avast detects SEO Spam and site as a PHISH!

See Sucuri’s findings: avast detects as JS:HideLink-A [Trj]

ISSUE DETECTED | DEFINITION | INFECTED URL
SEO Spam | MW:SPAM:SEO?g12 | htxp://www.brugnetti.com/prodotti.htm
SEO Spam | MW:SPAM:SEO?g12 | htxp://www.brugnetti.com/prodotti/alexia.htm
SEO Spam | MW:SPAM:SEO?g12 | htxp://www.brugnetti.com/prodotti/delta.htm
SEO Spam | MW:SPAM:SEO?g12 | htxp://www.brugnetti.com/prodotti/takeaway.htm
SEO Spam | MW:SPAM:SEO?g12 | htxp://www.brugnetti.com/prodotti/compactde.htm
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?g12
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
Domains blacklisted by Quttera:
wXw.autson.com
wXw.brugnetti.com
Web application version:
Joomla Version 1.5.18 - 1.5.26 for: htxp://www.brugnetti.com/media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: htxp://www.brugnetti.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.26 or 3.3.5

XSS vuln: Results from scanning URL: hxtp://www.brugnetti.com/cache/widgetkit/widgetkit-49b606cf.js
Number of sources found: 63
Number of sinks found: 28

DNS report: http://www.dnsinspect.com/brugnetti.com/1415295820
Security Header Check:
Result | Category | Name | Actual Value | Our Recommendation
Missing | Framing | X-Frame-Options | - | Use 'sameorigin'
Missing | Transport | Strict-Transport-Security | - | Use 'max-age=31536000; includeSubDomains'
Missing | Content | X-Content-Type-Options | - | Use 'nosniff'
Correct | Content | Content-Type | text/html; charset=utf-8 | Use 'text/html;charset=utf-8'
Missing | XSS | X-XSS-Protection | - | Use '1; mode=block'
Warning | Cookies | Set-Cookie | e9be2e64351aab648c06…VvRhO96YoRg1; path=/ | Add 'secure; httponly;'
Warning | Cookies | Set-Cookie | lang=deleted; expire…00:00:01 GMT; path=/ | Add 'secure; httponly;'
Warning | Cookies | Set-Cookie | jfcookie=deleted; ex…00:00:01 GMT; path=/ | Add 'secure; httponly;'
Warning | Cookies | Set-Cookie | jfcookie[lang]=delet…00:00:01 GMT; path=/ | Add 'secure; httponly;'
Warning | Caching | Cache-Control | post-check=0, pre-check=0 | Add 'no-cache, no-store, must-revalidate'
Correct | Caching | Pragma | no-cache | Use 'no-cache'
Correct | Caching | Expires | Mon, 1 Jan 2001 00:00:00 GMT | Use '-1'. Currently, expiration is current time minus -436988742 seconds.
Missing | Access Control | X-Permitted-Cross-Domain-Policies | - | Use 'master-only'
Missing | Content Security Policy | Content-Security-Policy | - | Try Content-Security-Policy-Report-Only to start. Include default-src 'self', avoid 'unsafe-inline' and 'unsafe-eval'
Warning | Privacy | P3P | CP="NOI ADM DEV PSAi…UR OTRo STP IND DEM" | Remove obsolete header

There certainly should be some attention given to server configurations and CMS update routines to make the website more secure!

IP badness: https://www.virustotal.com/nl/ip-address/208.113.168.184/information/
Re: http://sameid.net/ip/208.113.168.184/
Phishing on same IP: http://support.clean-mx.de/clean-mx/phishing.php?review=208.113.168.184&sort=id%20DESC

polonus

What this site had in store for the innocent visitors recently can be seen here:
Latest detected files that were downloaded from this domain
Latest files that are detected by at least one antivirus solution and were downloaded by VirusTotal from the domain provided.
22/54 2014-11-04 20:10:04 93cc758db6c4ca00b74e43cbf5f161a92049e002cbd9e6df01b9d4f0d425258d
20/55 2014-09-22 09:00:43 6edce987d400c66067f767d1a830a0fbb4bcd5f9f2770f62102db7ebc50f5871
11/55 2014-08-24 17:54:58 798c5ea31a608c5bdd6ffcfcd3380d706267e6141597d9bbf3c296a320b0a4a4

All detected by avast as JS:HideLink-A [Trj]
When you are on avast you are being protected, folks!

Update for this SEO Spam malcode!
Similar website, similar SEO spam malware: https://www.virustotal.com/nl/url/c8d923f52b15c785e63cc6246b2b2d84bfcc646e2a5a05bb2e697e9fbe2ef569/analysis/
Potentially suspicious files 2: http://quttera.com/detailed_report/434342.ru
http://sitecheck.sucuri.net/results/434342.ru#sitecheck-details
CMS Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.26 or 3.3.5
100/100% malicious: http://zulu.zscaler.com/submission/show/e8254bc5d4f9c555b30bab98cf4346fd-1422356442
Object detected: Name: TrojWare.JS.Agent.caa - avast! detects as: JS:HideMe-J [Trj]
also see: https://forum.avast.com/index.php?topic=152464.0

polonus

Alive and up, examples of this JS:HideLink-A Trj…
http://support.clean-mx.de/clean-mx/viruses.php?virusname=JS:HideLink-A%20Trj&sort=id%20DESC
with good overall detection status.

polonus