A Bitdefender false positive?

See: https://www.virustotal.com/nl/url/48d5d08077dc6003b80c7688ca317ddfa38387070ccacf7f52a6c830ab58dbc2/analysis/1405793122/
All OK: http://sitecheck.sucuri.net/results/gdoly.com/
But here errors and warnings: https://asafaweb.com/Scan?Url=gdoly.com
Custom errors: Fail - Excessive Headers Warning and Clickjacking Warning.
URL / Page title / Response size / Duration

  1. htxp://gdoly.com/ - 广东顺德壹光年环保科技有限公司 - 5,132 bytes - 6,700 ms
  2. htxp://gdoly.com/trace.axd - 运行时错误 - 2,663 bytes - 776 ms
  3. htxp://gdoly.com/< - 无法找到该页 - 1,081 bytes - 511 ms
  4. htxp://gdoly.com/Index.html (POST 1,001 params) - 该页无法显示 - 1,028 bytes - 1,623 ms
  5. htxp://gdoly.com/elmah.axd - 运行时错误 - 2,663 bytes - 1,873 ms
  6. htxp://gdoly.com/elmah - 无法找到该页 - 1,081 bytes - 490 ms
  Total: 13,648 bytes - 11,973 ms

Given benign here: http://zulu.zscaler.com/submission/show/efd056679f40661eb42fe37ccc371cf3-1405793513

unknown_html APNIC CN anti-spam at ns.chinanet.cn dot net 61.152.93.39 to 61.152.93.39 gdoly dot com htxp://gdoly.com/

Spammer: First Bad Host Appearance approximately 3 years, 11 months, 3 weeks ago
Last Bad Host Appearance within 3 years, 9 months, 1 week
Bad Host Appearances 3 appearance(s) in spam e-mail or spam post urls

IP badness history on VT: https://www.virustotal.com/nl/ip-address/61.152.93.39/information/

polonus

This one certainly is not: https://www.virustotal.com/nl/url/1fcbf6c9413c8ef94b5af13b13ff6e99641e0ea1919820b5d1f0e422f7b32683/analysis/1405866184/
See: http://www.urlvoid.com/scan/yyl.hxedu.tj.cn/
and http://www.scumware.org/search.scumware
18 suspicious files flagged by Quttera's: http://quttera.com/detailed_report/yyl.hxedu.tj.cn
File name: /index.php?tj=14


[[\x3c\x73\x63\x72\x69\x70\x74\x73\x72\x63]]

Fake obfuscation of JavaScript.

polonus
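The hex-escaped fragment quoted above decodes to plain HTML markup, which is why a scanner flags it. As an added example (not from the poster or from Quttera), the following Python finds runs of \xHH escapes in a page, decodes them and reports the ones that hide script or iframe markup; the sample HTML is constructed here and built around the page's own `\x3c\x73\x63...` string.

```python
import re

# A run of at least four consecutive \xHH escapes. A single escaped character
# is common in legitimate JavaScript string literals, so short runs are ignored.
HEX_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2}){4,}')

# Decoded text containing one of these looks like injected markup, not data.
SUSPICIOUS_MARKERS = ("<script", "src=", "iframe", "document.write", "eval(")


def decode_hex_run(run: str) -> str:
    """Turn a run of \\xHH escapes into the characters it encodes."""
    raw = bytes(int(h, 16) for h in re.findall(r'\\x([0-9A-Fa-f]{2})', run))
    return raw.decode("latin-1")


def find_hidden_markup(source: str) -> list:
    """Return one finding per hex-escape run whose decoded text contains a marker."""
    findings = []
    for m in HEX_RUN.finditer(source):
        decoded = decode_hex_run(m.group(0))
        markers = [k for k in SUSPICIOUS_MARKERS if k in decoded.lower()]
        if markers:
            findings.append({"offset": m.start(), "decoded": decoded, "markers": markers})
    return findings


# Constructed sample page: a harmless single escape, the fragment quoted in the
# thread, and a hidden "<iframe" tag. The script URL is a placeholder.
SAMPLE_HTML = r"""<html><body>
<script>var s = "a\x0ab"; document.title = "ok";</script>
<script>document.write("\x3c\x73\x63\x72\x69\x70\x74\x73\x72\x63=\"//example.invalid/x.js\"\x3e\x3c/script\x3e");</script>
<div>\x3c\x69\x66\x72\x61\x6d\x65</div>
</body></html>"""


if __name__ == "__main__":
    for f in find_hidden_markup(SAMPLE_HTML):
        print(f"offset {f['offset']}: {f['decoded']!r} -> {f['markers']}")
```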

Only Bitdefender seems to flag this one:
Also on VirusWatch archives as unknown_html malware.
Missed here? → http://zulu.zscaler.com/submission/show/75f1cb87f1d7c7b0f0b2d61759b1e4f0-1405868617
and http://quttera.com/detailed_report/y5h6o.hevnsx.com & http://sitecheck.sucuri.net/results/y5h6o.hevnsx.com
See response body: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=y5h6o.hevnsx.com&useragentheader=&acceptheader= (added as an attachment)

pol

FP or really malicious?

See: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=www.xzk.me&useragentheader=&acceptheader=
and https://www.virustotal.com/nl/url/ac9b140fb01914a720961d854bf3d4c1274683da4995f030bb2057102bb79133/analysis/1405871152/
flagged at VirusWatch archives: http://lists.clean-mx.com/pipermail/viruswatch/20130807/077856.html
Well, at least the website server software is found to be vulnerable: Outdated Web Server Nginx Found Vulnerabilities on nginx nginx/1.0.15.
There is a remote security vulnerability using a new attack technique called BROP (Blind ROP); it is also vulnerable to stress-tool PHP attacks.

See attached image and then consider the info found here: https://www.virustotal.com/nl/domain/init.phpwind.net/information/

pol