Saved by Avast!

See attachment below.

This came from a site rated as extremely safe by WOT.

Minding my own business, too.

(Second topic)

Yesterday I came across some sort of java script installer at hxxp://www.261.com. The home page loaded without incident, but when I clicked the latest news page a java installation dialog box popped up. It was written in some foreign language I could not read, and was very persistent, always reappearing after the box was closed. I was not able to view the news section, as this box prevented me from entering and behaved similarly to one of those floating ads (very annoying), right in the center of the viewing area, and it remained there no matter whether I scrolled the page I was on up or down.

Could not view so left the site.

Odd thing was, there is no java on the site anywhere that I could see.

Visited just now, and the java thing is gone. I assume the site is clean ATM.

Next time I see one of these critters, I’ll grab a screenshot and post it here.

Avast! had nothing to say about this intrusion. Sorry, I did not think to do it when I had the chance.

nice! avast! 7 rocks!

and now about 216.com
https://www.virustotal.com/url/167db096720e5c912d4baf2dfd0a3e453a0b985c602291d92cec80e60264a959/analysis/1330758944/

TrendMicro description: Safe. The latest tests indicate that this website contains no malicious software and shows no signs of fraud.
TrendMicro category: Message Boards and Forums.
Websense ThreatSeeker category: Message Boards and Forums.
URL after redirects: http://www.261.com/
Response code: 200
Response headers:
    via: HTTP/1.1 GWA
    content-type: text/html; charset=UTF-8
    x-powered-by: PHP/5.2.17
    set-cookie: wpmp_switcher=desktop; expires=Sun, 03-Mar-2013 07:15:45 GMT; path=/
    x-google-cache-control: remote-fetch
    vary: Cookie
    server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    date: Sat, 03 Mar 2012 07:15:44 GMT
    x-mobilized-by: WordPress Mobile Pack 1.2.4
    x-pingback: http://261.com/xmlrpc.php
Response content SHA-256: 2a15f82cb1448bb87ddbe0cc6006f9a566a886714806fba66afcd2a3dc6152cf

http://sitecheck.sucuri.net/results/www.261.com

Sheesh, I forgot to do that too.

Thanks, papu.

no problem! the site is safe…

Hi mchain,

I found no instances of dsp.php.

See http://urlquery.net/report.php?id=27593 and http://urlquery.net/report.php?id=27592
The first is the main site, the second is the latest news.

Both of them only report incidents of their site (See Attachment #1), Google’s site, and maybe an Amazon site, if this information is correct here:
http://zulu.zscaler.com/submission/show/ac79c72402088030aec0ad0db6ce4a5d-1330779908

As for the 261 site, there were some problems when checked with this same scanner:
http://zulu.zscaler.com/submission/show/bb74aa7cd5d7dffdd4398d1947a9ec3c-1330779798

But you mention that when you clicked the latest news page, a java popped up. There is no script to be loaded when the “Latest News” is selected, so it must have come from the “Latest News” page. (See Attachment #2)

I did not find anything interesting either on this “Latest News” page, so I last-resorted to VirusTotal.
https://www.virustotal.com/file/5f287eb1234ba5728e83236678a1c740016fd5971bbe26c6b351616929e880e7/analysis/1330781193/
https://www.virustotal.com/file/f36ee30bac110ffcb58a2426a8b7743b9c09a3c53810694517640b26747b66b3/analysis/1330781204/

Both resulting in b[/b]

So, we can assume that this 261 site either had a conflict with one of the sites it cross-sites to, or the site was hacked and cleaned up in an effort to keep customers.

So, we can assume that this 261 site either had a conflict with one of the sites it cross-sites to, or the site was hacked and cleaned up in an effort to keep customers.

Seems that was what happened. I was fortunate FF was sandboxed at the moment this happened. ;D

As I noted, the very next day, when I visited again, with the intention of capturing the java box, it was gone.

Was the site cross-site linked or hacked? Probably the latter, as this was a dialog box in a foreign language. Could not read it.

Thanks for doing the work. Alas, I could’ve helped Avast! users had I been thinking.

;Sigh