Author Topic: ryuutama - F/P? (Read 5312 times)

kyuuketsuki_kurai · « **on:** July 28, 2014, 12:11:21 PM »

Right, so it's not the most savory site, but it's not unsafe, as far as I can tell?
Virustotal clears it, so does Quttera. Sucuri shows a SiteAdvisor blacklisting, but the info page shows no reason?

EDIT: Actually, SiteAdvisor is being all sorts of weird. Pages aren't loading, giving "We have no data for the page you requested. You can check another site using the look up box below.", and then loading on a reload. Any clues what's going on? I can't even request a review?

Pondus · « **Reply #1 on:** July 28, 2014, 12:21:03 PM »

you are missing some vital info here .... what site?

kyuuketsuki_kurai · « **Reply #2 on:** July 28, 2014, 12:35:43 PM »

Derp. Sorry. It was in the title, but I didn't actually put it in the body. Sorry. ^_^;;
hxxp://www.ryuutama.com/

Pondus · « **Reply #3 on:** July 28, 2014, 12:58:31 PM »

yes, but when you google ryuutama you get lots of stuff......

Pondus · « **Reply #4 on:** July 28, 2014, 01:04:14 PM »

VT
https://www.virustotal.com/nb/url/3a56ab4fbb9e7ebca7f4ba98076203fa3ac5922b3696e4b84f1a6830573e3abb/analysis/1406545126/

urlvoid http://www.urlvoid.com/scan/ryuutama.com/

killmalware http://killmalware.com/www.ryuutama.com/

unmask http://www.UnmaskParasites.com/security-report/?page=www.ryuutama.com

Sucuri http://sitecheck.sucuri.net/results/www.ryuutama.com/ / http://www.siteadvisor.com/sites/ryuutama.com

urlquery http://urlquery.net/report.php?id=1406545347320

polonus · « **Reply #5 on:** July 28, 2014, 03:25:14 PM »

Let us check that site. Following issues are being found up by web security test.

iFrame check: Suspicious
<iframe id="rightads" src="" scrolling="no" border="0" frameborder="0" marginheight="0" marginwidth="0" style="width:160
That is a hidden iFrame found.

Javascript check: Suspicious
r") != undefined) { //document.write('<iframe id="bottomads" src="" scrolling="no" border="0" frameborder="0" marginheight="0" marginwidth="0" style="width:824px; height:11... *
* is part of script to test whether visitors have strong ad blocking enabled, see second and third script at: http://fetch.scritch.org/%2Bfetch/?url=www.ryuutama.com&useragent=Fetch+useragent&accept_encoding=
Note - so site established that I have a strong ABP blocking enabled in my browser (note by me, pol)

404 error Check:
Suspicious
Suspicious 404 Page:
document.write('<iframe id="bottomads" src="" scrolling="no" border="0" frameborder="0" marginheight="0" marginwidth="0"

External links check: http://statcounter.com/free-hit-counter/ invisible free tracker, but not malicious as such.

So site may have adware, and it tests visitors against being able to block these ads.

Site is vulnerable, re: https://security-tracker.debian.org/tracker/CVE-2013-2110 &
http://www.security-database.com/detail.php?alert=DSA-2816, also leaking Mongo shell data.

DrWeb's URL checker gives an all green: Checking: htxp://widgets.amung.us/small.js
File size: 4801 bytes
File MD5: 848fe442ae30543c80d9972d35a3e8de
htxp://widgets.amung.us/small.js - Ok

Checking: htxp://www.ryuutama.com//js/jquery-1.8.3.min.js
File size: 91.44 KB
File MD5: e1288116312e4728f98923c79b034b67

htxp://www.ryuutama.com//js/jquery-1.8.3.min.js - archive JS-HTML
>htxp://www.ryuutama.com//js/jquery-1.8.3.min.js/JSTag_1[13407][39be] - Ok
htxp://www.ryuutama.com//js/jquery-1.8.3.min.js - Ok

Checking: hxtp://www.ryuutama.com//js/jquery.lazyload.js
File size: 7837 bytes
File MD5: 873cfb74844b0cf8a5063d58058ead8c
htxp://www.ryuutama.com//js/jquery.lazyload.js - Ok

Checking: htxp://www.ryuutama.com//js/advertisement.js
File size: 58 bytes
File MD5: 3ec054140f246a21fbf55aff6dbea6d6
htxp://www.ryuutama.com//js/advertisement.js - archive JS-HTML
htxp://www.ryuutama.com//js/advertisement.js - Ok

