Hi folks,

Like to get information on this detection, please? http://siteinspector.comodo.com/public/reports/show_log?id=663184
Action: Inject code to other applications also check link to -s0.2mdn dot net
see: http://www.mywot.com/en/scorecard/s0.2mdn.net
Sucuri does not find anything suspicious".
Given clean here: http://urlquery.net/report.php?id=8266
Suspicious part:
-www.nu.nl/scripts-cache/xtclicks.js suspicious
[suspicious:2] (ipaddr:62.69.179.12) (script) -www.nu.nl/scripts-cache/xtclicks.js
Can anyone confirm?

polonus

VirusTotal - xtclicks.js
http://www.virustotal.com/file-scan/report.html?id=f42e52d0bc82281c32a0faa39b0f815ca3bed9074149fb5d82499f6d8e7fcd55-1321144501

Wepawet report have potential malware links at the bottom
http://wepawet.iseclab.org/view.php?hash=110eba5f8772213e2ba4d89029e68c06&t=1321145081&type=js

Hi Pondus,

Well done, and as always coming up with the right details to enable polonus to get a bit nearer to the root of the evil. And why, Pondus, because at the end of the wepawet page you provided for us, we can now take that MD5 hash and then we land here through a simple google query:
Now we can see what is really out there or rather was out there as the link may no longer be up or dead:
http://amada.abuse.ch/?search=e8935d47df2caa9aecf5dc5b7ee48cc5 Flash malware - probably not longer there? The second string provided there is a complicated password string and when reversing I get “d41d8cd98f00b204e9800998ecf8427e -
The string provided is not a true MD5 hash. Please try again.
MD5 encoding is d41d8cd98f00b204e9800998ecf8427e
CRC32 encoding is 0
SHA1 encoding is da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64 encoding is null” -http://bs.serving-sys.com/BurstingPipe/adServer.bs
has a very poor WOT reputation
And this is what goes on there XSS header injection, see this report:
http://xss.cx/examples/html/bs.serving-sys.com-http-header-injection.html
report source: -http://xss.cx/sitemap.aspx

Interesting, Pondus, interesting…

polonus