system
1
For 2 weeks now this domain has been blocked: http://embroidershoppe.com
It’s hosted on W2008 IIS7. I installed Avast for Server V7 and it doesn’t find anything.
I point the following domain to the same app: http://www.clipart4embroidery.com and that is NOT blocked.
Spent 3 days on this already. What is the solution?
Thanks to anyone who can shed some light, client is going ballistic over this.
Dutchie
polonus
2
Hi dutchie,
Well, consider a couple of general insecurities and code insecurities I have found while scanning with some external scanners.
iFrame insecurities:
See: iFramecheck: Suspicious → 16 instances of potentially suspicious files → http://quttera.com/detailed_report/embroidershoppe.com
and this is actually nr. 17 because of a hidden iFrame load.
/ScriptResource.axd?d=QAPP1-xZVVRpy7V68WnRu1lzbgnE51KTpb1Sz3cXQBfYXGJP0CeR4Yxp-rLI8EonMT0S0WwvAriXCgJzbk4bHWC2OxILL2TuAefhnBvEO-4U5WfPoGuoAK_IxU6R3hsYy0fx_EnEkkGiILaprKp5QA2&t=ffffffffdd783992
Severity: Potentially Suspicious
Reason: Suspicious JavaScript code injection. (debugging dynamic javascript code causes vs to create “eval” code)
Details: Procedure: + has been called with a string containing hidden JavaScript code .
Threat dump: http://jsunpack.jeek.org/?report=57befa697621827f23bc46b67cb75cd86f38a3bb
File size[byte]: 357822
File type: ASCII
MD5: 470FFDE37F8C0C1F8811DD3CF6AE1807
Scan duration[sec]: 3.477000
empty.htm’
javascript:false’
javascript:false’
slideshow.asp?i=homepage’
timer.asp’
yahoo.html’
External links to check:
htxp://embroidershoppe.blogspot.com/ → ’ blog’
htxp://www.2checkout.com → ’ 'http://urlquery.net/report.php?id=7978963
hxtp://www.embroiderybillboard.com/ → ‘’ http://urlquery.net/report.php?id=7978901
Potentially risky methods on server seen.
General asp dot net site configuration insecurities:
General asp dot net insecurities on website: https://asafaweb.com/Scan?Url=www.embroidershoppe.com%2Fdefault.aspx
Custom errors Fail, Stacktrace Fail, Excessive headers warning, Clickjacking warning. All could lead to too much info being spread to potential attackers of the site.
Code hiccup on site:
wXw.embroidershoppe.com/DXR.axd?r=1_42-LVoO5 benign
[nothing detected] (script) wXw.embroidershoppe.com/DXR.axd?r=1_42-LVoO5
status: (referer=wXw.embroidershoppe.com/default.aspx)saved 167634 bytes 8db6709db0b4f6aa502f763b605d83e88503b905
info: [iframe] wXw.embroidershoppe.com/
info: [decodingLevel=0] found JavaScript
suspicious:
polonus
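The scanner output above flags a hidden iFrame load, and the next reply attributes the iframes to Facebook Like buttons. A site owner can settle that quickly by listing every iframe that is hidden, nested in a hidden element, or sized to zero, together with its `src`. The script below is an added example written for this thread, not code from the original post or from any of the scanners cited; the HTML it parses is constructed for illustration, and the host names in it are placeholders.

```python
"""List iframes that a page hides from the visitor (hidden style, hidden
ancestor, or zero/one-pixel size) and report where each one points.

Added example for this thread; the sample HTML below is constructed and
the host names in it are placeholders, not real sites.
"""
from html.parser import HTMLParser
import re

# Constructed page: one visible Facebook Like frame (the benign case the
# thread describes) and two frames a visitor would never see.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.facebook.com/plugins/like.php?href=example" width="450" height="80"></iframe>
<iframe src="http://suspicious.example/x.php" width="0" height="0" style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="http://suspicious.example/y.php"></iframe></div>
</body></html>"""

HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)

# Elements that never get a closing tag; they must not stay on the ancestor stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (pixels); non-numeric -> False."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._stack = []   # (tag, is_hidden) for every open ancestor element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            reasons = []
            if hidden_here:
                reasons.append("hidden style")
            if any(hidden for _, hidden in self._stack):
                reasons.append("hidden ancestor")
            if _is_tiny(a.get("width", "")) or _is_tiny(a.get("height", "")):
                reasons.append("zero/one-pixel size")
            if reasons:
                self.findings.append({"src": a.get("src", ""), "reasons": reasons})
        if tag not in VOID:
            self._stack.append((tag, hidden_here))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed elements.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def find_hidden_iframes(html):
    """Return a list of {'src': ..., 'reasons': [...]} for each concealed iframe."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run it against the served HTML (for example, the output of `curl` for the page) rather than the source on disk, because injected content is often added at request time; a Like button shows up as a visible, normally sized frame pointing at facebook.com, while anything hidden and pointing elsewhere is what the scanner was reacting to.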
system
3
Good catch polonus, but those iframes are references to FaceBook Likes and are there for about a year now.
polonus
4
Hi dutchie,
I do not mean to say that these are threat alerts, nothing more than general insecure coding that could be abused/exploited.
For the evaluation of your case, we have to consider that particular IP’s security and DNS resolving issues!
And then we are going to a new one: htxp://hatchedinafrica.com/
Daily changes → http://www.dailychanges.com/afraid.org/
DNS issues with nameservers: Results for httpembroidershoppe.com
The next instant it is resolving to: thequiltnation.com → http://www.dnssy.com/report.php?q=thequiltnation.com
See the patterns here!
Test Results Status
Checking domain format: Hostname looks good. Pass
Checking for parent nameservers: Found 13 parent nameservers. Pass
Checking for parent glue: Found glue from root nameservers to parent nameservers. Info
NS records at parent nameserver: Your NS records at your parent nameserver are:
Provided by a.gtld-servers.net Info *
Nameservers listed at parent: No nameservers found at parent nameserver. Fail
Your web server appears to reveal version information. This can pose a security risk if vulnerabilities are identified in this version. You should consider disabling version information in your server configuration.
WWW server alert from DNSsy
- the clue to all this is a strange Bot-powered Scam Network, read: https://blog.damballa.com/archives/271
link article credits: – Gunter Ollmann, VP Research
– Credit to Roberto Perdisci for the detailed analysis
polonus
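Two of the findings in this thread, the asafaweb results in post 2 (custom errors off, stack trace shown, excessive headers, no clickjacking protection) and the DNSsy web server alert above (server version revealed), can be re-checked from a single HTTP response. The script below is an added example, not part of the thread or of either scanner; the two responses it audits are constructed to show a default IIS7/ASP.NET error reply beside a hardened one, and are not captures from any real host.

```python
"""Audit a raw HTTP response for the information-disclosure and clickjacking
findings the thread's external scanners reported.

Added example; RAW_LEAKY and RAW_HARDENED are constructed, not captured.
"""

# Constructed: what an unconfigured IIS7/ASP.NET site typically returns on an
# unhandled exception (version headers, default error page, stack trace).
RAW_LEAKY = """HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Content-Type: text/html; charset=utf-8

<html><head><title>Server Error in '/' Application.</title></head>
<body><h1>Server Error in '/' Application.</h1>
<b>Stack Trace:</b><pre>[NullReferenceException: ...]</pre></body></html>
"""

# Constructed: the same request after customErrors is on, version headers are
# removed and X-Frame-Options is sent.
RAW_HARDENED = """HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN

<html><body>An error occurred. Reference id: PLACEHOLDER-ID</body></html>
"""

# Headers that reveal product or framework versions to anyone who asks.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Markers of the default ASP.NET error page (customErrors off) and of a stack trace.
DEFAULT_ERROR_MARKER = "Server Error in '/' Application"
STACK_TRACE_MARKER = "Stack Trace:"


def parse_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit(raw):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in VERSION_HEADERS:
        if name in headers:
            findings.append(f"excessive header: {name}: {headers[name]}")
    if "x-frame-options" not in headers and "content-security-policy" not in headers:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    if DEFAULT_ERROR_MARKER in body:
        findings.append("custom errors off: default ASP.NET error page returned")
    if STACK_TRACE_MARKER in body:
        findings.append("stack trace disclosed in response body")
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", RAW_LEAKY), ("hardened", RAW_HARDENED)):
        print(label, "->", audit(raw) or "clean")
```

On the IIS side the corresponding fixes live in web.config: `<customErrors mode="On" />` replaces the default error page, `<httpRuntime enableVersionHeader="false" />` drops X-AspNet-Version, and `<httpProtocol><customHeaders>` can remove X-Powered-By and add X-Frame-Options; the Server header itself needs a URL Rewrite outbound rule or a module, since web.config alone does not strip it on IIS7.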
system
5
I’m impressed. This is very good information. However I still don’t see any reason to block a website for this. I am going to resolve all those issues but what do I tell the client? After all there are no viruses on that server. Thanks for your insight though!
polonus
6
Dutchie,
Well the injected hidden code is making this all part of that bot-powered scam. Impressive form of abuse with massive domain cycling for Scam and Phishbusters & Co.
polonus