window._bd_share_config={"common":{"bdSnsKey":{},"bdText":"","bdMini":"2","bdMiniList":false,"bdPic":"","bdStyle":"0","bdSize":"32"},"share":{}};with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='htxp://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js?cdnversion='+~(-new Date()/36e5)];
See: https://www.virustotal.com/nl/url/447a8d14dd1ce275dde1f1af6f67acc397720e3ef641d36c401477f1c813e4d4/analysis/1431874102/
No vulnerable libraries found - is this a FP?
Might have been taken down; I get htxp://www.baidu.com/search/error.html
Here we see: http://labs.sucuri.net/db/malware/malware-entry-mwanomalysp8
Compare:
<script>window._bd_share_config={"common":{"bdSnsKey":{},"bdText":"","bdMini":"2","bdMiniList":false,"bdPic":"","bdStyle":"0","bdSize":"16"},"slide":{"type":"slide","bdImg":"7","bdPos":"right","bdTop":"146.5"}};with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='htxp://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js?cdnversion='+~(-new Date()/36e5)];</script>
JavaScript malware-based attacks now account for a large fraction of successful mass-scale exploitation happening today.
Also read here: https://wordpress.org/support/topic/modify-twenty-fourteen-child-theme-singlephp
and see: https://github.com/nihgwu/iZhihu/blob/master/views/story.ejs
Part of this JavaScript code is also found in a Cookie Cheat - body).appendChild(createElement('script')).src =
The bookmarklet has been taken off.
Nameserver error on baidu dot com: http://www.dnsinspect.com/baidu.com/1431876457
FAIL: While quering domain’s records, some of your name servers didn’t responded. Name servers which didn’t responded:
udp4:61.135.165.235 → htxp://mx.n.shifen.com./ → http://mx.n.shifen.com./favicon.ico with an error 403
and WARNING: Found CNAMEs in MX records, invalid MX records: for mx.n.shifen.com: http://toolbar.netcraft.com/site_report?url=http://mx.n.shifen.com.
polonus
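To make the snippet quoted above easier to reason about as a defender, here is an added analysis example (not code from the thread or from Baidu) that pulls the share config and the injected script URL out of it and shows why the cdnversion value changes every hour; the sample snippet is constructed from the one quoted above with the defanged "htxp" restored so the URL parses, and the page host is an assumption.

```javascript
// Added example: static analysis of the Baidu share.js loader snippet.
// Sample input constructed from the snippet quoted in the thread.
const SNIPPET = `<script>window._bd_share_config={"common":{"bdSnsKey":{},"bdText":"","bdMini":"2","bdMiniList":false,"bdPic":"","bdStyle":"0","bdSize":"16"},"slide":{"type":"slide","bdImg":"7","bdPos":"right","bdTop":"146.5"}};with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js?cdnversion='+~(-new Date()/36e5)];</script>`;

// The snippet appends cdnversion=~(-new Date()/36e5). ToInt32 truncates the
// negative hour count toward zero and ~(-n) is n-1, so the value equals
// (whole hours since the epoch) - 1 and changes once an hour. An exact-URL
// blocklist therefore never matches twice; match on host and path instead.
function cdnVersion(dateMs) {
  return ~(-dateMs / 36e5);
}

// Pull the embedded _bd_share_config object out of the snippet.
function extractShareConfig(html) {
  const m = html.match(/window\._bd_share_config=(\{.*?\});with\(document\)/);
  return m ? JSON.parse(m[1]) : null;
}

// Static part of the injected script URL (before the appended cache-buster).
function extractLoaderUrl(html) {
  const m = html.match(/\.src='([^']+)'\+~\(-new Date\(\)\/36e5\)/);
  return m ? m[1] : null;
}

// Classify the loader. `with(document)` resolves getElementsByTagName, body
// and createElement against document; `0[expr]` just evaluates expr and
// throws the result away, so the whole thing is a dynamic <script> injector.
function analyzeSnippet(html, pageHost) {
  const url = extractLoaderUrl(html);
  if (!url) return { dynamicLoader: false };
  const u = new URL(url);
  return {
    dynamicLoader: /appendChild\(createElement\('script'\)\)/.test(html),
    host: u.hostname,
    path: u.pathname,
    thirdParty: u.hostname !== pageHost,          // loads from another origin
    hourlyCacheBuster: /cdnversion='\+~\(-new Date\(\)\/36e5\)/.test(html),
    config: extractShareConfig(html),
  };
}

// Example run with an assumed page host (the 9669.com site mentioned later).
const report = analyzeSnippet(SNIPPET, 'www.9669.com');
console.log(report.host, report.path, report.thirdParty);
```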
I found this at "4399 xiao you xi" as well as 9669.com (a game market for Android)
see: http://killmalware.com/a.4399.cn/
(here you can see a lot of "【5.15 Weekly Game Picks】4399 Mobile Games recommends to you the newest and most fun weekly selection of mobile games! ...", which I believe is the description of the ad content. Also,
"bdPic":"htxp://f1.img4399.com/ma~29_20150515145436_5555982c7c6f4.jpeg"
This one actually loads an image for the content successfully!)
and http://killmalware.com/www.9669.com/ (This is the short one you get) apparently removed NOT when I scan again, this time with 2 instead of 1
This looks like it is somewhere in the banner ad
Might have been taken down; I get htxp://www.baidu.com/search/error.html
You always have to consider that in normal browsing, you are not allowed to access some ads directly. What I mean is that some ad content loads only within a website. If you access it directly, you will usually get a "403 Forbidden" page or the error page.
[b]So it has not been taken down.[/b]
http://labs.sucuri.net/db/malware/malware-entry-mwanomalysp8
I also get this usually when scanning Chinese sites that look suspicious to me. What does this mean?
Edit:
This should be the script of a share content (using something) button. The file name [b]share.js[/b] proves this fact.
Hi rickyyeung,
Thanks for delving into this with me - as we analyze the Baidu code: http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js this is launching POP-UP ads.
Scanned against the retire.insecurity scanner, which scans for JavaScript libraries with known vulnerabilities: http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js
Detected libraries:
No vulnerable libraries found
Scanner output:
Scanning http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js …
Script loaded: http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js
Status: success
Load time: 2791ms
So the code may be secure, but some users who do not like pop-up ads may want to block it.
Been with this adware before: https://forum.avast.com/index.php?topic=168170.0
polonus
Hi rickyyeung,
It is good to see that Avast Online Security now alerts on a.4399.cn/mobile/ajax/special-index-id-89-lastId-.html for example.
Sucuri flags:
ISSUE DETECTED: Website Malware
DEFINITION: malware-entry-mwanomalysp8
INFECTED URL: htxp://a.4399.cn
Anomaly behavior detected (possible malware). Details: http://sucuri.net/malware/malware-entry-mwanomalysp8
System Details:
Running on: nginx/1.4.1
Via proxy: 1.1
Outdated Web Server Nginx Found: nginx/1.4.1 exploitable: http://nginx.org/en/security_advisories.html
Netcraft Risk Status 1 red out of 10: http://toolbar.netcraft.com/site_report?url=a.4399.cn
Funny that Quttera does not detect anything: http://quttera.com/detailed_report/a.4399.cn
polonus
Consider this malware detected 1 day ago: http://killmalware.com/a.4399.cn/
Consider for example: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fa.4399.cn%2Fgame-id-47750.html&useragentheader=&acceptheader=
See: http://forum.wenming.cn/posts/00/13/8A/9B/Ac1f79541-1a28-440f-bc6e-58def787ab1f.dat
Detected as Adware: http://lavasoft.com/mylavasoft/malware-descriptions/blog/GenVariantFakeAlert9600956e5276
response body → var a=0; etc. could be part of JS:HideLink-A [Trj] (Event Object) → jss/trace_news.js?2015051417114
going to htxp://tracenews.5054399.com/trace.js?addd="+a+"&uddd="+escape(u)+"&tddd= tracing to chromium/webkit/javascript. This has Trojan/Android.Agent = Trojan.DR.Agent!/zs0u3nU1qk
fake Pokemon game, which rickyyeung reported about here: https://forum.avast.com/index.php?topic=155727.0
So still around.
polonus