Sitehack not being detected by most scanners!

Missed by https://www.virustotal.com/en/url/df7b2006c98154ac970439b2e0334f4e5cadb0a66226b0beaa26c430912bbeed/analysis/1417182384/
Missed by http://quttera.com/detailed_report/orgstore.com
Detected by killmalware: http://killmalware.com/orgstore.com/#

poruka[0] = " OooPs(5nifra@9 dot cn)"
poruka[1] = " This SitE has bEn haCked by KhaLidmoro"
function prikaz() {
   var text = poruka[slporuka];

Missed by Sucuri’s (cannot properly scan).
Not adding to IP security: http://sameid.net/ip/74.208.29.199/
Hacked via tbn1.google dot com (smut content) → encrypted-tbn1.google.com/images/ → hxtp://173.194.112.83/
comes up with a PHISHING attempt alert! javascript title repeated with “document.all.neonlight”.

pol

not sure if it is malicious, but site (after hack) sure contains some disturbing pictures … should at least be URL blocked

Hi Pondus,

I did not ask you to actually visit the defaced site. ;D
I have broken all links in my posting as I should.
Any hack that results in defacement is caused by some vulnerability and lack of monitoring the website properly.
Sometimes it is vulnerable unpatched website software or a combination of software that is exploitable.
This for instance is not making us happy: Results from scanning URL: htxp://orgstore.com
Number of sources found: 19
Number of sinks found: 12
Several instances of “document.write(” and src/ strap.arguments.length * document.tickerform.strapline.value= (
See where this led to security issues on a site checked: http://sz-dransfeld.de.trustcheck.net/
See code ='htxp://p.ld5.fr/t/lst/lst_34585_77.png (Google this) resulting in href=“htxp://www.khalidmoro.com”
(do not visit - abhorrent content)

polonus

I did not ask you to actually visit the defaced site
well you know me ... i have to put my nose in mysterious places

anyway, those who don't know how to may use urlQuery.net to see the picture

https://www.virustotal.com/en/file/bc5544aa4c599151dfc76016084aa5ef063370c220225d1834ad2587542848a1/analysis/1417188908/

one blacklisted URL on same IP
https://www.virustotal.com/en/ip-address/74.208.29.199/information/

site also asks to install RealPlayer to see everything … could be a malicious trick?..did not test

Hi Pondus,

Cannot see why Trustwave flags that site? This is OK: http://www.dnsinspect.com/canismajor.com/1417198226
This also: http://urlquery.net/report.php?id=1417198406675
and this: http://zulu.zscaler.com/submission/show/5d37eb2e1e744853e0c9a6a2156a3723-1417198345
Completely secure: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.canismajor.com%2Fdog%2Findex.html
No source, no sink!

polonus

Well this is bad practice there →
WARNING:
The IP PTR associated with this record, does not resolve back to it’s original IP address.
This is very bad practice.

Original: 74.208.29.199
PTR: perfora.net.
PTR IP: 213.165.67.109

D
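
The PTR warning quoted above describes a failed forward-confirmed reverse DNS check: the IP's PTR name is resolved forward again and compared with the original IP. The following is an added example, not code from this thread or from the tool that produced the warning; the function names, the injectable lookup tables and the passing host `mail.example.test` are assumptions made for illustration, while the failing record uses the values from the warning.

```python
import ipaddress
import socket


def _system_ptr(ip):
    """Reverse lookup via the system resolver; returns a list of PTR names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def _system_forward(name):
    """Forward lookup (A and AAAA) via the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns(ip, ptr_lookup=_system_ptr, forward_lookup=_system_forward):
    """Forward-confirmed reverse DNS: does any PTR name resolve back to ip?"""
    target = ipaddress.ip_address(ip)
    result = {"ip": str(target), "status": "no_ptr", "ptr": []}
    for raw in ptr_lookup(str(target)):
        name = raw.rstrip(".").lower()
        addrs = [ipaddress.ip_address(a) for a in forward_lookup(name)]
        result["ptr"].append({"name": name, "addresses": [str(a) for a in addrs]})
        if target in addrs:
            result["status"] = "confirmed"      # one confirming name is enough
        elif result["status"] == "no_ptr":
            result["status"] = "mismatch"       # PTR exists but points elsewhere
    return result


# Constructed resolver data so the example runs offline. The first record
# uses the values from the warning; the second is a made-up passing case.
PTR = {"74.208.29.199": ["perfora.net."], "192.0.2.10": ["mail.example.test."]}
FWD = {"perfora.net": ["213.165.67.109"], "mail.example.test": ["192.0.2.10"]}


def check_offline(ip):
    return fcrdns(ip, lambda i: PTR.get(i, []), lambda n: FWD.get(n, []))


if __name__ == "__main__":
    for ip in ("74.208.29.199", "192.0.2.10", "198.51.100.7"):
        print(check_offline(ip))
```

Calling `fcrdns(ip)` without the lookup arguments uses the system resolver instead of the constructed tables.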