Author Topic: Why does VT not flag this? Malcode taken down?  (Read 1196 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33900
  • malware fighter
Why does VT not flag this? Malcode taken down?
« on: October 04, 2019, 02:37:45 PM »
See: https://www.virustotal.com/gui/url/765b0b6c899548ea0487b896abee5c612461184d54f29fd16c5d98c3125265b2/details
Detections on IP relations: https://www.virustotal.com/gui/ip-address/51.89.7.30/relations
Fortinet's detection: https://urlquery.net/report/c7ae0cb3-42b1-4e70-b364-2c826e9d077c  (malware)

Now has hive.html been taken down? -> https://sitecheck.sucuri.net/results/bitcoin-cash-generator.com/src/hive.html
https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Ylt0Xl1bbi1efHNoLWd7bnt9fHRdfS5eXW0%3D~enc
finding up: -  < if​rame width=1 height=1 src=src/hive.html scrolling=no frameborder=0> < / if​rame >
Quote
Content that was returned by your request for the URL: -http://bitcoin-cash-generator.com/src/hive.html

1:  < !DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
2:  < html> < head>
3:  < title> 404 Not Found< /title>
4:  < /head> < body>
5:  < h1> Not Found< /h1>
6:  < p> The requested URL was not found on this server.< /p>
7:  < p> Additionally, a 404 Not Found
8:  error was encountered while trying to use an ErrorDocument to handle the request.< /p>
9:  < /body> < /html>

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
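As an added defender-side example (not part of the original post): a small Python scanner that flags the kind of 1x1 or CSS-hidden iframe quoted above and resolves its src against the page URL, so a site owner can spot such an injection in their own HTML. The sample HTML and the base URL http://example.test/ are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: the 1x1 iframe pattern quoted above, a normal-sized embed
# that must not be flagged, and a CSS-hidden frame.
SAMPLE_HTML = """<html><body>
<iframe width=1 height=1 src=src/hive.html scrolling=no frameborder=0></iframe>
<iframe width="560" height="315" src="https://www.youtube.com/embed/xyz"></iframe>
<iframe src="/ads.html" style="display: none;"></iframe>
</body></html>"""
HIDDEN_STYLE_TOKENS = ("display:none", "visibility:hidden")

def _px(value):
    """'1', '1px', '560' -> number; None for missing or non-pixel values (e.g. '100%')."""
    if value is None:
        return None
    v = value.strip().lower()
    v = v[:-2] if v.endswith("px") else v
    try:
        return float(v)
    except ValueError:
        return None

class HiddenIframeFinder(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.findings = base_url, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # HTMLParser already handles unquoted values like width=1
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("1x1 or smaller")
        style = (a.get("style") or "").replace(" ", "").lower()
        if any(tok in style for tok in HIDDEN_STYLE_TOKENS):
            reasons.append("hidden by CSS")
        if reasons:  # resolve relative src so the finding names the fetched URL
            self.findings.append({"src": urljoin(self.base_url, a.get("src") or ""),
                                  "reasons": reasons})

def find_hidden_iframes(html, base_url):
    """Return [{'src': absolute URL, 'reasons': [...]}, ...] in document order."""
    p = HiddenIframeFinder(base_url)
    p.feed(html)
    p.close()
    return p.findings
```

Run `find_hidden_iframes(SAMPLE_HTML, "http://example.test/")` to see the two hidden frames reported; the visible 560x315 embed is ignored.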

Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Re: Why does VT not flag this? Malcode taken down?
« Reply #1 on: October 04, 2019, 02:48:15 PM »
XForce classified that IP as a botnet at one point. Detection was removed as of Sept 28, 2019 @ 8:48PM.

XFE >> https://exchange.xforce.ibmcloud.com/ip/51.89.7.30

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33900
  • malware fighter
Re: Why does VT not flag this? Malcode taken down?
« Reply #2 on: October 04, 2019, 10:10:39 PM »
@ Michael (alan1998),

Thanks for supporting that idea, the hive.html file has been removed.
So, does that mean that without this file the site is more secure now?

Client Pull, CGI, Perl & Gzip technology, see https://toolbar.netcraft.com/site_report?url=-s81.fastserver.club
1 red out of 10 netcraft risk rate.
Ransomware IP address: -51.89.7.30
ransomwaretracker.abuse.ch
Associated Ransomware Infrastructure. The table below shows all Ransomware infrastructure that is associated with the IP address -51.89.7.30.
-fapplepie - AbuseIPDB User Profile (www.abuseipdb.com)
-51.89.7.30, 24 Sep 2019. 51.89.7.30 - - - [24/Sep/2019:08:25:19 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 ..."
-drharrymorganssdsolution.com (Black Money Scam) - Stop 419 Scams (-www.stop419scams.com)
Sep 19, 2019 ... wXw.drharrymorganssdsolution.com. Scam Domain - Read Scam Websites 51.89.7.30. Domain Name: -DRHARRYMORGANSSDSOLUTION.
-puritygem.xyz - URLhaus (-urlhaus.abuse.ch)
Aug 15, 2019 ... Firstseen (UTC), IP address, Hostname, SBL, ASN, Country, Active? 2019-08-15 21:44:04, 51.89.7.30, -s81.fastserver.club, Not listed, AS16276 ...
-unboamefinancebk.com (Fake Bank Fraud Scam) - Stop 419 Scams ...

Quite some malware launched from that IP address: https://www.virustotal.com/gui/ip-address/51.89.7.30/relations

Quote
{
  "asn": "AS16276",
  "city": "",
  "country": "Germany",
  "country_code": "DE",
  "hostname": "s81.fastserver.club",
  "ip": "51.89.7.30",
  "latitude": 51.2993,
  "longitude": 9.491,
  "organization": "OVH SAS"
}
 
On that webserver Apache - Linux - unknown owner (PrivacyGuardian dot org shielded off):
Quote
OpenSSH 7.4 (protocol 2.0) fingerprint-strings: |   FourOhFourRequest, HTTPOptions: Server: imunify360-webshield/1.7
protection, that can be closed through this malware, read: https://otx.alienvault.com/indicator/ip/94.73.151.100
Closed on Linux server:
443 header: HTTP/1.1 200 OK Date: Wed 10 Jul 2019 07:26:16 GMT Content Type: text/html Connection: close Server: imunify360 webshield/1.7 Expires: Wed 10 Jul 2019 07:26:15 GMT Cache Control: no cache

Interesting general details, isn't it?  :o

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: October 04, 2019, 11:58:15 PM by polonus »