IDS alerts - outdated software and Avast detects HTML:Dropper-R [Trj]!

See: https://www.virustotal.com/en/url/8da9ca907cad27e1d2dc2e904c94379697e6a298f204dcbede154a30a93837d4/analysis/1453929529/
Detected: https://www.virustotal.com/en/file/098ff60d78080185bce5414b949559ee85b9f83e90edc84fd5f533ae6fdc049b/analysis/1452979429/
IDS alerts: https://urlquery.net/report.php?id=1453929673709
90/100% malicious: http://zulu.zscaler.com/submission/show/26de511c7c53a6ce1497905aaf89e971-1453929635

Consider: http://119.97.185.179/
Server: Apache HTTP Server 2.2.27 (Outdated)
Operating System: Windows
PHP Version: 5.2.17 (Outdated)
Error text returned by the site: "Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly. Also ensure that cookies are enabled in your browser."

Unique IDs about your web browsing habits have been insecurely sent to third parties. d5fb79cb40414aXXXXXXXXX651ae2ac1a1445965753 → http://toolbar.netcraft.com/site_report?url=http://119.97.185.179

Blacklisted: Google Safe Browse reports Possible infection with malware
Phishtank reports URL not found
Site Advisor reports This link might be dangerous. We tested it and found security risks. Beware.
Apache/2.2.27 Win32 PHP/5.2.17 Windows server 2003…

polonus (volunteer website security analyst and website error-hunter)

Hello

Result of the old detection shown here:

http://killmalware.com/xy3fk.com/plhcfwak

The file is then detected and blocked by Avast:

plhcfwak[1].htm

https://www.virustotal.com/en/file/ca45dbdf5ed0eae7ef631f1d68dea0533380498d6afdb9f301f406c115dbb1b9/analysis/1453932336/

This is a recent malicious link there: -http://xy3fk.com/zhuanjiatuandui/4.html is in the Dr.Web malicious sites list!

Checking: -http://xy3fk.com/templets/xyck/js/newswt.js
File size: 6125 bytes
File MD5: d07fe68a3d976edbbf7cc17f591f8dee

-http://xy3fk.com/templets/xyck/js/newswt.js - archive JS-HTML

-http://xy3fk.com/templets/xyck/js/newswt.js/JSFile_1[0][17ed] - Ok
-http://xy3fk.com/templets/xyck/js/newswt.js - Ok

Checking: -http://xy3fk.com/templets/xyck/js/ask_web.js
File size: 7095 bytes
File MD5: 4af32a1b5ba17cf6820f2a4ae82a47b5

-http://xy3fk.com/templets/xyck/js/ask_web.js - Ok

Checking: -http://xy3fk.com/templets/xyck/js/jquery-1.8.0.min.js
File size: 90.39 KB
File MD5: 3a728460147fb9af7faf0e587b9fbf42

-http://xy3fk.com/templets/xyck/js/jquery-1.8.0.min.js - archive JS-HTML

-http://xy3fk.com/templets/xyck/js/jquery-1.8.0.min.js/JSTag_1[13032][3959] - Ok
-http://xy3fk.com/templets/xyck/js/jquery-1.8.0.min.js - Ok

Checking: -http://xy3fk.com/templets/xyck/js/yunqi.js
File size: 29.92 KB
File MD5: 53b01cdddfee370aaae69e66e99ba8b6

-http://xy3fk.com/templets/xyck/js/yunqi.js - archive JS-HTML

-http://xy3fk.com/templets/xyck/js/yunqi.js/JSFile_1[0][77b1] - Ok
-http://xy3fk.com/templets/xyck/js/yunqi.js - Ok

Checking: -http://xy3fk.com/templets/xyck/js/ycq.js
File size: 2955 bytes
File MD5: bddd47a7e64c74e24481eb00e38e8725

-http://xy3fk.com/templets/xyck/js/ycq.js - archive JS-HTML

-http://xy3fk.com/templets/xyck/js/ycq.js/JSFile_1[0][b8b] - Ok
-http://xy3fk.com/templets/xyck/js/ycq.js - Ok

Checking: -http://s11.cnzz.com/z_stat.php?id=1254112726&web_id=1254112726
File size: 9941 bytes
File MD5: ce19ac1e3b782791dff93a710afc01e7

-http://s11.cnzz.com/z_stat.php?id=1254112726&web_id=1254112726 - archive JS-HTML

-http://s11.cnzz.com/z_stat.php?id=1254112726&web_id=1254112726/JSFile_1[0][26d5] - Ok
-http://s11.cnzz.com/z_stat.php?id=1254112726&web_id=1254112726 - Ok

Checking: -http://xy3fk.com/zhuanjiatuandui/4.html
Engine version: 7.0.17.11230
Total virus-finding records: 6833062
File size: 140.72 KB
File MD5: c32aab3c7313d48f073369d649bb4758

-http://xy3fk.com/zhuanjiatuandui/4.html - archive JS-HTML

-http://xy3fk.com/zhuanjiatuandui/4.html/JSTAG_1[12c3][c8] - Ok
-http://xy3fk.com/zhuanjiatuandui/4.html/JSTAG_2[3aae][436] - Ok
-http://xy3fk.com/zhuanjiatuandui/4.html/JSTAG_3[772b][f5] - Ok
-http://xy3fk.com/zhuanjiatuandui/4.html/JSTAG_4[7916][1b9bf] infected with VBS.Rmnet.2 *
-http://xy3fk.com/zhuanjiatuandui/4.html/JSTag_5[791b][1b9ba] infected with Trojan.Inor **

Reported earlier here: https://forum.avast.com/index.php?topic=152504.0
** 27 examples here: https://vxheaven.org/vl.php?dir=Trojan-Dropper.VBS.Inor

polonus
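A note on reading the Dr.Web lines above: each inline script block is named JSTAG_n[offset][length], and the numbers for 4.html (0x791b + 0x1b9ba is within a few bytes of the 140.72 KB file size) suggest a hex byte offset followed by a hex length. That reading is an assumption on my part, not confirmed by Dr.Web documentation. The script below is an added example and not code from this thread, from Dr.Web or from Avast: it splits a saved copy of a page into its <script> segments the same way, reports them with the same offset/length naming, hashes each segment for lookup on VirusTotal or a local blocklist, flags a few constructed indicators, and cuts out the exact bytes a report line such as "JSTAG_4[7916][1b9bf] infected with ..." points at. SAMPLE_HTML and the INDICATORS patterns are constructed for illustration; the real xy3fk.com page is not reproduced here.

```python
import hashlib
import re

# Constructed sample page (not the real xy3fk.com HTML): four inline <script>
# blocks, one carrying a VBScript stub and one writing an iframe via document.write.
SAMPLE_HTML = b"""<html><head>
<script type="text/javascript">var a = 1;</script>
<script src="/templets/xyck/js/jquery-1.8.0.min.js"></script>
</head><body>
<p>content</p>
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
</script>
<script>document.write("<iframe src=http://example.invalid/x.html>")</script>
</body></html>"""

# One segment per <script ...>...</script> pair, including src-only tags with empty bodies.
SCRIPT_RE = re.compile(rb"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

# Constructed indicators for triage only; these are not Dr.Web or Avast signatures.
INDICATORS = [
    ("vbscript-block", re.compile(rb"language\s*=\s*['\"]?vbscript", re.IGNORECASE)),
    ("createobject", re.compile(rb"CreateObject\s*\(", re.IGNORECASE)),
    ("iframe-via-document.write",
     re.compile(rb"document\.write\s*\(.*?<iframe", re.IGNORECASE | re.DOTALL)),
]

# Matches the JSTAG_n[offset][length] token in a scanner report line (hex, assumption).
JSTAG_LINE_RE = re.compile(r"JSTAG_(\d+)\[([0-9a-f]+)\]\[([0-9a-f]+)\]", re.IGNORECASE)


def split_scripts(html: bytes):
    """Return one record per inline script block, numbered in document order.

    The 'tag' field mimics the scanner naming: JSTAG_n[hex offset][hex length].
    """
    records = []
    for n, m in enumerate(SCRIPT_RE.finditer(html), start=1):
        seg = m.group(0)
        records.append({
            "tag": f"JSTAG_{n}[{m.start():x}][{len(seg):x}]",
            "offset": m.start(),
            "length": len(seg),
            "md5": hashlib.md5(seg).hexdigest(),        # same digest type Dr.Web lists per file
            "sha256": hashlib.sha256(seg).hexdigest(),  # what VirusTotal keys on
            "flags": [name for name, rx in INDICATORS if rx.search(seg)],
            "body": seg,
        })
    return records


def segment_from_report(html: bytes, report_line: str) -> bytes:
    """Cut out the bytes a report line like '.../JSTAG_4[7916][1b9bf] infected ...' refers to."""
    m = JSTAG_LINE_RE.search(report_line)
    if not m:
        raise ValueError("no JSTAG_n[offset][length] token in report line")
    offset, length = int(m.group(2), 16), int(m.group(3), 16)
    if offset + length > len(html):
        raise ValueError("segment lies beyond the end of the saved file")
    return html[offset:offset + length]


if __name__ == "__main__":
    # Print a scanner-style listing for the constructed page.
    for rec in split_scripts(SAMPLE_HTML):
        verdict = "suspicious: " + ", ".join(rec["flags"]) if rec["flags"] else "Ok"
        print(f"sample.html/{rec['tag']} md5={rec['md5']} - {verdict}")
```

Run it against a copy of the page saved with wget or curl (not opened in a browser) and compare the per-segment hashes with the file hashes already on VirusTotal; the JSTAG line from the report then tells you which bytes to pull with segment_from_report for manual inspection instead of deobfuscating the whole 140 KB page.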

This file is no longer available
I have tried to access this website however I couldn’t load the website anymore.

Some of these undetected ones were passed to the analyst, and there were detection examples, but I did not have time to check them all.

This seems the latest there: https://www.virustotal.com/en/file/8fb8890e2411feefb0420c3261975abbc2d67638a65a0a41f7fbe1446d90b67a/analysis/1453934223/
We have detection!

polonus

OK
I see now that this detection was presented on the homepage hxxp:xy3fk.com ; )