Is this forum infected with malware?

Today I was searching for stuff about a Batman comic and through Google image search I got to a forum named “nintenbrony.forumotion.com”. I didn’t seem to get anything weird when visiting the site, but I was a bit curious and decided to check it with a few online URL scanners (VirusTotal, Norton, McAfee SiteAdvisor etc.), but only Sucuri handed me information that the website was infected with malware (which is a little weird, since in VirusTotal Sucuri SiteCheck also showed that the link was safe), and also on SiteAdvisor some malware was seemingly reported by a few of the commenters. Can anyone say anything about this?

I use Adblock and Noscript with Avast Online Security on Firefox.

https://sitecheck.sucuri.net/results/nintenbrony.forumotion.com
https://www.virustotal.com/fi/url/7ebdfdf9eb8eef803a79a53ec3cbd68425c0cb71180eb586561fda7db228bc94/analysis/

The VirusTotal URL scan is a blacklist check only; the Sucuri website scanner will scan the URL for malware (and also do a blacklist check).

http://labs.sucuri.net/db/malware/malware-entry-mwblacklisted35

A suspicious code was identified loading content from a blacklisted domain.

seems the code is not malicious

html scan
https://www.virustotal.com/en/file/f212164ba66f21b26a800dd1ac9ba31bec54ab5ef6e7c14bbf9333c85dab4a1a/analysis/1443630841/

So could it be that Sucuri had some false positives? Thanks for the clarification. :smiley:

probably not …

Sucuri is saying A suspicious code was identified loading content from a blacklisted domain.

Sucuri does not say it is malicious

Probably ads loaded on that site, and they are hosted at a blacklisted URL.

Apparently someone is not doing the job right at the Google/Amazon Ashburn server racks,
because abuse is going on there: a potentially dangerous Request.Path value was detected from the client (<).

Well, the code that is flagged by Sucuri is the Google Asynchronous Tracking Code.
Read on the issues: http://stackoverflow.com/questions/2538252/what-is-var-gaq-gaq-for
So I very much doubt this is malicious; it might be Sucuri misinterpreting what the code does.

But there is more flagged through this scan report and even more serious requests going on:
See: https://urlquery.net/report.php?id=1443631601366
All either Google and/or Amazon related abuse.

Link to GET /cpush HTTP/1.1
Host: -rdcdn.com is flagged. Microsoft-IIS/8.0. The resource cannot be found at these Ashburn racks.
Two errors/fails and two warnings: https://asafaweb.com/Scan?Url=rdcdn.com
A potentially dangerous Request.Path value was detected from the client (<).
GET /ppt?v= HTTP/1.1
Host: -pxgp2.adpredictive.com is flagged, but service seems unavailable. *
http://toolbar.netcraft.com/site_report?url=http://pxgp2.adpredictive.com
GET /engine?site=133518;size=1x1;mimetype=img;du=56;csync=YgYkEJfWjF2S HTTP/1.1
Host: -pbid.pro-market.net is flagged! Google owned. → http://toolbar.netcraft.com/site_report?url=pbid.pro-market.net
ad-blocked: uMatrix has prevented the following page from loading:
-http://pbid.pro-market.net/
GET /contextmatch.php HTTP/1.1
Host: -ck.adohana.com is flagged! → http://toolbar.netcraft.com/site_report?url=ck.adohana.com
Bad web rep: https://www.mywot.com/en/scorecard/ck.adohana.com?utm_source=addon&utm_content=rw-viewsc

See this report: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fnintenbrony.forumotion.com%2Fportal&useragent=Fetch+useragent&accept_encoding=

polonus (volunteer website security analyst and website error-hunter)

From this you see the misconfiguration at the server with the potentially dangerous request detected.
This should never be returned:

This excessive error-info proliferation goes out to the world and to attackers. With this server properly secured this sensitive information would not be spread.

polonus

Pardon my not perfect English/script coding understanding skills, but I didn’t really manage to catch what polonus meant. :-[

Hi Pernaman,

The technical details of this may go over your head a bit, but there are certainly folks here that understand what I mean to say. What I meant is that the forum website seems OK, but external links are hosted on servers where, to say it politely, IT staff did not do an outstanding job. Error messages from the server were returned spreading info that could mean insecurity. Everyone that has read the server manuals would have known what to do to have that server behave properly.
With the right server configuration this info would never get out and would not mean a security issue.

To say it in a few words the forum website is not to blame, those that monitor or host it should do a better job.
We see this a lot today because owners are no longer willing to pay IT staff decently, and then you are left with incompetence (and insecurity). Sign of the times.

polonus

Thanks for explaining the subject a bit further.

I did some research of my own, and on McAfee SiteAdvisor there were comments on how other sites under forumotion.com seemed to have identical results from Sucuri, having “malware-entry-mwblacklisted35”. Here are also some user comments from SiteAdvisor: https://www.siteadvisor.com/sites/msgpage/page1/nintenbrony.forumotion.com

I hope we can get some clarification from this soon. I’m off to bed now.

EDIT: https://sitecheck.sucuri.net/results/gameraterz.forumotion.com/

Hi Pernaman,

Have a good night’s rest. Yes, they certainly should ask those at Amazon/Google that keep these websites in the air, partly via their data centers, to monitor what is going on. I could trace part of it back, as far as I could see here, to some racks in the Ashburn Data Center, Virginia. But as I have it right, we see an awful lot of click-traffic coming from that place, and they had a fire last January, so the circumstances weren’t that ideal either; but that is no excuse for sloppy service. They should come up with some answers.

polonus

Reply from F-Secure lab

============================
Clean, nothing malicious found.

Hi Pondus,

That makes sense, as the script flagged by Sucuri is not malicious as such:
var _gaq, the Google Asynchronous Tracking Code.

I said that already earlier, all I am left with is

Link to GET /cpush HTTP/1.1
Host: -rdcdn.com is flagged. Microsoft-IIS/8.0. The resource cannot be found at these Ashburn racks.
Two errors/fails and two warnings: https://asafaweb.com/Scan?Url=rdcdn.com
A potentially dangerous Request.Path value was detected from the client (<).
GET /ppt?v= HTTP/1.1
Host: -pxgp2.adpredictive.com is flagged, but service seems unavailable. *

If there was a threat out there, it is no longer available. What remains is the server misconfigurations found here:
Server: Microsoft-IIS/8.0 | X-Powered-By: Unknown | X-AspNet-Version: 4.0.30319 | X-AspNetMvc-Version: 4.0 | Web forms app: No | ASP.NET site: Yes | ASP.NET version: 4.0.30319.34212 | 5 requests were made by ASafaWeb:
URL Page title Response size Duration

  1. http://rdcdn.com/ The resource cannot be found. 3,181 bytes 14 ms
  2. http://rdcdn.com/trace.axd Trace Error 3,334 bytes 7 ms
  3. http://rdcdn.com/< A potentially dangerous Request.Path value was detected from the client (<). 3,809 bytes 5 ms
  4. http://rdcdn.com/elmah.axd 404 - File or directory not found. 1,245 bytes 2 ms
  5. http://rdcdn.com/elmah 403 - Forbidden: Access is denied. 1,233 bytes 29 ms
    12,802 bytes 57 ms
    Tracing: Pass
    Custom errors: Fail
    Stack trace: Fail
    Request validation: Not tested
    HTTP to HTTPS: Pass
    Hash DoS patch: Pass
    ELMAH log: Pass
    Excessive headers: Warning
    HTTP only cookies: Pass
    Secure cookies: Pass
    Clickjacking: Warning
    View state MAC: Not tested

and all that does not need to influence that forum website.

What remains at that website is just what a normal adblocker would block also.

Naturally the folks at that Microsoft-IIS/8.0 server running linux should remedy that server’s misconfiguration(s), but that should not give headaches to the victim. :wink:

Just added this: http://mxtoolbox.com/domain/rdcdn.com/ very contradictory to this report:
http://dnscheck.sidn.nl/?time=1443653355&id=1830765&view=basic&test=standard
HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
http://toolbar.netcraft.com/site_report?url=http://rdcdn.com
HTTP Server: IIS 8.0
Operating System: Windows Server 2012
ASP.NET Version: 4.0.30319
Nameserver delegation error: http://dnscheck.sidn.nl/?time=1443653999&id=1830767&view=basic&test=standard
Delegation not found at parent.

polonus
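The ASafaWeb results polonus quotes above (custom errors: Fail, stack trace: Fail, excessive headers and clickjacking: Warning) can be checked for on any ASP.NET host by looking at one error response. The script below is an added example, not code from this thread, from Sucuri, or from ASafaWeb; it audits a captured HTTP response for the three things the scan complained about: version-disclosing headers (Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version), the default ASP.NET error page text reaching a remote client (customErrors off), and the absence of clickjacking protection. The two sample responses at the bottom are constructed for the example: the leaky one is modelled on the headers and the "potentially dangerous Request.Path value" text quoted in the thread, and the hardened one shows what the same 400 response should look like after the server is configured properly. The function name `audit_response` and the marker lists are this example's own choices.

```python
"""Audit an HTTP response for ASP.NET information leaks and missing hardening.

Added example for this thread; the sample responses are constructed, not captured.
"""

# Response headers that disclose server / framework versions. None of them is
# needed by a browser, and each one narrows an attacker's search for exploits.
VERSION_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
)

# Text fragments from the default ASP.NET "yellow screen of death". Seeing any of
# them in a response to a remote client means customErrors is off (or the
# custom error page itself is failing), which is what the "Custom errors: Fail"
# and "Stack trace: Fail" results in the scan stand for.
VERBOSE_ERROR_MARKERS = (
    "A potentially dangerous Request.Path value was detected",
    "Server Error in '",
    "Stack Trace:",
    "[HttpException",
)


def audit_response(status, headers, body):
    """Return a list of findings (strings) for one HTTP response.

    status:  integer status code
    headers: dict of header name -> value (looked up case-insensitively)
    body:    response body as text
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    # 1. Excessive headers: anything that names a product or version.
    for name in VERSION_HEADERS:
        if name in h:
            findings.append(f"excessive header: {name}: {h[name]}")

    # 2. Verbose error pages: framework error text on an error response.
    if status >= 400 and any(marker in body for marker in VERBOSE_ERROR_MARKERS):
        findings.append(
            "verbose error page: ASP.NET error text reached the client "
            "(customErrors is off or RemoteOnly is not in effect)"
        )

    # 3. Clickjacking: neither X-Frame-Options nor a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")

    return findings


# Constructed sample 1: modelled on the rdcdn.com response quoted in the thread
# (IIS 8.0 banner, ASP.NET version headers, request-validation error page).
LEAKY_RESPONSE = (
    400,
    {
        "Server": "Microsoft-IIS/8.0",
        "X-AspNet-Version": "4.0.30319",
        "X-AspNetMvc-Version": "4.0",
        "Content-Type": "text/html; charset=utf-8",
    },
    "<html><body><h1>Server Error in '/' Application.</h1>"
    "<h2>A potentially dangerous Request.Path value was detected from the "
    "client (&lt;).</h2>Stack Trace: ...</body></html>",
)

# Constructed sample 2: the same request against a hardened configuration.
HARDENED_RESPONSE = (
    400,
    {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    },
    "<html><body><h1>Bad request</h1></body></html>",
)

if __name__ == "__main__":
    for label, response in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {len(audit_response(*response))} finding(s)")
        for finding in audit_response(*response):
            print("  -", finding)
```

On the server side the findings map to a few web.config settings: `<customErrors mode="On">` (or `RemoteOnly`) under `<system.web>` stops the yellow-screen text and stack traces from leaving the box, `<httpRuntime enableVersionHeader="false" />` drops X-AspNet-Version, `<trace enabled="false" />` closes trace.axd, and `<httpProtocol><customHeaders>` under `<system.webServer>` can remove X-Powered-By and add X-Frame-Options. The Server banner on IIS 8 needs an outbound URL Rewrite rule or an HttpModule to strip; none of this touches the forum site itself, only the ad host.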

So I guess we are clear then?

Probably, but I still get two suspicious items there:
One on a hidden iFrame scan:
Suspicious

');

and another on a Javascript check:
Suspicious

ata[ function at_adfillslot(){document.write(‘’);}//]]> </scrip…

This is for Promofly Discount coupons tool - not reported as malicious as such, could be adware?
http://toolbar.netcraft.com/site_report?url=http://delnapb.com

The remaining threat could be all that goes to -www.illiweb.com is flagged. I do not see it.

Re: http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.forumotion.com/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO