Author Topic: Getmadd.com JS:ScriptIP-inf [Trj]  (Read 3355 times)

akwey

  • Guest
Getmadd.com JS:ScriptIP-inf [Trj]
« on: October 03, 2009, 07:46:28 PM »
I've tried searching for more information about this but I can't really find anything so it makes me think this is a false flag whenever I try to connect to Getmadd.com.  Anyone know anything about this?

CharleyO

  • Guest
Re: Getmadd.com JS:ScriptIP-inf [Trj]
« Reply #1 on: October 03, 2009, 08:01:56 PM »
***

Welcome to the forums, akwey.   :)

The source code for the page shows script outside of <HTML>...</HTML> block.

This is not proper and is suspicious.

Click the link below for more information:

http://www.UnmaskParasites.com/security-report/?page=www.getmadd.com


***

spg SCOTT

  • Guest
Re: Getmadd.com JS:ScriptIP-inf [Trj]
« Reply #2 on: October 03, 2009, 08:03:42 PM »
Hi akwey, Welcome to the forum :)

This website uses the webstat counter:

Hello,

It is probably not hacked - but it uses webstat.net which is blocked. Please switch to some other statistic, because webstat.net was distributing malware in the past.

Best Regards

It is also outside of the html block, which is against general web standards.
I think this is most likely the reason for the alert, and without that in the source code there is no alert - I have tested this.

-Scott-

[edit] Oops, CharleyO posted before...
[edit2] Found another post about webstat, from one of the ALWIL virus team, definitely dodgy...:

The site in question is using webstat.net, which we block. Can you get in the contact with the owners and ask them if they're sure about webstat.net credibility and if they have the contact with them?

The scripts of webstat.net are very suspicious, they have no contacts, no about us, no ToS and the email used in domain registration is invalid.

UPDATE: Sent mail to 9 different @webstat.net addresses, all of them returned as non-deliverable. Scripts are three times obfuscated, with the bottom layer having iframe somewhere to China.
« Last Edit: October 03, 2009, 08:08:49 PM by spg SCOTT »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Getmadd.com JS:ScriptIP-inf [Trj]
« Reply #3 on: October 03, 2009, 10:38:09 PM »
Hi akwey,

This is the script in question:
Code:
Writes

^img alt="Free Hit Counter" width="0" height="0" border="0" hspace="0" vspace="0" src=
"htXp://wXw.webstat.net/basic/counter.php?i=12156&r=&n=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3 ^^^^
B%20Windows^^^^%20NT%205.1%3B%20.NET%20CLR%201.1.4322%29&p=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3^=====^
B%20Windows%20NT%205.1%3B%20.^^NET%20CLR%201.1.4322%29&g=htXp%3A//getmadd.com&sd=24&sw=1024x768"^ ^script broken by me- pol
 
Last time webstat has suspicious content was on 2009-10-03.
Malicious software includes 437 scripting exploits.

This site was hosted on 1 network(s) including AS21844 (THEPLANET).
Also seen this code in the past there:
Code:
^script language="JavaScript" type="text/javascript"^
^!--
  // Hit counter code for Webstat.net
  var data = '&r=' + escape(document.referrer)
+ '&n=' + escape(navigator.userAgent)
+ '&p=' + escape(navigator.userAgent)
+ '&g=' + escape(document.location.href);
  if (navigator.userAgent.substring(0,1)>'3')
    data = data + '&sd=' + screen.colorDepth
+ '&sw=' + escape(screen.width+'x'+screen.height);
  document.write('^i[b]mg alt[/b]="Website Counter" width="0" height="0" border="0" hspace="0" '+'vspace="0" src="hxtp://wXw.webstat.net/basic/counter.php?i=21095' + data + '">');
// --^...........
/script
webstat.net is on a block malware list, so the webadmin/hoster should consider another tracker...

polonus
« Last Edit: October 03, 2009, 10:39:48 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
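
An added example, not part of any post in this thread: a small Python audit of page source for the traits the replies point to, namely active markup placed after the closing `</html>` tag, a 0x0 counter image, and a `document.write` call that loads from a blocklisted host. The blocklist entry `tracker.example`, the sample page and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.I)

def host_blocked(url, blocklist):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)

class CounterAudit(HTMLParser):
    def __init__(self, blocklist):
        super().__init__()
        self.blocklist, self.findings = blocklist, []
        self.html_closed = self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
        # Active markup after </html> is what the first reply flagged.
        if self.html_closed and tag in ("script", "img", "iframe"):
            self.findings.append(("outside-html", tag))
        if tag in ("img", "iframe"):
            src = a.get("src") or ""
            if a.get("width") == "0" and a.get("height") == "0":
                self.findings.append(("zero-size", src))
            if host_blocked(src, self.blocklist):
                self.findings.append(("blocked-host", src))

    def handle_endtag(self, tag):
        self.html_closed = self.html_closed or tag == "html"
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # An <img> built by document.write() exists only as script text.
        if self.in_script:
            for url in URL_RE.findall(data):
                if host_blocked(url, self.blocklist):
                    self.findings.append(("blocked-host-in-script", url))

def audit_page(html, blocklist):
    parser = CounterAudit(blocklist)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: counter script after </html>, placeholder host.
SAMPLE = ("<html><body><p>hi</p></body></html>\n<script>document.write('<img "
          "width=\"0\" height=\"0\" src=\"http://www.tracker.example/c.php?i=1\">');</script>")
```

`audit_page(SAMPLE, {"tracker.example"})` reports the script outside the HTML block and the blocklisted URL inside it; the blocklist would hold whichever tracker domains the scanner's vendor blocks.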