Highly suspicious code on website... [SOLVED]

Found here: https://www.virustotal.com/url/2f6f54491bff066cdc8afdd6dc34530594797ba19287b7938bc2cd25c8be2895/analysis/
See: plus.google dot com/s/aumentax
File size[byte]:
177330
Severity:
Potentially Suspicious
Details:
Detected hidden reference to external web resource.
Reason:
Detected generation of hidden DOM element [iframe].
MD5:
5A873284F2C84DC82884078DC46C3E36
Scan duration[sec]:
8.308000
/?m=201002
File size[byte]:
45437
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar984089910 = eval;
MD5:
B5ABBD14CCA2BA278FF5A1FC685D39B5
Scan duration[sec]:
0.151000
/?m=201201
File size[byte]:
64444
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval _tmpvar101975352 = eval;
MD5:
E95F89BA4D29BCF56076E9F72C90CFD4
Scan duration[sec]:
0.125000
twitter.com/#!/aumentax2
File size[byte]:
68261
Severity:
Potentially Suspicious
Details:
Detected procedure that is commonly used in suspicious activity.
Reason:
Too low entropy detected in string '/[^a-z0-9_-------------------------------------------------------------]*[a-z
----------------------’ of length 213 which may points to obfuscation or shellcode. (name that doesn’t fit naming conventions defined for its object type, via pyLint message)
MD5:
B03D8BB0C791E76CAC095C15387AD908
Scan duration[sec]:
0.064000
/?m=200906
File size[byte]:
41117
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar1255904747 = eval;
MD5:
12E9B826E365599D350EDF41BF9A8BC0
Scan duration[sec]:
0.120000
/?m=201003
File size[byte]:
90338
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar1727839343 = eval;
MD5:
8C38117B53F3069EE787A5AD9703FEC2
Scan duration[sec]:
0.131000
/?m=201203
File size[byte]:
45813
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar451570725 = eval;
MD5:
26724897FB82A5A841BD63E09E5FDF16
Scan duration[sec]:
0.138000
/?m=200812
File size[byte]:
41031
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar1440197804 = eval;
MD5:
9B53489BAF103C65BFDE90CDC8E59B49
Scan duration[sec]:
0.117000
/?tag=aumento-pecho
File size[byte]:
73369
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar1919785369 = eval;
MD5:
02CDE097B93EA5D3FB0BC61BE3EAEEA8
Scan duration[sec]:
0.147000
/?m=201208
File size[byte]:
44451
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar306755997 = eval;
MD5:
AD9C10CD32687161166FB441E2364E2A
Scan duration[sec]:
0.115000
/?m=201006
File size[byte]:
69390
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar1505407362 = eval;
MD5:
ACE76383FF4E1D3E05B4A50F13295552
Scan duration[sec]:
0.130000
/?m=201009
File size[byte]:
44655
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar1076042327 = eval;
MD5:
582B7C38A7C82C4BCA1885DCCC3396C0
Scan duration[sec]:
0.129000
/?m=200905
File size[byte]:
42098
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar188007109 = eval;
MD5:
A8032D7B1E4966415D7429BC48587E01
Scan duration[sec]:
0.159000
/?m=200907
File size[byte]:
40227
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar571738867 = eval;
MD5:
1D4373588BC53057DED41E140942C676
Scan duration[sec]:
0.138000
/?m=200903
File size[byte]:
40448
Severity:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar1017855753 = eval;
MD5:
84578E4267689A0585CF39754ECEB90B
Scan duration[sec]:
0.118000
Quttera scan data…

polonus



Avast Webshield detects this object as JS;Iframe-TD[Trj]. We are being protected!
Avast Webshield also detects JS;Redirector-AB[Trj] on that site and blocks it…

polonus

Sucuri
http://sitecheck.sucuri.net/results/blog.aumentax.com/xmlrpc.php

urlQuery
http://urlquery.net/report.php?id=566739
http://urlquery.net/report.php?id=566746
http://urlquery.net/report.php?id=566754

urlVoid
http://urlvoid.com/scan/blog.aumentax.com/

URLscan
http://vscan.novirusthanks.org/analysis/f9a5b76990a28ad669e12c3acf4754d4/aW5kZXg=/
https://www.virustotal.com/file/fec8947917b4ed486aeb8e1aaaae07446848aad23751d114e129dba48f45ca7e/analysis/1356998763/

Hi Pondus,

Thanks for the evaluation. Good that avast flags and blocks the malware that looks to exploit and abuse vulnerable Adobe on a user’s comp when the site is being visited (iFrame malware injection with Blackhole).

polonus

Does avast block this also? http://zulu.zscaler.com/submission/show/88435262c0f6ba52b9e2960678cc0d22-1357851368
See: http://quttera.com/detailed_report/www.rcf.fr
Quttera flags /misc/jquery.js?G
Severity:
Potentially Suspicious
Reason:
Detected potentially suspicious content.
Details:
Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar747113010 = eval;

polonus