Site with errors and warnings

Viruses and worms
1

See: https://asafaweb.com/Scan?Url=news.zjlinkwell.cn
See: https://www.virustotal.com/nl/url/ed454d7e283dc90ad7a757fc0406007862b1ac47c04a06dade7ddef3ec5920d2/analysis/1410205325/
See: http://sitecheck.sucuri.net/results/news.zjlinkwell.cn
abused site. . htxp://news.zjlinkwell.cn/foo/trace.axd Trace Error
Excessive headers warning: Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Clickjacking: Warning
Requested URL: http://news.zjlinkwell.cn/ | Response URL: htxp://news.zjlinkwell.cn/ | Page title: 淫民共和国的最新地址_北原_日本人体淫图_【图片主题站】 | HTTP status code: 200 (OK) | Response size: 26,261 bytes | Duration: 20,541 ms nvalid HTML data

pol

2

External link code suspicious: script] www.anglongtie.com/quanju3.js
info: [decodingLevel=0] found JavaScript
suspicious:
Google Safebrowsing detects malware: https://www.virustotal.com/nl/url/68ca6ba4df7a609fe1eb48b1944a1ab5184c4a0c978a711d57eaf38f4fba9103/analysis/1410206483/
code detected RedKit exploit kit URL pattern, once on IP.

polonus

3

There is one more suspicious looking JS file on the site…Seems like its been cleaned out.

js.users.51.la/17000117.js benign
[nothing detected] (script) js.users.51.la/17000117.js
status: (referer=news.zjlinkwell.cn/stat.js)saved 1980 bytes fdb8139515da7781bb34be65613126838ed351ff
info: [img] icon.ajiang.net/9.gif
info: [decodingLevel=0] found JavaScript
error: undefined variable Image
error: ./pre.js:249: TypeError: Image is not a constructor
info: [var a0117src] URL=web.51.la:82/go.asp?svid=15&id=17000117&tpages=1&ttimes=1&tzone=-4&tcolor=undefined&sSize=undefined,undefined&referrer=undefined&vpage=%5Bobject%20Object%5D&vvtime=1410166602344
info: [var newurl] URL=web.51.la:82/go.asp?svid=15&id=17000117&tpages=1&ttimes=1&tzone=-4&tcolor=undefined&sSize=undefined,undefined&referrer=undefined&vpage=%5Bobject%20Object%5D&vvtime=1410166602344
info: [decodingLevel=1] found JavaScript
error: line:6: TypeError: Image is not a constructor
file: fdb8139515da7781bb34be65613126838ed351ff: 1980 bytes
file: 3a09bfb955b3839ba383ad6ed293a3f6fbd2f0de: 778 bytes

Couldnt pick up anything there,Those binaries seem clean according to virustotal.

Nothing on quanju3.js either:
wxw.anglongtie.com/quanju3.js benign
[nothing detected] wxw.anglongtie.com/quanju3.js
status: (referer=htxp:/wxw.ask.com/web?q=puppies)saved 94 bytes 5e5646507b897345c37af9759a937b7fd56849d7
info: [script] js.lwtzdec.com/js.js
info: [decodingLevel=0] found JavaScript
info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista and browser=Opera and browser=Firefox, 0 bytes
info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista and browser=Opera and browser=Firefox, 96 bytes
info: [decodingLevel=1] found JavaScript
file: 5e5646507b897345c37af9759a937b7fd56849d7: 94 bytes
file: c584af0ec04f796e53d4fd7d6eb427a2e2ef81f9: 96 bytes

https://www.virustotal.com/en/file/fe53e232651bc2352a505c380ed8fe1b5a914051d137839fa5989e7d6495cfa8/analysis/1410232625/
https://www.virustotal.com/en/file/8b66096f8c58cfd64f820b700bd32e88b0b12ad94b4ab825c7f3cde0b9c352a3/analysis/1410232651/

4

Hi True Ind,

Frowned upon by WOT and for valid reasons as a lot of adware blockers and other extensions block this address, so
read user reviews: https://www.mywot.com/en/scorecard/js.users.51.la/17000117.js?utm_source=addon&utm_content=contextmenu
So I had a quick run of this URI Debugger: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=js.users.51.la%2F17000117.js&useragentheader=&acceptheader=
Where we get this source link: htxp://icon.ajiang.net/icon_9.gif which is MALICIOUS → https://www.virustotal.com/nl/url/c51f548c8d6192fbc2481097ba4f0e5d9ea834eebaa93196fd8d4fab72b0832d/analysis/ although it can be safely used as analyzed here: https://www.virustotal.com/nl/file/f9ae4a96bd023475b975884b0345fc1718ad5b394f024d00c4fed2b6df2b7588/analysis/1403520037/
For these cases a third party script blocker like NoScript in fx or ScriptSafe in GoogleChrome is a form of good protection.
Here we can establish that the script is probably safe: -http://jsunpack.jeek.org/?report=9fcc89fbc7088ea97cc0f3177b46b2abde821ce6 (Javascript unpacker to be used exclusively by security researchers on lab settings, use a script blocker and open up in a VM/sandbox to be safer).

An url variable is removed and replaced by a new one: see: http://fetch.scritch.org/%2Bfetch/?url=js.users.51.la%2F17000117.js&useragent=Fetch+useragent&accept_encoding=

polonus