxxp://www.otrforum.com/

See here:

hxxp://www.quttera.com/detailed_report/www.otrforum.com
hxxp://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.otrforum.com%2F
htxp://www.avgthreatlabs.com/website-safety-reports/domain/otrforum.com/
htxp://www.google.com/safebrowsing/diagnostic?site=otrforum.com
htxps://www.virustotal.com/de/url/155ac3466b557bf4781bbd026f45da167a1e359c0da941f005a709bc1ab6c4c2/analysis/
hxxp://zulu.zscaler.com/submission/show/db1b0a88ea586dd860afd12643412b88-1381258333
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37152
  • Not a avast user
Re: Heavily infected site which is not blocked by Avast
« Reply #1 on: October 08, 2013, 10:01:54 PM »

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3646
Re: Heavily infected site which is not blocked by Avast
« Reply #2 on: October 08, 2013, 10:08:32 PM »
When i go to the Url above it is not blocked.

What have you scanned in Virustotal?
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33647
  • malware fighter
Re: Heavily infected site which is not blocked by Avast
« Reply #3 on: October 08, 2013, 10:23:50 PM »
Steven Winderlich,

You are right avast! Shields aren't alarming, but in firefox or Google Chrome you are bloacked in this way by Google Safebrowsing
Quote
   Warning - visiting this web site may harm your computer!
Suggestions:

    * Return to the previous page and pick another result.
    * Try another search to find what you're looking for.

Or you can continue to http://www.otrforum.com/ at your own risk. For detailed information about the problems we found, visit Google's Safe Browsing diagnostic page for this site.

For more information about how to protect yourself from harmful software online, you can visit StopBadware.org
 
.

If you are the owner of this web site, you can request a review of your site using Google's Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Advisory provided by   Google
Also see: http://scanurl.net/?u=http%3A%2F%2Fwww.otrforum.com&uesb=Check+This+URL#results
A general IP block recommended: https://www.virustotal.com/en/ip-address/217.70.184.38/information/
The live malware situation: http://support.clean-mx.de/clean-mx/viruses.php?ip=217.70.184.38&sort=virusname%20asc
Also lot of PHISHING going on at that AS,

polonus
« Last Edit: October 08, 2013, 10:54:08 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37152
  • Not a avast user
Re: Heavily infected site which is not blocked by Avast
« Reply #4 on: October 08, 2013, 10:40:25 PM »
What have you scanned in Virustotal?
The malicious code ...


Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3646
Re: Heavily infected site which is not blocked by Avast
« Reply #5 on: October 08, 2013, 10:41:43 PM »
I dont know why the website is not blocked then, also there is no malicious code detected..........
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37152
  • Not a avast user
Re: Heavily infected site which is not blocked by Avast
« Reply #6 on: October 08, 2013, 10:44:45 PM »
I dont know why the website is not blocked then, also there is no malicious code detected..........
http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.otrforum.com%2F

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3646
Re: Heavily infected site which is not blocked by Avast
« Reply #7 on: October 08, 2013, 10:50:24 PM »
I dont know why the website is not blocked then, also there is no malicious code detected by Avast..........
Sorry. Wrote that wrong.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33647
  • malware fighter
Re: Heavily infected site which is not blocked by Avast
« Reply #8 on: October 08, 2013, 11:11:27 PM »
Hi Pondus and Steven Winderlich,

Well this report is quite convincing: http://www.google.com/safebrowsing/diagnostic?site=http://www.otrforum.com/&hl=en
Quote
Of the 211 pages we tested on the site over the past 90 days, 98 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-10-08, and the last time suspicious content was found on this site was on 2013-10-07.

Malicious software includes 200 exploit(s). Successful infection resulted in an average of 2 new process(es) on the target machine.

Malicious software is hosted on 15 domain(s), including kocohandre1983.tk/, googledrive.com/, 1381065003.hopto.org/.

8 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including kocohandre1983.tk/, 1381065003.hopto.org/, 1381075802.hopto.org/.

This site was hosted on 2 network(s) including AS24940 (HETZNER-AS), AS29169 (GANDI-AS).
Certainly not a site I want to visit.

Header response via Redleg's Fileviewer
Header returned by request for: htxp://www.otrforum.com/forum.php?s=c26979e310a52b176aa3b1ca153c055e

HTTP/1.1 302 Moved Temporarily
Server: Varnish
Location: htxp://www.onlinetvrecorder.com/v2/?go=forumwarning/forum.php?s=c26979e310a52b176aa3b1ca153c055e
Note: This line has redirected the request to htxp://www.onlinetvrecorder.com/v2/?go=forumwarning/forum.php?s=c26979e310a52b176aa3b1ca153c055e
Content-Type: text/html; charset=utf-8
Content-Length: 315
Accept-Ranges: bytes
Date: Tue, 08 Oct 2013 21:00:13 GMT
Via: 1.1 varnish
Connection: close
Age: 84

The location line in the header above has redirected the request to: hxtp://www.onlinetvrecorder.com/v2/?go=forumwarning/forum.php?s=c26979e310a52b176aa3b1ca153c055e

Code hick-up
 info: [script] wXw.usemax.de/ad.php?userid=1602&wf=1
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE HTML PUBLIC "-/W3C/DTD HTML 4.01/EN">
          error: line:3: ...............^

Source code view: http://www.whoisip.co.za/source//www.otrforum.com/forum.php?s=c26979e310a52b176aa3b1ca153c055e

pol
« Last Edit: October 08, 2013, 11:13:14 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3646
Re: Heavily infected site which is not blocked by Avast
« Reply #9 on: October 08, 2013, 11:13:06 PM »
This site is really really infected.

I already informed Avast via contact form.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33647
  • malware fighter
Re: Heavily infected site which is not blocked by Avast
« Reply #10 on: October 08, 2013, 11:17:29 PM »
Hi Steven Winderlich,

Thanks for reporting, check whether they indeed flag it and block it through Shield Detection in due time
Good it is blocked by Google Safebrowsing, but there are idiots that start to circumvent such warnings and click themselves into an infection anyway.
These folks cannot be helped, but when they have been here (which is very doubtful) they were noticed and only have to blame themselves for not paying attention.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3646
Re: Heavily infected site which is not blocked by Avast
« Reply #11 on: October 08, 2013, 11:21:57 PM »
And then are encountering system crashes and other garbage like that.

My computer just crashed a few minutes ago. The Notification service for system messages killed the system.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3646
Re: Heavily infected site which is not blocked by Avast
« Reply #12 on: October 08, 2013, 11:25:32 PM »
A week ago i had the same issues, i reinstalled Chrome and then they were gone. I will see if these happen again.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33647
  • malware fighter
Re: Heavily infected site which is not blocked by Avast
« Reply #13 on: October 09, 2013, 12:12:48 AM »
Hi Steven Winderlich,

You have to start MyEventViewer and look at the events log to get at the source of these errors. It can be interaction between the Microsoft Windows Security Auditing (windows FW notification error) and a specific dll. MalwareBytes Anti-Exploit tool is great at alerting these and on previous beta versions the blocks were also circumvented - this is malcode circumvention at work. It brought MBAE.exe to its knees and I had to restart it manually.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3646
Re: Heavily infected site which is not blocked by Avast
« Reply #14 on: October 09, 2013, 12:18:40 AM »
In this case it was svchost.exe which had an error.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10