Reported domain

Possibly compromised: http://sitecheck.sucuri.net/results/ofertaonacional.com
Abuse instances 501374 First seen 11/26/2012 Last seen 5/29/2014 Migrated from 200.169.104.140
https://www.virustotal.com/nl/ip-address/200.169.104.140/information/
Site software vulnerable to remote buffer overflow: http://pastebin.com/VvMtydsD
Vulnerable to HTML:Shellface-T[Trj] object, which avast! may detect.
Over 64 domains on same IP, with badness history = https://www.virustotal.com/nl/ip-address/186.224.101.249/information/

pol

Unfortunately nothing from Avast when opening that website.

Hi Steven Winderlich,

That avast does not alert here does not surprise me one bit, as avast is a mono-culture av solution in the Brazil malware theater,
so all malware is scanned there to go under the avast av radar, and avast! has been known to perform rather poorly out there.
Some Brazilian malcreants mockingly call avast! the “malware sieve” :D.
Would like to hear from our friend Tech about the present situation now,
as he is an avast team member from Brazil ;D
and he was a one-time evangelist like we all are here,
before he came to join the avast! ranks.

polonus

Hi all, I checked the website and I found nothing wrong.
It was hacked from the start of the year and used to host phishing content, but it seems clean now and I see all phishing links dead.
Do you know about another issue?

Hi Tondah,

As you say the site seems benign at the mo. Site is Ghosted!
But outdated and vulnerable software is one of the most common causes of website compromises, malware and blacklisting.
The server configuration is vulnerable to PHPshell.
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 mod_perl/2.0.6 Perl/v5.8.8 vulnerable
See various earlier SURICATA TLS invalid handshake message IDS alerts for this particular site.
Sucuri therefore qualifies the website: Site Potentially Harmful. Immediate Action is Required.
Bad web rep javascript code external link: http://fbstatic-a.akamaihd.net/ → src.php/v2/yo/r/PZSRk0mswIW.js

Suspicious Javascript check: Suspicious

y.min.js"> <script type="text/j

Included script check: Suspect - please check list for unknown includes

-http://www.ofertaonacional.com/_js/_functions.js.php

Flagged by Web Rep: htxp://www.ofertaonacional.com/_js/_functions.js.php
checked response time 2.239 sec.

Site reported at WOT for spamming: https://www.mywot.com/en/scorecard/Ofertaonacional.com?utm_source=addon&utm_content=contextmenu

polonus
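The post above reads a vulnerability straight off the Server banner. The following script is an added example, not code from the thread or from any of the tools it names: it splits such a banner into product/version pairs and flags components below a minimum acceptable version. The banner is the one quoted in the post; the minimum versions are illustrative assumptions standing in for a real patch policy or vendor lifecycle data.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the Server header quoted in the post above.
SERVER_HEADER = ("Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 "
                 "mod_bwlimited/1.4 mod_perl/2.0.6 Perl/v5.8.8")

# Assumed minimum acceptable versions, chosen for this illustration only;
# a real check would load these from the site's own patch policy.
MIN_VERSIONS = {
    "Apache": "2.4.0",
    "OpenSSL": "1.0.1",
    "Perl": "5.10.0",
}

# product/version tokens; the optional 'v' handles forms like Perl/v5.8.8
_TOKEN = re.compile(r"([A-Za-z_][\w-]*)/v?([0-9][\w.-]*)")


def parse_server_header(header: str) -> Dict[str, str]:
    """Map each advertised product to its version; '(Unix)'-style notes are ignored."""
    return {name: ver for name, ver in _TOKEN.findall(header)}


def version_key(ver: str) -> Tuple[int, ...]:
    """Compare on the leading dotted numeric part only ('0.9.8e-fips-rhel5' -> (0, 9, 8))."""
    nums = re.match(r"[0-9]+(?:\.[0-9]+)*", ver).group(0)
    return tuple(int(p) for p in nums.split("."))


def outdated_components(header: str, minimums: Dict[str, str] = MIN_VERSIONS) -> List[str]:
    """Return the products in the banner whose version is below the configured minimum."""
    found = parse_server_header(header)
    return sorted(name for name, ver in found.items()
                  if name in minimums and version_key(ver) < version_key(minimums[name]))


if __name__ == "__main__":
    for name, ver in parse_server_header(SERVER_HEADER).items():
        print(f"{name:14s} {ver}")
    print("below minimum:", ", ".join(outdated_components(SERVER_HEADER)))
```

The banner only proves what the server advertises, not what is actually installed (distributions backport fixes without bumping the version string), so a hit here is a prompt to verify with the hoster, not a confirmed vulnerability.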

Thanks polonus.
I agree that vulnerable software is a problem, but we can’t block a site just because it can be attacked. That way, we would have to block half of the internet :slight_smile:
File “_js/_functions.js.php” is obfuscated the same way as malware, but it’s clean after deobfuscation.

Hi Tondah,

Agree with you that from a general user point of view the site is av-standard safe to visit.
The website owner, hoster and webmaster may however be grateful for the existing vulnerability information.
That just depends with how much security awareness and responsibility they run that website.
There is still a lot of ignorance around that may later put visitors at danger at some point in time.
Outdated, and therefore vulnerable, server software and outdated, and therefore vulnerable, CMSs will stay with us for quite some time, I am afraid. Amateurs hosting websites and sloppy hosters keep endangering the Interwebs.

polonus

Pol, is that true? I mean that was the situation and I think it changed after v5 of avast, and since then we have come a long way. “Malware sieve” LOL, could you post a link to some malcreants’ twitter channel who said this ;D

I think the situation has changed after v5, because I am constantly testing malware out on my VMware. I have even seen a lot of banker trojans since v7 and avast seems to be pretty good at them right now.

Hope that my research is right. I won’t like to see avast getting clobbered by Brazilian writers. I think we should ask Tech ;D