Author Topic: Suspicious iFrame on site...we have protection!  (Read 2614 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Suspicious iFrame on site...we have protection!
« on: January 20, 2014, 11:49:33 PM »
See: http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2Fhnyechun.com
Website Virus Tracker classification: hnyechun dot com,124.173.105.107,ns1.cnolnic dot net,Parked/expired,

2 suspicious files according to Quttera's:
/index.asp
Severity:    Suspicious
Reason:   Detected hidden reference to external web resource. [What's this?]
Details:    Detected hidden iframe tag to '3721job.net'  iFrame-WI
Offset:    8671
Threat dump:   View code on http://jsunpack.jeek.org/?report=f7f8bc9fd64d73a10cd08247296d878b4fa23fc6
File size[byte]:    8755
File type:    ASCII
MD5:    39E34E6BB3C7A1238915B7B7E203D450
Scan duration[sec]:    0.029000

&

/index.html
Severity:    Suspicious
Reason:   Detected hidden reference to external web resource. [What's this?]
Details:    Detected hidden iframe tag to '3721job.net' iFrame-WI
Offset:    8671
Threat dump:   View code on: http://jsunpack.jeek.org/?report=f7f8bc9fd64d73a10cd08247296d878b4fa23fc6
File size[byte]:    8755
File type:    ASCII
MD5:    39E34E6BB3C7A1238915B7B7E203D450
Scan duration[sec]:    0.022000

avast! Webshield protects us against this malcode by blocking access to HTML:iFrame-BLG[Trj] as for site mentionened |{gzip}.
redirect site is not being blocked!

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Re: Suspicious iFrame on site...we have protection!
« Reply #1 on: January 21, 2014, 12:23:32 AM »
There is also a malicious external link going here: htxp://www.0898it.com
No description because of robot.txt  Bitdefender Traffic Light blocks site as malicious, and the WOT webrep is here: https://www.mywot.com/en/scorecard/0898it.com?utm_source=addon&utm_content=popup-donuts (High Risk Domain)
Domain classification: wXw.0898it.com,121.197.14.82,,Cybercriminals,
Description:
5年来中企在线专注于海南网站建设、网络推广,是拥有最多推广平台、最多客户案例、最多设计和销售客服队伍、最多政府授牌资质的优秀企业。
code hick-up:
wXw.0898it.com/js/jquery.js benign
[nothing detected] (script) wXw.0898it.com/js/jquery.js
     status: (referer=wXw.0898it.com/)saved 72328 bytes 6ab320a0421a75731233a3f6ec4f4f906b903dac
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     suspicious:
Also suspicious external links found.
See: https://www.virustotal.com/nl/url/83f764c5a93c49da9ee46fc3eebc05b14cea1fcbdc8898e1e7e16620dc4e0fa9/analysis/1390259468/
filescan probably harmless? Given clean here: http://maldb.com/www.0898it.com/
Given as blacklisted and likely compromised here: http://sitecheck.sucuri.net/results/www.0898it.com
Because of sloppy IT-security managment, see:
Asafaweb result, which  are flagging various insecurities via this scan: https://asafaweb.com/Scan?Url=www.0898it.com

1. Internal server error messages exposed externally -
2. Stack trace information being spread could expose code-level information - extremely dangerous!
3. Excessive header warning - Info also available to attackers:
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET, UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727

4. Clickjacking Warning

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!