Site with web beacon given as malware site, but what malware?

See: https://www.virustotal.com/nl/url/44c78ff32db9ab75dc677ad6e9effcc25c366520ff52e65236ca9ab92bd1a51f/analysis/1413921709/
Most blacklists say they do not have the site, and it is also not recognized as a PHISH.
Current status said unreachable. Critical website errors detected by Sucuri.
In code going to wX=ww.dnsrsearch.com/index.php → issue? : http://www.wix.com/support/html5/ugc/26168b83-9d8a-4a8f-af21-441ca931c7db/e27da127-bdb2-4dee-893d-617b4c1e4c55
Code hiccup: cdn.srchdeliv dot com/js/jquery.min.js benign
[nothing detected] (script) cdn.srchdeliv.com/js/jquery.min.js
status: (referer=www.dnsrsearch dot com/index.php?origURL=htXp:/www.onemillionathome.com/)saved 93435 bytes d09d3a99ed25d0f1fbe6856de9e14ffd33557256
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
suspicious: external code link to: adserver.adtechus dot com/addyn - malware site: https://www.mywot.com/en/scorecard/advertserve.com?utm_source=addon&utm_content=popup
Some see this as legit: http://myip.ms/info/whois/104.131.12.134/k/609595416/website/advertpro.com

pol

Domain is deleted and available again; is it being used for malware distribution in the meantime?
http://whois.domaintools.com/onemillionathome.com
This site could be a sinkhole candidate or should be blocked.

polonus

When Sucuri says "Unable to properly scan your site", it usually means the site is down http://www.downforeveryoneorjustme.com/http://www.onemillionathome.com/

But it is not down as you can see from the jsunpack scan results, it just won’t resolve as there is no official record for it.
Normal resolving gets a PHP Fatal error: File not found
Convince yourself here: http://jsunpack.jeek.org/?report=a88e3e43fdd49895b8a4bec0fbb10dc7689625cf
directly redirecting to: -www.dnsrsearch.com/index.php?origURL=http:/www.onemillionathome.com/./js/v0Min.js benign
Well, that "benign" is a joke there… ;D
Grand playground for official white-collar cybercrime that goes under the detection radar via dnssearch.
Officially the site does not exist, however it is still going on to score ad income for those that redirect it.

polonus

If I try to go there using Chrome or Opera, I just get "this site is not available".

urlquery.net gives an error … not a valid URL

But did you open the jsunpack scan result link?

Scan results here from 350 days ago: http://killmalware.com/www.onemillionathome.com/
Compare with: http://killmalware.com/www.dnsrsearch.com/index.php?origURL=http:/www.onemillionathome.com/./js/v0Min.js
There it still exists.
I get the HTTP Request Header

Connect to 198.105.244.228 on port 80 … ok

GET /index.php?origURL=-http%3A%2Fwww.onemillionathome.com%2F.%2Fjs%2Fv0Min.js HTTP/1.1[CRLF]
Host: -www.dnsrsearch.com[CRLF]
Connection: close[CRLF]
User-Agent: Web-sniffer/1.1.0 (+http://web-sniffer.net/)[CRLF]
Accept-Encoding: gzip[CRLF]
Accept-Charset: ISO-8859-1,UTF-8;q=0.7,*;q=0.7[CRLF]
Cache-Control: no-cache[CRLF]
Accept-Language: de,en;q=0.7,en-us;q=0.3[CRLF]
Referer: http://web-sniffer.net/[CRLF]
[CRLF]
HTTP Response Header

Name Value Delim
Status: HTTP/1.1 200 OK
Server: nginx
Date: Tue, 21 Oct 2014 20:52:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Last-Modified: Tue Oct 21 20:52:17 UTC 2014
Set-Cookie: PHPSESSID=6kneufebkondam8bbfi6c37cb6; expires=Wed, 21-Oct-2015 20:52:17 GMT; Max-Age=31536000; path=/
Expires: Tue, 21 Oct 2014 20:52:17 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: langPref=en; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: sgUID=add8d566f096691f612e0794799f9b39; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: sid=4e89305d8d37895c597bd8a7a0b985f4; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: ooep=nxd; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Content-Encoding: gzip

pol
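To make the header dump above easier to read, here is an added example (my own code, not anything posted in this thread or served by dnsrsearch). It embeds a copy of the posted request line and response headers so it runs offline, decodes the `origURL` parameter that tells the redirect page which dead domain sent the visitor, and lists the `Set-Cookie` identifiers with their lifetimes. The request target below has the defanging dash from the post removed; the single slash in `http:/www.onemillionathome.com` is kept exactly as posted, which is why the host is pulled out with a regex rather than `urlsplit`.

```python
"""Parse a raw HTTP request/response header dump (web-sniffer style) and
report the redirect origin and the long-lived cookies it sets.

Added example; the header text is a constructed copy of the dump posted
in this thread, embedded so the script runs without network access.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request line as posted (defanging dash removed). Assumption: the single
# slash after "http:" is reproduced as posted, not corrected.
REQUEST_TARGET = (
    "/index.php?origURL=http%3A%2Fwww.onemillionathome.com%2F.%2Fjs%2Fv0Min.js"
)

# Response headers as posted, one header per line.
RESPONSE_HEADERS = """\
Status: HTTP/1.1 200 OK
Server: nginx
Date: Tue, 21 Oct 2014 20:52:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Last-Modified: Tue Oct 21 20:52:17 UTC 2014
Set-Cookie: PHPSESSID=6kneufebkondam8bbfi6c37cb6; expires=Wed, 21-Oct-2015 20:52:17 GMT; Max-Age=31536000; path=/
Expires: Tue, 21 Oct 2014 20:52:17 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: langPref=en; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: sgUID=add8d566f096691f612e0794799f9b39; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: sid=4e89305d8d37895c597bd8a7a0b985f4; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: ooep=nxd; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Content-Encoding: gzip
"""

SECONDS_PER_DAY = 86400


def parse_headers(raw):
    """Split a header dump into (name, value) pairs, keeping repeats
    such as multiple Set-Cookie lines in order."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def orig_url(request_target):
    """Return the decoded origURL query parameter, or None if absent."""
    query = urlsplit(request_target).query
    return parse_qs(query).get("origURL", [None])[0]


def orig_host(url):
    """Host part of the origURL; tolerates the single-slash form as posted."""
    match = re.match(r"https?:/+([^/]+)", url or "")
    return match.group(1) if match else None


def parse_set_cookie(value):
    """Return (cookie_name, attributes) for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def summarize(raw_headers, request_target, tracking_days=365):
    """Summarize the exchange: status, server, origin domain, cookie
    lifetimes in days, and cookies living longer than tracking_days."""
    pairs = parse_headers(raw_headers)
    headers = dict((k.lower(), v) for k, v in pairs)
    cookies = {}
    for name, value in pairs:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        max_age = int(attrs.get("max-age", "0"))
        cookies[cookie] = max_age // SECONDS_PER_DAY
    origin = orig_url(request_target)
    return {
        "status": headers.get("status"),
        "server": headers.get("server"),
        "orig_url": origin,
        "orig_host": orig_host(origin),
        "cookies": cookies,
        "tracking_cookies": [c for c, days in cookies.items() if days > tracking_days],
    }


if __name__ == "__main__":
    report = summarize(RESPONSE_HEADERS, REQUEST_TARGET)
    print("redirect origin:", report["orig_host"])
    for cookie, days in report["cookies"].items():
        print("cookie %-10s lifetime %5d days" % (cookie, days))
    print("cookies outliving one year:", ", ".join(report["tracking_cookies"]))
```

Run as-is and it shows the point the dump makes: the request carries the dead domain in `origURL`, the response is a plain 200 from nginx, and four of the five cookies (`langPref`, `sgUID`, `sid`, `ooep`) are set for ten years, which is what lets the redirect page keep recognizing a visitor long after the original site has gone.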

Yes I did :wink:

Hi Pondus,

Now you see the peekaboo game that is being played by dnsrsearch ;D
Clever, isn’t it? And there are more parked domains going on to bring in the money;
only sites that cannot resolve, that is new for me. I also guess they do not pay tax on the advert income that way. 8)

polonus

If you can’t access the site, it can’t be dangerous … or am I missing something?

Yes it can and McAfee Siteadvisor gives it as suspicious: 192.95.22.46
It was a malware site: https://www.virustotal.com/nl/url/b6698c6492574544289a9424c121135485eb65f1e84c4cebfd365008be50feea/analysis/
hxtp://onemillionathome.com/cgi-sys/suspendedpage.cgi
and you could be right here: https://www.virustotal.com/nl/file/07f99e34de6b4f4707f502d1cfcf2957b330c5ff713cf377d1eb82b85f975539/analysis/1386101146/
The direct look-up fails, but a search engine may play foul.
Here they don’t even know it is down - http://www.avgthreatlabs.com/website-safety-reports/domain/onemillionathome.com/

But there is something PHISHY about the redirecting results, maybe users without script blocking and request policy are at risk.

pol