site compromised

hello

Yesterday, Sunday, when I went to access this page, a message attacked:

http://i.imgur.com/WtSlACd.png

http://sitecheck.sucuri.net/results/www.redeceteps.com.br

http://urlquery.net/report.php?id=1414407303604

See, avast detects Html:defacement-N [trj].

My computer has not been compromised.
I would like to analyze the logs and not have certain strange behavior again.

FRST logs attached.

Hi jefferson santiag,

Site has been taken down now.

Page Response Status
http://redeceteps.com.br/
500 Can’t connect to redeceteps.com.br:80
Content-Length: 192
Content-Type: text/plain
clean
http://redeceteps.com.br/test404page.js
500 Can’t connect to redeceteps.com.br:80
Content-Length: 192
Content-Type: text/plain
clean

Where did we come across this particular defacement malcode? Well, it was discussed earlier here for a similar attack:
https://forum.avast.com/index.php?topic=143639.0

Read about this facebook abuse through obfuscated javascript reversing defacement malcode here: http://viralgandhi1990.blogspot.nl/
On dropbox abuse: http://malware-traffic-analysis.net/2014/05/19/index2.html
The IDS alert you gave:
urlQuery Client ET POLICY DropBox User Content Access over SSL (fake log-in page being hosted on dropbox)
Read how this is being performed, from Chris Hemedinger, here: http://blogs.sas.com/content/sasdummy/2012/12/18/using-sas-to-access-data-stored-on-dropbox/ (the cloud is not all that secure yet ;D - pol).

polonus

I’m sure that was done during the night here in Brazil,
at eight o’clock PM, after the result for president, because of the elections in the country.
Only avast detects it; the files are in the virus chest.
Not yet added by other antivirus.

https://www.virustotal.com/pt/file/533ce6ff462c56a21740c96d7ffc47f58da2e109b1b5fab4c86b927569b117da/analysis/1414436036/

Detected by the Chinese product as Trojan generic;
it was removed from the database.

Again Avast first to detect: First submission 2014-10-27 00:42:56 UTC ( 18 hours, 20 minutes ago )

This is detected by avast and Qihoo 360:

https://www.virustotal.com/pt/file/533ce6ff462c56a21740c96d7ffc47f58da2e109b1b5fab4c86b927569b117da/analysis/1414437231/

Looks clean :slight_smile:

Hi jefferson santiag,

Thanks for the heads up, and essexboy for confirming that you got off scot-free.
Thanks to avast! for protection against this at a very early stage.
Threads like this one leave you with a good feeling.

polonus

Deface code is usually not malicious … unless they add some extra code

<title>Hacked by The HaCk-BLack Team</title>

https://www.virustotal.com/nb/file/6e6040603640f20bbffeadbe7cddcd24f86b17462119bbc770105bfe5be1ffde/analysis/

Hi Pondus,

Not completely true; sometimes it is a mix - and the added code is coming from this IP source: 54.225.142.77
But what is found here is not to be trusted: https://www.virustotal.com/nl/ip-address/54.225.142.77/information/
and adware and malware galore, as you can see here: http://www.herdprotect.com/ip-address-54.225.142.77.aspx
This is all because of these IDS flags, here: http://urlquery.net/report.php?id=1414407303604
with some PUPs and some generic frauder finds. 8)
So I would not like to come and visit it when it is viral. Good that avast! protects us here
and that we are being forewarned by our constant threat analysis.

pol
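Pondus and polonus make the distinction above between a pure defacement (a replaced title or banner, not malicious by itself) and a defacement that also pulls in "extra code" from an outside host. The following is an added example, not code from the forum thread or from any of the posters, showing how a site owner could check a saved copy of a page for both signs: a defacement marker in the `<title>`, and `<script>`/`<iframe>` sources whose host is not on the site's own allowlist. The sample HTML, the allowlist and the hosts in it are constructed for illustration; the IP used is from the documentation range, not the one discussed in the thread.

```python
"""Added example (not from the forum thread): a small static checker for a
saved copy of a web page that flags the two things discussed in the thread:
1. a defacement banner (e.g. a <title> containing "Hacked by"), and
2. "extra code" in the form of <script>/<iframe> sources pointing at hosts
   that are not on the site's own allowlist.
Sample HTML, allowlist and hostnames below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a defaced page that also loads a remote script and frame.
SAMPLE_HTML = """<html><head>
<title>Hacked by The HaCk-BLack Team</title>
<script src="https://cdn.example-site.test/site.js"></script>
<script src="http://203.0.113.45/inject.js"></script>
</head><body>
<iframe src="https://cdn.example-site.test/widget"></iframe>
<iframe src="//files.example-attacker.test/frame"></iframe>
<script>var x = 1;</script>
</body></html>"""

# Hosts the site legitimately loads resources from (constructed allowlist).
ALLOWED_HOSTS = {"cdn.example-site.test", "www.example-site.test"}

# Common phrases seen in defacement banners (case-insensitive match).
DEFACEMENT_MARKERS = ("hacked by", "owned by", "defaced by")


class _Collector(HTMLParser):
    """Collects the page title and every script/iframe that has a src."""

    def __init__(self):
        super().__init__()
        self.title_parts = []
        self._in_title = False
        self.sources = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def _host_of(src):
    """Hostname of a resource URL; '' for relative (same-origin) paths."""
    # Protocol-relative "//host/path" needs a scheme for urlsplit to see the host.
    if src.startswith("//"):
        src = "http:" + src
    return urlsplit(src).hostname or ""


def check_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the defacement title (or None) and resource loads from untrusted hosts."""
    collector = _Collector()
    collector.feed(html)
    title = "".join(collector.title_parts).strip()
    deface = title if any(m in title.lower() for m in DEFACEMENT_MARKERS) else None
    untrusted = [
        (tag, src) for tag, src in collector.sources
        if _host_of(src) and _host_of(src) not in allowed_hosts
    ]
    return {"defacement_title": deface, "untrusted_sources": untrusted}


if __name__ == "__main__":
    result = check_page(SAMPLE_HTML)
    print("defacement title:", result["defacement_title"])
    for tag, src in result["untrusted_sources"]:
        print(f"untrusted {tag} load: {src}")
```

Inline scripts without a `src` and same-origin relative paths are left alone; only the title marker and off-site loads are reported, which is the split the two posts above draw between a banner and added code. A real deployment would feed it the page as fetched from the server, compare against the site's known resource hosts, and treat any hit as a reason to pull the server-side files for review.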

Thanks for your help :slight_smile:
I am hardly going to fall for a coup, but while the page is not ideal to enter, the information can be a danger (the visual has apparently been modified as bait). The website owner probably does not even know about the attack.
This is the second time I enter a hacked site, but I do not know this group or even their intentions (good or bad, it does not interest me).

I believe the “HackBlack” team is a branch of Anonymous…

https://www.youtube.com/watch?v=CqlzD1X7OnE

I also found other sites hacked by them.
hxxt://xxx.robit.cc
hxxp://ppc.easyefortune.c0m/
hxxp://abpvis.c0m/

http://sitecheck.sucuri.net/results/www.robit.cc
http://www.urlvoid.com/scan/robit.cc/
http://urlquery.net/report.php?id=1414497635706

I think we get the point, they aren’t friendly