Blacklisted domain (now scrubbed)

Hi there, I was hired to clean up this guy’s site because of some blacklisting issues.

The url: http://humirajustice.com

seotechd@EdenII /tmp/guy/logs $ cat humirajustice.paxildefects.com | grep 404
208.80.194.35 - - [08/Jun/2011:20:44:47 -0500] "GET /images/sev.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.5.20706; .NET CLR 3.0.590)"
208.80.194.30 - - [08/Jun/2011:20:47:00 -0500] "GET /images/web.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; IEMB3; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990)"
208.80.194.30 - - [08/Jun/2011:20:47:01 -0500] "GET /images/web.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; libero; ImageShack Toolbar 3.0.3; ImageShack Toolbar 3.0.6)"
208.80.194.30 - - [08/Jun/2011:20:51:36 -0500] "GET /images/rich.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; ZangoToolbar 4.8.3)"
208.80.194.30 - - [08/Jun/2011:20:51:40 -0500] "GET /images/rich.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; SIMBAR=0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
174.51.234.252 - - [08/Jun/2011:22:52:11 -0500] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
193.71.68.2 - - [09/Jun/2011:00:15:26 -0500] "HEAD /us1.exe HTTP/1.1" 404 - "" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.4) Gecko/20100513 Firefox/3.6.4"
193.71.68.2 - - [09/Jun/2011:00:15:26 -0500] "GET /us1.exe HTTP/1.1" 404 - "" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.4) Gecko/20100513 Firefox/3.6.4"
193.71.68.2 - - [09/Jun/2011:00:28:20 -0500] "HEAD /pdf/us1.exe HTTP/1.1" 404 - "" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.4) Gecko/20100513 Firefox/3.6.4"
193.71.68.2 - - [09/Jun/2011:00:28:20 -0500] "GET /pdf/us1.exe HTTP/1.1" 404 - "" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.4) Gecko/20100513 Firefox/3.6.4"
163.231.6.65 - - [09/Jun/2011:01:02:01 -0500] "GET /favicon.ico HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 (.NET CLR 3.5.30729)"
163.231.6.70 - - [09/Jun/2011:01:47:36 -0500] "GET /favicon.ico HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17 (.NET CLR 3.5.30729)"
163.231.6.70 - - [09/Jun/2011:01:47:39 -0500] "GET /favicon.ico HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17 (.NET CLR 3.5.30729)"
84.42.39.77 - - [09/Jun/2011:03:50:17 -0500] "GET /us1.exe HTTP/1.0" 404 - "-" "Wget/1.10.2"
84.42.39.77 - - [09/Jun/2011:04:12:31 -0500] "GET /pdf/us1.exe HTTP/1.0" 404 - "-" "Wget/1.10.2"
90.222.184.134 - - [09/Jun/2011:04:50:56 -0500] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Sky Broadband; FBSMTWB; GTB7.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
90.222.184.134 - - [09/Jun/2011:04:50:57 -0500] "GET /url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADgAAAAOCAYAAAB6pd%2buAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A%2fwD%2foL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9oGAhENK17O5ogAAAAZdEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIEdJTVBXgQ4XAAAD6UlEQVRIx82WXWxTdRjGf6fndO3adbZ0VLoP9gFMXZQFNgSWDEkEYtSQkNVg4o2JH9NGJTMk6k01vTIhXshFzTCKE5NFORoXXDBs4nTMZHMzSETHDKyQyb7Xbu36dc7p8aaQZm5GNzd8rk7evOf9z%2fM%2bz%2f99X4E1htcn68v5742mffVRJd19uucqH539lSq3yKuHtlDmkPj99aPYe39kfRoMOqgCJHSdJNRL3AEE%2fB7h3xZFgO6JuRQdl6PE8zfRPzlF71CEojoXFc%2b9SPy3KxjCc%2bgCpIE0IilB65YWHFQBfAbUZEIDQGPA7xngDsNgMpFUY0Q0ESHHhKbkM3A9yoFqDceGQpTijWjhXxCAtC6gCWk0BAwLzqkAQsC6TJVDGcKrZdeDXp%2fcvki8zeuTH8uO6ehYzRJumxEUBUkyMa%2baUDWBVDLNnJJgNE9ixGZiOlckaQAVAWmBdTqBzqxQJ%2fD2KgrTCDzq9clywO%2fxZMi1AgcBBbhNPhyJ47TlsGuzjaHRSRRdoKq8AF3XOdvZw1BMQneUMl9iZN4eo3AmRWVwFulvqusAngBOryLBY0AcaPD65LeAFPAk0BLwe57OTnz3i4sc3ruFx2s24MwzoWgaW4tNnPn0JLt37KJ2zwGMgk5X3zd8ONJOX7mGvcK5OEGvT94HNGcs2rjSzrhUUwn4PV1AV4bcm5nwkYDfc3xhbs%2bVWQZH%2btlekc%2fDtRupKrub1uYT7NhWw9bde%2fl2REUSRR56pJT0lxofhM8xaheXVPA1oDPg9zT%2bExmsDqF8hUqmlvi%2bDUs6RWhW5Ov%2bKaxmK5XFLkIzIe7f%2fiBtwypPVZqIRWJ8Ny6x09OEJJs5rrTxn4yJY00NwRU0mtaMLY9kyL3n9clVAb%2fnley8wnyBkkIHrgILm925JGPTJONRDHqaHDQmx2a4Ph4hpFkpcZqZmBhHtbI4wYDfs3%2bNhn5bpqG03LKl1ydXAS97fXJ%2b9jv0Hq6lyK5C%2fBJ6PEjyj2nW2VQGLw5gLKqn92YSxWgjbrRy89ogVosFoyT%2bZUzcurjD65M71oDjCeDzbCIZ5VqAk9mJm9w5zAdPkRx%2bB3H6Y3Kj7TxQMkzLqfe5V71GvttFiduOa3aQc58E6JseJJXSEVhjeH2yvpxN5qVnygj%2fdJQCWxjBAOm0gVRC5MLPdoZnt2F3rsdisTAV7MBlusT3oVK6TOriCv4fIZnsSDlu1IQRNWVGV83kYKFuZzX7PQ1MFOg0j53nh%2bg8qpLg2eogeyJ53JFddDkLtyiZ6%2b%2b674Vu5cZXiIkJdAEMjnvIqzjEjVCS7rmrhOwC0Vwn58fqkIIXeL72Mn8CJn6UfKGeNt4AAAAASUVORK5CYII%3d) HTTP/1.1" 404 - "http://www.humirajustice.com/faq.html" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Sky Broadband; FBSMTWB; GTB7.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
208.80.194.34 - - [09/Jun/2011:08:41:52 -0500] "GET /images/rich.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; {8FC5ADB1-4493-C7F3-0DCE-29A04F22882B}; FunWebProducts)"
208.80.194.34 - - [09/Jun/2011:08:41:57 -0500] "GET /images/rich.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; IEMB3; SpamBlockerUtility 4.8.4; ZangoToolbar 4.8.2; IEMB3)"
208.80.194.34 - - [09/Jun/2011:08:45:27 -0500] "GET /images/web.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; DigExt; (R1 1.5))"
208.80.194.34 - - [09/Jun/2011:08:45:29 -0500] "GET /images/web.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; JSRCC Academic; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
208.80.194.34 - - [09/Jun/2011:08:50:07 -0500] "GET /images/sev.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)"
93.163.67.230 - - [09/Jun/2011:10:46:15 -0500] "GET /images/rich.exe HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
93.163.67.230 - - [09/Jun/2011:14:14:20 -0500] "GET /pdf/us1.exe HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
208.80.194.30 - - [09/Jun/2011:15:01:56 -0500] "GET /images/rich.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; SIMBAR={EC275FF8-2182-45e8-A194-16EC687B161C}; SIMBAR=0; .NET CLR 1.1.4322)"
208.80.194.30 - - [09/Jun/2011:15:04:07 -0500] "GET /images/web.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; SV1; MSN 9.0;MSN 9.1; MSNbQ002; MSNmen-us; MSNcOTH)"

As you can see from the other malware spiders, there are no executables being hosted there anymore; his FTP information has been changed to a secure password, and the code has been fuzzed down to make sure they can’t drop anything else.

Can you please take humirajustice.com off your domain black list now? Thanks ^^
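Added example (editor's code, not from the thread): a small triage of a 404 listing like the one above. It parses combined-format lines, groups every request for an executable path by source IP, user-agent and status, and flags any payload path that still answers 2xx. The sample lines reuse addresses and paths from the post with shortened user-agents, plus one constructed 200 line to show the "not clean yet" case.

```python
import re
from collections import defaultdict

# Constructed sample: five lines modelled on the post's 404 entries
# (user-agents shortened) and one made-up 200 line for /images/rich.exe.
SAMPLE_LOG = """\
208.80.194.35 - - [08/Jun/2011:20:44:47 -0500] "GET /images/sev.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
208.80.194.30 - - [08/Jun/2011:20:47:00 -0500] "GET /images/web.exe HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
174.51.234.252 - - [08/Jun/2011:22:52:11 -0500] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/4.0.1"
193.71.68.2 - - [09/Jun/2011:00:15:26 -0500] "HEAD /us1.exe HTTP/1.1" 404 - "" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru)"
84.42.39.77 - - [09/Jun/2011:03:50:17 -0500] "GET /pdf/us1.exe HTTP/1.0" 404 - "-" "Wget/1.10.2"
10.0.0.5 - - [09/Jun/2011:05:00:00 -0500] "GET /images/rich.exe HTTP/1.1" 200 40960 "-" "Wget/1.10.2"
"""

# Apache/NCSA combined log format; the referer may be "" or "-" (both occur above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# File types a dropper or infected client would fetch; favicon.ico and
# missing images are ordinary 404 noise and are ignored.
PAYLOAD_SUFFIXES = (".exe", ".scr", ".dll", ".bat")


def parse_line(line):
    """Return the fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def payload_activity(log_text):
    """Group requests for payload-like paths: {path: {"ips", "agents", "statuses"}}.

    404-only paths are residual fetch attempts (bots, already-infected victims);
    a path with any 2xx is still being served and must be removed first."""
    acts = defaultdict(lambda: {"ips": set(), "agents": set(), "statuses": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].lower().endswith(PAYLOAD_SUFFIXES):
            continue
        entry = acts[rec["path"]]
        entry["ips"].add(rec["ip"])
        entry["agents"].add(rec["ua"])
        entry["statuses"][int(rec["status"])] += 1
    return acts


def still_served(log_text):
    """Payload paths that answered 2xx at least once: the site is not clean yet."""
    return sorted(p for p, a in payload_activity(log_text).items()
                  if any(200 <= s < 300 for s in a["statuses"]))
```

Run `still_served(SAMPLE_LOG)` against a real access log to confirm every dropper path is gone; an empty result plus a 404-only history is the evidence to attach when asking a blacklist to re-evaluate.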

I don’t know where you get the idea that avast has blacklisted this site?

I have just visited it (using avast 6.0.1125 and firefox 4.0.1) and the only thing that popped up was a WOT reputational alert, no doubt due to old infections/malware.

Bypassing WOT, I can access the home page and a number of the other heading pages with no avast alert/blocking of the site.

Hi seotechi,

A lot of links to malware on your domain now seem dead. Site has a high risk history with
TR/Hijacker.Gen, SpyEye (AMaDa records- status offline), also see:
http://www.malware-control.com/statics-pages/9fd3c5f9e2e5595b620fa199c7a29c83.php
and
http://www.threatexpert.com/report.aspx?md5=8998bcf5f3502c4aa0dcbe1bf9b12e95
Sucuri gives the site as green: -http://humirajustice.com/
Here it is still flagged: http://hosts-file.net/?s=humirajustice.com
webutation: http://www.webutation.net/go/review/humirajustice.com 2 x very poor but 80 out of 100 points
SOSWebScan: URL http://humirajustice.com has been successfully scanned. And No Malware or badwares found.
Spamcheck is secure; version number of the used server software should not be transmitted!
System info - makes the site exploitable!
Site uses Flash, so danger of Flash cookies,
Scripts found -swfobject.js
-http://server4.web-stat.com/wtslog.pl?al192509,3
-http://output42.rssinclude.com/output?type=js&id=145894&hash=131d834771d4c0309d126dd8bd28081d
-http://output13.rssinclude.com/output?type=js&id=41490&hash=8518ca639c866c02b4979fda80f41035
-http://online.us.drweb.com/result/ says clean,

polonus

http://www.onlinecrypter.com/scan_results.php?id=26142

Avast5.

Well, that doesn’t say anything, as there is no info about what the submission was; it just shows that the domain was scanned, and avast doesn’t scan domains, but traffic on the http stream. What was submitted?

If something was found avast would alert and say what was found, so these results are somewhat strange as it just says FOUND, no reference to what was found.

To me this seems like some sort of collation, as it isn’t saying exactly what has been found. We tend to have people submit files to virustotal.com with 43 scanners (which is a free service, but you have to upload a sample, not just a domain) and that actually reports a) the name of the file submitted and b) the actual malware name/s of what was found, and not just “found”.

The avast web shield is a real-time scanner and, as I have said, I found nothing whilst browsing in real time with avast 6.0.1125, and essentially it uses the same virus database as avast 5.x. There is no indication of what version (build and virus database version) is in use on that site, and I can’t see how you can actually submit a file if you haven’t paid for the service.

Engine   Signature ver   Last updated
Avast    5.0.677         2011-06-10

That is the database version, and it definitely is blocking it.

Hi seotechi,

I haven’t any influence on the definitions of Online Crypter scan, but my avast has no problems with your site, nothing flagged…
It had once: http://www.virustotal.com/file-scan/report.html?id=5cbedadd1942480cc62c7dde39da17fd386436d89c8445e2a927c5f27ce34c92-1290455771
but it is from a date in the past: 2010-11-22 19:56:11

The Malware domain list find for FOUND(trojan SpyEye) from Online Crypter is not actual, because the link is dead now. Also McAfee SiteAdvisor’s find is a dubious one. Categorization in URL Filter database version ‘86274’:
URL Status Categorization Reputation
-http://humirajustice.com Categorized URL - Malicious Sites High Risk (McAfee Trusted Source)

When doing a VT url scan, I get these results:
http://www.virustotal.com/url-scan/report.html?id=26aeff5e7513585fbd47c5f8e3089143-1307722160
The site is detected (do not know what the detection is based on) by BitDefender, G-Data, ParetoLogic, TrendMicro and Websense ThreatSeeker.
If this is no longer there, see: http://www.malwareblacklist.com/searchClearingHouse.php?search=humirajustice.com I mean this trojan -/us1.exe that it once had; you should report the cleansing there as well for a re-evaluation.

Honestly I think you are barking up the wrong tree here and should question Online Crypter about the actual validity of their site scan results.

polonus

They’re valid… But this has been removed within the past 24 hours. I also sent an email to virus@avast.com because just yesterday all the avast 5.0.677 were going off on this site; thanks anyway.

Look, I found nothing on your site; avast is a real-time scanner. If it has been removed in the last 24 hours, then being a ‘real-time’ scanner it wouldn’t find anything.

The only element to block would be the network shield blocking known malicious sites and this clearly isn’t happening.

Sending an email isn’t going to resolve a problem on a ‘file’ detection (avast isn’t blocking/blacklisting the site); avast needs the sample to analyse. This is why I have been banging on about the source of the detection, e.g. what was submitted to this onlinecryptor site (which prior to this topic I had never heard of, and as you can see we use a lot of sites when trying to analyse samples, etc.).

Hi seotechi,

Keep the site clean and update the web application software regularly, so the site will not be re-owned by malcreants again. Also do not spread the website server version info; it gives away too much,
as I have said in a former posting. Stay safe and secure online,

polonus