Avast community forum
Topic: What is being flagged here? (Read 1265 times)
polonus (Avast Überevangelist, Probably Bot, Posts: 34051, malware fighter)
What is being flagged here?
« on: September 15, 2015, 11:07:16 PM »
See:
https://www.virustotal.com/nl/url/7fafab779c4960f890d495971cdf6afbce7da5e27d6567237ca900cb1309ef6d/analysis/1442350313/
VW Archives has Up: unknown_html.
Nothing here:
http://quttera.com/detailed_report/turtlehull.blogspot.com
and here:
https://sitecheck.sucuri.net/results/turtlehull.blogspot.com
blog website has changed destination: -nanalittlekitchen.wordpress.com
From:
http://toolbar.netcraft.com/site_report?url=http://turtlehull.blogspot.com
to:
http://toolbar.netcraft.com/site_report?url=nanalittlekitchen.wordpress.com
with same website risk status.
The following plugins were detected by reading the HTML source of the WordPress sites front page.
WordPress Theme
The theme has been found by examining the path /wp-content/themes/ *theme name* /
h4
ie-sitemode
Compromised sites will often be linked to malicious javascript in an attempt to attack users of your WordPress installation. Look over the listed javascript, you should be familiar with all scripts and investigate ones you are not sure. In addition removal of unneeded javascript will speed up your website.
-https://s2.wp.com/_static/??-eJyNjtEOgjAMRX/IbYL4wIPxWyZU6Nw6XIcEv96ayIORqEmT5rbn3tZMg0Jq/NgCGyd1HSHNr6Ydb8w3QAXsks2gA9ICN5EyUH6yIZ7QgxoZku1kJkHnuMINkXMAZoFWtu8vId0Qpp+YgzzY5qISMN4/UnMPcs/0lfGWWqRusVmacy+aPbaQ/raBZVG60KVYjuFQVLt6X2zLunIPPMyC5w==
-//0.gravatar.com/js/gprofiles.js?ver=201538x
-https://s2.wp.com/wp-content/mu-plugins/gravatar-hovercards/wpgroho.js?m=1380573781g
-https://s0.wp.com/_static/??-eJyVizsOgzAMQC/U1KIwkAFxFghWcbBDVAfC8Rs26Nb1fSBH49aQMCTwChPu5DAeT68PuCjZTOTtTUHBrSIFGaYF9XyYRtBMEf+ZbuB3TDNKyebmLFUGZnUfxFC6XrqqednW1lVr/RePRkWD
//-stats.wp.com/w.js?48
Consider:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fturtlehull.blogspot.com%2F2014%2F10%2Fsugar-free-latte-syrup-collection.html
and on new site:
http://www.domxssscanner.com/scan?url=https%3A%2F%2Fs2.wp.com%2F_static%2F%3F%3F-eJyNjtEOgjAMRX%2FIbYL4wIPxWyZU6Nw6XIcEv96ayIORqEmT5rbn3tZMg0Jq%2FNgCGyd1HSHNr6Ydb8w3QAXsks2gA9ICN5EyUH6yIZ7QgxoZku1kJkHnuMINkXMAZoFWtu8vId0Qpp%2BYgzzY5qISMN4%2FUnMPcs%2F0lfGWWqRusVmacy%2BaPbaQ%2FraBZVG60KVYjuFQVLt6X2zLunIPPMyC5w%3D%3D
-> Entity: line 12: parser error : EntityRef: expecting ';' [APP/controllers/frontend_controller.php,
polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
polonus (Avast Überevangelist, Probably Bot, Posts: 34051, malware fighter)
Re: What is being flagged here?
« Reply #1 on: September 15, 2015, 11:12:01 PM »
Some baddies on that same IP:
https://www.virustotal.com/nl/ip-address/192.0.78.12/information/
Don't believe this only 1 malicious URL on that Autonomous System, a joke? ->
http://sitevet.com/db/asn/AS2635
and only one with badware? And Avast detects VBS:Dropper-DF [Trj] there.
polonus
polonus (Avast Überevangelist, Probably Bot, Posts: 34051, malware fighter)
Re: What is being flagged here?
« Reply #2 on: September 15, 2015, 11:48:06 PM »
Sharing the same server and also flagged for a similar issue is this website:
https://www.virustotal.com/nl/url/9db2746d1f3a5a116331baabff5673cb98f4e026024651abd4e973493bff66b7/analysis/1442352848/
Nothing given here:
http://zulu.zscaler.com/submission/show/ea4274a91af561b3b277adf328e4155d-1442352941
Quttera is the one to flag this, and what do we have there? 2 malicious files detected:
2013/05/respect-authority.html#comment-form
Severity: Malicious
Reason: Detected reference to blacklisted domain
Details: Detected reference to malicious blacklisted domain -www.leesburgfire.org
File size[byte]: 74316
File type: HTML
Page/File MD5: DE827830AFE24B431BF3ECD951D5EB66
Scan duration[sec]: 0.277000
&
2013/05/respect-authority.html
Severity: Malicious
Reason: Detected reference to blacklisted domain
Details: Detected reference to malicious blacklisted domain -www.leesburgfire.org
File size[byte]: 74316
File type: HTML
Page/File MD5: DE827830AFE24B431BF3ECD951D5EB66
Scan duration[sec]: 0.233000
Consider:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Ftroop1138.blogspot.com
and
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.leesburgfire.org
Furthermore, 4 suspicious files:
Severity: Suspicious
Reason: Detected reference to blacklisted domain
Details: Detected reference to suspicious blacklisted domain -www.idalee.org
See:
https://webtrac.idalee.org/wbwsc/webtrac.wsc/wbsearch.html?wbsi=a8a747d8-2ac2-4e8e-e511-6941b303f4a1&xxmod=ar
A filter stopped this from loading: uBlock₀ has prevented the following page from loading:
-http://s21.sitemeter.com/js/counter.js?site=s52troop1138
Likes Google+ and PinIt are also normally blocked in my browser as replaced by Privacy Badger extension (note from me, pol).
See website risk status 7 red out of 10 here:
http://toolbar.netcraft.com/site_report?url=http://troop1138.blogspot.com
polonus (volunteer website security analyst and website error-hunter)
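Added example, not part of the original thread: a small Python audit that does by hand what the two scanner outputs quoted above describe, listing a page's script sources so unfamiliar ones can be reviewed (first post) and reporting references to blocklisted domains (Reply #2). The function names, the allowlist of script hosts and the sample HTML are assumptions; the sample is constructed from URLs quoted in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tag -> attribute that makes the browser load or link to another resource.
REF_ATTRS = {"script": "src", "iframe": "src", "img": "src",
             "link": "href", "a": "href", "form": "action"}

class RefCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.refs = base_url, []  # refs: (tag, absolute URL)
    def handle_starttag(self, tag, attrs):
        wanted = REF_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # urljoin resolves relative and protocol-relative (//host/..) URLs
                self.refs.append((tag, urljoin(self.base_url, value.strip())))

def host_matches(host, domains):
    """True if host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def audit(html, base_url, known_script_hosts, blocklist):
    collector = RefCollector(base_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        host = (urlsplit(url).hostname or "").lower()
        if host_matches(host, blocklist):
            findings.append(("blocklisted", tag, url))
        elif tag == "script" and not host_matches(host, known_script_hosts):
            findings.append(("unknown-script", tag, url))
    return findings

# Constructed sample page, built from URLs quoted in the thread.
SAMPLE_HTML = """<html><head>
<script src="//0.gravatar.com/js/gprofiles.js?ver=201538x"></script>
<script src="https://s2.wp.com/wp-content/mu-plugins/gravatar-hovercards/wpgroho.js?m=1380573781g"></script>
<script src="http://s21.sitemeter.com/js/counter.js?site=s52troop1138"></script>
</head><body>
<a href="http://www.leesburgfire.org/">link</a>
<a href="/2013/05/respect-authority.html#comment-form">comments</a>
</body></html>"""
BASE_URL = "http://troop1138.blogspot.com/"
KNOWN_SCRIPT_HOSTS = {"wp.com", "gravatar.com"}          # assumed allowlist
BLOCKLIST = {"www.leesburgfire.org", "www.idalee.org"}   # from the Quttera report

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, BASE_URL, KNOWN_SCRIPT_HOSTS, BLOCKLIST):
        print(finding)
```

An "unknown-script" finding only means the host is not on the reviewer's own allowlist; it is a prompt to look at the script, not a verdict.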