I am getting this twice only. Each of this alert is on different website. But I am seeing situation that avast block way more of this same thing in http://tieba.baidu.com/p/3532730273.
Example url:
hp://cmn.b9.aicdn.com/05/main.js?t=0.020921174436807632
hp://cun.b9.aicdn.com/a/bootstrapmin.js
I have a look at this information about aicdn https://aiscaler.com/dcc/aicdn. There are thing related to dynamic content. But I don’t see anything harmful.
Why is it bad that avast block this?
Somehow the nameservers won’t resolve from the parent names.
See: https://www.virustotal.com/en-gb/domain/cun.b9.aicdn.com/information/
A mutiple IP site. -cun.b9.aicdn.com,222.132.10.121,Multiple IPs, → http://whois.domaintools.com/aicdn.com
Fail: FAIL: While quering domain’s records, some of your name servers didn’t responded. Name servers which didn’t responded:
udp4:182.140.167.166
udp4:182.140.167.188
udp4:183.60.52.217
udp4:112.90.143.29 → http://www.dnsinspect.com/dn.com/1421592215
Links going out here are alerted by WOT: https://www.mywot.com/en/scorecard/miitbeian.gov.cn?utm_source=addon&utm_content=popup
See: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http://www.miitbeian.gov.cn/state/outPortal/queryMutualityDownloadInfo.action?id=11&acceptheader=&useragentheader=
So this code is being blocked: http://tool.114la.com/site/html/q/www.okdos.com (void(function f^ckie6(){if(location.hash && etc._)
polonus
Links going out here are alerted by WOT: https://www.mywot.com/en/scorecard/miitbeian.gov.cn?utm_source=addon&utm_content=popup See: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?[b]FP! Legit Chinese organization.[/b] see: http://tool.114la.com/site/html/q/ctn.b9.aicdn.com
...[b]该网站暂时无法进行访问[/b]...Translation: That webpage cannot be accessed temporarily. So this is an error page.
Here shown a legit Chinese governmental organization with the link as shown bad in myWOT. Clearly flase positive.原因一:根据[b][u]工信部[/u][/b]相关法规,您尚未进行备案;
This reputation has a low confidence, which means not many people have rated the site.That is what MyWot says. It doesn't say it is good or bad.
And we all know that the Chinese government can’t be trusted.
Hi Eddy and rickyyeung,
When I read this swearword inside code "void(function f^ckie6(){if(location.hash && etc).
and I see this picture of an "p yours" finger - htxps://github.com/wen0301/fckie6/blob/master/f*ck.jpg
some bells start to ring about the code. Can you imagine?
polonus
f^ckie6()it sound like someone doesn't like the old IE very much. But I see there is someone use this as a function name to produce online learning material in hxxp://www.cnblogs.com/kohpoll/archive/2012/09/13/2682706.html [b](Don't go into there without the avast web shield, I got 9 alert about the same thing: hxxp://asia.b9.aicdn.com/face/sample_face.gif)[/b]
hxxp://asia.b9.aicdn.com/face/sample_face.gifThis look like a picture of an ads about smiley icons. So bascially it is a dynamic advertisement that is loaded base on your location?
Edit: Confirm that it is a dynamic advertisement that is loaded base on your location.
got this URL:Mal hxxp://asia.b9.aicdn.com/ad/kt1.html
Edit 2: Since the site that these alert popup is usually in Chinese, I think the swear word is related to this thing
(The following text is translated from hxxp://www.haodaima.net/art/1690523, again aicdn popup alert is present) ...IE6 is a rubbish browser, espically in China! Sometime in IE6, there is a bug that prevent iframe to show...so bascially it is the website html writter's opinion on IE6. I know that swear word usually means something bad, but why is it only recently that these alert come up? I mean when I scan one in virustotal, there is even no trace of malware site rating (blacklists) for all the antivirus engines.
Edit 3: That function name IS in a html file for an 403 error page, see: http://tool.114la.com/site/html/q/www.tuangouba.com
Edit 4: Virustotal result in downloading files of same SHA256 for all 5 websites I got resultly.
The old result is https://www.virustotal.com/en/file/f69d30fad76343e239b0b154b1f87ae8f8ce538585d1553b64b0cd52921c58b7/analysis/1419603714/
VirusTotal doesn’t scan websites, it checks blacklists.
Yes, agree there is no realtime scanning with VT. -asia.b9.aicdn.com/ad/kt1.html has a 50% yellow status on BrightCloud and a Moderate Risk Status. http://www.scribd.com/doc/249681270/Web-Shield#scribd on htxp://asia.b9.aicdn.com/uploads/allimg/140415/Touma-Kaz usa-desktopsky-91131.jpg [L] URL:Mal (0) 11/29/2014 …
The site is on a Policy Block list and therefore has a 1 out of 10 Netcraft Risk Status: http://toolbar.netcraft.com/site_report/?url=asia.b9.aicdn.com%2Fad%2Fkt1.html Ref: PBL201316
60.211.0.0/16 is listed on the Policy Block List (PBL)
Outbound Email Policy of The Spamhaus Project for this IP range:
This IP address range has been identified by Spamhaus as not meeting our policy for IP addresses permitted to deliver unauthenticated ‘direct-to-mx’ email to PBL users.
Important: If you are using any normal email software (such as Outlook, Entourage, Thunderbird, Apple Mail, etc.) and you are being blocked by this Spamhaus PBL listing when you try to send email, the reason is simply that you need to turn on “SMTP Authentication” in your email program settings. For help with SMTP Authentication or ways to quickly fix this problem, contact: http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20PBL
I get a server redirect status Code: 400, Content cannot be read!
A Google Browser Diff: Not identical
Google: 1323 bytes Firefox: 0 bytes
Diff: 1323 bytes
First difference:
9/xhtml">该网站暂时无法进行访问<meta http-equiv="content-type"content=“text/html; charset=utf-8”/>.main{width:680px;heig… See: http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.aicdn.com/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO
Customised XSS malware here: htxp://tieba.baidu.com/f?kw=avast
polonus