holpo
October 21, 2014, 8:15pm
1
See: https://www.virustotal.com/nl/url/44c78ff32db9ab75dc677ad6e9effcc25c366520ff52e65236ca9ab92bd1a51f/analysis/1413921709/
Most blacklists say they do not have the site; it is also not recognized as a PHISH.
Current status said unreachable. Critical website errors detected by Sucuri.
In code going to wX=ww.dnsrsearch.com/index.php → issue? : http://www.wix.com/support/html5/ugc/26168b83-9d8a-4a8f-af21-441ca931c7db/e27da127-bdb2-4dee-893d-617b4c1e4c55
Code hiccup: cdn.srchdeliv dot com/js/jquery.min.js benign
[nothing detected] (script) cdn.srchdeliv.com/js/jquery.min.js
status: (referer=www.dnsrsearch dot com/index.php?origURL=htXp:/www.onemillionathome.com/)saved 93435 bytes d09d3a99ed25d0f1fbe6856de9e14ffd33557256
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
suspicious: external code link to: adserver.adtechus dot com/addyn - malware site: https://www.mywot.com/en/scorecard/advertserve.com?utm_source=addon&utm_content=popup
Some see this as legit: http://myip.ms/info/whois/104.131.12.134/k/609595416/website/advertpro.com
pol
holpo
October 21, 2014, 8:21pm
2
Domain is deleted and available again; is it being used for malware distribution in the meantime?
http://whois.domaintools.com/onemillionathome.com
This site could be a sinkhole candidate or should be blocked.
polonus
When Sucuri says "Unable to properly scan your site." it usually means the site is down: http://www.downforeveryoneorjustme.com/http://www.onemillionathome.com/
holpo
October 21, 2014, 8:32pm
4
But it is not down as you can see from the jsunpack scan results, it just won’t resolve as there is no official record for it.
Normal resolving gets a PHP Fatal error: File not found
Convince yourself here: http://jsunpack.jeek.org/?report=a88e3e43fdd49895b8a4bec0fbb10dc7689625cf
directly redirecting to: -www.dnsrsearch.com/index.php?origURL=http:/www.onemillionathome.com/./js/v0Min.js benign
Well, that "benign" is a joke there… ;D
Grand playground for official white collar cybercrime that goes under the detection radar via dnssearch.
Officially site does not exist, however still going on to score ads income for those that redirect it.
polonus
If I try to go there using Chrome or Opera, I just get "this site is not available".
urlquery.net gives an error … not a valid URL
holpo
October 21, 2014, 8:47pm
6
But did you open the jsunpack scan result link?
Scan results here from 350 days ago: http://killmalware.com/www.onemillionathome.com/
Compare with: http://killmalware.com/www.dnsrsearch.com/index.php?origURL=http:/www.onemillionathome.com/./js/v0Min.js
There it still exists.
I get HTTP Request Header
Connect to 198.105.244.228 on port 80 … ok
GET /index.php?origURL=-http%3A%2Fwww.onemillionathome.com %2F.%2Fjs%2Fv0Min.js HTTP/1.1[CRLF]
Host: -www.dnsrsearch.com[CRLF]
Connection: close[CRLF]
User-Agent: Web-sniffer/1.1.0 (+http://web-sniffer.net/)[CRLF]
Accept-Encoding: gzip[CRLF]
Accept-Charset: ISO-8859-1,UTF-8;q=0.7,*;q=0.7[CRLF]
Cache-Control: no-cache[CRLF]
Accept-Language: de,en;q=0.7,en-us;q=0.3[CRLF]
Referer: http://web-sniffer.net/[CRLF]
[CRLF]
HTTP Response Header
Name Value Delim
Status: HTTP/1.1 200 OK
Server: nginx
Date: Tue, 21 Oct 2014 20:52:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Last-Modified: Tue Oct 21 20:52:17 UTC 2014
Set-Cookie: PHPSESSID=6kneufebkondam8bbfi6c37cb6; expires=Wed, 21-Oct-2015 20:52:17 GMT; Max-Age=31536000; path=/
Expires: Tue, 21 Oct 2014 20:52:17 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: langPref=en; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: sgUID=add8d566f096691f612e0794799f9b39; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: sid=4e89305d8d37895c597bd8a7a0b985f4; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: ooep=nxd; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Content-Encoding: gzip
pol
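An added example (not the poster's tool output and not code from this thread) that takes the web-sniffer exchange pasted above apart: it pulls the origURL parameter out of the request line and tabulates what the 200 response sets. The request line is reconstructed from the post with the poster's defanging (the leading "-" and the stray space) removed so it parses as a URL; the response headers are copied as pasted. The 365-day threshold and the 32-hex-character heuristic are my own choices, not anything the thread states.

```python
"""Parse the raw HTTP exchange web-sniffer returned for the dnsrsearch redirect.

Constructed input: the request line and response header block are copied from
the forum post; the poster's defanging was removed from the request line.
"""
import re
from urllib.parse import parse_qs, urlsplit

REQUEST_LINE = (
    "GET /index.php?origURL=http%3A%2Fwww.onemillionathome.com"
    "%2F.%2Fjs%2Fv0Min.js HTTP/1.1"
)

RESPONSE_HEADERS = """\
Status: HTTP/1.1 200 OK
Server: nginx
Date: Tue, 21 Oct 2014 20:52:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Last-Modified: Tue Oct 21 20:52:17 UTC 2014
Set-Cookie: PHPSESSID=6kneufebkondam8bbfi6c37cb6; expires=Wed, 21-Oct-2015 20:52:17 GMT; Max-Age=31536000; path=/
Expires: Tue, 21 Oct 2014 20:52:17 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: langPref=en; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: sgUID=add8d566f096691f612e0794799f9b39; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: sid=4e89305d8d37895c597bd8a7a0b985f4; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Set-Cookie: ooep=nxd; expires=Fri, 18-Oct-2024 20:52:17 GMT; Max-Age=315360000; path=/
Content-Encoding: gzip
"""


def original_url(request_line):
    """Return the percent-decoded origURL parameter the redirector was handed."""
    _method, target, _version = request_line.split()
    values = parse_qs(urlsplit(target).query).get("origURL", [])
    return values[0] if values else None


def parse_headers(block):
    """Return (name, value) pairs in order; repeated names such as Set-Cookie are kept."""
    pairs = []
    for line in block.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name, _, val = first.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, attr_val = attr.partition("=")
        attributes[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip(), attributes


def cookies(block):
    """All cookies the response sets, as name -> (value, attributes)."""
    result = {}
    for header, value in parse_headers(block):
        if header == "set-cookie":
            name, val, attrs = parse_set_cookie(value)
            result[name] = (val, attrs)
    return result


def long_lived_cookies(block, threshold_days=365):
    """Cookies whose Max-Age is strictly longer than threshold_days, as name -> days."""
    result = {}
    for name, (_, attrs) in cookies(block).items():
        if "max-age" in attrs:
            days = int(attrs["max-age"]) / 86400
            if days > threshold_days:
                result[name] = days
    return result


def opaque_identifiers(block):
    """Cookie names whose value is a 32-character hex string (the shape of a tracking id)."""
    return [name for name, (val, _) in cookies(block).items()
            if re.fullmatch(r"[0-9a-f]{32}", val)]


if __name__ == "__main__":
    print("origURL:", original_url(REQUEST_LINE))
    print("cookies kept longer than a year:", long_lived_cookies(RESPONSE_HEADERS))
    print("opaque identifier cookies:", opaque_identifiers(RESPONSE_HEADERS))
```

Run as a script it shows that four of the five cookies are kept for ten years and that two of them (sgUID, sid) carry opaque 32-hex identifiers, which is what makes the redirect page worth looking at even though the original domain no longer resolves.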
holpo
October 21, 2014, 8:58pm
8
Hi Pondus,
Now you see the peekaboo game that is being played by dnsrsearch ;D
Clever, isn't it? And there are more parked domains going on to bring in the money;
only sites that cannot resolve, that is new for me. Also I guess they do not pay tax on the advert income that way. 8)
polonus
If you can't access the site, it can't be dangerous … or am I missing something?
holpo
October 21, 2014, 9:15pm
10
Yes it can, and McAfee SiteAdvisor gives it as suspicious: 192.95.22.46
It was a malware site: https://www.virustotal.com/nl/url/b6698c6492574544289a9424c121135485eb65f1e84c4cebfd365008be50feea/analysis/
hxtp://onemillionathome.com/cgi-sys/suspendedpage.cgi
and you could be right here: https://www.virustotal.com/nl/file/07f99e34de6b4f4707f502d1cfcf2957b330c5ff713cf377d1eb82b85f975539/analysis/1386101146/
The direct look-up fails, but the search engine may play foul.
Here they don’t even know it is down - http://www.avgthreatlabs.com/website-safety-reports/domain/onemillionathome.com/
But there is something PHISHY about the redirecting results, maybe users without script blocking and request policy are at risk.
pol