Malware - redirect adware and spam...

See: http://urlquery.net/report.php?id=1430156297996
See: https://www.virustotal.com/nl/domain/irvasa.ru/information/
and https://www.virustotal.com/nl/url/ba53cb4bf7a202f32cfb2309d08e0f8659ea33c2109c63bb0b91d69a28aa596b/analysis/1430156460/
Warnings and issues: http://www.dnsinspect.com/irvasa.ru/1430156422
WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 4.2
ISSUE DETECTED | DEFINITION | INFECTED URL
Website Malware | MW:JS:GEN2?v10 | http://irvasa.ru/wp-content/themes/MyMenu/menu/mootools-1.2.1-core-yc.js
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:JS:GEN2?v10
Code:
var Va3dbaf37 = dujfyh5736fhhiky.qyhey35he89('...');
→ Read: https://productforums.google.com/forum/#!msg/webmasters/tTJGEytg-mA/weyojDSXfQAJ
Two instances detected, see: https://www.mywot.com/en/scorecard/counter.yadro.ru?utm_source=addon&utm_content=popup (this is a redirect adware)
The reason for adding in Blacklist: Unknown Spam Bot masking himself as a normal user → http://myip.ms/view/blacklist/1547002514/Blacklist_IP_92.53.98.146
Re: http://malwarefixes.com/remove-counter-yadro-ru-virus/

Historical detection: http://www.projecthoneypot.org/ip_92.53.98.146

polonus

Website Malware MW:JS:GEN2?v10 hxxp://irvasa.ru/wp-content/themes/MyMenu/menu/mootools-1.2.1-core-yc.js
https://www.virustotal.com/nb/file/d123ffb2faa09e8480cba59e26bfe38e3462cebec2b602f690e2cefd51b50648/analysis/1430157404/

Message from F-Secure lab

========================================
The file you submitted is clean. It is not malicious.

hmmm … but Norman/BlueCoat don't like it and added detection

mootools-1.2.1-core-yc.js JSDecode.A

Hi, the file contains a small obfuscated JavaScript. After decryption, there are a few links (to technologytricks.com and ifreecellphones.com), but it is written as a signature from a WordPress theme. Apart from the awful obfuscation and unfortunate location of this script, I can't find any malicious behavior.

Tondah