Phish and fraud via hidden frameset malcode

Found on: htxp://www.spicehd.com
[quote] 8: < frame marginwidth=0 marginheight=0 frameborder=0 name="TOPFRAME" src="htxp://www.mywebcamcrush.com/AmandaBond" noresize>
[/quote]
See: http://www.mywot.com/en/scorecard/mywebcamcrush.com?utm_source=addon&utm_content=popup-donuts
Only one to flag is sucuri’s: https://www.virustotal.com/url/3ae7134abc6ee6bc5ed49deb152d915b84b46c3858b47788562d77a51d42d4d2/analysis/
see: http://sitecheck.sucuri.net/results/www.mywebcamcrush.com/amandabond

reported to virus AT avast dot com

pol

(script) wXw.mywebcamcrush.com/js/jquery.timers-1.2.js
status: (referer=wXw.mywebcamcrush.com/AmandaBond)saved 3201 bytes 992f2082ec5b4757f0a988d367827394654a575d
See this: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable jQuery.fn
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var jQuery.fn = 1;
error: line:1: …^
suspicious, but not flagged here: http://wepawet.iseclab.org/view.php?hash=c7a1700f52709813eb27f61e239e35d2&t=1359737574&type=js
Right verdict on site here: http://labs.sucuri.net/?blacklist=mywebcamcrush.com → Site found to be used on spam campaigns (either forum, comment or SEO spam), the jQuery code can be corrected following instructions here: http://fixingthesejquery.com/

polonus

Another one here: https://www.virustotal.com/url/51bf9153601984d54f131926f2dd516fbb3c92aaa4e3af3b67660b372860ce8a/analysis/1359822210/
Only flagged by ESET.
The location line in the header above has redirected the request to: secure.php?cmd=home (so-called command injection attack via shell code *)

Spamhaus alerts:
SBL173016
124.51.247.59/32 uplus.co.kr
18-Jan-2013 07:02 GMT
Botnet spammer hosting: these criminals use botnets and hijacked computers to send their spam

Sality launched from a domain now on the same IP, but mitigated from another IP: http://urlquery.net/report.php?id=861892
No actual abuse: http://www.projecthoneypot.org/ip_124.51.247.59
Another one from that same IP: htxp://geuwofiuz.health-prointernet.ru/
This is the same here: The location line in the header above has redirected the request to: secure.php?cmd=home

Both sites became victims of a command injection attack to get a display of the content of “/home/docs/home.html” inside the page *.

Flaw or hiccup in the code here: (script) geuwofiuz.health-prointernet dot ru/js/easing.js
status: (referer=geuwofiuz.health-prointernet dot ru/)saved 8305 bytes 7fbd9db94fe93db1c641c663325871688f0a0d53
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable jQuery.easing
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var jQuery.easing = 1;
error: line:1: …^
suspicious (as this is a clear hack, see: http://stackoverflow.com/questions/13514931/easing-the-excution-flow-in-js-jquery
discussion started there by user1514042 (animation not properly applied))

polonus

More details for above mentioned site here: http://sitecheck.sucuri.net/results/euwofiuz.health-prointernet.ru
see: http://www.siteadvisor.com/sites/euwofiuz.health-prointernet.ru (blacklisted)
Blackhat seo-spam site: http://labs.sucuri.net/db/malware/malware-entry-mwspamseo (various instances)
But connection timed out: http://urlquery.net/queued.php?id=11729721 (Now I know that is because of avast Network Shield blocking this *)
Webbug result

HTTP/1.1 405 Not Allowed
Server: nginx/1.2.6
Date: Sat, 02 Feb 2013 16:53:30 GMT
Content-Type: text/html
Content-Length: 172
Connection: close
GET immediately gives that avast Network Shield blocks this malicious site as http:;127.0.0.0/ *

* Another great job by the avast Network Shield protecting us here…

polonus

another Phish site bcr-banco.com/
https://www.virustotal.com/url/d43d485b9ca64ab214b0da0f1ec7953449b7e53b8c9eee4215e5fc09805fa0fe/analysis/1359832797/

fake PayPal doctoresdelapinata.org/slideshowp/PayPal.com/
https://www.virustotal.com/url/86c4b7c1c5c34047e23c015f64a7e2c8b37e1f265ff10b4b13e5eee42bd338ab/analysis/1359832972/

Hi Pondus,

Here we see why, see attached image (click attached image to view code and again to enlarge)
Very strange, nothing detected here: http://sitecheck.sucuri.net/results/bcr-banco.com/
Fake sites and scams here: http://www.malwareurl.com/ns_listing.php?as=AS26101
And it is an oldy: http://lists.clean-mx.com/pipermail/phishwatch/20120724/048728.html
and more recent look-up here:
http://permalink.gmane.org/gmane.comp.security.phishings/8781

For the code after the /html tag, this markup has been added by the hoster (AS26101). In the hosting panel, one should search and deactivate any "counter/statistics" tool. (Credits for this info from stack overflow go to poster: Roman at StackOverflow -

judging from the coding practices the guys at yahoo seem to be using, it’s no wonder everybody’s using google as default search engine.
quote also from Roman in that same thread)…
this was discussed at stack overflow because the Yahoo code created validation errors…

polonus

This PHISH is long overdue active since 2013-01-28 18:06:07 141.4 hrs
See this line in the code: 5: < meta http-equiv="refresh" content="0.1;url=htxp://secure.run​escape .com.vvwow.asia/m=weblogin/loginform.html?mod=www&ssl=0&dest">
Target is runescape
https://www.virustotal.com/url/b259c1ba3f09c15b4e58811bf028641358159928b0b0766ee972a878e7fcaf03/analysis/1359901674/
Blacklisted: http://sitecheck.sucuri.net/results/www.lidanhang.com
Also given here: http://comments.gmane.org/gmane.comp.security.phishings/9333
Nothing here: http://urlquery.net/report.php?id=924091
Nice write up from Adam Kujawa of how this target PHISH is being achieved, can be found through this link:
http://blog.malwarebytes.org/intelligence/2012/07/phishing-101-part-2/

polonus
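As an added example (not code from this thread or from any of the tools polonus links), a small Python scanner for the two redirect patterns quoted in the posts above: a borderless full-page frame that pulls in an off-site page, and a near-zero meta refresh that sends the visitor to another domain. The sample HTML, hostnames and function names are constructed placeholders.

```python
# Added example, not from the forum thread: flag hidden <frame>/<iframe> elements
# and <meta http-equiv="refresh"> redirects that point off-site, the two patterns
# quoted in the posts above. Hostnames below are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse


class RedirectFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (kind, url)

    def _external(self, url):
        host = urlparse(url).hostname
        return host is not None and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names; valueless attrs (e.g. noresize) come back as None
        a = {k: (v or "") for k, v in attrs}
        if tag in ("frame", "iframe"):
            src = a.get("src", "")
            borderless = (a.get("frameborder") == "0" and a.get("marginwidth") == "0"
                          and a.get("marginheight") == "0")
            hidden = borderless or a.get("width") == "0" or a.get("height") == "0"
            if src and hidden and self._external(src):
                self.findings.append(("hidden_frame", src))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            parts = a.get("content", "").split(";", 1)  # "0.1;url=http://..."
            if len(parts) == 2:
                url = parts[1].strip()
                if url.lower().startswith("url="):
                    url = url[4:].strip().strip("'\"")
                try:
                    delay = float(parts[0])
                except ValueError:
                    return
                # an immediate refresh to another domain is the phishing pattern quoted above
                if delay <= 1 and self._external(url):
                    self.findings.append(("meta_refresh", url))


def scan_html(html, page_host):
    p = RedirectFinder(page_host)
    p.feed(html)
    return p.findings


SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0.1;url=http://login.example-bank.invalid/m=weblogin/loginform.html">
</head><frameset rows="100%">
<frame marginwidth=0 marginheight=0 frameborder=0 name="TOPFRAME" src="http://landing.example-cam.invalid/page" noresize>
<frame src="/local.html" frameborder=0 marginwidth=0 marginheight=0>
</frameset></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE, "www.victim-site.invalid"):
        print(kind, url)
```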