Only Norman to detect as AgentHow.A or Trojan.JS.Redirector.TQ?

See: http://killmalware.com/nfirrupend.land.ru/#
Blocked by Google Safebrowsing: https://www.virustotal.com/nl/url/25048938565218f6667efb97686ce98f9b8aae96b76bdedd650b03cbfd682a8f/analysis/1421270505/
DataLife Engine exploit PHP code injection!
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=nfirrupend.land.ru

IP badness info: https://www.virustotal.com/nl/ip-address/80.68.248.45/information/
iframe urlopen error! http://jsunpack.jeek.org/?report=e4448d311e56bdb51959621ae8907f55026d5015

attack-counter-code bad Web rep: hxtp://www.tns-counter.ru/V13a***R> https://www.mywot.com/en/scorecard/tns-counter.ru?utm_source=addon&utm_content=popup

Could not get domain’s name servers from parent servers for sub-domain → not particularly good results: http://www.dnsinspect.com/land.ru/1421271107 Web servers using private IPs can’t be reached from the Internet.
Re: https://www.robtex.com/en/advisory/dns/ru/land/nfirrupend/ nfirrupend.land.ru, Ghosted.
IDS alert for "ET INFO SimpleTDS go.php (sid)" on IP.

polonus

others have followed … but not avast :-\

nfirrupend.land.ru.htm
https://www.virustotal.com/nb/file/36a05944260b9da528e83ad84d7b5148ab3563759126b8d0d3e998f912da9d90/analysis/1421272439/

Looks like the other scanners are detecting it too now! Quttera already flagged it: https://www.virustotal.com/de/url/25048938565218f6667efb97686ce98f9b8aae96b76bdedd650b03cbfd682a8f/analysis/1421272395/

=EDIT=
https://www.virustotal.com/de/url/25048938565218f6667efb97686ce98f9b8aae96b76bdedd650b03cbfd682a8f/analysis/1421274236/ Well Pondus, I think that avast will get scans on the site, because all the scanners are quickly detecting it now.

Hi Georgie123,

Helped the avast team by pointing this thread out at virus AT avast dot com.
Be assured that avast team members follow the postings that are of interest to them.
And that is one of our main aims here as avast enthusiasts.

polonus

The file detected by Quttera as malicious: /drupal.js
Severity: Malicious
Reason: Detected known malicious content.
Details: Threat detected according to previously retrieved information
File size[byte]: 766
File type: ASCII
Page/File MD5: 0AD5773457289878E852D02142C6E460
Scan duration[sec]: 0.001000
blacklisted external links:
List of blacklisted external links: 3
htxp://ad.adriver.ru/cgi-bin/rle.cgi?sid%3D1&%3Bad%3D267162&%3Bbt%3D21&%3Bpid%3D658698&%3Bbid%3D1291282&%3Bbn%3D1291282&%3Brnd%3D1540072335
htxp://ad.adriver.ru/cgi-bin/rle.cgi?sid%3D1&%3Bad%3D267162&%3Bbt%3D21&%3Bpid%3D658698&%3Bbid%3D1291282&%3Bbn%3D1291282&%3Brnd%3D1162543355
htxp://ad.adriver.ru/cgi-bin/rle.cgi?sid%3D1&%3Bad%3D267162&%3Bbt%3D21&%3Bpid%3D658698&%3Bbid%3D1291282&%3Bbn%3D1291282&%3Brnd%3D707919684
Blocked by an extension for me.
Google drupal.js malware and you get quite some hits!

polonus
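As an added example (this is not code from the thread, from Quttera or from avast), here is a small offline triage script that does roughly what the scan report above summarises: it hashes the file, pulls out every external URL, decodes the %3D/%3B-encoded query parameters of the adriver-style links, checks the hostnames against a blacklist, and counts hidden iframes of the kind the Norman "Iframe" detection name refers to. The sample script text is constructed for the example (only the URL shape is modelled on the links Quttera listed), and the blacklist is an assumption: in practice it would come from a reputation feed.

```python
import hashlib
import re
from urllib.parse import unquote, urlsplit

# Constructed stand-in for an injected "drupal.js"-style file. It is NOT the
# file from the thread; only the URL shape (ad.adriver.ru/cgi-bin/rle.cgi with
# %3D / %3B-encoded parameters) is modelled on the links Quttera listed.
SAMPLE_JS = r"""
document.write('<iframe src="http://ad.adriver.ru/cgi-bin/rle.cgi?sid%3D1&%3Bad%3D267162&%3Bbt%3D21&%3Brnd%3D1540072335" width="1" height="1" style="visibility:hidden"></iframe>');
var t = "http://ad.adriver.ru/cgi-bin/rle.cgi?sid%3D1&%3Bad%3D267162&%3Bbt%3D21&%3Brnd%3D707919684";
var lib = "https://cdn.example.org/jquery.min.js";  // benign external reference for contrast
"""

# Assumed blacklist of hostnames (the two hosts flagged in the thread).
# A real check would use a reputation feed instead of a hard-coded set.
BLACKLIST = {"ad.adriver.ru", "tns-counter.ru"}

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:\b(?:width|height)\s*=\s*["']?[01]\b)|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE,
)


def md5_hex(data: bytes) -> str:
    """MD5 of the raw bytes, the same identifier scan reports print."""
    return hashlib.md5(data).hexdigest()


def extract_urls(js_text: str) -> list:
    """All absolute http(s) URLs in the script text, in order of appearance."""
    return URL_RE.findall(js_text)


def decode_query(url: str) -> dict:
    """Decode the %3D/%3B-encoded query string into a parameter dict.

    unquote turns 'sid%3D1&%3Bad%3D267162' into 'sid=1&;ad=267162'; the
    stray ';' after each '&' is stripped before splitting on '='.
    """
    query = unquote(urlsplit(url).query)
    params = {}
    for part in query.split("&"):
        part = part.lstrip(";")
        if "=" in part:
            key, value = part.split("=", 1)
            params[key] = value
    return params


def blacklisted_hosts(urls, blacklist=BLACKLIST) -> list:
    """Distinct hostnames from urls that appear in the blacklist."""
    seen = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in blacklist and host not in seen:
            seen.append(host)
    return seen


def hidden_iframe_count(js_text: str) -> int:
    """Count <iframe> tags sized 0/1 px or styled invisible (classic redirector pattern)."""
    return sum(1 for m in IFRAME_RE.finditer(js_text) if HIDDEN_RE.search(m.group(0)))


def triage(js_text: str, blacklist=BLACKLIST) -> dict:
    """Summarise one script the way a scanner report does."""
    raw = js_text.encode("utf-8")
    urls = extract_urls(js_text)
    bad = blacklisted_hosts(urls, blacklist)
    hidden = hidden_iframe_count(js_text)
    return {
        "md5": md5_hex(raw),
        "size": len(raw),
        "urls": urls,
        "blacklisted_hosts": bad,
        "hidden_iframes": hidden,
        "verdict": "suspicious" if (bad or hidden) else "clean",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

Run it against a real file by reading the file as text and passing it to triage(); the verdict here is only "blacklisted host or hidden iframe present", which is a triage hint, not a replacement for the scanner's signature.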

drupal.js
https://www.virustotal.com/nb/file/20bdf51557005321cb707dc7f884b2d152e30720b66d8de281459087e3f0f6f9/analysis/1421278868/

hmmmm ??? First submission 2013-05-04 22:26:13 UTC ( 1 year, 8 months ago )

Hi, I was not able to find any actual malicious activity on nfirrupend.land.ru.htm (probably because some of the linked sites are already down), but detection for drupal.js was added. Thank you.

confirmed by Norman/BlueCoat: detection added for drupal.js: Iframe.ABY

Hi Tondah,

Thanks for keeping the avast users protected.

polonus