Is it possible that big site like xinhuanet gets infected by a malaware?

system · 2015-07-09T02:13:43.000Z

Any page of photos clicked from the first page of xinhuanet news paper … makes it to be handled by:

http://sinajs.xdwscache.glb0

Or is it that I am infected and the malaware selects some pages of some sites to attack?

Thanks to avast for notifying me … but what is to be done?

Thank you in advance

Pondus · 2015-07-09T06:19:48.000Z

No website is 100% secure, safe today can be hacked tomorrow

What popup warning does avast give?

If you want a computer check, follow instructions here https://forum.avast.com/index.php?topic=53253.0
When requested logs are attached you will get assistance

polonus · 2015-07-09T09:45:18.000Z

I get “{“result”: 0, “verbose_msg”: “Invalid URL”}”. Forking software site: https://www.virustotal.com/nl/domain/1st.xdwscache.glb0.lxdns.com/information/
Online not to be found only in cache: http://webcache.googleusercontent.com/search?q=cache:0JAJR_HdfGoJ:totalhash.com/network/dnsrr:163.xdwscache.glb0.lxdns.com+&cd=2&hl=nl&ct=clnk&gl=nl
Could be infection with tghis trojan: http://software.sonicwall.com/applications/gav/index.asp?ev=v&v_id=1546
Ask an evaluation from one of our qualified malware removers, see instructions: https://forum.avast.com/index.php?topic=53253.0

Windows IP Configuration
    Host Name . . . . . . . . . . . . : PC2011032516xes

    Primary Dns Suffix  . . . . . . . : 

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : kingnet
Ethernet adapter ±¾µØÁ¬½Ó 3:
    Connection-specific DNS Suffix  . : kingnet

    Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet 

    Physical Address. . . . . . . . . : 00-24-1D-0D-EF-8D

    Dhcp Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    IP Address. . . . . . . . . . . . : 192.168.1.111

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.1.1

    DHCP Server . . . . . . . . . . . : 192.168.1.1

    DNS Servers . . . . . . . . . . . : 192.168.1.1

    Lease Obtained. . . . . . . . . . : 2011Äê10ÔÂ6ÈÕ 12:39:35

    Lease Expires . . . . . . . . . . : 2011Äê10ÔÂ7ÈÕ 12:39:35
===========================================================================
Interface List
0x1 … MS TCP Loopback interface
0x2 …00 24 1d 0d ef 8d … NVIDIA nForce Networking Controller - Êý¾Ý°ü¼Æ»®³ÌÐòÎ¢ÐÍ¶Ë¿Ú

===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.111 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.111 192.168.1.111 20
192.168.1.111 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.111 192.168.1.111 20
224.0.0.0 240.0.0.0 192.168.1.111 192.168.1.111 20
255.255.255.255 255.255.255.255 192.168.1.111 192.168.1.111 1
Default Gateway: 192.168.1.1

Persistent Routes:
None

Route Table

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 192.168.1.111:139 0.0.0.0:0 LISTENING
TCP 192.168.1.111:2166 113.108.2.198:443 ESTABLISHED
TCP 192.168.1.111:2192 222.73.76.72:443 ESTABLISHED
TCP 192.168.1.111:2652 59.108.49.92:80 CLOSE_WAIT
TCP 192.168.1.111:2653 59.108.49.85:80 CLOSE_WAIT
TCP 192.168.1.111:2655 121.14.98.192:80 CLOSE_WAIT
TCP 192.168.1.111:2656 117.21.180.4:80 CLOSE_WAIT
TCP 192.168.1.111:2718 220.181.126.44:80 TIME_WAIT
UDP 0.0.0.0:445 :
UDP 0.0.0.0:1047 :
UDP 0.0.0.0:1184 :
UDP 0.0.0.0:1863 :
UDP 0.0.0.0:2149 :
UDP 0.0.0.0:2151 :
UDP 0.0.0.0:2157 :
UDP 0.0.0.0:2158 :
UDP 0.0.0.0:2159 :
UDP 0.0.0.0:2161 :
UDP 0.0.0.0:2163 :
UDP 0.0.0.0:2164 :
UDP 0.0.0.0:2168 :
UDP 0.0.0.0:2316 :
UDP 0.0.0.0:2715 :
UDP 0.0.0.0:2717 :
UDP 0.0.0.0:3600 :
UDP 127.0.0.1:123 :
UDP 127.0.0.1:1032 :
UDP 127.0.0.1:1058 :
UDP 127.0.0.1:1900 :
UDP 127.0.0.1:2172 :
UDP 127.0.0.1:2317 :
UDP 127.0.0.1:2713 :
UDP 192.168.1.111:123 :
UDP 192.168.1.111:137 :
UDP 192.168.1.111:138 :
UDP 192.168.1.111:1900 :
“ping updatefirst.syyx.com”

