Author Topic: Malicious suspicious defacement on website!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Malicious suspicious defacement on website!
« on: April 26, 2015, 05:06:04 PM »
See: http://killmalware.com/themoviemonk.com/
found on 144 websites.
2 detections on VT: https://www.virustotal.com/nl/url/d24f2948daa88538251cca2addf81f119d5680bb04dd60a4f2d0c8c50840c309/analysis/#additional-info
One malicious file detected: index.html
Severity:   Malicious
Reason:   Detected known malicious content.
Details:   Threat detected according to previously retrieved information
File size[byte]:   57754
File type:   ASCII
Page/File MD5:   DC14FD90739734A11C2D31C76C5701B8
Scan duration[sec]:   0.001000  View code attached

Sucuri scan gives: Unable to properly scan your site

IP badness history: https://www.virustotal.com/nl/ip-address/74.220.215.206/information/

See: http://www.ip-finder.me/74.220.215.203/

Detected IP in here: https://malwr.com/analysis/NmVkMWQ5Y2U1ZTAyNGNmNTk1OWNlMGQyMTJhZmVhZDQ/

DrWeb detects as SCRIPT.Virus

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus
Re: Malicious suspicious defacement on website!
« Reply #1 on: April 26, 2015, 05:23:27 PM »
Vulnerable is WordPress Version 3.4
Version does not appear to be latest 4.1.2 - update now.

Received data GET: HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 15:16:12 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Code:
<HTML>
<HEAD>
<TITLE>HostMonster - Web hosting</TITLE>
<style type="text/css">
<!--
body {
margin-top: 0px;
}
.style2 {font-family: Arial, Helvetica, sans-serif; color: #033b73}
-->
</style>
</HEAD>

<BODY bgcolor="#FFFFFF">
<table border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="b7dc73" bgcolor="#EFEFEF">
  <tr><td>
<TABLE width="790" border=0 align="center" cellPadding=0 cellSpacing=0>
        <TBODY>
        <TR>
          <TD width=163><img height=98 src="http://www.hostmonster.com/media/shared/general/_hm/logo.jpg" width=163></TD>
          <TD vAlign=top>
            <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
              <TBODY>
              <TR>
                <TD><img height=31 src="http://www.hostmonster.com/media/shared/general/_hm/web-hosting-curve.jpg" width=627></TD></TR>
              <TR>
                <TD>
                  <TABLE cellSpacing=0 cellPadding=0 width="627" border=0>
                    <TBODY>
                    <TR>
                      <TD width="627" background="http://www.hostmonster.com/media/shared/general/_hm/web-hosting-top-gradient.jpg">
        <div style="visiblity: hidden; height: 67px; width: 1px;" /></TD>
</TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
</td></tr>
<tr><td>
<br>
<!-- SHTML Wrapper - Bounce Sniffer -->
<!-- Main site not installed -->
<div align="center">
                  <h3 class="style2">There is no website configured at this address.</h3>
                  <p class="style2"><font size=-1>
You are seeing this page because there is nothing configured for the site you have requested.<br></font>
<font size=-2>If you think you are seeing this page in error, please contact the site administrator or datacenter
responsible for this site.</font><br>
<BR></p>


  <table cellspacing="8" width="65%">
 <tbody>
  <tr>
   <td width="49%" height="50" onMouseOver="this.style.cssText+='; background-color: #ffffff ; border: Solid 1px #b7dc73  ';this.firstChild.style.color='#5f9c00'" onMouseOut="this.style.cssText+='; background-color: #ffffff ; border: Solid 1px #b7dc73 ';this.firstChild.style.color='#033a72'" onClick="if(this.firstChild.target!='_blank')location.href=this.firstChild.href" style="border: 1px solid #b7dc73; padding: 4px; font-family: 'Arial'; font-weight: bold; font-size: 16px; text-align: center; background-color: #ffffff;"><a href="https://www.hostmonster.com/cgi-bin/cplogin" style="color: #033a72; text-decoration: none; white-space: nowrap; cursor: pointer;">Login to your Account</a>
   </td>
   <td height="40" onMouseOver="this.style.cssText+='; background-color: #ffffff ; border: Solid 1px #b7dc73  ';this.firstChild.style.color='#5f9c00'" onMouseOut="this.style.cssText+='; background-color: #ffffff ; border: Solid 1px #b7dc73 ';this.firstChild.style.color='#033a72'" onClick="if(this.firstChild.target!='_blank')location.href=this.firstChild.href" style="border: 1px solid #b7dc73; padding: 4px; font-family: 'Arial'; font-weight: bold; font-size: 16px; text-align: center; background-color: #ffffff;"><a href="http://helpdesk.hostmonster.com" style="color: #033a72; text-decoration: none; white-space: nowrap; cursor: pointer;">Support Center</a>
   </td>
  </tr>
 </tbody>
</table>
  </div></td></tr>
<tr><td bgcolor="#b7dc73">
  <div align="right" class="style2">&copy; 2009 HostMonster.com</div></td>
</tr>
</table>

<script>
  var gaJsHost = ("https:" == document.location.protocol) ? "https://ssl." : "http://www.";
  document.write("<scr"+"ipt src='" +gaJsHost+ "google-analytics.com/ga.js'></scr"+"ipt>");
</script>
<script>
  var pageTracker = _gat._getTracker("UA-9156498-2");
  pageTracker._initData();
  pageTracker._trackPageview("/user_box/index.html");
</script>
<!--- $Id: default.shtml,v 1.10 2010/06/01 20:03:46 sj Exp $ --->

</BODY>
</HTML>

Kleissner's VirusTracker states there is active and up malware there:
themoviemonk dot com,74.220.215.206,ns2.hostmonster dot com,Criminals,

ns2.hostmonster.com is a bad zone, main domain scan: Found mail servers with inconsistent reverse DNS entries. You should fix them if you are using those servers to send email. -> http://www.dnsinspect.com/hostmonster.com/1430061584
Reverse entries for MX records.
htxp://submission.antispamcloud.com./ -> SaferChrome: Insecure login: Password will be transmitted in clear to htxp://submission.antispamcloud.com./index.php detected (see report) Login padlock icon
submission.antispamcloud.com.
Alerts (1)
Insecure login (1)
Password will be transmitted in clear to htxp://submission.antispamcloud.com./index.php
-> submission.antispamcloud.com.,,,Ghosted,

polonus (volunteer website security analyst and website error-hunter)
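The checks polonus runs by hand in the two posts above (hashing the fetched page as the scanner output reports it, reading the WordPress version and comparing it with the 4.1.2 he quotes as latest, spotting a login form that posts a password over plain HTTP, and the forward-confirmed reverse DNS test behind the "inconsistent reverse DNS entries" finding for the mail servers) as one added worked example. This is example code, not part of the thread and not the code of VirusTotal, Sucuri, SaferChrome or dnsinspect; the sample HTML and the fake resolver tables are constructed so it runs offline, and the live fetch and real DNS lookups are left to the caller.

```python
"""Offline triage of a captured HTML page: page hashes, WordPress version,
password forms that post over plain HTTP, and forward-confirmed reverse DNS
for a mail host.  Added example; none of this is the thread's own code."""
import hashlib
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not the real themoviemonk.com content): an outdated
# WordPress generator tag plus a login form whose action is plain http://.
SAMPLE_HTML = b"""<html><head>
<meta name="generator" content="WordPress 3.4" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=3.4">
</head><body>
<form action="http://submission.example.test/index.php" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
</body></html>"""

LATEST_WP = "4.1.2"  # the "latest" figure quoted in the post; update when reusing


def page_hashes(body: bytes) -> Dict[str, str]:
    """MD5 (what the scanner output in the thread reports) and SHA-256, over
    the raw bytes, so the values match what a file-hash lookup expects."""
    return {"md5": hashlib.md5(body).hexdigest(),
            "sha256": hashlib.sha256(body).hexdigest()}


def wordpress_version(body: bytes) -> Optional[str]:
    """Version from the generator meta tag, else from the ?ver= cache-buster
    that WordPress appends to its own wp-includes assets."""
    m = re.search(rb'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress\s+([\d.]+)',
                  body, re.IGNORECASE)
    if not m:
        m = re.search(rb'/wp-includes/[^"\'>\s]*\?ver=([\d.]+)', body)
    return m.group(1).decode("ascii") if m else None


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.strip(".").split("."))


def is_outdated(found: str, latest: str = LATEST_WP) -> bool:
    return version_tuple(found) < version_tuple(latest)


class _FormScanner(HTMLParser):
    """Collects (action, has_password_field) for every <form> on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[tuple] = []
        self._current: Optional[list] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def insecure_logins(body: bytes, page_url: str) -> List[str]:
    """Absolute targets of forms that carry a password field and would submit
    it over anything other than https (the SaferChrome 'insecure login' case).
    A relative action inherits the scheme of the page it sits on."""
    scanner = _FormScanner()
    scanner.feed(body.decode("utf-8", errors="replace"))
    scanner.close()
    flagged = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            flagged.append(target)
    return flagged


def triage(body: bytes, page_url: str) -> Dict[str, object]:
    version = wordpress_version(body)
    return {**page_hashes(body),
            "wordpress_version": version,
            "wordpress_outdated": bool(version) and is_outdated(version),
            "insecure_logins": insecure_logins(body, page_url)}


def mx_rdns_consistent(mx_host: str,
                       resolve_a: Callable[[str], List[str]],
                       resolve_ptr: Callable[[str], List[str]]) -> bool:
    """Forward-confirmed reverse DNS: every address of the mail host must have
    a PTR name that resolves back to that same address.  Resolvers are injected
    (wrap socket.gethostbyname_ex / socket.gethostbyaddr for live use)."""
    for addr in resolve_a(mx_host):
        names = resolve_ptr(addr)
        if not names or not any(addr in resolve_a(n) for n in names):
            return False
    return True


# Constructed resolver tables (hypothetical names, documentation addresses).
FAKE_A = {"mx.example.test": ["192.0.2.10"], "mail.example.test": ["192.0.2.10"],
          "bad.example.test": ["192.0.2.20"]}
FAKE_PTR = {"192.0.2.10": ["mail.example.test"], "192.0.2.20": ["other.example.test"]}


def fake_a(host: str) -> List[str]:
    return FAKE_A.get(host, [])


def fake_ptr(addr: str) -> List[str]:
    return FAKE_PTR.get(addr, [])


if __name__ == "__main__":
    print(triage(SAMPLE_HTML, "https://example.test/"))
    print(mx_rdns_consistent("mx.example.test", fake_a, fake_ptr),
          mx_rdns_consistent("bad.example.test", fake_a, fake_ptr))
```

For a live page, pass the undecoded body from `urllib.request.urlopen(url).read()` and the page URL to `triage`; hashing the raw bytes is what makes the MD5 comparable to the value the first post's scanner output lists.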

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Malicious suspicious defacement on website!
« Reply #2 on: April 26, 2015, 07:43:08 PM »
themoviemonk.com.htm
https://www.virustotal.com/en/file/09c4638b2f2dff12de9999fc20f1e25c336cebf89fc37cba5d857b9a467320ba/analysis/1430070107/


detection confirmed and added by Norman/BlueCoat   themoviemonk.com.htm  HackScript.B


F-Secure detection added as Trojan.JS.Agent.JOE
« Last Edit: April 28, 2015, 07:49:10 AM by Pondus »

Offline polonus
Re: Malicious suspicious defacement on website!
« Reply #3 on: April 27, 2015, 09:51:26 PM »
Thanks, Pondus, we have detection now.

polonus