Checking: htxp://www.ryuutama.com//js/jquery.autocomplete.js
File size: 21.56 KB
File MD5: 2f34815c575309b41a04e3719a35c683
htxp://www.ryuutama.com//js/jquery.autocomplete.js - Ok

Checking: htxp://www.ryuutama.com//js/constants.js
File size: 23 bytes
File MD5: fb472f60ac7cb92ac23c4c13c374b1ed

htxp://www.ryuutama.com//js/constants.js - Ok

Checking: htxp://www.statcounter.com/counter/counter.js
File size: 9028 bytes
File MD5: 389f1acf246618ba207b9122dfbc57a8
htxp://www.statcounter.com/counter/counter.js - Ok

Checking: htxp://www.ryuutama.com/
Engine version: 7.0.9.4080
Total virus-finding records: 5391009
File size: 60.68 KB
File MD5: 0ea515f0d3e41508bf8cf5067bdf4c7f

htxp://www.ryuutama.com/ - archive JS-HTML
>htxp://www.ryuutama.com//JSTAG_1[410][4ab] - Ok
>htxp://www.ryuutama.com//JSTAG_2[15df][36f] - Ok
>htxp://www.ryuutama.com//JSTAG_3[eb4d][30a] - Ok
>htxp://www.ryuutama.com//JSTAG_4[f015][5a] - Ok
htxp://www.ryuutama.com/ - Ok

polonus

polonus · « **Reply #6 on:** July 28, 2014, 03:47:47 PM »

Just some observations. "An sich" this site may not bring harm, but the adblock tester is a rather aggressive and unfriendly way of approaching unaware visitors of the site.
I would not like to come to such a site with a stealth adblock tester, just a question of principle.
Normally I do not block main site ads and even allow script to run when I have found a site to be benign and secure enough to visit.
Also for reasons of security I block all third party ads & scripts. We had a lot of issues with Dutch sites spreading malcode through infested banner ads. Blocking these is a way to keep malvertisers at bay. I can understand a main site wants to spread ads, they need a base and income to uphold the site, but I am not going to enable click fraud, SEO spam etc. to support cybercrime and co earning from my clicks. Not saying that this site is anyway into these practices, no way, but that adblock tester got on my nerves somehow. Be open and frank about what you like to do, but do not adblock test stealthily behind my back.

polonus

mchain · « **Reply #7 on:** July 28, 2014, 04:16:12 PM »

Found this result, thanks polonus: http://guess.scritch.org/%2Bguess/?url=http%3A%2F%2Fwww.ryuutama.com%2F

Apparent non-30X redirect result when site scanned using their Guess tool or is the result of anomalous (non-standard) configuration.

polonus · « **Reply #8 on:** July 28, 2014, 04:28:16 PM »

Hi machain,

Wants some other angles to catch, see here: http://builtwith.com/ryuutama.com
Revealing is n't it, all technologies used on that site in one,

polonus

mchain · « **Reply #9 on:** July 28, 2014, 04:38:44 PM »

Interesting. Really, what is the true purpose of this site?

kyuuketsuki_kurai · « **Reply #10 on:** July 28, 2014, 05:39:37 PM »

The same as most sites. To make money.

So... We've determined that they really really want their ad money, and they're vulnerable, but still...
It doesn't actually seem like there's anything malicious. Just obnoxious. If we blocked every vulnerable site, we'd be blocking a large portion of the internet. XD

jefferson sant · « **Reply #11 on:** August 02, 2014, 04:11:16 PM »

Quote from: kyuuketsuki_kurai on July 28, 2014, 12:35:43 PM

Derp. Sorry. It was in the title, but I didn't actually put it in the body. Sorry. ^_^;;
hxxp://www.ryuutama.com/

hello

I got an answer to this problem

Quote from: Sirmer on August 02, 2014, 07:50:22 AM

site was removed from our black list

polonus · « **Reply #12 on:** August 02, 2014, 04:15:02 PM »

Confirmed, no longer being blocked by avast!.

polonus

Author Topic: ryuutama - F/P? (Read 5312 times)

kyuuketsuki_kurai

ryuutama - F/P?

Pondus

Re: ryuutama - F/P?

kyuuketsuki_kurai

Re: ryuutama - F/P?

Pondus

Re: ryuutama - F/P?

Pondus

Re: ryuutama - F/P?

polonus

Re: ryuutama - F/P?

polonus

Re: ryuutama - F/P?

mchain

Re: ryuutama - F/P?

polonus

Re: ryuutama - F/P?

mchain

Re: ryuutama - F/P?

kyuuketsuki_kurai

Re: ryuutama - F/P?

jefferson sant

Re: ryuutama - F/P?

polonus

Re: ryuutama - F/P?