Additional scan facts for latest malicious activity.

Sometimes a Sucuri scan and other scans do not provide the full threat and risk spectrum for a particular url/uri/IP.
In that case we can use some specific scanners to get to these scan results.
We have seen recent malicious activity from this IP: 123.30.136.221
We can check here: https://www.firyx.com/whois
and we see it is a little involved in spam: http://www.reputationauthority.org/lookup.php?ip=123.30.136.221&Submit.x=13&Submit.y=11&Submit=Search
But it was acting as a bad web host approx. 1 year ago: http://www.projecthoneypot.org/ip_123.30.136.221
and we always return to the VT results for that IP: https://www.virustotal.com/en/ip-address/123.30.136.221/information/
We see we have 106 websites on that IP: http://sameid.net/ip/123.30.136.221/
Here we see what malicious activity goes on: http://urlquery.net/report.php?id=1802840
Via Astaro rules we get here: http://thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html
Name of the game: PHISHING, and the recent activity came from here: http://support.clean-mx.de/clean-mx/phishing.php?id=3801309

polonus

And now for the good news: avast! is among those solutions that detect it:
First we get: https://www.virustotal.com/en/url/a0d423f8124b4b0d25c6c056cd79454b7cf7165bff24169868623a84fd030171/analysis/1385064770/
and the accompanying file scan results:
https://www.virustotal.com/en/file/03b80f45444be15fdc01c6f00241bbd70bc1d279453462e4bb199aff9c5b1f6b/analysis/1384032810/
avast! flags this as HTML:Phishing-R [Trj]
We are being protected,

Damian

Here we start from this scan: https://www.firyx.com/whois?ip=77.108.103.66
to arrive here: http://urlquery.net/report.php?id=7858223
and http://jsunpack.jeek.org/?report=3a339bb2b610441e0359ad982dc1ad2ad8a9be31
and http://urlquery.net/report.php?id=8985
Suspicious scan results: http://zulu.zscaler.com/submission/show/0e8680555326d3b62b17383f8b3c77a1-1385070661
At the root of this is outdated software: http://sitecheck.sucuri.net/results/www.santehsnab.ru/
Suspicious javascript check delivered: Suspicious

x-pingback: htxp://santehsnab.ru/xmlrpc.php vary: accept-encoding Добро пожаловать! Магазин с… XML-RPC server accepts POST requests only.

And Suspicious 404 Page:
.ru/ expires: wed, 11 jan 1984 05:00:00 gmt cache-control: no-cache, must-revalidate, max-age=0 pragma: no-

The abuse for remote code injection: http://blogs.reliablepenguin.com/2013/05/28/wordpress-xmlrpc-php-pingback-vulnerability
article author = Leerb (protect code provided)
and POC http://www.securityfocus.com/bid/14088/exploit (author = dukenn)

pol
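The pingback abuse mentioned above leaves two traces a site operator can look for: bursts of POST requests to xmlrpc.php in the access log, and XML-RPC bodies calling pingback.ping with an unusual source URI (the server fetches that URI, which is what the abuse relies on). The script below is an added example for this thread, not code from the forum post or from the linked articles; the log lines and the XML-RPC body are constructed samples, the IP addresses are documentation ranges, and the threshold of 3 requests is an arbitrary assumption for illustration.

```python
import re
import ipaddress
from collections import Counter
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Nov/2013:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.7; http://example.invalid"
203.0.113.5 - - [21/Nov/2013:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.7; http://example.invalid"
203.0.113.5 - - [21/Nov/2013:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.7; http://example.invalid"
198.51.100.7 - - [21/Nov/2013:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Nov/2013:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
"""

# Matches client IP, request method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def count_xmlrpc_posts(log_text):
    """Count POST requests to xmlrpc.php per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group('path').split('?')[0]
        if m.group('method') == 'POST' and path.endswith('/xmlrpc.php'):
            counts[m.group('ip')] += 1
    return counts


def flag_sources(log_text, threshold=3):
    """Return IPs that sent at least `threshold` POSTs to xmlrpc.php (threshold is an assumption)."""
    return sorted(ip for ip, n in count_xmlrpc_posts(log_text).items() if n >= threshold)


# Constructed XML-RPC request body of a pingback.ping call (not captured traffic).
SAMPLE_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://203.0.113.9:8080/</string></value></param>
    <param><value><string>http://example.invalid/?p=1</string></value></param>
  </params>
</methodCall>"""


def parse_pingback(body):
    """Return {'source': ..., 'target': ...} for a pingback.ping call, else None."""
    root = ET.fromstring(body)
    if root.tag != 'methodCall' or root.findtext('methodName') != 'pingback.ping':
        return None
    strings = [s.text for s in root.findall('./params/param/value/string')]
    if len(strings) != 2:
        return None
    # pingback.ping(sourceURI, targetURI): the server will fetch sourceURI.
    return {'source': strings[0], 'target': strings[1]}


def is_suspicious_source(uri):
    """Flag a source URI whose host is a bare IP literal or that uses a non-standard port or scheme."""
    parsed = urlparse(uri)
    if parsed.scheme not in ('http', 'https'):
        return True
    host = parsed.hostname or ''
    try:
        ipaddress.ip_address(host)
        return True  # legitimate blogs link by hostname, not IP literal
    except ValueError:
        pass
    return parsed.port not in (None, 80, 443)


if __name__ == '__main__':
    print('Noisy xmlrpc.php clients:', flag_sources(SAMPLE_LOG))
    ping = parse_pingback(SAMPLE_BODY)
    print('Pingback call:', ping, 'suspicious source:', is_suspicious_source(ping['source']))
```

Counting alone will not tell a legitimate pingback storm from abuse, so the two checks are meant to be used together: a single client driving many pingback.ping calls whose source URIs point at IP literals or odd ports is the pattern worth alerting on. On the mitigation side, WordPress exposes an `xmlrpc_methods` filter through which a plugin can unregister `pingback.ping` if the site does not need it.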