Many websites with counter.yadro dot ru malware, here is one!

polonus · 2015-05-05T12:45:56.000Z

-counter.yadro.ru,88.212.201.195,Multiple IPs,
88.212.196.124 → http://urlquery.net/report.php?id=1430828062628
history-news dot org,212.193.229.222,ns3.nic.ru,Parked/expired,
Stealth Name Servers: http://www.dnsinspect.com/nic.ru/1430828857
Fortinet’s Webfilter Malware Alerts 2 2015-05-05 2 -counter.yadro.ru/hit?t50.1;r;s117688524;uhtxp%3A//history-news.org/;0.7981324612639449 Malware
2015-05-05 2 -counter.yadro.ru/hit?q;t50.1;r;s117688524;uhtxp%3A//history-news.org/;0.7981324612639449 Malware
Netcraft Website Rep Status 1 red out of 10: http://toolbar.netcraft.com/site_report?url=http://history-news.org
Encryption (HTTPS) (1) - static assigned Cable/DSL IP address
Communication is NOT encryptedPossible Frontend SPOF from:

fonts.googleapis.com - Whitelist
(98%) -
vk.com - Whitelist
(48%) -
pagead2.googlesyndication.com - Whitelist
(15%) -
Javascript check: suspicious: …
Included Scripts: Suspect - please check list for unknown includes

Suspicious Script:
history-news.org///vk.com/js/api/openapi.js?98

Suspicious 404 Page:

Warning: Directory Indexing Enabled

Also blocked by any decent adblocker = htxp://top-fwz1.mail.ru/ and htxp://hit10.hotlog.ru/

Javascripts included:
-http://history-news.org/wp-includes/js/jquery/jquery.js?ver=1.11.0
-http://history-news.org/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
//vk.com/js/api/openapi.js?98
-http://www.simvolika.org/on.js
-http://pagead2.googlesyndication.com/pagead/show_ads.js
-http://history-news.org/wp-includes/js/masonry.min.js?ver=3.1.2
-http://history-news.org/wp-includes/js/jquery/jquery.masonry.min.js?ver=3.1.2
-http://history-news.org/wp-content/themes/twentyfourteen/js/functions.js?ver=20140319

Infested with malware according to Sucuri’s:
ISSUE DETECTED DEFINITION INFECTED URL
Website Malware malware-entry-mwblacklisted35 htxp://history-news.org ( View Payload )
Website Malware malware-entry-mwblacklisted35 htxp://history-news.org/?p=16490
Website Malware malware-entry-mwblacklisted35 htxp://history-news.org/?cat=4
Website Malware malware-entry-mwblacklisted35 htxp://history-news.org/?p=16418
Website Malware malware-entry-mwblacklisted35 htxp://history-news.org/?p=15998( View Payload )
Suspicious domain detected. Details: http://sucuri.net/malware/malware-entry-mwblacklisted35
<embed src=“htxp://spu7.ru/banner/banner-spu.swf” rel=“nofollow”
Now /export/banners from wXw.slavrus.net →
https://www.mywot.com/en/scorecard/slavrus.net?utm_source=addon&utm_content=popup

122 malicious files → Detected reference to malicious blacklisted domain -top.mail.ru
blacklisted domain: htxp://top.mail.ru/jump?from%3D2093167 (blocked by an extension in client)

polonus

polonus · 2015-05-05T13:12:17.000Z

Same malcode and more malware found up here: http://urlquery.net/report.php?id=1430830715074
Where VT results go silent: https://www.virustotal.com/nl/url/eb9d21f6ca0f75f34faa1561b3bf0f2b3c7b51d78663e8a06f4edc486f8f2669/analysis/
Sucuri finds outdated CMS: Outdated WordPress Found Security Updates WordPress Under 4.2
Web application version:
WordPress version: WordPress 4.1.1
Wordpress version from source: 4.1.1
Wordpress Version 4.1 based on: htxp://www.otoportali.com/wp-includes/js/autosave.js
All in One SEO Pack version: 2.2.5.1
WordPress theme: htxp://www.otoportali.com/wp-content/themes/otomobil/
Version does not appear to be latest 4.2.1 - update now.

PHP vuln: http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-160394/year-2014/opov-1/PHP-PHP-5.5.8.html

Vulnerable: User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.
User ID 1 : admin
User ID 2 : None

linked javascripts:http://www.otoportali.com/wp-content/themes/otomobil/includes/js/jquery.min.js?ver=1.4.2
-http://www.otoportali.com/wp-content/themes/otomobil/includes/js/jquery.tools.js?ver=1.4.2
-http://www.otoportali.com/wp-content/themes/otomobil/includes/js/jcarousellite.js?ver=1.0.1
-http://www.otoportali.com/wp-content/themes/otomobil/includes/js/superfish.js?ver=1.0
-http://www.otoportali.com/wp-content/themes/otomobil/includes/js/custom.js?ver=1.0
-http://adserver.reklamstore.com/reklamstore.js *
-http://adserver.reklamstore.com/reklamstore.js
//pagead2.googlesyndication.com/pagead/show_ads.js
-http://adserver.reklamstore.com/reklamstore.js
-//mc.yandex.ru/metrika/watch.js
-http://cdn.reklamnative.com/reklamnative/js/render.v1.js **

bad web rep: https://www.mywot.com/en/scorecard/adserver.reklamstore.com?utm_source=addon&utm_content=popup
Avast does not give this a bad web rep?
** https://www.virustotal.com/nl/ip-address/188.132.170.35/information/

Website IP badness history:
https://www.virustotal.com/nl/ip-address/77.223.134.131/information/
Consider also: http://urlquery.net/report.php?id=1430682789064 with malcode on same IP address.

polonus (volunteer website security analyst and website error-hunter)

polonus · 2017-11-14T14:07:12.000Z

Update

Still going on, see recent detection here: https://urlquery.net/report/a0906225-a5e1-47e7-9776-eddd24e53007
Consider also rule here: https://supportforums.cisco.com/t5/event-analysis/blacklist-dns-request-for-known-malware-domain-counter-yadro-ru/td-p/3075516

polonus (volunteer website security analyst and website error-hunter)

Announcements