Possible hacked website

Would you say this site is hacked? There’s one object that looks like an invisible iframe to me but I’m no expert (Avast! is alerting me with an abort connection message every time I go on).
hxxp://www.maroczik.com/

http://wepawet.cs.ucsb.edu/view.php?hash=7cf83ee8066522a674c10df697335b67&t=1256929469&type=js

The wxw.touchmedia-ads.com entry looks suspicious to me, but neither WOT nor Site Advisor have any info on it.

Hi Yawetage,

It seems as though the site has been hacked.

The pic attached highlights a script (right at the bottom of the page) that causes avast! to alert. (I am not currently on an avast! machine, but have checked it with the avast! online scanner - second image.)

This is probably what avast! is alerting to…

the touchmedia-ads script seems to be clean…

-Scott-

This was what was detected here:
(Level: 0) Url checked:
hxtp://www.maroczik.com/
Google code detected (Ads, not a cheater)
Zeroiframes detected on this site: 2
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://www.swi9a.com/mz_vid_feed.php
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://www.fopsl.cn/forum/index.php
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://www.fopsl.cn/forum/index.php
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.maroczik.com/fonctions.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.maroczik.com/scripts/ac_runactivecontent.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.maroczik.com/js/prototype.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.maroczik.com/js/effects.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.maroczik.com/js/controls.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxtp://www.maroczik.com/js/javascript:false;
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
type=text/javascript htxp://ad.advertstream.com/adjs_r.php?what=zone:15371&inf=no
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
type=text/javascript htxp://pagead2.googlesyndication.com/pagead/show_ads.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.google-analytics.com/urchin.js
Zeroiframes detected on this site: 0
No ad codes identified

So there is maintenance on the site,

But these are the threats found:

Report of threats
Total number of threats found: 3

Following Drive-by downloads

Name of threat: HTTP Acrobat PDF Suspicious File Download
Location: hxtp://www.maroczik.com/index.php?c=206&genre=7

Directing to: hxtp://www.maroczik.com/index.php?c=219&genre=7
Location: hxtp://www.maroczik.com/index.php?genre=7&c=63

Name of threat: Directing to HTTP Acrobat PDF Suspicious File Download
Location: htxp://www.maroczik.com/index.php?genre=7&c=212

So this site could seriously damage your computer, good that avast will disconnect you via the Webshield,

polonus
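
The kind of check the scan above reports (zero-size or hidden iframes, plus script sources loaded from other hosts), as an added example that is not part of the original post and is not the scanner used in this thread. The sample HTML and all hostnames in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not the real site's HTML); hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<script src="/js/prototype.js"></script>
<script src="http://ads.example.net/show.js"></script>
<iframe src="/player.php" width="640" height="360"></iframe>
<iframe src="http://injected.example.org/forum/index.php" width="0" height="0"></iframe>
<iframe src="http://feed.example.org/vid.php" style="visibility:hidden; width:1px"></iframe>
</body></html>
"""

# Inline styles that make a frame invisible or shrink it to 0/1 pixels.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_STYLE = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class FrameAudit(HTMLParser):
    """Collects hidden iframes and off-site script sources from one page."""
    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.host = urlparse(base_url).hostname
        self.hidden_iframes = []
        self.external_scripts = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.base, a.get("src", ""))  # resolve relative URLs
        if tag == "iframe" and self._is_hidden(a):
            self.hidden_iframes.append(src)
        elif tag == "script" and a.get("src") and urlparse(src).hostname != self.host:
            self.external_scripts.append(src)

    @staticmethod
    def _is_hidden(a):
        # width/height attributes of 0 or 1, or a hiding/shrinking inline style
        tiny_attr = any(a.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
        style = a.get("style", "")
        return tiny_attr or bool(HIDDEN_STYLE.search(style) or TINY_STYLE.search(style))

def audit(html, base_url):
    """Return (hidden_iframe_urls, external_script_urls) for one HTML document."""
    parser = FrameAudit(base_url)
    parser.feed(html)
    return parser.hidden_iframes, parser.external_scripts
```

This only inspects static markup; frames written into the page by obfuscated JavaScript at load time will not show up without executing or deobfuscating the script.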

same here…

edit: DrWeb says it’s clean (with a scan from the link in a google search) ???
http://online.us.drweb.com/cache/?i=5e6265af2a4112b8c082bc7c5abe3315
(don’t know how deep this link scanner is scanning…)

Hi Logos,

Here you find your answer to what kind of malware this is:
http://forum.avast.com/index.php?topic=43928.0

polonus

OK thanks… but do you have an idea why Dr Web (and most likely AVG link scanner…) says it’s clean?
(I edited my last post)

Hi Logos,

Of course I know why this is. It is because DrWeb’s av link scanner does not scan for all the links and redirects. This is so with many real-time scanners that scan for the given link. Reputation scanners can miss infections altogether because the site might have been hacked 5 min ago… and became suspicious or hacked from being secure and with a good reputation in the past.
Sometimes just inspection of the code on the site itself will give you a clue what the threat is, at least when you know where to look.

Protection against this: update and patch OS and third-party software fully (Secunia PSI), use a normal user account for online activities (outside updating and certain downloads for which one needs admin rights), so that 97% of known malware for the Windows platform cannot harm your OS by running the code in system(32) folders. Use a two-way firewall and an updated av solution. Use Firefox or Flock browser with the NoScript and RequestPolicy add-ons to protect against malcode scripts running or suspicious domain requests being performed. If you follow that policy there is not much that can harm you, especially while avast webshield will save your glorious behind as an added line of defense…

polonus

thanks for the feedback :wink: …thought as I said above link scanners didn’t scan that deep.