Blackhole iFrame still responsive on site as avast Networkshield detects!

See: htxp://urlquery.net/report.php?id=57244
See: htxp://sitecheck.sucuri.net/results/usalii.com/
Get URL:Mal with Networkshield for the iFrame url: bxwtlawdpz.proxydns dot com
Avast keeps us protected,

polonus

The injected iframe’s coding is heavily obfuscated (and will not load with some html viewers) and decodes to your generic blackhole exploit kit. Like most, this one also checks for plugin versions to figure out which exploit(s) to use.

Hi !Donovan,

Here we see another example of how IDS flags this: htxp://urlquery.net/report.php?id=52339 & htxp://zulu.zscaler.com/submission/show/960d8242bd962bcdcbd5cf2046e1716a-1337442693
Site has an outdated vBulletin version…
htxp://sitecheck.sucuri.net/results/www.ebikeforum.com/ with 9 instances of malware found,
also see Zscaler’s external objects scan,
blocked by Google’s safebrowsing: htxp://google.com/safebrowsing/diagnostic?site=ebikeforum.com/
with this as original infecting site: htxp://www.checksitesafe.com/site/directmarketinglead-trade.in/ with a red 5/100 score

polonus

I'm here to confirm it. The source code was heavily obfuscated, Malzilla did its job though ;D

http://img685.imageshack.us/img685/4823/20120519201935.png

Site is detected: http://urlvoid.com/scan/yrdvjt.fartit.com/

Hi Polonus,

2 different exploit algorithms and 2 different malicious websites. The site needs to remove the scripts, change their passwords, and step up their security.


CheckSiteSafe looks and has features related to Webutation???

Hi Left123 & !Donovan,

I'd really like to thank you guys for digging into this, both of you.
A further thanks to all that commit here in these threads,
we are growing into an important knowledge base
how to perform pre-url-scanning to aid avast detection,

polonus