Scanned the following proxy, see https://www.virustotal.com/nl/url/5fcc8af9c3321518a26b895f1491eacfcee0bf95e7517c4391f3f4cd25196e31/analysis/1399657503/
Suspicious file found by Quttera: /includes/main.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘.$1=parseurl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)rl(r)’]] of length 1526 which may point to obfuscation or shellcode.
Threat dump: View code-> http://jsfiddle.net/GUaE7/
Threat dump MD5: 9EE7AA83BB508D02C7D0196AEC153B4C
File size[byte]: 34610
File type: ASCII
MD5: A9F18CB4851176EF994DD010B975FF08
Scan duration[sec]: 1.753000
This site was blocked by that proxy: htxp://watchseries.lt/ in a likewise mode
/// broken by me pol.
Is this a PHP response in a string? See the browseblock javascript here:
http://t2bat0072.cmsaf.mit.edu:50075/browseBlock.jsp?blockId=-2207501180185205990&blockSize=134217728&filename=%2Fcms%2Fstore%2Fdata%2FRun2012D%2FHTMHTParked%2FAOD%2F22Jan2013-v1%2F10001%2FC6A3B48B-2A88-E211-A7D2-80000048FE80.root&datanodePort=50010&genstamp=17625268&namenodeInfoPort=50070&chunkSizeToView=32768
pol