Suspicious tracking code on site?

Viruses and worms
1

See: http://jsunpack.jeek.org/?report=dd43df1a0b46e15d23f9aaf461dec5a1773a98b4
and look for Suspicious

? " https://" : " http://“); document.write(unescape(”%3cscript src=‘" + _bdhmprotocol + "hm.baidu.com/h.js%3Fccbf838bd79150236fb5eb01a4a9fb14’ type=‘text/javascript’%3e%3c/script… Google Analytics tracking code

Another code hisck-up on site:fj.swok dot cn/scripts/public.js benign
[nothing detected] (script) fj.swok dot cn/scripts/public.js
status: (referer=fj.swok dot cn/)saved 2960 bytes 326150e80500dcc8f446d08d219e708407db7244
info: [decodingLevel=0] found JavaScript
error: undefined variable $
error: undefined function $
suspicious:

Read also this security setting: http://securitythoughts.wordpress.com/2011/03/30/how-to-modify-apache-coyote1-1-banner/
link article author Wasim Halini

polonus

2

ATTENTION by Norton: http://safeweb.norton.com/report/show?url=fj.swok.cn&ulang=eng
Virustotal: https://www.virustotal.com/de/url/37acbcd6677681fbe0a28af56e20a4bd02bb33ef0eeb4aff4d208ce989dcd127/analysis/1383757894/
URLQuery: http://urlquery.net/report.php?id=7474400
Comodo: http://app.webinspector.com/public/reports/18255796
Zulu: http://zulu.zscaler.com/submission/show/4e2c8585969638fb661fa90b1b32aad3-1383757885
Quettra: http://www.quttera.com/detailed_report/swok.cn

3

Hi Steven Winderlich,

I think this executable was the source of the site warning: http://urlquery.net/report.php?id=7360874
https://www.virustotal.com/en/url/f675cf613a44503c8d49e7c4809a74e293d959389d3bc3150f7d649b78b9c8f6/analysis/
and only https://www.virustotal.com/en/file/0abaee9196ad6e11264b2fa04a601ca338604d25cc1442e42677c43d1b7910ea/analysis/1383768992/

Only Normal detected this as Suspicious_Gen7.CSH. Maybe our good friend Pondus can clear that up at Norman’s.
See: http://f.virscan.org/WEBTOOLOCX.exe.html

polonus

4
Only Normal detected this as Suspicious_Gen7.CSH. Maybe our good friend Pondus can clear that up at Norman's. See: http://f.virscan.org/WEBTOOLOCX.exe.html
possible FP but i will check it out

First submission 2012-12-28 13:57:07 UTC ( 10 months, 1 week ago )

5

Norman lab confirms it was a FP and detection will be removed :wink:

6

Thank you, Pondus, for checking this for us all here.
One previous detection, so one False Positive.

polonus