mchain
October 11, 2014, 7:27am
1
Pondus
October 11, 2014, 8:37am
2
polonus
October 11, 2014, 12:50pm
3
Hi mchain,
See whether the ZeuS drop URL is online:
ZeuS DropURL                       Status   HTTP Status
levintrading.com/js/js/r34d.php    online   200
And then, contrary to Pondus' results (he is looking at the general domain URL, which might just be a C&C log-in template), we do get results and two flags: https://www.virustotal.com/nl/url/209db520d146464ed3b7901074b5945e52188c2872f753c0104c65113de13426/analysis/1413031175/
Here the verdict is simple: levintrading.com, 216.238.149.29, NS33.WORLDNIC.com, Criminals, ZeuS
(according to Kleissner & Associates Virus Tracker results)
And the results we get are:
HTTP/1.1 200 OK
Date: Sat, 11 Oct 2014 12:45:44 GMT
Server: Apache/2.2.15 (CentOS) DAV/2
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
(That Server version is vulnerable: http://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=66&version_id=93077&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=23&sha=f3811a977415e66eff5d8b9d9b8c21d064617677)
We should do an Intellitamper scan to see what more levintrading dot com has on that server, but that is outside the scope of our third-party cold reconnaissance scans.
At least I would flag and block that main domain as long as it is up.
Cannot be trusted → https://www.mywot.com/en/scorecard/levintrading.com?utm_source=addon&utm_content=popup
pol
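As an added example that is not part of the thread (my own code, not polonus's or any tracker's), here is a small Python parser that turns a raw HTTP response like the one quoted above into a triage summary: the status code, whether the reported drop URL counts as online, the Server banner split into product/version pairs, and whether the body is empty (a 200 with Content-Length 0 is exactly what a bare drop script tends to return). The response text is constructed from the headers shown in the post; the online/offline mapping from status codes is this example's own convention, not the tracker's.

```python
"""Triage a raw HTTP response from a reported drop-URL check.

Added example, not code from the forum post. SAMPLE_RESPONSE is
constructed from the headers quoted in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 11 Oct 2014 12:45:44 GMT\r\n"
    "Server: Apache/2.2.15 (CentOS) DAV/2\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


@dataclass
class ResponseSummary:
    status: int
    reason: str
    headers: dict            # header names lower-cased
    server_products: list    # [(product, version), ...] from the Server banner
    drop_status: str         # "online", "offline" or "unknown" (this example's convention)
    empty_body: bool         # Content-Length: 0 or no body at all


def parse_server_banner(banner: str) -> list:
    """Split 'Apache/2.2.15 (CentOS) DAV/2' into [('Apache','2.2.15'), ('DAV','2')].

    Parenthesised comments such as '(CentOS)' are dropped; tokens without
    a '/' are kept with an empty version string.
    """
    stripped = re.sub(r"\([^)]*\)", " ", banner)
    products = []
    for token in stripped.split():
        product, _, version = token.partition("/")
        products.append((product, version))
    return products


def classify_status(status: int) -> str:
    """Map an HTTP status to the drop-URL state used in this example."""
    if 200 <= status < 300:
        return "online"
    if 400 <= status < 600:
        return "offline"
    return "unknown"   # redirects, 1xx, or anything else worth a manual look


def parse_response(raw: str) -> ResponseSummary:
    """Parse status line and headers of a raw HTTP/1.x response."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = head.splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})(?: (.*))?$", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = int(m.group(1))
    reason = m.group(2) or ""
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    content_length = headers.get("content-length")
    empty_body = content_length == "0" or (content_length is None and body == "")
    return ResponseSummary(
        status=status,
        reason=reason,
        headers=headers,
        server_products=parse_server_banner(headers.get("server", "")),
        drop_status=classify_status(status),
        empty_body=empty_body,
    )


if __name__ == "__main__":
    summary = parse_response(SAMPLE_RESPONSE)
    print(summary.status, summary.drop_status, summary.server_products, summary.empty_body)
```

The `server_products` list is what you would feed into a version lookup against your own inventory or a CVE feed; the parser deliberately stops at extracting the banner rather than asserting which advisories apply, because a banner alone does not tell you whether backported fixes are installed.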