Trojans detected:
Object: http://best-javlon.fo.ru/
SHA1: b95ca7022414dfa722e8777525a893a2affd8372
Name: TrojWare.JS.Agent.JL
Site blacklisted and probably compromised.
best-javlon.fo.ru/common/mlp/js/anonymous.lib.js?11744 benign
[nothing detected] (script) best-javlon.fo dot ru/common/mlp/js/anonymous.lib.js?11744
status: (referer=best-javlon.fo.ru/ )saved 518068 bytes afdd91b1b57ab25da7aae2fec9c457ab5a213c66
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [iframe] best-javlon.fo dot ru/common/mlp/js/javascript:false;
info: [img] best-javlon.fo dot ru/common/mlp/js/
info: [iframe] best-javlon.fo dot ru/common/mlp/js/
info: [img] best-javlon.fo dot ru/common/tinyMCE_3.4.4/themes/advanced/img/trans.gif
info: [img] best-javlon.fo dot ru/common/widget/unlink.gif
info: [img] best-javlon.fo dot ru/common/widget/link.gif
info: [decodingLevel=0] found JavaScript
suspicious:
Server software https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=nginx;dist=unstable bugs exploitable for nginx/1.6.2?
IP badness history: https://www.virustotal.com/nl/ip-address/213.19.128.77/information/
XSS could be exploitable on site: Results from scanning URL: hxtp://best-javlon.fo.ru
Number of sources found: 33
Number of sinks found: 197
Results from scanning URL: htxp://am15.net/sb.php?s=45130
Number of sources found: 2
Number of sinks found: 176
Results from scanning URL: //wXw.googleadservices.com/pagead/conversion.js *
Number of sources found: 535
Number of sinks found: 146
polonus
On the above site there is also a security exploit: a client-side JavaScript vulnerability via document.referrer.substring on htxp://am15.net/sb.php?s=45130. Read: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20051202-1_webmail_security.txt
pol
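The document.referrer.substring pattern named in the post above, as an added example (this is not code from the thread, from the scanned site or from the SEC Consult advisory): a script slices a value out of the referrer and writes it into the page, which is a DOM-based XSS because the referrer is set by whichever page linked to the victim, so an attacker who lures a user through a crafted link controls it. The referrer is passed in as a string and a plain object stands in for document, so it runs under Node; the marker name "q=", the attacker URL and the sample script text are assumptions constructed for the demonstration. The last function is a crude token count of the kind that produces the "sources found / sinks found" figures quoted earlier in the thread, not a data-flow analysis.

```javascript
// Added example (not from the thread): document.referrer as a DOM XSS source.

// Minimal HTML escaping for a text context (assumption: not used for
// attribute or URL contexts, which need different encoding).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The classic pattern: find a marker (assumed here to be "q=") in the
// referrer and take the substring after it up to the next "&".
function termFromReferrer(referrer, marker = 'q=') {
  const i = referrer.indexOf(marker);
  if (i === -1) return '';
  const rest = referrer.substring(i + marker.length);
  const end = rest.indexOf('&');
  const raw = end === -1 ? rest : rest.substring(0, end);
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed percent-encoding: keep it as-is rather than throw
  }
}

// Vulnerable: the attacker-controlled fragment lands in innerHTML unescaped,
// so a referrer such as ...?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
// injects a live <img onerror> element.
function renderVulnerable(page, referrer) {
  page.innerHTML = 'You searched for: ' + termFromReferrer(referrer);
  return page.innerHTML;
}

// Hardened: escape before the value reaches a markup sink. In a real page
// assigning to textContent instead of innerHTML is simpler and safer still.
function renderHardened(page, referrer) {
  page.innerHTML = 'You searched for: ' + escapeHtml(termFromReferrer(referrer));
  return page.innerHTML;
}

// Heuristic source/sink count over script text, in the spirit of the numbers
// scanners report. It counts token occurrences only; it does not prove that
// any source actually flows into any sink.
const DOM_SOURCES = ['document.referrer', 'location.hash', 'location.search', 'document.URL', 'window.name'];
const DOM_SINKS = ['innerHTML', 'outerHTML', 'document.write', 'insertAdjacentHTML', 'eval('];
function countSourcesAndSinks(scriptText) {
  const count = (needles) => needles.reduce((n, s) => n + scriptText.split(s).length - 1, 0);
  return { sources: count(DOM_SOURCES), sinks: count(DOM_SINKS) };
}

// Constructed sample script showing the vulnerable flow in three lines.
const SAMPLE_SCRIPT = [
  'var ref = document.referrer;',
  'var term = ref.substring(ref.indexOf("q=") + 2);',
  'document.getElementById("hint").innerHTML = "You searched for: " + term;',
].join('\n');

// Constructed attacker referrer: a lure page whose URL carries an <img onerror> payload.
const EVIL_REFERRER = 'http://attacker.example/lure?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&x=1';

function demo() {
  return {
    vulnerable: renderVulnerable({}, EVIL_REFERRER),
    hardened: renderHardened({}, EVIL_REFERRER),
    scan: countSourcesAndSinks(SAMPLE_SCRIPT),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

One caveat for anyone retesting this today: current browsers default to a strict-origin-when-cross-origin referrer policy, which strips the path and query from cross-origin referrers, so the lure above only reaches the vulnerable script when the site is same-origin with the lure, sets a looser Referrer-Policy, or the visitor runs an older browser. The code is still wrong; it is just harder to reach.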
polonus
November 24, 2014, 6:39pm
3
Another more recent detection for this domain: https://app.webinspector.com/public/reports/show_website?result=3&site=http%3A%2F%2Fcgulcg.fo.ru
On the list of unsafe sites: https://app.webinspector.com/recent_detections?id=93974
Suspicious Javascript Check
Included Script Check: Suspect - please check list for unknown includes
htxp://am15.net/sb.php?s=45130
Suspicious Script:
cgulcg.fo dot ru//common/mlp/js/anonymous.lib.js?11759
.ru/market"; }, applets_content: function() { if($('#tp_applets_content').length){ $('#tp_applets_content').toggle();
404 error check: Suspicious Suspicious 404 Page:
Re: http://jsunpack.jeek.org/?report=f8828f3d8eb8a937f44569410fb0c322facc93b5
Link for security research only, open with NoScript active and in a VM/sandbox
Code hiccup: cgulcg.fo dot ru/common/mlp/js/anonymous.lib.js?11759 benign
[nothing detected] (script) cgulcg.fo dot ru/common/mlp/js/anonymous.lib.js?11759
status: (referer=cgulcg.fo dot ru/)saved 518068 bytes afdd91b1b57ab25da7aae2fec9c457ab5a213c66
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [iframe] cgulcg.fo dot ru/common/mlp/js/javascript:false;
info: [img] cgulcg.fo dot ru/common/mlp/js/
info: [iframe] cgulcg.fo dot ru/common/mlp/js/
info: [img] cgulcg.fo dot ru/common/tinyMCE_3.4.4/themes/advanced/img/trans.gif
info: [img] cgulcg.fo dot ru/common/widget/unlink.gif
info: [img] cgulcg.fo dot ru/common/widget/link.gif
info: [decodingLevel=0] found JavaScript
error: undefined function q.getElementsByTagName
error: undefined variable q
suspicious: exceeded code runtime…
pol
Update - another sub domain with virus issues: https://www.virustotal.com/nl/url/f1da6ea0b286aba264e5301c249e785e9d4b0fb54af166c9868e0101aa8ad0b1/analysis/1427904147/
Nothing here: http://sitecheck.sucuri.net/results/ltldsd.fo.ru
On that IP: http://urlquery.net/report.php?id=1426151234250
Consider: {"c": [{"v": "htxp://sync2.audtd.com/match…/advmaker"}, {}, {"v": 204}, {}, {}, {}, {}, {}]}, {"c": [{"v": "htxp://www.rw6ase.narod.ru…/favicon.ico"}, {"v": 1}, {"v": 200}, {"v": "image/x-icon"}, {}, {}, {},
See: http://www.scumware.org/report/213.19.128.77.html & http://support.clean-mx.de/clean-mx/viruses.php?id=61922217
& http://www.nictasoft.com/ace/malware-urls/18610807/ → HEUR:Trojan.Script.Generic - OVERDUE! malware.
Quttera detects: http://quttera.com/detailed_report/ltldsd.fo.ru
4 malicious files with detected reference to malicious blacklisted domain -izpjsz.fo.ru
SQL code detected.
9 detected suspicious files with detected reference to suspicious blacklisted domain yep.com,
engaged in distribution of malware: https://www.mywot.com/en/scorecard/yep.com?utm_source=addon&utm_content=popup
polonus
Update: https://www.virustotal.com/en-gb/url/55d4f23be6e5a0c17a49e0f75cf607fbc63aa7c66ff4c6ea2707a9c0ef0edc10/analysis/1435580429/
See: 18 instances of “detected reference to malicious blacklisted domain -clck.ru”
List of blacklisted external links: 1
htxp://clck.ru/8ai8w
List of referenced blacklisted domains/hosts: 1
-clck.ru
Outdated Web Server Nginx Found Vulnerabilities on nginx nginx/1.2.8
malware alerts: https://urlquery.net/report.php?id=1435580534440
polonus