I need your opinion.

Hi :slight_smile:

A friend has many links to other websites, but this website (wxxxxw.indomatrix.com) has been blocked by Avast.

http://www.UnmaskParasites.com/security-report/?page=www.indomatrix.com

http://wepawet.iseclab.org/view.php?hash=cd66e8a624b4847ed3201de093d5c964&t=1271171408&type=js

http://www.google.com/safebrowsing/diagnostic?site=www.indomatrix.com/

http://anubis.iseclab.org/?action=result&task_id=11bfd00cc7e0ebc54f5db2ef1767e0f91&format=html

http://scanner.novirusthanks.org/analysis/7c16377d7e10322c5e2221a432ddfe2f/d3d3LmluZG9tYXRyaXguY29t/

What do you recommend?

Have a nice day. :wink:

Looks like the site has been hacked; there is a hidden iframe tag inserted within another tag, a < ul > one (without the spaces).

See VT results and it is pretty clear cut, http://www.virustotal.com/analisis/bec142b892109133f5311f0346cbb106c538ed756b66625420e8ce6ccd224d7c-1271179755 with 17 of 40 scanners detecting something.

This is where the iframe attempts to take you, thedeadpit.com.

See, http://www.mywot.com/scorecard/thedeadpit.com for info.

As far as I understand, this site (indomatrix) is not infected but contains an infected site?

Can you tell me how you checked this website with VT?

Well, check out my image 1, as that clearly shows the inserted iframe tag in the indomatrix.com index/home page, which is pointing to the malicious site. The VT results are for the indomatrix.com home page with that inserted iframe tag.

So to my understanding the site is clearly infected (been hacked) and is trying to access a malicious site; images 2 and 3 show that Avast and Firefox safe browsing consider it a malicious/attack site.

Hi

The hidden link on the page is pointing to a malicious site - thedeadpit dot com.
This site has been infecting 439 domains, e.g.: usmgl.com/, 203.114.105.0/, eva.ge/
For 203.114.105.0 we get 79 pages that have been downloading and installing malcode without user consent. Last time suspicious content was found on this site was on 2010-04-07.
Malicious software includes 268 trojans.

Malicious software has been hosted on 2 domains, e.g.: thedeadpit.com/, internetcountercheck.com/.

This site was hosted on 1 network including AS9737 (TOTNET).
Here it seems clean now:
http://scanner.novirusthanks.org/analysis/6a0a2bd1c04fedb4cb0974acbf878d6c/aW5kZXg=/

polonus
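For site owners who want to check a saved copy of their own page for the kind of hidden, off-site iframe discussed in this thread, here is an added example that is not from any of the posters. The host names `site.example` and `injected.example` and the sample HTML are constructed, and the "hidden" heuristics (0/1-pixel size, `display:none`, `visibility:hidden`, the `hidden` attribute) are assumptions about how such frames are usually concealed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # tags with no end tag
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):  # True for width/height such as "0", "1" or "0px"
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []      # currently open ancestor tags
        self.findings = []   # one dict per hidden iframe that loads another host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            hidden = ("hidden" in a or HIDDEN_STYLE.search(a.get("style", ""))
                      or _tiny(a.get("width")) or _tiny(a.get("height")))
            if hidden and host and host != self.page_host:
                self.findings.append({"src_host": host, "line": self.getpos()[0],
                                      "parent": self.stack[-1] if self.stack else None})
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:  # pop back to the matching tag; tolerate sloppy markup
            while self.stack.pop() != tag:
                pass

def find_hidden_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample: a visible same-site frame plus a hidden off-site one inside <ul>.
SAMPLE = """<html><body>
<iframe src="http://site.example/banner.html" width="468" height="60"></iframe>
<ul><li>Home</li>
<iframe src="http://injected.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</ul></body></html>"""

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE, "site.example"))
```

A finding only says that a concealed frame loads content from another host; compare it against a known-good copy of the page to decide whether it was injected.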