This site is very badly infected (It's now clear)

Hello,

I usually visit a site about sports that is quite popular in my country called Lancenet.

However, today, when I was checking the news about my soccer team, I received tons of malware alerts (1 executable and a lot of Java exploited files). There were so many infections that my web browser stopped working.

The link is this one hxxp://www.lancenet.com.br/flamengo

I believe that the site was hacked.

Please, visit this site only if you are from the avast team, or know what you are doing…

I don't know if avast is detecting the malware from this site. Trend Micro, which is installed here at my work, is detecting it…

I am just alerting here so avast can start to detect it if it's not already detecting it.

Thanks!

Elminster

Very infected
http://sitecheck.sucuri.net/results/www.lancenet.com.br/flamengo

Suricata and Snort filter alerts also: http://urlquery.net/queued.php?id=190604

I believe that it started today, because yesterday I visited it without any problem…

Do you know if avast is detecting the exploits and the executable?

Thanks for your attention,

Elminster

I could have tested that if I was on my comp… but I am doing this post from my cellphone.

Will check later today.

Oh Ok, Thanks!

I already alerted the avast team with the contact form, just in case this isn't already being detected…

Thanks!

Elminster

Something more about the infection process can be found here: http://www.honeynet.org/book/export/html/149
SCUMWARE also has the detection, the only one in the VT URL scan that flags…
JavaScript encoding used to hide a malicious iframe.
Also packed paywall tracking code on that site…
The snort IDS alerts are for server attacks producing routing errors…

polonus

Seems no one detects it yet
https://www.virustotal.com/file/2becfcb131ebb620decaa192a32372b987d59db70bc2a74ade8cc7bbbd7cac31/analysis/1348154341/

First seen by VirusTotal
2012-09-20 15:19:01 UTC ( 2 minutes ago )

Jotti http://virusscan.jotti.org/en/scanresult/e44433242e7c054186f14e5d4b10f35080dd34ac

URLVoid webscan
http://vscan.novirusthanks.org/analysis/8da1a358ae95e300b18c5887b9c448ea/ZmxhbWVuZ28=/

Hi Pondus,

Known malware according to Sucuri's; for the Anubis analysis, see: http://anubis.iseclab.org/?action=result&task_id=1518d9b3eca1eea946933ca2610e88880&format=html

pol

SOPHOS has a URL alert
https://www.virustotal.com/url/56e2012a8acbf332de0ae8052e66cafebf9acba78754c7470dc0e9711516382a/analysis/1348156478/

Hmmm

It seems clear now…

Thanks!

Elminster

Yep… Sucuri now says clean: http://sitecheck.sucuri.net/results/www.lancenet.com.br/flamengo

I guess someone has done some web cleaning.