Two domains pointing to the same site, Avast blocks one domain and not the other

For 2 weeks this domain has been blocked: http://embroidershoppe.com
It’s hosted on W2008 IIS7. I installed Avast for Server V7 and it doesn’t find anything.
I point the following domain to the same app: http://www.clipart4embroidery.com and that is NOT blocked.
Spent 3 days on this already. What is the solution?

Thanks to anyone who can shed some light, client is going ballistic over this.

Dutchie

Hi dutchie,

Well, consider a couple of general insecurities and code insecurities I have found while scanning with some external scanners.
iFrame insecurities:

See: iFramecheck: Suspicious → 16 instances of potentially suspicious files → http://quttera.com/detailed_report/embroidershoppe.com
and this is actually nr. 17 because of a hidden iFrame load:
/ScriptResource.axd?d=QAPP1-xZVVRpy7V68WnRu1lzbgnE51KTpb1Sz3cXQBfYXGJP0CeR4Yxp-rLI8EonMT0S0WwvAriXCgJzbk4bHWC2OxILL2TuAefhnBvEO-4U5WfPoGuoAK_IxU6R3hsYy0fx_EnEkkGiILaprKp5QA2&t=ffffffffdd783992
Severity: Potentially Suspicious
Reason: Suspicious JavaScript code injection. (debugging dynamic javascript code causes vs to create “eval” code)
Details: Procedure: + has been called with a string containing hidden JavaScript code .
Threat dump: http://jsunpack.jeek.org/?report=57befa697621827f23bc46b67cb75cd86f38a3bb
File size[byte]: 357822
File type: ASCII
MD5: 470FFDE37F8C0C1F8811DD3CF6AE1807
Scan duration[sec]: 3.477000

empty.htm’
javascript:false’
javascript:false’
slideshow.asp?i=homepage’
timer.asp’
yahoo.html’

External links to check:

htxp://embroidershoppe.blogspot.com/ → ’ blog’
htxp://www.2checkout.com → ’ 'http://urlquery.net/report.php?id=7978963
hxtp://www.embroiderybillboard.com/ → ‘’ http://urlquery.net/report.php?id=7978901

Potentially risky methods on server seen.

General asp dot net site configuration insecurities:

General asp dot net insecurities on website: https://asafaweb.com/Scan?Url=www.embroidershoppe.com%2Fdefault.aspx
Custom errors: Fail, Stacktrace: Fail, Excessive headers: Warning, Clickjacking: Warning. All could lead to too much info being spread to potential attackers of the site.

Code hiccup on site:

wXw.embroidershoppe.com/DXR.axd?r=1_42-LVoO5 benign
[nothing detected] (script) wXw.embroidershoppe.com/DXR.axd?r=1_42-LVoO5
status: (referer=wXw.embroidershoppe.com/default.aspx)saved 167634 bytes 8db6709db0b4f6aa502f763b605d83e88503b905
info: [iframe] wXw.embroidershoppe.com/
info: [decodingLevel=0] found JavaScript
suspicious:

polonus

Good catch polonus, but those iframes are references to Facebook Likes and have been there for about a year now.

Hi dutchie,

I do not mean to say that these are threat alerts, nothing more than general insecure coding that could be abused/exploited.
For the evaluation of your case, we have to consider that particular IP’s security and DNS resolving issues!
And then we are going to a new one: htxp://hatchedinafrica.com/
Daily changes → http://www.dailychanges.com/afraid.org/
DNS issues with nameservers: Results for httpembroidershoppe.com

The next instant it is resolving to: thequiltnation.com http://www.dnssy.com/report.php?q=thequiltnation.com

See the patterns here!

Test Results Status
Checking domain format: Hostname looks good. Pass
Checking for parent nameservers: Found 13 parent nameservers. Pass
Checking for parent glue: Found glue from root nameservers to parent nameservers. Info
NS records at parent nameserver: Your NS records at your parent nameserver are:

Provided by a.gtld-servers.net Info *
Nameservers listed at parent: No nameservers found at parent nameserver. Fail

WWW server alert from DNSsy:
Your web server appears to reveal version information. This can pose a security risk if vulnerabilities are identified in this version. You should consider disabling version information in your server configuration.
  • the clue to it all: this is a strange bot-powered scam network, read: https://blog.damballa.com/archives/271
    link article credits: – Gunter Ollmann, VP Research
    – Credit to Roberto Perdisci for the detailed analysis

polonus
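As an added illustration (not part of the thread, and not the site's own configuration) of how the asafaweb findings above (custom errors, stack trace, excessive headers, clickjacking) and the DNSsy version-disclosure alert are usually addressed on an ASP.NET site: a hardened web.config fragment, with the weak value each setting replaces noted in a comment. It assumes IIS 7 running in integrated pipeline mode and an error page named Error.aspx, which is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hardened web.config fragment (added example, assumes IIS 7 integrated pipeline) -->
<configuration>
  <system.web>
    <!-- Weak: debug="true" ships debug symbols and slows the app; never on production -->
    <compilation debug="false" />

    <!-- Weak: mode="Off" returns the yellow error page with the full stack trace to
         every visitor (the "Custom errors" and "Stacktrace" fails). RemoteOnly keeps
         the detail for localhost and sends remote users to a generic page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- Weak: default enableVersionHeader="true" adds X-AspNet-Version to every
         response ("Excessive headers" warning, version disclosure) -->
    <httpRuntime enableVersionHeader="false" />

    <!-- Keep session and forms cookies out of reach of script -->
    <httpCookies httpOnlyCookies="true" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Weak: IIS adds X-Powered-By: ASP.NET by default; drop it -->
        <remove name="X-Powered-By" />
        <!-- Clickjacking warning: forbid framing by other origins -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

The Server header itself (the IIS version string DNSsy reports) is not controlled by web.config on IIS 7; there it is removed with URLScan (RemoveServerHeader=1 in its [options] section) or a custom HTTP module. After deploying, re-run the asafaweb scan and check the response headers with any HTTP client to confirm X-AspNet-Version and X-Powered-By are gone and X-Frame-Options is present.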

I’m impressed. This is very good information. However I still don’t see any reason to block a website for this. I am going to resolve all those issues but what do I tell the client? After all there are no viruses on that server. Thanks for your insight though!

Dutchie,

Well the injected hidden code is making this all part of that bot-powered scam. Impressive form of abuse with massive domain cycling for Scam and Phishbusters & Co.

polonus