Pinging 1st.xdwscache.glb0.lxdns.com [119.84.66.17] with 32 bytes of data:

Reply from 119.84.66.17: bytes=32 time=11ms TTL=59

Reply from 119.84.66.17: bytes=32 time=10ms TTL=59

Reply from 119.84.66.17: bytes=32 time=10ms TTL=59

Reply from 119.84.66.17: bytes=32 time=10ms TTL=59

Ping statistics for 119.84.66.17:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 11ms, Average = 10ms
“ping client.syyx.com”

Pinging 06811.xdwscache.glb0.lxdns.com [119.84.66.17] with 32 bytes of data:

Reply from 119.84.66.17: bytes=32 time=11ms TTL=59

Reply from 119.84.66.17: bytes=32 time=10ms TTL=59

Reply from 119.84.66.17: bytes=32 time=11ms TTL=59

Reply from 119.84.66.17: bytes=32 time=11ms TTL=59

Ping statistics for 119.84.66.17:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 11ms, Average = 10ms
"ping update02.syyx.com "

Pinging 1st.dl.glb0.lxdns.com [61.188.186.25] with 32 bytes of data:

Reply from 61.188.186.25: bytes=32 time=21ms TTL=58

Reply from 61.188.186.25: bytes=32 time=21ms TTL=58

Reply from 61.188.186.25: bytes=32 time=21ms TTL=58

Reply from 61.188.186.25: bytes=32 time=23ms TTL=58

Ping statistics for 61.188.186.25:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 23ms, Average = 21ms
Pinging 121.9.245.159 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 121.9.245.159:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Server: UnKnown
Address: 192.168.1.1

Name: 1st.xdwscache.glb0.lxdns.com
Address: 119.84.66.17
Aliases: updatefirst.syyx.com, updatefirst.syyx.com.cdn20.com

Server: UnKnown
Address: 192.168.1.1

Name: 1st.dl.glb0.lxdns.com
Address: 61.188.186.25
Aliases: update02.syyx.com, update02.syyx.com.cdn20.com

Server: UnKnown
Address: 192.168.1.1

Name: 06811.xdwscache.glb0.lxdns.com
Address: 119.84.66.17
Aliases: client.syyx.com, client.syyx.com.cdn20.com

Tracing route to 1st.xdwscache.glb0.lxdns.com [119.84.66.17]

over a maximum of 30 hops:

1 10 ms 10 ms 10 ms 14.104.128.1

2 11 ms 12 ms 11 ms 222.176.20.165

3 11 ms 13 ms 11 ms 222.176.22.14

4 12 ms 12 ms 12 ms 119.84.17.18

5 10 ms 11 ms 10 ms 119.84.79.134

6 11 ms 11 ms 11 ms 119.84.66.17

Trace complete.

Tracing route to 1st.dl.glb0.lxdns.com [61.188.186.25]

over a maximum of 30 hops:

1 26 ms 50 ms 10 ms 14.104.128.1

2 11 ms 38 ms 11 ms 222.176.18.233

3 16 ms 17 ms 17 ms 222.176.9.49

4 21 ms 21 ms 21 ms 222.213.14.53

5 20 ms 20 ms 20 ms 118.121.0.54

6 22 ms 21 ms 21 ms 61.188.186.102

7 23 ms 22 ms 21 ms 61.188.186.25

Trace complete.

“tracert shenyang unicom”

Tracing route to 114.112.48.33 over a maximum of 30 hops

1 10 ms 10 ms 10 ms 14.104.128.1

2 10 ms 10 ms 10 ms 222.176.20.153

3 16 ms 17 ms 16 ms 222.176.9.41

4 62 ms 63 ms 61 ms 202.97.66.33

5 50 ms 50 ms 50 ms 220.181.0.6

6 53 ms 61 ms 63 ms 220.181.70.98

7 91 ms 90 ms 88 ms 220.181.70.190

8 52 ms 52 ms 52 ms 114.112.48.33

Trace complete.

“ping shenyang unicom”

Pinging 114.112.48.33 with 1400 bytes of data:

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=84ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=90ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=87ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=84ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=89ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=86ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Reply from 114.112.48.33: bytes=1400 time=85ms TTL=246

Ping statistics for 114.112.48.33:
Packets: Sent = 40, Received = 40, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 84ms, Maximum = 90ms, Average = 85ms</blockquote>
.达米安
polonus (volunteer website security analyst and website error-hunter)

system · 2015-07-17T15:20:00.000Z

Thank you very much Pondus and Polonus

I attached here the popup warning.

