See: http://zulu.zscaler.com/submission/show/f2fd0a397066e4649aacd079b7581c57-1360332954
and
http://sitecheck.sucuri.net/results/rubashkoff.ru/administrator/bannerkw3j.php
and
https://www.virustotal.com/url/6e38c7b0b591795330251adce8e77a7f38c9acea2ad020c9dfa4d771bfd1caff/analysis/1360332794/
nothing here: http://urlquery.net/report.php?id=961407
IP flagged here: https://zeustracker.abuse.ch/monitor.php?ipaddress=195.208.1.102
Malware active there from 2013-02-08 01:00:59
detected log:
<meta http-equiv="refresh" content="5;url=download.php">
<title>Adobe - У��анови�� Adobe Flash Player</title>
returned on request: 1: FreeBSD10+cfcd208495d565ef66e7dff9f98764da (/modules/wp/installwx1.php)
There are known issues installing ports on FreeBSD 10+ due to
bogus assumptions by various build scripts. This will not be fixed
until 9-RELEASE is released. (credit goes to freebsd’s Armin Pirkovitsch) → Syntax error: word unexpected -
polonus
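The "detected log" quoted above (a meta refresh to download.php on a page titled as an Adobe Flash Player installer) is the classic fake-installer landing page. The following added example, which is not code from the thread or from any of the scanners linked here, shows how a defender can pull those two indicators out of fetched HTML with only the standard library: the meta refresh target and the page title are collected, and the page is rated "suspicious" when a refresh points at a script or binary or the title imitates an installer. The thresholds and the indicator names are this example's own assumptions; the sample HTML is constructed to mirror the two quoted lines.

```python
import re
from html.parser import HTMLParser

# Constructed sample, modelled on the two lines quoted in the post above
# (a meta refresh to download.php plus a Flash Player title); not real page content.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5;url=download.php">
<title>Adobe - Install Adobe Flash Player</title>
</head><body><p>Loading...</p></body></html>"""

# Refresh targets with these suffixes deliver a script/binary instead of a page (assumed list).
SCRIPT_OR_BINARY = (".php", ".exe", ".zip", ".jar", ".scr")


class _Collector(HTMLParser):
    """Collects <meta http-equiv="refresh"> targets and the <title> text."""

    def __init__(self):
        super().__init__()
        self.refresh_targets = []
        self.title_parts = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "5;url=download.php" or "0; URL='/home.html'"
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self.refresh_targets.append(m.group(1).strip())
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def inspect_page(html: str) -> dict:
    """Return refresh targets, title, the indicators hit and a coarse verdict."""
    c = _Collector()
    c.feed(html)
    title = "".join(c.title_parts).strip()
    indicators = []
    if c.refresh_targets:
        indicators.append("meta_refresh_redirect")
    if any(t.lower().split("?")[0].endswith(SCRIPT_OR_BINARY) for t in c.refresh_targets):
        indicators.append("refresh_to_script_or_binary")
    if re.search(r"flash\s*player|adobe", title, re.I):
        indicators.append("fake_installer_title")
    # A redirect alone is common on benign pages; combine it with a second signal.
    suspicious = "meta_refresh_redirect" in indicators and len(indicators) > 1
    return {
        "refresh_targets": c.refresh_targets,
        "title": title,
        "indicators": indicators,
        "verdict": "suspicious" if suspicious else "clean",
    }


if __name__ == "__main__":
    print(inspect_page(SAMPLE_HTML))
```

Run it against the HTML returned by a sandboxed fetch (urlquery, zulu and the like already store the body); the function never follows the redirect, it only reports where the page would send a visitor.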
I think it is a suspicious banner php being flagged here, considering: index.php?gmode=index&guild_id=47413]
htxp://img527.imageshack.us/img527/6771/bannerkw3.jpg for Kashimashi guild…
we can check this here: http://www.phpkode.com/source/p/afterlogic-webmail-lite-php/webmail/lang/Ukrainian.php
polonus
Another one here: https://www.virustotal.com/url/60d4af35339802d5803dad7d426148490ba037535f16098cb7675f56f1758b1b/analysis/1360336526/
Content returned: Linux10+cfcd208495d565ef66e7dff9f98764da
Multiple hacks described here: http://wordpress.org/support/topic/site-hacked-multiple-times (link post author = AlisonMooreSmith)
existing PHP spam script description: http://www.webhackblog.com/2011/10/phpspam-sm3-script/ (been uploaded to root folder to send spam)
Bad webhost report: http://www.scumware.org/report/115.47.68.46
Blackhole 2 galore: http://urlquery.net/report.php?id=838792
What we surely have is a compromised server due to holes in a web application combined with bad security settings, that should be nuked and rebuilt -
could be checked with this: http://ideone.com/9gfjDd
polonus
system, February 8, 2013, 4:03pm
Hi Dim@rik,
Thank you for checking this out and the additional info. Sometimes avast even flags a third party scan, like this one: htxp://urlquery.net/report.php?id=963105
[gzip] for JS:Decode-JR[Trj] in the browser executable… JS/Expack.VU.1 and JS/RunForest.C.1 both actively spread from that site… avast detects as JS:Agent-ADY [Trj] as you have seen this before and reported in this thread: http://forum.avast.com/index.php?topic=106428.0
As recently experienced over and over, some form of exploit kit code…
polonus
This site has many issues and many IDS alerts, see: http://urlquery.net/report.php?id=968350
That is why it has been blocked by Google Safebrowsing.
URL: htxp://khachsannhatrang.net
Redirects: 301 → htxp://vibewpav.ru/count24.php
details: http://www.google.com/safebrowsing/diagnostic?site=khachsannhatrang.net
see: http://zulu.zscaler.com/submission/show/5c31867e2c9f6ff1358109628367c65f-1360415272
and https://www.virustotal.com/url/5ba6aa0eb0da3072c68354683959f096c14a5c15ed141ec19814aff6f974dbd3/analysis/
The sucuri report for the site at htxp://sitecheck.sucuri.net/results/khachsannhatrang.net/
is blocked by avast Web Shield for JS:Agent-AZU[Trj]
Potentially suspicious: /js/Menu.js
Severity:
Potentially Suspicious
Reason:
Detected procedure that is commonly used in suspicious activity.
Details:
Too low entropy detected in string [[‘%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbsp;%26nbs’]] of length 2436 which may point to obfuscation or shellcode. (according to me normal benign code used for slide sharing - pol)
/themes/hv_nhatrang/images/sep-search.gif
Severity:
Potentially Suspicious
Reason:
Suspicious JavaScript code injection.
Details:
Detected hidden potentially suspicious procedure [replace]
Conditional redirect found: Location: htxp://vibewpav.ru/count24.php
The location line in the header above has redirected the request to: htxp://vibewpav.ru/count24.php
given as benign: http://www.avgthreatlabs.com/sitereports/domain/vibewpav.ru/count24.php
Flagged here: http://sitecheck.sucuri.net/results/vibewpav.ru/
because of → http://labs.sucuri.net/?blacklist=vibewpav.ru
But IDS alert for Detected a TDS URL pattern, see here: http://pastebin.com/Sj22HbWb/ (example code from 2011 by anonymous)
see alerted here: http://urlquery.net/report.php?id=968502
Well all in all, we are being protected as avast Web Shield will protect us from connecting there!
polonus
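The sucuri finding quoted above ("Too low entropy detected in string ... of length 2436 which may point to obfuscation or shellcode") and polonus's remark that the string is benign slideshow padding illustrate how an entropy heuristic behaves on real pages. The added example below is not sucuri's code or anything from this thread; it extracts long string literals from JavaScript source, computes their Shannon entropy in bits per character, and labels them low (repetition or padding, as with the &nbsp; run), high (packed or encoded payload) or normal. The min_len and the 3.5/5.5-bit thresholds are this example's own assumptions, and the JavaScript sample is constructed: a repeated `%26nbsp;` run, a seeded pseudo-random base64-alphabet blob, and a plain English help string.

```python
import math
import random
import re
from collections import Counter

# Single- or double-quoted JS string literals (escapes allowed; template strings ignored).
_STRING_LITERAL = re.compile(r"'((?:\\.|[^'\\])*)'" + r'|"((?:\\.|[^"\\])*)"')

LOW_BITS, HIGH_BITS = 3.5, 5.5  # assumed thresholds, not the values any scanner uses


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def classify(bits: float) -> str:
    """Map an entropy value onto the three buckets used in the report."""
    if bits < LOW_BITS:
        return "low"      # padding/repetition: often benign markup, sometimes obfuscation
    if bits > HIGH_BITS:
        return "high"     # near-uniform symbol use: packed, encrypted or encoded data
    return "normal"


def scan_js(source: str, min_len: int = 256) -> list:
    """Report every string literal of at least min_len characters with its entropy."""
    findings = []
    for m in _STRING_LITERAL.finditer(source):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if len(lit) < min_len:
            continue
        bits = shannon_entropy(lit)
        findings.append({
            "offset": m.start(),
            "length": len(lit),
            "entropy": round(bits, 3),
            "preview": lit[:32],
            "verdict": classify(bits),
        })
    return findings


# Constructed sample JavaScript (not from any real site).
_rng = random.Random(20130208)  # fixed seed so the blob is reproducible
_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_HELP = ("Use the arrow keys to move between slides, press space to pause the "
         "slideshow and press escape to return to the thumbnail view. ")
SAMPLE_JS = (
    "var pad = '" + "%26nbsp;" * 300 + "';\n"                       # 2400 chars, 8 symbols -> 3.0 bits
    "var blob = \"" + "".join(_rng.choice(_B64) for _ in range(512)) + "\";\n"
    "var help = \"" + _HELP * 3 + "\";\n"
    "var tiny = 'ok';\n"                                             # below min_len, skipped
)


if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"offset={f['offset']:5d} len={f['length']:5d} "
              f"entropy={f['entropy']:.3f} {f['verdict']:6s} {f['preview']!r}")
```

Low-entropy hits deserve a look at the preview rather than an automatic block: the repeated `&nbsp;` string scores only 3.0 bits because it cycles through eight characters, exactly the pattern the scanner called "too low entropy", yet it is plain layout padding. High-entropy literals next to an eval, unescape or replace call are the ones worth unpacking in a sandbox.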