Contradictory scan results...

  1. http://scanurl.net/?u=http%3A%2F%2Fmobilorder.com%2Fimages%2Fwp-gdt.php&uesb=Check+This+URL#results
    and
  2. http://siteinspector.comodo.com/public/reports/15052938
    against this: http://urlquery.net/report.php?id=3225070 and http://wepawet.iseclab.org/view.php?hash=9471c0b404b02c5ca40be73056f1bcb0&t=1371679584&type=js
    See: http://jsunpack.jeek.org/?report=5c1d23502095b37213748d668ffd099c5248c7d2 (visit with active script blocker and in a VM)
    eval function p.a.c.k.e.d malware → http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fmobilorder.com%2Fimages%2Fwp-gdt.php (http://wepawet.iseclab.org/view.php?hash=9471c0b404b02c5ca40be73056f1bcb0&type=js)
    Redirected to: hxtp://celebritygroups.biz/closest/ … 404 Not Found server error
    An invalid reaction during loading htxp://celebritygroups.biz/closest/i9jfuhioejskveohnuojfir.php. Server could be offline for maintenance or misconfigured.
    closest/i9jfuhioejskveohnuojfir.php HTTP/1.1
    Host: celebritygroups.biz with Potentially Damaging Content, detected by Websense ThreatSeeker
    see the PHP code in the image attached…

polonus
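The "eval function p.a.c.k.e.d" wrapper that Wepawet and clean-mx flagged above is Dean Edwards' packer: eval(function(p,a,c,k,e,d){...})('payload',radix,count,'words'.split('|'),0,{}). The following is an added illustration, not code from the thread or from any of the scanners it cites. It re-implements the wrapper's own decoding loop in Python, so the payload is never evaluated and the unpack can be done on a captured sample without a browser. The packed sample at the bottom is constructed by hand (it packs a document.write of a 2x2 iframe pointing at the reserved example.invalid host); it is not a capture from mobilorder.com.

```python
"""Static unpacker for Dean Edwards 'p.a.c.k.e.d' JavaScript (eval(function(p,a,c,k,e,d){...})).

Added illustration only; it is not the packer, nor code from Wepawet/clean-mx/jsunpack.
"""
import re

# the wrapper ends in  }('<payload>', <radix>, <count>, '<word|word|...>'.split('|'), ...)
PACKED_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,[dr]\)\{.*?\}\("
    r"'((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.DOTALL,
)
# digits of the packer's e(c): c.toString(36) for c < 36, String.fromCharCode(c + 29) above it
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def is_packed(script: str) -> bool:
    """Cheap triage check: does the script carry the packer prologue at all?"""
    return bool(re.search(r"eval\(function\(p,a,c,k,e,[dr]\)", script))


def unbase(token: str, radix: int) -> int:
    """Inverse of e(c): encoded word -> dictionary index, or -1 if token is not a valid code."""
    value = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= radix:
            return -1
        value = value * radix + digit
    return value


def js_unescape(s: str) -> str:
    r"""Undo the escapes the packer writes into its single-quoted payload (\' \\ \n)."""
    table = {"n": "\n", "r": "\r", "t": "\t"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(1)), s, flags=re.DOTALL)


def unpack(script: str) -> str:
    """Return the clear-text script. Mirrors the wrapper's loop: every \\w+ token of the payload
    is a base-`radix` index into the word list; an empty word-list entry leaves the token as is."""
    m = PACKED_RE.search(script)
    if not m:
        raise ValueError("no p.a.c.k.e.d payload found")
    payload, radix, count = js_unescape(m.group(1)), int(m.group(2)), int(m.group(3))
    words = m.group(4).split("|")
    if radix < 2 or radix > 62:
        raise ValueError(f"radix {radix} outside the packer's 2..62 range")

    def lookup(tok):
        idx = unbase(tok.group(0), radix)
        if 0 <= idx < min(count, len(words)) and words[idx]:
            return words[idx]
        return tok.group(0)

    # ASCII flag: JavaScript's \w is [A-Za-z0-9_], Python's default \w is Unicode-aware
    return re.sub(r"\b\w+\b", lookup, payload, flags=re.ASCII)


# Constructed sample (not a capture): what the packer emits for
#   document.write('<iframe src=hxxp://example.invalid/x.html width=2 height=2></iframe>');
# with radix 36 and a 12-entry word list, so tokens 'a' and 'b' exercise the letter digits.
SAMPLE_PACKED = (
    r"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?"
    r"String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]="
    r"k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c])"
    r"{p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}"
    r"('0.1(\'<2 3=4://5.6/7.8 9=a b=a></2>\');',36,12,"
    r"'document|write|iframe|src|hxxp|example|invalid|x|html|width|2|height'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack(SAMPLE_PACKED))
```

Real samples are often packed more than once, or the unpacked layer is itself obfuscated another way (the eval alias trick reported by Quttera later in this thread, for instance), so run unpack() in a loop while is_packed() still holds and then read the result, rather than trusting the first layer.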

Here is one of the outbound spam links, scanned here: http://urlquery.net/report.php?id=3180371
http://forums.whatthetech.com/index.php?s=305165fedeaad5a62a27f26a49a6a25a&showtopic=94109&pid=824965&st=960&#entry824965
http://blog.dynamoo.com/2013/06/neweggcom-spam-profurnitureecom.html
The reanalyzed Wepawet scan: http://wepawet.iseclab.org/view.php?hash=9471c0b404b02c5ca40be73056f1bcb0&t=1371680254&type=js
going to: http://wepawet.iseclab.org/view.php?type=js&hash=551cdf0eaea10e6d9fd00e75dffc9c92&t=1371679204

polonus

htxp://jsunpack.jeek.org/?report=5c1d23502095b37213748d668ffd099c5248c7d2

Detected as a cross-site scripting attack: === Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:" tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

polonus

Another one: unsure verdict, some IDS alerts, given as unknown_html_google_malware; IDS (twice): http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED (severity 3), see: http://www.snort.org/search/sid/120-10 → Http Inspect will also detect consecutive whitespace and normalize it to a single space. The config option "max_javascript_whitespaces" determines the maximum number of consecutive whitespaces allowed within the JavaScript.
Blacklisted - yes: http://quttera.com/detailed_report/www.51-help.com and http://www.yandex.com/infected?url=51-help.com&l10n=en
Security warning according to Sucuri’s: http://sitecheck.sucuri.net/results/www.51-help.com/ /service/index.htm & service/main.htm & solution//index.hrm
hidden iFrames: http://sucuri.net/malware/entry/MW:IFRAME:HD202
See also: http://scanurl.net/?u=http%3A%2F%2Fwww.51-help.com%2F&uesb=Check+This+URL#results
Verdict: Main URL: http://www.51-help.com is suspicious → http://evuln.com/tools/malware-scanner/www.51-help.com/

polonus

Here it is demonstrated how fast the threat landscape can change…
See recent scans, clean: http://urlquery.net/report.php?id=3241197 and http://evuln.com/tools/malware-scanner/canadianhomeleisure.com/
and http://siteinspector.comodo.com/public/reports/15081761
Previous situation with IDS alerts: redkit * malicious iFrame: http://urlquery.net/report.php?id=2572066
Potentially suspicious is /misc/jquery.js?.1.8.8 with Shell upload vulnerabilities
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar1755052859 = eval;
packed to save bandwidth…
Found by Quttera's here: http://quttera.com/detailed_report/canadianhomeleisure.com
a WordPress theme hack? http://wordpress.org/support/topic/theme-hacked - posted by iamgiant
The malicious JavaScript detected and identified as a redkit iframe:

<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=htxp://decktech.org/chhs.html?j=1286003></iframe>
(301 Moved Permanently, and a 404 Not Found now)

The src URL is blocked by Bitdefender TrafficLight, but given clean here: http://sitecheck.sucuri.net/results/www.decktech.org
On the IP now found:

|_http-title: Coming Soon page
Running on Apache httpd 2.2 Google Analytics installed: UA-2898485-20

pol

Here we find a redirect to a relative URL in JavaScript: http://urlquery.net/report.php?id=3241686
To see this we explore with jsunpack →

 <html><body><script>document.cookie='yyyyyyy=2cab1371yyyyyyy_2cab1371; path=/';window.location.href=window.location.href;</script></body></html>

here document.location.href = '/path'; //relative to domain
is being used.
This is the IDS alert we meet for the URL: http://doc.emergingthreats.net/bin/view/Main/2012593 and http://rules.emergingthreats.net/changelogs/snort-2.4.0.etpro.2011-05-19T22:12:29.txt (source=oinkmaster)
Here we read on the abuse of these Non-chargeable domains by cybercriminals: http://www.spamfighter.com/News-17018-Cyber-criminals-choosing-Non-chargeable-“cems”-Domains-Reports-Zscaler.htm (on spamfighter news)

polonus

See: Up(nil): unknown_exe ARIN US engineering at gnax dot net 64.22.111.82 to 64.22.111.82 jamondetrujillo dot com htxp://www.jamondetrujillo.com/toolbariber34/lentils.exe
https://www.virustotal.com/nl/url/a0c6128b08a676ea2906778fa8b4787ba7e6996b67ef65e0b6bfb475a6baba1f/analysis/ 3 detections
url detected by Bitdefender’s TrafficLight and flagged by WOT → http://urlquery.net/report.php?id=3276569
Seems an overdue PHISH page… http://www.mywot.com/en/scorecard/64.22.111.82?utm_source=addon&utm_content=popup-donuts
Why? See: http://sameid.net/ip/64.22.111.82/ & http://www.projecthoneypot.org/ip_64.22.111.82
Page has no title and page has no description. Text may be too short: spiders see 21 words: "MZ L This program cannot be run in DOS mode. Yq q q q t p p p Richq PEL D"
One potentially suspicious item here: /plugins/system/rokbox/rokbox.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method write __tmpvar446851846 = write;
Threat dump: see: http://jsunpack.jeek.org/?report=e706f5a7e310c8a19e051f958ce70177ebf1ab02 (open with active script blocker and in a VM)
File size[byte]: 20276
File type: ASCII
MD5: A9D7CD66A9C1C6A5995CC9BE2D689331

polonus
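The posts above keep meeting the same handful of static indicators: the 2x2 redkit iframe, Quttera's "function pointer to JavaScript method eval/write" (__tmpvar... = eval;), the cookie-set-then-reload gate jsunpack showed, Snort's http_inspect JavaScript whitespace alert, jsunpack's "%3CSCRIPT" GET-request rule, and an executable's "MZ ... This program cannot be run in DOS mode" text coming back where a page was expected. The following is an added illustration of how one might check a captured response body and URL for those indicators offline; it is not code from the thread nor from Quttera, jsunpack, Sucuri, urlquery or Snort, and its rules are my own approximations of what those tools reported. Thresholds (TINY_PX = 10, MAX_JS_WHITESPACE = 200, the latter being Snort's documented default for max_javascript_whitespaces) and the sample bodies are assumptions; the samples are constructed, with hosts on the reserved .invalid TLD, not captures from the sites named in this thread.

```python
"""Static indicator scan for the artefacts met in this thread.

Added illustration, not code from the original posts nor from any scanner they cite;
rules are approximations of those tools' reports, run over constructed sample input only.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote


@dataclass
class Finding:
    rule: str
    evidence: str


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([A-Za-z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# "__tmpvar = eval;" style aliasing of eval/write (Quttera's "function pointer" wording);
# a plain call such as eval(x) does not match because '(' is not an accepted terminator
ALIAS_RE = re.compile(
    r"(?<![\w$])([A-Za-z_$][\w$]*)\s*=\s*(?:window\.|this\.)?(eval|unescape|document\.write|write)\b"
    r"\s*(?=[;,)\]}]|$)", re.MULTILINE)
PACKED_RE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")
COOKIE_SET_RE = re.compile(r"document\.cookie\s*=")
SELF_RELOAD_RE = re.compile(r"(?:window\.)?location\.href\s*=\s*(?:window\.)?location\.href")
URL_XSS_RE = re.compile(r"%3Cscript.*%3E", re.IGNORECASE)  # the jsunpack rule quoted above
TINY_PX = 10             # assumed: width/height at or below this counts as a hidden iframe
MAX_JS_WHITESPACE = 200  # Snort http_inspect max_javascript_whitespaces default


def iframe_is_hidden(attrs: dict) -> bool:
    """True for display:none / visibility:hidden or a frame of a few pixels (redkit's 2x2)."""
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", attrs.get("style", "").lower()):
        return True
    for key in ("width", "height"):
        m = re.match(r"\s*(\d+)", attrs.get(key, ""))
        if m and int(m.group(1)) <= TINY_PX:
            return True
    return False


def scan_body(body: bytes) -> List[Finding]:
    """Run every rule over one HTTP response body and return what fired, in rule order."""
    # a PE image served where a page was expected ("MZ ... This program cannot be run in DOS mode")
    if body[:2] == b"MZ" and b"This program cannot be run in DOS mode" in body[:1024]:
        return [Finding("pe_executable", body[:16].hex())]
    text = body.decode("latin-1")  # never raises; every rule below is ASCII-only
    findings: List[Finding] = []
    for m in IFRAME_RE.finditer(text):
        attrs = {a.group(1).lower(): (a.group(2) or a.group(3) or a.group(4) or "")
                 for a in ATTR_RE.finditer(m.group(1))}
        if iframe_is_hidden(attrs):
            findings.append(Finding("hidden_iframe", " ".join(m.group(0).split())[:120]))
    for m in ALIAS_RE.finditer(text):
        findings.append(Finding("eval_alias", m.group(0).strip()))
    if PACKED_RE.search(text):
        findings.append(Finding("packed_eval", "eval(function(p,a,c,k,e,..."))
    if COOKIE_SET_RE.search(text) and SELF_RELOAD_RE.search(text):
        findings.append(Finding("cookie_gate_reload", "sets document.cookie, then reloads location.href"))
    for m in SCRIPT_RE.finditer(text):
        run = max((len(ws) for ws in re.findall(r"\s+", m.group(1))), default=0)
        if run > MAX_JS_WHITESPACE:
            findings.append(Finding("js_whitespace_run", f"{run} consecutive whitespace characters"))
    return findings


def url_has_script_tag(url: str) -> bool:
    """The '%3CSCRIPT ... %3E' GET-request rule, applied to the raw and to the decoded URL."""
    return bool(URL_XSS_RE.search(url) or re.search(r"<script.*>", unquote(url), re.IGNORECASE))


# Constructed samples (hosts on the reserved .invalid TLD); not captures from the thread.
SAMPLE_HTML = b"""<html><body>
<iframe name=Twitter scrolling=auto frameborder=no align=center height=2
width=2 src=http://landing.example.invalid/chhs.html?j=1></iframe>
<script>
var __tmpvar1755052859 = eval;
document.cookie='yyyyyyy=2cab1371; path=/';window.location.href=window.location.href;
</script>
<iframe src="/service/main.htm" style="display:none"></iframe>
<iframe src="https://video.example.invalid/embed/x" width="560" height="315"></iframe>
</body></html>"""
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$"
SAMPLE_PADDED = b"<script>var a=1;" + b" " * 400 + b"eval(a)</script>"

if __name__ == "__main__":
    for sample in (SAMPLE_HTML, SAMPLE_EXE, SAMPLE_PADDED):
        for f in scan_body(sample):
            print(f"{f.rule:20} {f.evidence}")
    print(url_has_script_tag("http://site.invalid/?u=%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E"))
```

Every one of these rules is a heuristic, and the 560x315 video embed in the sample shows why the size threshold matters: a hidden iframe is only suspicious in combination with where it points, and a clean verdict from one scanner (Sucuri on decktech.org above) against a block from another (TrafficLight) is exactly the "contradictory scan results" this thread opened with, so feed the findings into the same manual triage, not into an automatic verdict.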