Author Topic: Many websites with counter.yadro dot ru malware, here is one!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
-counter.yadro.ru,88.212.201.195,,Multiple IPs,
88.212.196.124 -> http://urlquery.net/report.php?id=1430828062628
history-news dot org,212.193.229.222,ns3.nic.ru,Parked/expired,
Stealth Name Servers: http://www.dnsinspect.com/nic.ru/1430828857
Fortinet's Webfilter Malware Alerts 2 2015-05-05   2   -counter.yadro.ru/hit?t50.1;r;s1176*885*24;uhtxp%3A//history-news.org/;0.7981324612639449   Malware
2015-05-05   2   -counter.yadro.ru/hit?q;t50.1;r;s1176*885*24;uhtxp%3A//history-news.org/;0.7981324612639449   Malware
Netcraft Website Rep Status 1 red out of 10: http://toolbar.netcraft.com/site_report?url=http://history-news.org
Encryption (HTTPS) (1) - static assigned Cable/DSL IP address
Communication is NOT encrypted
Possible Frontend SPOF from:

fonts.googleapis.com - Whitelist
(98%) - <link rel='stylesheet' id='twentyfourteen-lato-css' href='//fonts.googleapis.com/css?family=Lato%3A300%2C400%2C700%2C900%2C300italic%2C400italic%2C700italic' type='text/css' media='all' />
vk.com - Whitelist
(48%) - <script type="text/javascript" src="//vk.com/js/api/openapi.js?98">
pagead2.googlesyndication.com - Whitelist
(15%) - <script type="text/javascript" src="htxp://pagead2.googlesyndication.com/pagead/show_ads.js">
Javascript check: suspicious: .....
Included Scripts: Suspect - please check list for unknown includes


Suspicious Script:
   history-news.org///vk.com/js/api/openapi.js?98
   
Suspicious 404 Page:

Warning: Directory Indexing Enabled

Also blocked by any decent adblocker = htxp://top-fwz1.mail.ru/  and  htxp://hit10.hotlog.ru/

Javascripts included:
-http://history-news.org/wp-includes/js/jquery/jquery.js?ver=1.11.0
-http://history-news.org/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
//vk.com/js/api/openapi.js?98
-http://www.simvolika.org/on.js
-http://pagead2.googlesyndication.com/pagead/show_ads.js
-http://history-news.org/wp-includes/js/masonry.min.js?ver=3.1.2
-http://history-news.org/wp-includes/js/jquery/jquery.masonry.min.js?ver=3.1.2
-http://history-news.org/wp-content/themes/twentyfourteen/js/functions.js?ver=20140319

Infested with malware according to Sucuri's:
ISSUE DETECTED   DEFINITION   INFECTED URL
Website Malware   malware-entry-mwblacklisted35   htxp://history-news.org ( View Payload )
Website Malware   malware-entry-mwblacklisted35   htxp://history-news.org/?p=16490
Website Malware   malware-entry-mwblacklisted35   htxp://history-news.org/?cat=4
Website Malware   malware-entry-mwblacklisted35   htxp://history-news.org/?p=16418
Website Malware   malware-entry-mwblacklisted35   htxp://history-news.org/?p=15998( View Payload )
Suspicious domain detected. Details: http://sucuri.net/malware/malware-entry-mwblacklisted35
     <embed src="htxp://spu7.ru/banner/banner-spu.swf" rel="nofollow"
Now /export/banners from wXw.slavrus.net ->
https://www.mywot.com/en/scorecard/slavrus.net?utm_source=addon&utm_content=popup

122 malicious files -> Detected reference to malicious blacklisted domain -top.mail.ru
blacklisted domain: htxp://top.mail.ru/jump?from%3D2093167  (blocked by an extension in client)

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

polonus
Re: Many websites with counter.yadro dot ru malware, here is one!
« Reply #1 on: May 05, 2015, 03:12:17 PM »
Same malcode and more malware found up here: http://urlquery.net/report.php?id=1430830715074
Where VT results go silent: https://www.virustotal.com/nl/url/eb9d21f6ca0f75f34faa1561b3bf0f2b3c7b51d78663e8a06f4edc486f8f2669/analysis/
Sucuri finds outdated CMS: Outdated WordPress Found   Security Updates   WordPress Under 4.2
Web application version:
WordPress version: WordPress 4.1.1
Wordpress version from source: 4.1.1
Wordpress Version 4.1 based on: htxp://www.otoportali.com/wp-includes/js/autosave.js
All in One SEO Pack version: 2.2.5.1
WordPress theme: htxp://www.otoportali.com/wp-content/themes/otomobil/
Version does not appear to be latest 4.2.1 - update now.

PHP vuln: http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-160394/year-2014/opov-1/PHP-PHP-5.5.8.html

Vulnerable: User Enumeration is possible
The first two user ID's were tested to determine if user enumeration is possible.
User ID 1 : admin
User ID 2 : None

linked javascripts: http://www.otoportali.com/wp-content/themes/otomobil/includes/js/jquery.min.js?ver=1.4.2
-http://www.otoportali.com/wp-content/themes/otomobil/includes/js/jquery.tools.js?ver=1.4.2
-http://www.otoportali.com/wp-content/themes/otomobil/includes/js/jcarousellite.js?ver=1.0.1
-http://www.otoportali.com/wp-content/themes/otomobil/includes/js/superfish.js?ver=1.0
-http://www.otoportali.com/wp-content/themes/otomobil/includes/js/custom.js?ver=1.0
-http://adserver.reklamstore.com/reklamstore.js *
-http://adserver.reklamstore.com/reklamstore.js
//pagead2.googlesyndication.com/pagead/show_ads.js
-http://adserver.reklamstore.com/reklamstore.js
-//mc.yandex.ru/metrika/watch.js
-http://cdn.reklamnative.com/reklamnative/js/render.v1.js **

* bad web rep: https://www.mywot.com/en/scorecard/adserver.reklamstore.com?utm_source=addon&utm_content=popup
Avast does not give this a bad web rep?
** https://www.virustotal.com/nl/ip-address/188.132.170.35/information/

Website IP badness history:
https://www.virustotal.com/nl/ip-address/77.223.134.131/information/
Consider also: http://urlquery.net/report.php?id=1430682789064  with malcode on same IP address.

polonus (volunteer website security analyst and website error-hunter)

polonus
Re: Many websites with counter.yadro dot ru malware, here is one!
« Reply #2 on: November 14, 2017, 03:07:12 PM »
Update

Still going on, see recent detection here: https://urlquery.net/report/a0906225-a5e1-47e7-9776-eddd24e53007
Consider also rule here: https://supportforums.cisco.com/t5/event-analysis/blacklist-dns-request-for-known-malware-domain-counter-yadro-ru/td-p/3075516

polonus (volunteer website security analyst and website error-hunter)