Blacklisted IP - malware on site now closed?

See: https://www.virustotal.com/nl/url/c448b0d309c89a52c6c6e4ecddc7c0b151f16a3506b077333c36b9edd79d4e6e/analysis/1385218319/
See recent reports for same IP: http://urlquery.net/report.php?id=7893395
This scan is clear: Joomla software outdated and JavaScript malware detected: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fdiscoverpoznan.info%2F
See: http://labs.sucuri.net/db/malware/malware-entry-mwjs2368
Users of the Chrome and Firefox browsers are immediately alerted: https://www.google.com/safebrowsing/diagnostic?site=discoverpoznan.info
Initial malware hoster seems dead now: http://support.clean-mx.de/clean-mx/viruses.php?domain=ddns.info&sort=first%20desc
Code hiccup:
discoverpoznan dot info/modules/lite/assets/js/2.0.0-b2.js benign
[nothing detected] (script) discoverpoznan dot info/modules/lite/assets/js/2.0.0-b2.js
status: (referer=discoverpoznan dot info/)saved 355 bytes f00b5d1b3d6730dd36c400240e1d9da4bf7bd1f3
info: [decodingLevel=0] found JavaScript
suspicious:
Malware now seems closed: http://support.clean-mx.de/clean-mx/viruses.php?ip=79.96.83.230&sort=first%20desc

pol

Another example of such a site: Up(nil): unknown_html RIPE US abuse at main-hosting dot com 31.170.163.240 to 31.170.163.240 ias3.com htxp://dgffugd.ias3.com/
See recent reports on same IP: http://urlquery.net/report.php?id=7893741
eval(function(p,a,c,k,e,d) javascript code: http://jsunpack.jeek.org/?report=40ef582bb17c4a750ef7be67166ac859b37eb1d9
Listed as suspicious → https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fdgffugd.ias3.com&hl=en
Injection check → Suspicious Text before HTML
SHell by DarK c0dr hack.

Google Browser Difference:
Not identical

Google: 11205 bytes Firefox: 295 bytes
Diff: 10910 bytes

First difference:
ml> googe docs <link rel=“stylesheet” type=“text/css” href="./remax - secure login_fi…

polonus
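
The "Injection check" and "Google Browser Difference" results quoted in the post above can be reproduced offline on two saved response bodies. This is an added example, not part of the original post or any scanner's own code; the function names and both sample bodies are constructed for illustration.

```python
import re

# Dean Edwards "packer" wrapper: the eval(function(p,a,c,k,e,d) form named in the post.
PACKER_RE = re.compile(rb"eval\(function\(p,a,c,k,e,[dr]\)")
# Where the HTML document proper starts.
HTML_START_RE = re.compile(rb"<!doctype\s+html|<html[\s>]", re.IGNORECASE)


def text_before_html(body: bytes) -> bytes:
    """Return any non-whitespace bytes that precede the doctype/<html> tag."""
    m = HTML_START_RE.search(body)
    return body[: m.start()].strip() if m else b""


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 if the bodies are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def compare_responses(crawler_body: bytes, browser_body: bytes) -> dict:
    """Summarise how the body served to a crawler differs from the browser one."""
    off = first_difference(crawler_body, browser_body)
    return {
        "identical": off == -1,
        "crawler_bytes": len(crawler_body),
        "browser_bytes": len(browser_body),
        "diff_bytes": abs(len(crawler_body) - len(browser_body)),
        "first_diff_offset": off,
        "first_diff_context": crawler_body[max(off - 4, 0): off + 40] if off >= 0 else b"",
        "text_before_html": text_before_html(crawler_body),
        "packed_js": bool(PACKER_RE.search(crawler_body) or PACKER_RE.search(browser_body)),
    }


# Constructed sample bodies (not the real pages from the post); helper names are hypothetical.
CRAWLER = (b"defaced-banner-text\n<html><head><title>login</title>"
           b'<link rel="stylesheet" type="text/css" href="./style.css">'
           b"<script>eval(function(p,a,c,k,e,d){return p}('0',1,1,''.split('|'),0,{}))"
           b"</script></head><body>form</body></html>")
BROWSER = b"<html><head><title>Index of /</title></head><body></body></html>"

if __name__ == "__main__":
    for key, value in compare_responses(CRAWLER, BROWSER).items():
        print(f"{key}: {value}")
```

A large size gap between the two bodies, text ahead of the `<html>` tag, or a packer wrapper are each reasons to inspect the page by hand.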

About what we saw here: http://sitecheck.sucuri.net/scanner/ / http://labs.sucuri.net/db/malware/malware-entry-mwjs2368
Let us inspect this piece of code: http://jsunpack.jeek.org/?report=52ced770f769ce5160927c25faa4e8ece3b66861
(view this in a sand-boxed browser with NoScript and RequestPolicy extensions active)
and to understand the mass infection problem, read: http://blog.sucuri.net/2011/08/mass-infection-of-wordpress-sites-counter-wordpress-com.html
link article author = David Dede. Know that this form of Malware Dump has been around since 2011.
We came across a similar issue earlier here: http://forum.avast.com/index.php?topic=107715.5;wap2

And here we see the hex-decoding: http://ddecode.com/hexdecoder/?results=5d031ad7b2822f26b88b830110745e61

polonus