See: http://sitecheck.sucuri.net/results/www.nhj8889.com/ 巧博网, easily earn 300-1000 per day
Anomaly behavior detected (possible malware). Details: http://sucuri.net/malware/malware-entry-mwanomalysp8
not analyzed] wXw.nhj8889.com/
status: (referer=http:/www.ask.com/web?q=puppies)failure: [Errno 104] Connection reset by peer
Not detected: https://urlquery.net/report.php?id=1415200343750
Warnings and not tested 404 - 找不到文件或目录 → https://asafaweb.com/Scan?Url=www.nhj8889.com
DNS SOA warnings: http://www.dnsinspect.com/nhj8889.com/1415200919
External link from code XSS vuln. Results from scanning URL: http://s0.wp.com/wp-content/js/devicepx-jetpack.js?ver=201445
Number of sources found: 3
Number of sinks found: 2
Results from scanning URL: http://s.gravatar.com/js/gprofiles.js?ver=2014Novaa
Number of sources found: 14
Number of sinks found: 17
This is for htxp://v1.cnzz.com/z_stat.php vulnerable to bootrom exploit via MISS TCP_MISS dirn:-2:-2 Tengine cache server.
Badness history with Virut → https://www.virustotal.com/nl/ip-address/42.156.140.11/information/
avast detects Win32:Virtu-A. Malware or viruses - bad web rep: https://www.mywot.com/en/scorecard/v1.cnzz.com?utm_source=addon&utm_content=popup
pol
Registered and no website: http://whois.domaintools.com/nhj8889.com
Peter Kleissner’s VirusTracker detects active and up malware: www.nhj8889.com, 112.218.71.152, Criminals
See these results from ZeroCERT: http://zerocert.org/?code=8daa9e2a22b4e5063ab8ffd712337d247132f655214232eddc130ff889266bf0
Result: htxp://hannuri.info/popup/popup_c1.htm - 1건 발견
[script] htxp://hannuri.info/popup/popup_c1.htm → Malware url
→ user tracking code (google-analytics.com ) → http://jsunpack.jeek.org/?report=736a03b2c3008a8f0451dffd72b5706a0e0f1f56
http://zerocert.org/?code=8daa9e2a22b4e5063ab8ffd712337d247132f655214232eddc130ff889266bf0
External code leading to: htxp://www.organicxml.info/re.php?var=Fgz51S39VoCqT8zqT8G9r80RdynqbA0UVkn9bDW%3D
Infested with HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.4976951 (B) (Emsisoft), Trojan.Generic.4976951 (AdAware), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win3TROJAN.GENERIC.4976951_1643C13B342.Sasfis.FD, VirTool.Win32.DelfInject.FD, PackedMysticCompressor.YR (Lavasoft MAS) Behaviour: Banker, Trojan, Packed, VirTool, TROJAN.GENERIC.4976951_1643C13B34 (lavasoft)
polonus
There is an external link to this site: https://www.mywot.com/en/scorecard/c.cnzz.com?utm_source=addon&utm_content=popup
Flagged as advert and tracking site in this list here: http://hosts-file.net/?s=c.cnzz.com
and listed here: http://rbls.org/w.cnzz.com (blacklisted in HostKarma Junk Email Filter Bad & Blacklisted).
Also blacklisted here - https://www.mywot.com/en/scorecard/w.cnzz.com
Quote from luntrus (an alter-ego)
link to trojan downloader found on site: w.cnzz.com/q_stat.php%3Fid%3D1000001593%26l%3D2 ’ type=‘text/javascript’%3E%3C/script%3E")); launches a trojan downloader. flagged by avast! av as JS:ScriptIP-inf [Trj] "
So we are being protected for that external link. Also a decent ad-blocker extension with a malware domain list blocks this tracking.
pol
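Added example, not code from the thread or from any of the tools it cites: a small Python check that lists a page's external script/iframe sources, including the URL-encoded document.write(unescape("%3Cscript src=...")) form the cnzz snippet quoted above uses, and matches them against a domain blocklist. BLOCKED_DOMAINS and SAMPLE_HTML are constructed here from the domains flagged in this thread; a real deployment would load a maintained list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Blocklist constructed from the domains flagged in this thread (example only; a real
# deployment would load a maintained tracker/malware domain list).
BLOCKED_DOMAINS = {"cnzz.com", "hannuri.info", "organicxml.info"}
SRC_RE = re.compile(r"""src\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)

class ExternalRefParser(HTMLParser):
    """Collect src of <script>/<iframe> tags, plus tags written by inline document.write(unescape(...))."""
    def __init__(self):
        super().__init__()
        self.sources, self._buf = [], None  # _buf accumulates inline script text
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.sources.extend(v for k, v in attrs if k == "src" and v)
        if tag == "script":
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            # URL-decoding turns %3Cscript src='...'%3E back into a tag we can read
            self.sources.extend(SRC_RE.findall(unquote("".join(self._buf))))
            self._buf = None

def blocked_domain(host, blocklist=BLOCKED_DOMAINS):
    """Blocklist entry that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    return next((d for d in blocklist if host == d or host.endswith("." + d)), None)

def find_blocked_sources(html, blocklist=BLOCKED_DOMAINS):
    """[(src, domain)] for every script/iframe source served from a blocklisted domain."""
    parser = ExternalRefParser()
    parser.feed(html)
    parser.close()
    hits = []
    for src in parser.sources:
        host = urlsplit("http:" + src if src.startswith("//") else src).hostname
        dom = blocked_domain(host, blocklist) if host else None  # no host: same-origin
        if dom:
            hits.append((src, dom))
    return hits

# Constructed sample modelled on the includes reported in this thread (not the real page)
SAMPLE_HTML = """<html><body><script src="main.js"></script>
<script>document.write(unescape("%3Cscript src='http://w.cnzz.com/q_stat.php%3Fid%3D1000001593%26l%3D2' type='text/javascript'%3E%3C/script%3E"));</script>
<iframe src="http://hannuri.info/popup/popup_c1.htm" width="0" height="0"></iframe></body></html>"""
```

Running find_blocked_sources(SAMPLE_HTML) reports the decoded cnzz tracker URL and the hannuri.info popup iframe, while the same-origin main.js is ignored.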
Pondus
November 5, 2014, 4:58pm
4
I get this from scanning, server redirect status → code: 0, Content cannot be read! for www.nhj8889.com.htm
Name error! Could not get delegation from parent servers. Non-existent domain name?
http://www.nhj8889.com/ resolves
http://www.dnsinspect.com/nhj8889.com/1415222246
Styles
@charset "utf-8";
/* common styles */
*{margin:0; padding:0;}
body{margin:0px; padding:0px; font-family: Arial,"微软雅黑"; background:#840a1b url(bg.jpg) repeat-x 0 0; }
a{text-decoration:underline;color:#00ffff;}
a:hover{color:#3bff97;}
ul,li,img,dl,dd,dt,div{margin:0px; padding:0px; border:0px; list-style:none;}
.clear{clear:both; height:0px; overflow:hidden; line-height:0px; font-size:0px;}
.main1{background: url(main1.jpg) no-repeat top center; height:545px;}
.cont{width:960px; margin:0px auto;}
.main1 p{width:324px; height:40px; font-size:22px;line-height:40px; text-align:center; color:#FFFF00; font-weight:bold; padding:325px 0px 0px 436px;}
.main1 p span,.boxm .m1 p span,.bot p span{color:#00ffff;}
.boxm{background:url(boxm.jpg) repeat-y 0 0; width:962px; margin:0px auto;}
.boxm .m1{background:url(t1.png) no-repeat 0 0; height:138px; width:880px; margin:0px auto;}
.boxm .m1 p,.bot p{width:270px; height:30px; font-size:20px;line-height:30px; text-align:center; color:#FFFF00; font-weight:bold; padding:105px 0px 0px 312px;}
.boxm .m2{background:url(xw.png) no-repeat 0 0;width:880px; margin:10px auto 0px auto; height:100px;}
.boxm .m3{overflow:hidden;zoom:1; width:880px; margin:0px auto;}
.boxm .m3 p{float:left; width:360px; margin-right:70px; padding-left:10px;}
.boxm .m3 p b{font-size:18px; color:#fff;}
.boxm .m3 p b span{color:#FFFF00;}
.boxm .m3 p a{font-size:12px; color:#FFFF00;}
.boxm .m3 p a:hover{color:#00ffff;}
.bot{background:url(main2.jpg) no-repeat 0 0; height:304px; width:962px; margin:0px auto;}
.bot p{padding:260px 0px 0px 22px;}
For 403 errors see: https://asafaweb.com/Scan?Url=www.nhj8889.com
For Apache: 2.4.9, 2.2.26
A flaw was found in mod_log_config. A remote attacker could send a specific truncated cookie causing a crash. This crash would only be a denial of service if using a threaded MPM.
pol
Pondus
November 6, 2014, 7:48am
6
Sucuri was correct. BlueCoat/Norman added detection as nhj8889.com.htm: Redirector.PU
Site nhj8889.com seems to be down now.
Hi Pondus,
Good that we acted persistently; even when it is down, we now know we reported it towards protection: http://totalhash.com/analysis/6d8d7089424717d68edf676f9ffcf0aef0b564a5
Avast should detect Shell-DC [Trj]
polonus
Site is up but not flagged by avast Webshield:
pol