Malware site flagged?

See: http://sitecheck.sucuri.net/results/www.nhj8889.com/ 巧博网,轻松日赚300-1000
Anomaly behavior detected (possible malware). Details: http://sucuri.net/malware/malware-entry-mwanomalysp8

not analyzed] wXw.nhj8889.com/
status: (referer=http:/www.ask.com/web?q=puppies)failure: [Errno 104] Connection reset by peer
Not detected: https://urlquery.net/report.php?id=1415200343750
Warnings and not tested 404 - 找不到文件或目录 → https://asafaweb.com/Scan?Url=www.nhj8889.com
DNS SOA warnings: http://www.dnsinspect.com/nhj8889.com/1415200919

External link from code XSS vuln. Results from scanning URL: http://s0.wp.com/wp-content/js/devicepx-jetpack.js?ver=201445
Number of sources found: 3
Number of sinks found: 2
Results from scanning URL: http://s.gravatar.com/js/gprofiles.js?ver=2014Novaa
Number of sources found: 14
Number of sinks found: 17
This is for htxp://v1.cnzz.com/z_stat.php vulnerable to bootrom exploit via MISS TCP_MISS dirn:-2:-2 Tengine cache server.
Badness history with Virut → https://www.virustotal.com/nl/ip-address/42.156.140.11/information/
avast detects Win32:Virtu-A. Malware or viruses - bad web rep: https://www.mywot.com/en/scorecard/v1.cnzz.com?utm_source=addon&utm_content=popup

pol

Registered and no website: http://whois.domaintools.com/nhj8889.com
Peter Kleissner’s VirusTracker detects active and up malware: www.nhj8889.com,112.218.71.152,Criminals,
See these results from ZeroCERT: http://zerocert.org/?code=8daa9e2a22b4e5063ab8ffd712337d247132f655214232eddc130ff889266bf0
Result: htxp://hannuri.info/popup/popup_c1.htm - 1건 발견
[script] htxp://hannuri.info/popup/popup_c1.htm → Malware url
→ user tracking code (google-analytics.com) → http://jsunpack.jeek.org/?report=736a03b2c3008a8f0451dffd72b5706a0e0f1f56
http://zerocert.org/?code=8daa9e2a22b4e5063ab8ffd712337d247132f655214232eddc130ff889266bf0
External code leading to: htxp://www.organicxml.info/re.php?var=Fgz51S39VoCqT8zqT8G9r80RdynqbA0UVkn9bDW%3D
Infested with HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.4976951 (B) (Emsisoft), Trojan.Generic.4976951 (AdAware), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win3TROJAN.GENERIC.4976951_1643C13B342.Sasfis.FD, VirTool.Win32.DelfInject.FD, PackedMysticCompressor.YR (Lavasoft MAS) Behaviour: Banker, Trojan, Packed, VirTool, TROJAN.GENERIC.4976951_1643C13B34 (lavasoft)

polonus

There is an external link to this site: https://www.mywot.com/en/scorecard/c.cnzz.com?utm_source=addon&utm_content=popup
Flagged as advert and tracking site in this list here: http://hosts-file.net/?s=c.cnzz.com
and listed here: http://rbls.org/w.cnzz.com blacklisted in HostKarma Junk Email Filter Bad & Blacklisted.
Also blacklisted here - https://www.mywot.com/en/scorecard/w.cnzz.com

Quote from luntrus (an alter-ego)

link to trojan downloader found on site: w.cnzz.com/q_stat.php%3Fid%3D1000001593%26l%3D2’ type=‘text/javascript’%3E%3C/script%3E")); launches a trojan downloader. flagged by avast! av as JS:ScriptIP-inf [Trj] "

So we are being protected for that external link. Also a decent ad-blocker extension with a malware domain list blocks this tracking.

pol

nhj8889.com.htm
https://www.virustotal.com/nb/file/1b3f4973a41e997a4bcd2bef632417164d99d1a0654a018037d72762eb285da7/analysis/1415205850/

I get this from scanning, server redirect status → code: 0, Content cannot be read! for www.nhj8889.com.htm
Name error! Could not get delegation from parent servers. Non-existent domain name?
http://www.nhj8889.com/ resolves
http://www.dnsinspect.com/nhj8889.com/1415222246
Styles

@charset "utf-8";
/* common styles */
*{margin:0; padding:0;}
body{margin:0px; padding:0px; font-family: Arial,"微软雅黑"; background:#840a1b url(bg.jpg) repeat-x 0 0; }
a{text-decoration:underline;color:#00ffff;}
a:hover{color:#3bff97;}
ul,li,img,dl,dd,dt,div{margin:0px; padding:0px; border:0px; list-style:none;}
.clear{clear:both; height:0px; overflow:hidden; line-height:0px; font-size:0px;}
.main1{background: url(main1.jpg) no-repeat top center; height:545px;}
.cont{width:960px; margin:0px auto;}
.main1 p{width:324px; height:40px; font-size:22px;line-height:40px; text-align:center; color:#FFFF00; font-weight:bold; padding:325px 0px 0px 436px;}
.main1 p span,.boxm .m1 p span,.bot p span{color:#00ffff;}
.boxm{background:url(boxm.jpg) repeat-y 0 0; width:962px; margin:0px auto;}
.boxm .m1{background:url(t1.png) no-repeat 0 0; height:138px; width:880px; margin:0px auto;}
.boxm .m1 p,.bot p{width:270px; height:30px; font-size:20px;line-height:30px; text-align:center; color:#FFFF00; font-weight:bold; padding:105px 0px 0px 312px;}
.boxm .m2{background:url(xw.png) no-repeat 0 0;width:880px; margin:10px auto 0px auto; height:100px;}
.boxm .m3{overflow:hidden;zoom:1; width:880px; margin:0px auto;}
.boxm .m3 p{float:left; width:360px; margin-right:70px; padding-left:10px;}
.boxm .m3 p b{font-size:18px; color:#fff;}
.boxm .m3 p b span{color:#FFFF00;}
.boxm .m3 p a{font-size:12px; color:#FFFF00;}
.boxm .m3 p a:hover{color:#00ffff;}
.bot{background:url(main2.jpg) no-repeat 0 0; height:304px; width:962px; margin:0px auto;}
.bot p{padding:260px 0px 0px 22px;} 

For 403 errors see: https://asafaweb.com/Scan?Url=www.nhj8889.com

For Apache: 2.4.9, 2.2.26
A flaw was found in mod_log_config. A remote attacker could send a
specific truncated cookie causing a crash. This crash would only be a
denial of service if using a threaded MPM.

pol

Sucuri was correct. BlueCoat/Norman added detection as nhj8889.com.htm: Redirector.PU

site nhj8889.com seems to be down now

Hi Pondus,

Good that we acted persistently; even when down, we now know we reported towards protection: http://totalhash.com/analysis/6d8d7089424717d68edf676f9ffcf0aef0b564a5
Avast should detect Shell-DC [Trj]

polonus

Site is up but not flagged by avast Webshield :slight_smile:

pol