Author Topic: Suspicious webpage uri - Emsisoft detects Win32.Sality.N (B)  (Read 939 times)


polonus
See: http://killmalware.com/guilhermecaps.com/
For the malicious uri -> http://validator.linkeddata.org/vapour?uri=http%3A%2F%2Fwww.hdclipsbr.com%2Fwp-content%2Fplugins%2Fwpccp10951514---%2Finc%2Flayr.js%3Fver%3D4.2.&defaultResponse=dontmind&userAgent=vapour.sourceforge.net
and
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.hdclipsbr.com%2Fwp-content%2Fplugins%2Fwpccp10951514---%2Finc%2Flayr.js%3Fver%3D4.2.2
&
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcdn.jsdelivr.net%2Fwp%2Fwp-slimstat%2Ftrunk%2Fwp-slimstat.min.js

Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Excessive server header info proliferation.
X-Powered-By: PHP/5.4.42 -> ftp://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/lang/php54/README.html
IP Address: 50.62.212.66 -> https://www.virustotal.com/nl/ip-address/50.62.212.66/information/
Provider: GoDaddy.com, LLC

WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress site's front page.

sb-login   latest release (2.5)
htxp://webcarezone.com/projects/sb-login.asp
wpccp10951514---   
contact-form-7   latest release (4.2.1)
htxp://contactform7.com/
simple-ajax-insert-comments
Country: United States

Quttera finds 19 suspicious files: Detected encoded JavaScript code commonly used to hide suspicious behaviour.
Code:
[[\x70\x72\x65\x76\x65\x6E\x74\x44\x65\x66]] JSON dump

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
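The "encoded JavaScript" finding quoted in the post is a string of `\xNN` hex escapes that decodes to `preventDef` (the start of `preventDefault`). The short scanner below, added here as an example and not code from the post, from Quttera or from any product named above, shows how such a detection works: it looks for runs of consecutive hex escapes in JavaScript source, decodes them, and compares the result against a small watchlist of identifiers that obfuscated loaders commonly hide. The sample lines, the minimum run length of 4 and the watchlist are constructed assumptions for the demonstration.

```python
import re

# Constructed sample input (not taken from the scanned site): line 1 reproduces
# the hex-escaped fragment quoted in the post, the rest are there for contrast.
SAMPLE_LINES = [
    r'e[[\x70\x72\x65\x76\x65\x6E\x74\x44\x65\x66]]();',
    r'var fn = String["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"];',
    r'console.log("hello, world");',
    r'var nl = "\n\t";',
]

# A run of at least MIN_RUN consecutive \xNN escapes. Hand-written code rarely
# spells out whole identifiers this way; obfuscators do it to hide the names.
MIN_RUN = 4
HEX_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2}){%d,}' % MIN_RUN)

# Identifiers that, once decoded, are the usual building blocks of obfuscated
# loaders (assumed list). Prefix matching is used because escaped strings are
# often split across several concatenated pieces.
WATCHLIST = ("eval", "fromCharCode", "unescape", "document.write",
             "preventDefault", "createElement", "appendChild")


def decode_hex_run(run):
    """Turn a literal '\\x70\\x72...' run into the text it encodes."""
    return bytes.fromhex(run.replace("\\x", "")).decode("latin-1")


def scan_line(line):
    """Return one finding per escaped run on the line: the raw run, the decoded
    text, and the watchlist entry it matches (or is a prefix of), if any."""
    findings = []
    for m in HEX_RUN.finditer(line):
        decoded = decode_hex_run(m.group(0))
        hit = next((w for w in WATCHLIST
                    if w.startswith(decoded) or decoded.startswith(w)), None)
        findings.append({"encoded": m.group(0), "decoded": decoded,
                         "watchlist": hit})
    return findings


def scan_js(lines):
    """Scan a sequence of source lines; findings carry 1-based line numbers."""
    out = []
    for n, line in enumerate(lines, 1):
        for f in scan_line(line):
            f["line"] = n
            out.append(f)
    return out


if __name__ == "__main__":
    for f in scan_js(SAMPLE_LINES):
        flag = f" (watchlist: {f['watchlist']})" if f["watchlist"] else ""
        print(f"line {f['line']}: {f['encoded']} -> {f['decoded']!r}{flag}")
```

Run against the sample, it reports the `preventDef` fragment on line 1 and a hidden `fromCharCode` on line 2, and stays quiet on the ordinary `\n\t` escapes. A hit is a reason to pull the whole file for review, not proof of compromise on its own: minifiers and some legitimate libraries also emit hex escapes, which is why the decoded text is checked against a watchlist rather than treated as malicious by itself.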