Does this have a virus?

I was scanning a site (wxw.jellyneo.com) and while I was scanning it with Quttera, it said that it was suspicious. Can anyone confirm this? I don’t know much about files so I can’t tell if it is suspicious or not.
Edit: it seems to be an iframe?

comes up clean here now http://urlquery.net/report.php?id=1659002

but earlier scan 2013-03-28 http://urlquery.net/report.php?id=1658970 see “Intrusion Detection Systems” suricata filter detect

OK here http://www.urlvoid.com/scan/jellyneo.com/
but two websites hosted on same IP (click IP address tab) and scroll down to bottom

I scanned it with urlquery earlier and it said that it had those suricata warnings. You say that the warning is gone now?
Edit: so in summary, the site is safe? I visited the site yesterday so I don’t know if the warning was there before?

I guess the site is safe and there is nothing wrong with the suspicious iframe from the Quttera scan?

I did another urlquery scan and it has those two suricata warnings. Is this ok?

if you look on the first warning “ET RBN Known Malvertiser IP (4)”

then read about it here RussianBusinessNetwork http://en.wikipedia.org/wiki/Russian_Business_Network

So I guess the site is not safe?

Well, at least suspicious

Thanks Pondus. So nothing malicious was found on the site except for a warning about that ip?

Quttera gives the site as clean now. Content after the </html> tag should be considered suspicious.
line 438 has been removed
So there was a previous issue that has now been cleansed.
Site not blacklisted…

polonus

Ok thanks. Well I visited the site yesterday and wanted to check if it was safe.
Edit: I checked Quttera and it still says it is suspicious because of an iframe?

You’re welcome,

polonus

Replying so you can see the edit I made

Hi TuckerX,

Thanks for your reply. Time to just delve somewhat deeper. Here is what I stumbled upon…

Funny because there are no iFrames according to what evuln dot com reported :

Unmask iframe results: No iframes found!

But there was 1 hidden iFrame detected, see image attached.
This is what is being flagged by Quttera, but not with newer scans; yours must have been a previous one.
For the iFrame destination → http://labs.sucuri.net/?details=clients.bluecava.com
Quttera was right…but malware for bluecava dot com has all been closed or is dead, as you can see here: http://support.clean-mx.de/clean-mx/viruses.php?ip=216.23.166.114&sort=first%20desc
Site was distributing a Zbot trojan in 2011 → http://www.threatexpert.com/report.aspx?md5=e05ed18861f73201314f90194e87b91d
So you were not infested visiting the site through that hidden iFrame,

polonus
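
A defender-side check for the two signals discussed in this thread (a hidden iframe, and content after the closing `</html>` tag), as an added example that is not part of the original posts and not any scanner's own code. The hiding heuristics, the names and the sample markup are constructed assumptions:

```python
import re
from html.parser import HTMLParser

# Assumed heuristics: a frame is "hidden" if sized 0/1px or styled invisible.
TINY = re.compile(r"[01](?:px)?", re.I)
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class IframeAudit(HTMLParser):
    """Collects iframes whose attributes suggest they are hidden from the user."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        reasons = []
        if any(TINY.fullmatch(a.get(d, "")) for d in ("width", "height")):
            reasons.append("0/1px size attribute")
        if HIDING_STYLE.search(a.get("style", "")):
            reasons.append("hiding style")
        if reasons:
            self.findings.append(("hidden-iframe", a.get("src", ""), ", ".join(reasons)))

def audit(html):
    """Return (kind, src, detail) findings for one HTML document."""
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    findings = parser.findings
    # Greedy match locates the last </html>; anything non-blank after it is flagged.
    tail = re.search(r"(?is).*</html\s*>(.*)", html)
    if tail and tail.group(1).strip():
        findings.append(("content-after-html", "", tail.group(1).strip()[:60]))
    return findings

# Constructed sample page, not taken from the site discussed in the thread.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed" width="560" height="315"></iframe>
<iframe src="https://tracker.example.invalid/f" width="0" height="0" style="display:none"></iframe>
</body></html>
<script src="https://cdn.example.invalid/x.js"></script>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding only tells you where to look: the frame's destination still has to be checked against reputation sources, as was done above.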

Thanks a lot polonus. I am safe from anything suspicious when visiting that site yesterday then. You eased my worries about something being malicious about the site!

Hi TuckerX,

Yes, you were right at scanning that link. Use pre-scanning when you are going to a URL you haven’t visited before.

Keep the avast! shields up and running.
NoScript and RequestPolicy extensions in Firefox will protect you against existing and new threats of this kind.

Thanks again for reporting here,

polonus