Another detection Up(nil): unknown_html_RFI_eval RIPE RU abuse at yandex dot ru 213.180.204.46 to 213.180.204.46 narod dot ru htxp://narod.ru/disk/54550387001.6c5f571d860d8fe5601f1a090e9ec359/FortiClient_Help_ru.zip.html
Error: Supplied URL could not be fetched.Error: Supplied URL could not be fetched.
On hxtp://css.yandex.net/css/narod/disk/jquery.comments.js?v5 there is eval(function(p,a,c,k,e,r) code found…also on: htxp://narod.ru/js/jquery.flash.js
IDS flagged earlier for
3 FILEMAGIC Macromedia Flash data (compressed), all closed/dead after a maximum of 2.2 hrs…
See two detections here:
https://www.virustotal.com/url/d8d8762927ca30a50ea65e1e9947f4e890932d717641bf4f741c6ff80f598326/analysis/1358714646/
see the suspicious code image attached…also see:
http://anubis.iseclab.org/?action=result&task_id=1d8085d7890903be4e5e6273c47a743f7
polonus
Pondus
January 20, 2013, 8:57pm
2
Hi Pondus,
What about this? https://www.virustotal.com/url/d8d8762927ca30a50ea65e1e9947f4e890932d717641bf4f741c6ff80f598326/analysis/1358714646/
and this? http://zulu.zscaler.com/submission/show/1828800622c93e67bc39559fa6ec5a8d-1358714051
see: htxp://jsunpack.jeek.org/?report=dd2ca3df05b97001d02ebb0b56a8b25dee92759e (for the security aware only -view with NoScript active and in a VM)
Or is this just obfuscated eval packer protection for the yandex tracking script code, which is suspicious but benign…
polonus
Pondus
January 20, 2013, 9:19pm
4
well Zulu is suspicious to Russian IP and server
Geo-location Risk Risk associated with country location of server: RU (Russia)
Zscaler IP Reputation IP address has been identified as risky by one/more sources
Comodo site inspector http://siteinspector.comodo.com/public/reports/8831440
The only issue was that the start url was directed to another page of the website: http://narod.yandex .
And again I get a
Error: Supplied URL could not be fetched.Error: Supplied URL could not be fetched
generated DOM source from there is
<html><head></head><body></body></html>
nothing more…
href, location & data found as sinks in the code,
polonus
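The eval(function(p,a,c,k,e,r){...}) block found in jquery.comments.js is the output of the Dean Edwards JavaScript packer, which is widely used on benign sites as well as by malware, so the packed form alone says little about intent. The following is an added example, not code from this thread or from the yandex/narod scripts: it reverses that packer format statically (no eval), then lists which common DOM sink names (the href/location kind noted above) appear in the recovered source so an analyst can decide what to look at. The packed sample and the sink list are constructed for the example and are assumptions, not data taken from the site.

```javascript
// Added example (not from the thread or from the yandex/narod scripts):
// static unpacker for the Dean Edwards "p,a,c,k,e,r" format found in
// eval(function(p,a,c,k,e,r){...}) blocks, plus a scan of the recovered
// source for common DOM sinks. The packed SAMPLE below is constructed here.

// The packer writes keyword index c in base a: digits 0-9, then a-z,
// then A-Z (so base 62 covers 62 single-character tokens).
function encodeToken(c, a) {
  const prefix = c < a ? '' : encodeToken(Math.floor(c / a), a);
  const d = c % a;
  return prefix + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Reverse the packer's loop: walk the keyword list from the highest index
// down and substitute each token (as a whole word) with its keyword.
// A replacer function is used so that '$' in a keyword is inserted literally.
function unpack(p, a, c, k) {
  let out = p;
  while (c--) {
    if (k[c]) {
      const re = new RegExp('\\b' + encodeToken(c, a) + '\\b', 'g');
      const word = k[c];
      out = out.replace(re, () => word);
    }
  }
  return out;
}

// Decode the single-quoted JavaScript string literal the packer emits.
const ESCAPES = { n: '\n', r: '\r', t: '\t' };
function unescapeLiteral(s) {
  return s.replace(/\\(.)/g, (_, ch) =>
    Object.prototype.hasOwnProperty.call(ESCAPES, ch) ? ESCAPES[ch] : ch);
}

// Pull the packer's trailing argument list (p, a, c, k) out of a packed
// eval(...) expression without executing it. Returns null if the shape differs.
function parsePacked(src) {
  const m = src.match(
    /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\),\s*\d+,\s*\{\}\)\)/
  );
  if (!m) return null;
  return {
    p: unescapeLiteral(m[1]),
    a: parseInt(m[2], 10),
    c: parseInt(m[3], 10),
    k: unescapeLiteral(m[4]).split('|'),
  };
}

function unpackSource(src) {
  const args = parsePacked(src);
  if (!args) return null;
  return unpack(args.p, args.a, args.c, args.k);
}

// Names to look for in the recovered source. This list is an illustrative
// assumption for the example, not a complete sink catalogue.
const SINKS = ['eval', 'document.write', 'innerHTML', 'location', 'href'];

function findSinks(code) {
  const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return SINKS.filter(s => new RegExp('\\b' + escapeRe(s) + '\\b').test(code));
}

// Constructed sample: the real packer wrapper around a tiny made-up payload.
// String.raw keeps the backslashes exactly as they appear in packed output.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 5=2.1;3.4(5);',62,6,'var|href|location|document|write|u'.split('|'),0,{}))`;

if (typeof require !== 'undefined' && require.main === module) {
  const code = unpackSource(SAMPLE);
  console.log(code);                    // var u=location.href;document.write(u);
  console.log('sinks:', findSinks(code)); // [ 'document.write', 'location', 'href' ]
}
```

Running the unpacker over the actual jquery.comments.js or jquery.flash.js text instead of SAMPLE gives the plain source to read; a packer wrapper around ordinary jQuery plugin code with no unexpected sinks or remote loads is the "suspicious but benign" case, while recovered code that builds script or iframe elements from remote data is what would justify keeping the detection.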