Infinite picture blocked in a few Chinese websites...

False positive or not?
Domain: hxxp://img.58cdn.com.cn/
VT: https://www.virustotal.com/zh-tw/url/bc3eb21bd89752628293932d3132cb88125372f67de9723c40ff9a170777f320/analysis/1411832643/
I downloaded an htm file that contains picture content loaded from that domain and scanned it on virscan.org.
Avast does not detect it, not even Qihoo 360, unlike 4399.com and 9669.com:

  1. http://r.virscan.org/report/d5a8f64c9d933bf94137f2d652d6295e
  2. http://r.virscan.org/report/b276c0f0e942eade2f616e5024a3b5c3
  3. http://r.virscan.org/report/ed111ca8f5ffb03f49c50554b77e908d
  4. http://r.virscan.org/report/3b5def8dfeb7fac4f3866b58e96b5d0e
  5. http://r.virscan.org/report/98613f92792a866740bfd01d8c6e195d

A Google search for “img.58cdn.com.cn” reveals a lot of websites loading images from this domain.

Found a description of the problem (in Chinese) and a sample popup here: http://tieba.baidu.com/p/3309059968

PS: I don’t know, but I got some kind of inbound malware site connection blocked by Malwarebytes shortly after downloading the htm file, with the process svchost, as shown in the attached picture. Is it a hacker trying to connect or malvertising trying to get in?

http://sitecheck.sucuri.net/results/img.58cdn.com.cn
http://zulu.zscaler.com/submission/show/01fc8a0712276d22f2b362d703af2a99-1411833626

The IP blocked by Malwarebytes is blacklisted by apews.org:

Oooops 80.82.78.166 is currently listed in APEWS :-( Entry matching your Query: E-898313 80.82.78.0/24 CASE: C-1416 Spammer or scammer or scanner or zombie PC or other within this CIDR. History: Entry created 2013-12-13

Metascan: https://www.metascan-online.com/en/ipscan/ODAuODIuNzguMTY2

Malwarebytes info to read:
https://blog.malwarebytes.org/development/2013/05/oh-the-sites-you-will-never-see/

Stay away folks, and it is good that it is being blocked.
You, rickyyeung, deserve some extra bonus points for raising these questions and for the general heads-up on this. You are a responsible user of the Interwebs and we should praise your attentiveness
and your help towards a secure internet in mainland China as hosted in the USA. :wink: :stuck_out_tongue:

IP badness history: https://www.virustotal.com/nl/ip-address/203.130.61.21/information/
See: http://urlquery.net/report.php?id=1411833873600

The site you mention is an ops-wan-proxy2-2.
Better stay away as the site is likely compromised. The service fingerprint it returned (the escaped bytes are GBK-encoded Chinese, decoded and translated in brackets below):

错误 [Error]
您所请求的网址（URL）无法获取 [The URL you requested could not be retrieved]

Invalid Request
无效的请求 [Invalid request]

Missing or unknown request method
缺少请求方式或未知的请求方式 [Missing or unknown request method]

Missing URL
缺少网址 [Missing URL]

Missing HTTP Identifier (HTTP/1.0)
缺少 HTTP 标识（HTTP/1.0） [Missing HTTP identifier (HTTP/1.0)]

Request is to

and likewise patterns of this caused by an empty icon are found. I won’t go into details, but some cleansing should be done ASAP by the guys from 54994 (MILEWEB, INC.) and those of WANGSU-US - Chinanetcenter (USA), US for the 203.130.61.17-BJ-CNC site compromised in Tianshui, Mainland China.

polonus
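The fingerprint quoted in polonus's reply is nmap's `-sV` service-fingerprint format: continuation lines prefixed with `SF:`, bytes escaped as `\xNN`, and an escape sequence may be split across two lines (`...request\x` / `SF:20method`). The following is an added example, not code from the thread or from nmap, that joins such lines, restores the raw bytes and decodes them as GBK so the Chinese proxy error text becomes readable. The sample input is constructed from the fragment quoted above; the `SF:` prefixes and line breaks are assumed to follow nmap's layout.

```python
import re
from typing import List

# Constructed sample input: the fingerprint fragment quoted in the post above,
# laid out with nmap's "SF:" continuation prefixes. Note the escape that is
# split across two lines ("...request\x" followed by "SF:20method").
SAMPLE_FINGERPRINT = r"""SF:\n\n\x20\n\n\n\n\xb4\xed\xce\xf3\n
SF:\xc4\xfa\xcb\xf9\xc7\xeb\xc7\xf3\xb5\xc4\xcd\xf8\xd6\xb7\xa3\xa8URL
SF:\xa3\xa9\xce\xde\xb7\xa8\xbb\xf1\xc8\xa1\n\n\nInvalid\x20Request\n
SF:\n\xce\xde\xd0\xa7\xb5\xc4\xc7\xeb\xc7\xf3\n\nMissing\x20or\x20unknown\x20request\x
SF:20method\n\xc8\xb1\xc9\xd9\xc7\xeb\xc7\xf3\xb7\xbd\xca\xbd\xbb\xf2
SF:\xce\xb4\xd6\xaa\xb5\xc4\xc7\xeb\xc7\xf3\xb7\xbd\xca\xbd\n"""

# One \xNN hex escape, or one of the single-character escapes nmap emits.
_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|\\([nrt\\\"])")
_SIMPLE = {"n": b"\n", "r": b"\r", "t": b"\t", "\\": b"\\", '"': b'"'}


def join_fingerprint(text: str) -> str:
    """Strip the SF: prefixes and concatenate the continuation lines.

    Joining *before* unescaping is what makes a split "\\x" + "20" survive.
    """
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SF:"):
            parts.append(line[3:])
    return "".join(parts)


def unescape_to_bytes(escaped: str) -> bytes:
    """Turn the escaped fingerprint string back into the raw bytes the service sent."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(escaped):
        out += escaped[pos:m.start()].encode("latin-1")  # literal ASCII run
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            out += _SIMPLE[m.group(2)]
        pos = m.end()
    out += escaped[pos:].encode("latin-1")
    return bytes(out)


def decode_fingerprint(text: str, encoding: str = "gbk") -> List[str]:
    """Return the non-empty lines of the fingerprint decoded as `encoding`.

    GBK is assumed because the error page is from a mainland-Chinese proxy;
    undecodable bytes are replaced rather than raising, so a partial
    fingerprint still yields readable output.
    """
    raw = unescape_to_bytes(join_fingerprint(text))
    decoded = raw.decode(encoding, errors="replace")
    return [ln.strip() for ln in decoded.splitlines() if ln.strip()]


if __name__ == "__main__":
    for line in decode_fingerprint(SAMPLE_FINGERPRINT):
        print(line)
```

Run stand-alone it prints the decoded error page, alternating Chinese and English lines ("错误", "您所请求的网址（URL）无法获取", "Invalid Request", ...). Because the join happens before unescaping, the `request\x` / `SF:20method` split is reassembled into the space it stands for instead of producing a stray backslash.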