Most scanners do not detect this website malware....

See: http://sitecheck.sucuri.net/results/tohouri.com
ISSUE DETECTED DEFINITION INFECTED URL
Website Malware malware-entry-mwblacklisted35 htxp://tohouri.com/en/publications
Suspicious domain detected. Details: http://sucuri.net/malware/malware-entry-mwblacklisted35
Location: htxp://ibontu.25u.com/
SE visitors redirects
Visitors from search engines are redirected
to: htxp://ibontu.25u.com/
9775 sites infected with redirects to this URL
List of blacklisted external links: 1
htxp://twitter.com/share

CMS issue: Web application details:
Application: Drupal - http://www.drupal.org
Google Analytics installed: UA-3720428-2
Running cPanel 11.42.1.29: tohouri dot com:2082
Drupal not updated. We recommend versions 6.33 or 7.32 (or higher).
Outdated Drupal Found: Drupal under 6.31 or 7.27

The weather stickers could be broken by extensions or ad-blocked:
http://help.wunderground.com/knowledgebase/articles/129031-why-are-the-weather-sticker-images-broken

polonus

Scan results banners dot wunderground dot com

Starting 5.51 ( ScanVerify.com ) at 2014-11-27 09:12 CST
scan report for banners.wunderground.com (38.102.136.101) → ip/38.102.136.101.json
Re: https://www.robtex.com/en/advisory/ip/38/102/136/101/
Host is up (0.044s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 1.3.42 ((Unix) PHP/5.3.2)
| http-methods: Potentially risky methods: TRACE
|_See ScanVerify.com/nsedoc/scripts/http-methods.html
|_http-title: 403 Forbidden
443/tcp closed https
this is a whitelist of known legitimate email servers to reduce the chances of false
Trusted Forwarder SPF Global Whitelist Bonded Sender

sbl.spamhaus.org link Direct UBE sources, verified spam services and ROKSO spammers
xbl.spamhaus.org link Illegal 3rd party exploits, including proxies, worms and trojan exploits

pol

no malicious code … just a URL
https://www.virustotal.com/nb/file/f8e038c63c5173f984a84821bb46b58ebb0819459022302a80fb2a48c5885b43/analysis/1417101431/
https://www.virustotal.com/nb/file/ded72d40dc3c05524809eda33f1930890839add4af7930e6e184dfae83a8031a/analysis/1417101577/

Hi Pondus,

I trust Sucuri here, moreover considering the IP badness history: https://www.virustotal.com/en/ip-address/192.254.224.61/information/

VT results are important and an often recommended standard,
but it is known to me that (bad hat) SEO Spam and defacements/hacks are very often not being flagged by VirusTotal.
What is the criterion here? That code must be infectious as such and hacks also?
Well, fraudulent redirects (spam fraud, defacement) etc. are not considered malicious in this strict sense here :o

I think this is a big blind spot where VT is concerned, same goes for some other scanners that miss SEO Spam for instance.
Killmalware is a good exception to that rule. Quttera is also getting better and better in detecting these various forms of abuse.

Also adware that is hidden but not malign as such is often spared by AV solutions,
even in PUP scanning, often because of legit implications.
That is for instance why several forms of Conduit crapware are being missed by major AV.
So here this is a grey area but the undetected is out there, the so-called virus X-Files ;D :wink:

polonus

polonus

tohouri.com/ gives no redirect when entering

ibontu.25u.com/ redirects to june26.com/

Here I give an example of abuse that is there, but that VT ignores or does not detect (I do not know what to think of this):
Been defaced/hacked since 22 hours ago: http://sitecheck.sucuri.net/results/karismahairdressing.com
Exploit used: http://marc.info/?l=full-disclosure&m=106365781917123&w=2
Flagged and description here: http://killmalware.com/karismahairdressing.com/#
Missed: https://www.virustotal.com/en/url/0e59b420676f20ce3be67aecfd0099b5ae656a26062adaf1d2e2cb8c35b26fa1/analysis/1417104200/
Missed: http://quttera.com/detailed_report/karismahairdressing.com
Even here external element mentioned but not flagged :o →
http://zulu.zscaler.com/submission/show/c5addaf3657eeaa53edc6ae8bc09a5bf-1417104462
http://urlquery.net/report.php?id=1417104659774
So do not leave this link: https://www.facebook.com/permalink.php?id=197705186938936&story_fbid=554733231236128
DrWeb URL scanning extension flags clicking that external link (to defaced site).

polonus