Defacement flagged by Avast as VBS:Agent-KZ [Trj]

Re: http://killmalware.com/alter-ed.com/#
Avast detects and DrWeb URL Scan also detects: htxp://alter-ed.com redirects to htxp://www.alter-ed.com/

Checking: htxps://static.publikeco00.publikeco.com/apps/boot/boot-start.js?cb=8
File size: 1534 bytes
File MD5: ded656b0aa86151af417f6ff7c52fe40

htxps://static.publikeco00.publikeco.com/apps/boot/boot-start.js?cb=8 - Ok

Checking: htxp://www.alter-ed.com/
Engine version: 7.0.11.1300
Total virus-finding records: 5738977
File size: 114.40 KB
File MD5: ec56a3f41879dd0acb2b2116785598ab

htxp://www.alter-ed.com/ - archive JS-HTML

htxp://www.alter-ed.com//JSTAG_1[fd4][1b9bf] infected with VBS.Rmnet.2
htxp://www.alter-ed.com//JSTag_2[fd9][1b9ba] infected with Trojan.Inor
malicious file:

[[DropFileName = “svchost.exe”^^WriteData = ]]

On malicious DNS servers / mail servers: wXw.alter-ed.com - site ghosted, see http://www.dnsinspect.com/alter-ed.com/1423776080

ISSUE DETECTED DEFINITION INFECTED URL
Defacement MW:DEFACED:01 htxp://www.alter-ed.com/
Defacement MW:DEFACED:01 htxp://www.alter-ed.com/404javascript.js
Web site defaced. Details: http://sucuri.net/malware/entry/MW:DEFACED:01

Pop-up adware via htxps://static.publikeco00.publikeco.com

Blacklisted: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=alter-ed.com
Computer threat: http://safeweb.norton.com/report/show?url=alter-ed.com
Alerts like DrWeb’s via Sophos: http://www.yandex.com/infected?url=alter-ed.com&l10n=en

polonus

Update: https://www.mywot.com/en/scorecard/factor10.org?utm_source=addon&utm_content=popup#view
See: http://killmalware.com/madagascarbiodiversity.org/
Why is avast web rep flagging this green?
Avast normally flags this as VBS:Agent-KZ [Trj].

polonus

Update: http://killmalware.com/zawora.pro/#
and https://www.virustotal.com/en/url/5a6bf714eddc0346703fbfbee94db8317904d97fb24e15da5b03880a6c012aee/analysis/
ISSUE DETECTED DEFINITION INFECTED URL
Defacement MW:DEFACED:01 htxp://zawora.pro
Defacement MW:DEFACED:01 htxp://zawora.pro/404testpage4525d2fdc
Defacement MW:DEFACED:01 htxp://zawora.pro/404javascript.js
Defacement MW:DEFACED:01 htxp://zawora.pro/404javascript.js
Web site defaced. Details: http://sucuri.net/malware/entry/MW:DEFACED:01

Hacked By Thex@b1

index.html
Severity: Malicious
Reason: Detected malicious drive-by-download attack
Details: Malicious obfuscated JavaScript threat

[[DropFileName = "svchost.exe"^^WriteData = ]]

http://www.google.com/safebrowsing/diagnostic?site=zawora.pro

  • Incident: htxp://zawora.pro/
    Signature: CYSC.MALWARE.EXPLOIT.DRIVEBY-3
    Incident-URL: htxps://www.c-sirt.org/en/incident/5a6bf714eddc0346703fbfbee94db8317904d97fb24e15da5b03880a6c012aee

polonus

Update - same Defacement - VBS:Agent-KZ [Trj] → http://killmalware.com/alter-ed.com/#
This signature was found in 16 websites.
See: https://www.virustotal.com/nl/url/6b0196a3d8c22358d16ad84f83c60375380a428717da1e3d49bb87a773f70fcf/analysis/
See: http://whois.india.dj/source/alter-ed.com
/index.html
Severity: Malicious
Reason: Detected malicious drive-by-download attack
Details: Malicious obfuscated JavaScript threat

[DropFileName = "svchost.exe"^^WriteData = ]

JSON hijacking: https://capec.mitre.org/data/definitions/111.html

JScript Encode seen more and more inside spam: http://www.veit.nl/150468-jscript-encode

polonus

Update, another such defacement detected: http://killmalware.com/livingcompasspuzzle.com/#
This signature was found in 64 websites.
Avast detects as VBS:Agent-KZ [Trj]. DrWeb detects as htxp://livingcompasspuzzle.com infected with VBS.Rmnet.2
Website blacklisted by Google Safebrowsing and by Yandex: http://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Flivingcompasspuzzle.com&hl=en
Suspicious of Defacement: Suspicion of Spam

description" content=“website hacked by gl0w!ng - f! r3”."/> <link href='htxp://fonts.googleapis.com/css?family=icelan…

Site-wide check: Suspicious

dmin. . . . . [+]your website hacked by gl0w!ng - f! r3. [+]security
doesn&#39;t exist our dictionary. [+]we didn&#

SHELL

<SCRIPT Language=VBScript><!--

DropFileName = "svc******exe"
WriteData = "4D5A90000300000004000000FFFF … trojan dropper code
Info credits go to 600CC_265KMH

polonus