Hello,
I really need someone to test this website for me in a virtual environment because I think that the JavaScript that loads with the client is malicious.
The website is the most popular runescape private server and I have concerns that it might be infected.
If someone could help me test this I’d be really grateful.
For whoever is interested, the link is:
xxx.soulsplit.com/play/(just choose to play through browser and it will start loading)
I’m sorry for not being able to test this for myself but I don’t really think that virustotal is accurate when it comes to this website.
Thanks in advance
hey according to zulu its risky
http://zulu.zscaler.com/submission/show/a4080a30b30cc215adef8844cea6b08c-1370768780
find nothing
sucuri / quttera / urlvoid / urlquery / virustotal … all say clean
Hi Pondus,
Yes I get similar results, but the page certainly was being attacked because I see htxp://soulsplit.com/test404page.js 404 Not Found
Content-Length: 1173 Content-Type: text/html. Sure sign! I do not know if cleansing has already taken place…
see smart error code from Cloudflare for htxp://forum.soulsplit.com/f/viewforum.php?id=4
See why, read: http://pastebin.com/s4xK1Tcr
polonus
Thanks for the info guys, I think I’m just gonna stay away from it because I think that it might be infected.
Oh and the reason I asked you guys to help me figure out if this site is malicious or not is because around 4 months ago avast detected a java exploit coming from this webclient and I wasn’t sure if it was a false positive or not. If you want me to I can go check the avast logs and give you the exact url and everything that avast said at the time.
if you want me to I can go check the avast logs and give you the exact url and everything that avast said at the time.
You may do that…
Here it is:
11/2/2012 9:47:20 PM hxxp://soulsplit.com/play/loader.jar|>a.class [L] Java:CVE-2012-1723-OG [Expl] (0)
Thank you guys for your help and have a nice day.
Thank you a bunch, Jstore, we can now confirm that java malware is dead as a doornail or the proverbial herring,
see: http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&domain=wiki.soulsplit.com
Here we can see it in retrospect with the safe virus viewer: htxp://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fsoulsplit.com%2Fplay%2Floader.jar (for the security aware only, use script blocking and a VM or similar here:
htxp://jsunpack.jeek.org/?report=104c7ad419b7e2012c04d9f802a4e60407908ed9 – visit with script blocker active and in a VM)
On that java malware: https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-February/017519.html
polonus
Thank you so much Polonus, I’m really glad to know that the website is safe to visit right now and that I can play on the client without any concerns so far.
If it’s not too much, could you please explain to me what NoScript is and if there’s a way to find out who added that malicious line of code at the time? I remember the owner of the server saying that he got hacked but I wasn’t sure if I should trust him or not.
Once again, thank you so much for your help and have a nice day!
if there's a way to find out who added that malicious line of code at the time?
If they don't leave a signature, I guess close to impossible.
If you want info about website malware, read sucuri blog. http://blog.sucuri.net/category/malware
And to check for infection, Sucuri url scanner. http://sucuri.net/
Well, seen from the past and further IDS alerts, the java malcode came via a *.tk domain, clearly hostile;
probably we would have found a “ET CURRENT_EVENTS HTTP Request to a *.tk domain” alert… just my likely speculation.
NoScript is a known script blocker add-on/extension for the Firefox browser. For Google Chrome use the ScriptSafe extension with the Better PoP Up Blocker extension.
polonus
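As an added defender-side example (not code from this thread, from avast, or from the Emerging Threats project), here is a small Python script that parses an avast web-shield log line in the layout quoted above, pulls out the CVE from the signature name, and then runs two triage checks over a constructed proxy log: requests to *.tk hosts (the kind of thing the ET alert mentioned above would fire on) and 404s for script paths (a removed injected include can leave the page still referencing a script that no longer exists). The proxy log lines, the `placeholder-redirect.tk` hostname and the log layout are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
from urllib.parse import urlsplit

# avast web-shield line in the layout quoted in the thread:
#   <date> <time> <url>|><archive member> [<flag>] <signature> [<class>] (<n>)
AVAST_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<url>\S+?)(?:\|>(?P<member>\S+))?\s+"
    r"\[(?P<flag>[A-Z])\]\s+(?P<sig>\S+)\s+\[(?P<cls>\w+)\]\s+\((?P<n>\d+)\)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class AvastHit:
    ts: datetime
    url: str                # refanged URL of the object that triggered the detection
    member: Optional[str]   # file inside the archive (a class inside a .jar), if any
    signature: str          # vendor signature name as logged
    category: str           # bracketed class, e.g. "Expl" for exploit
    cve: Optional[str]      # CVE extracted from the signature name, if present


def refang(url: str) -> str:
    """Turn defanged schemes (hxxp://, htxp://) back into a parseable http://."""
    return re.sub(r"^h[xt]{2}p(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_avast_line(line: str) -> Optional[AvastHit]:
    """Parse one avast log line; return None instead of guessing on a malformed line."""
    m = AVAST_LINE.match(line.strip())
    if not m:
        return None
    cve = CVE_RE.search(m["sig"])
    return AvastHit(
        ts=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        url=refang(m["url"]),
        member=m["member"],
        signature=m["sig"],
        category=m["cls"],
        cve=cve.group(0) if cve else None,
    )


# Constructed proxy log (assumed layout): "<iso time> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = [
    "2012-11-02T21:47:19Z 10.0.0.5 GET http://soulsplit.com/play/ 200",
    "2012-11-02T21:47:20Z 10.0.0.5 GET http://soulsplit.com/play/loader.jar 200",
    "2012-11-02T21:47:21Z 10.0.0.5 GET http://placeholder-redirect.tk/x.jar 200",  # constructed .tk host
    "2012-11-02T21:47:22Z 10.0.0.5 GET http://soulsplit.com/test404page.js 404",
]

WATCHED_TLDS = (".tk",)  # extend with other TLDs your IDS policy watches


def _fields(line: str) -> Optional[List[str]]:
    parts = line.split()
    return parts if len(parts) >= 5 else None


def host_of(url: str) -> str:
    return (urlsplit(refang(url)).hostname or "").lower()


def flag_watched_tld_requests(lines: List[str], tlds=WATCHED_TLDS) -> List[str]:
    """Proxy lines whose requested host ends in a watched TLD."""
    return [l for l in lines if (p := _fields(l)) and host_of(p[3]).endswith(tlds)]


def missing_script_requests(lines: List[str]) -> List[str]:
    """Proxy lines where a .js resource came back 404: a hint that a script include was removed."""
    return [
        l for l in lines
        if (p := _fields(l)) and p[4] == "404" and urlsplit(refang(p[3])).path.endswith(".js")
    ]


if __name__ == "__main__":
    hit = parse_avast_line(
        "11/2/2012 9:47:20 PM hxxp://soulsplit.com/play/loader.jar|>a.class [L] Java:CVE-2012-1723-OG [Expl] (0)"
    )
    print(hit)
    for l in flag_watched_tld_requests(SAMPLE_PROXY_LOG):
        print("watched TLD:", l)
    for l in missing_script_requests(SAMPLE_PROXY_LOG):
        print("missing script:", l)
```

Run it as-is to see the parsed detection and the two flagged lines; swap `SAMPLE_PROXY_LOG` for your own proxy export once you adapt `_fields` to its column layout.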