The “logs to assist in cleaning” tells me to open “Malwarebytes Anti-Malware” and you ask me, Pondus, about the popup warning, so before opening it, I rather wait for your answear about the popup.

It is curious that not always the popup appears in the articles or photos of Xinhua and after I move downward the display of an interior page to continue the reading, the pop up may not appear anymore for other pages.

Polonus thank you, any additional clue to interpret and use your information?

Thank you again for your kind help.

polonus · 2015-07-17T22:27:48.000Z

The one site is a malformed IP4 address, the other IP6 address should be: -sinajs.xdwscache.glb0.lxdns.com.sixxs.org (Ghosted).
Suspicious pattern found: http://zulu.zscaler.com/submission/show/099ab821d6856cceea3f0078473670f7-1437171205
→ http://www.allesedv.at/IPv6/host/sinajs.xdwscache.glb0.lxdns.com
→ http://quttera.com/detailed_report/sinajs.xdwscache.glb0.lxdns.com.sixxs.org
Unable to properly scan your site. Site returning error (40x): HTTP/1.1 404 Could not gateway IPv6->IPv4: Empty reply from server
Not in namespace, that means been taken down.
Re: http://isithacked.com/check/sinajs.xdwscache.glb0.lxdns.com.sixxs.org
bad zone: Could not get name servers for ‘sinajs.xdwscache.glb0.lxdns.com.sixxs.org’.

polonus

polonus · 2015-07-17T22:41:51.000Z

The one site is a malformed IP4 address, the other IP6 address should be: -sinajs.xdwscache.glb0.lxdns.com.sixxs.org (Ghosted).
Suspicious pattern found: http://zulu.zscaler.com/submission/show/099ab821d6856cceea3f0078473670f7-1437171205
→ http://www.allesedv.at/IPv6/host/sinajs.xdwscache.glb0.lxdns.com
→ http://quttera.com/detailed_report/sinajs.xdwscache.glb0.lxdns.com.sixxs.org
Unable to properly scan your site. Site returning error (40x): HTTP/1.1 404 Could not gateway IPv6->IPv4: Empty reply from server
Not in namespace, that means been taken down.
Re: http://isithacked.com/check/sinajs.xdwscache.glb0.lxdns.com.sixxs.org
bad zone: Could not get name servers for ‘sinajs.xdwscache.glb0.lxdns.com.sixxs.org’.
Anonymous proxy: https://urlquery.net/report.php?id=1437172173280
Zero Sized Reply - almost like it is blocked. 9 out of 10 red riskstatus: http://toolbar.netcraft.com/site_report?url=http://8.37.231.20
Poodle vulnerable site: http://toolbar.netcraft.com/site_report?url=https://www.quantil.com
Site is not being blocked by Chinese Authorities: http://viewdns.info/chinesefirewall/?domain=http%3A%2F%2Fsinajs.xdwscache.glb0.lxdns.com.sixxs.org%2F
So could it be the other way round, blocked outside mainland China.
Netcraft risk status 9 red out of 10: http://toolbar.netcraft.com/site_report?url=116.255.235.199

polonus (volunteer website security analyst and website error hunter)

Pondus · 2015-07-17T22:47:17.000Z

The "logs to assist in cleaning" tells me to open "Malwarebytes Anti-Malware" and you ask me, Pondus, about the popup warning, so before opening it, I rather wait for your answear about the popup.

as i said above [b]IF[/b] you want a check of your computer, follow instructions in that guide and from the avast popup you attached above, it seems you may have some crap in your computer

the guide will tell you to download Malwarebytes and Farbar Recovery Scan Tool
when you have done a scan with these tools (according to instructions), they will provied scan log(s) … 3 logs total
These logs you attach here for a malware expert to see … he will then give instructions on how to remove any infections, if he see any

system · 2015-07-18T17:27:15.000Z

Thank you very much Pondus.

I did apply the Malaware bytes and had to stop there.

After executing Malaware bytes I went to xinhuanet.com and tested … opening a page from xinhua appeared another pop up -attached it here-, and tried other pages and there were no more pop ups

Then I closed and reopen xinhuanet and did the same … then closed the browser reopened it and entered xinhuanet.com, tried a page from it and no more pop ups in neither cases

I then tried to download FRST at bleepercomputer -as instructed- … but there emerged another pop up detecting “harmful web page file” … that I attached here also

Pondus · 2015-07-18T19:39:54.000Z

I then tried to download FRST at bleepercomputer -as instructed- .. but there emerged another pop up detecting "harmful web page file" .. that I attached here also

yes that is normal, just allow the download .... and attach Malwarebytes log and the two logs from FRST when done

Announcements