No other anti-virus apps complain about it except Avast
(Using latest defs and prog)
Thank you,
Any help appreciated
Hi joeavastuser987,
See http://zulu.zscaler.com/submission/show/de58024f9f6fc4da2762010b1ba57c25-1340398297 Elevated risk.
Sucuri http://sitecheck.sucuri.net/results/mycloud-java.com Site with warnings.
yea - that’s about as far as I got investigating it.
Not sure if it is because they deny access to all the online scanners so they think it is safe
or if there is a real problem with site that only Avast knows about?
How can I get more details?
How can I get more details? by doing more scans ;)
what info do you want …not much to get here as the site is down http://www.downforeveryoneorjustme.com/mycloud-java.com
urlQuery http://urlquery.net/report.php?id=74004 click picture in top right corner
Could you attach the .jpg of the Avast warning box? Still do not know what the exact alert is/was.
I ran it through everything I can find on the internet yesterday
From what I could tell they all got the 403 error so assume the online stuff was getting blocked before they could investigate
Only Avast complained - so would like to know more info on why Avast alerts on it
Infection Details
URL: http://www.mycloud-java.com/gate.php?v
Process: C:\Program Files\Mozilla Firefox\firefox…
Infection: URL:Mal
Hi joeavastuser987,
Here are the details as far as I could establish for you.
Content after the < /html> tag should be considered suspicious.
8: < !-- a padding to disable MSIE and Chrome friendly error page -->
9: < !-- a padding to disable MSIE and Chrome friendly error page -->
10: < !-- a padding to disable MSIE and Chrome friendly error page -->
11: < !-- a padding to disable MSIE and Chrome friendly error page -->
12: < !-- a padding to disable MSIE and Chrome friendly error page -->
13: < !-- a padding to disable MSIE and Chrome friendly error page -->
avast Networkshield flags as URL:Mal (a general detection for access to malicious sites that is being blocked)
Blocked because this is a declared scammer account, and avast still blocks the site because malware previously resided here:
htxp://www.mycloud-java.com/gate.php?v=361 (found detections for that malware elsewhere and recently reported here)
This malware for this domain has been dead since 2012-06-22 04:31:04, that is why we now will get a “HTTP/1.1 403 Forbidden” (provided by hoster),
avast still blocks via Networkshield, that is why avast is still blocking this site,
polonus
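An added example, not part of any post in this thread: one way to triage content after the closing html tag, separating comment-only padding like the lines quoted above from trailing markup that can load or run something. The function name, the tag list and both sample bodies are constructed assumptions.

```python
import re

CLOSE_HTML = re.compile(r"<\s*/\s*html\s*>", re.IGNORECASE)
COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
# Markup that can load or run something; searched inside comments too,
# because IE conditional comments can wrap live tags.
ACTIVE = re.compile(r"<\s*(script|iframe|object|embed|meta|form)\b|javascript:",
                    re.IGNORECASE)

def classify_trailer(html):
    """Classify whatever follows the last </html> in a response body."""
    closes = list(CLOSE_HTML.finditer(html))
    if not closes:
        return "no-closing-tag"
    tail = html[closes[-1].end():]
    if not tail.strip():
        return "clean"
    if ACTIVE.search(tail):
        return "active"          # trailing tag that loads or runs code: review by hand
    if not COMMENT.sub("", tail).strip():
        return "comments-only"   # inert padding, nothing a browser would execute
    return "other-text"

# Constructed sample: a 403 body followed by six padding comments like those quoted above.
PAD = "<!-- a padding to disable MSIE and Chrome friendly error page -->\n"
PADDED_403 = ("<html>\n<head><title>403 Forbidden</title></head>\n"
              "<body><h1>403 Forbidden</h1></body>\n</html>\n" + PAD * 6)

# Constructed sample: a script tag appended after the closing tag (placeholder host).
APPENDED = ("<html><body>ok</body></html>\n"
            '<script src="http://example.invalid/placeholder.js"></script>')

if __name__ == "__main__":
    for name, body in (("padded 403", PADDED_403), ("appended script", APPENDED)):
        print(name, "->", classify_trailer(body))
```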
Thanks much for the help! -Polonus
And there is more…
This was the related spammer for that IP
maltibbies AT hotmail dot com (search) La Place, La 184.82.172.2 SM*LL SIZE M A L T E S E P * P P I E S
These scams are pre-texts to infect with malware (e.g. Zeus)
We also had this launched from: htxp://www.jscript-cloud.com/gate.php?v=384 as for htxp://www.jscript-cloud.com/gate.php?v=361
So that malcode was continuously being launched from 184.82.172.2
That was the purpose of that malcode scam campaign, now being halted in its tracks,
polonus
Thanks for the update
please keep us informed
http://forums.pcper.com/showthread.php?p=4532504#post4532504
If I recall this is the sign of previous (if not current) code injection.
Wish I knew
from the forums.pcper.com page source
seems to be part of quantcast advertising
=============================
Have no clue what is supposed to happen with above code
so maybe you can explain it for us laymen
(Edit : changed to htxp)
It is unwise to post code in the topic; use an image example, not code (see image, which you can use for your example code), as code could result in avast alerting in the topic and no one being able to access it.
As and when it is necessary to post links to suspect sites - change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
See http://www.mywot.com/en/scorecard/pixel.quantserve.com user tracking.
Please remove the code example and use an image.
I see - so it all comes down to user tracking by quantserve /quantcast
not as big a deal as first imagined - depending on your views of user tracking ofc
I believe that is so but I can’t say why the other mycloud-java.com/gate.php?v=361 link does as it is using an active php page and inputting variables.
I really appreciate all the help explaining what is going on …you guys rule!
Now you know Avast! rules, and that this was not a fp. Nice to know.