unknown_html_RFI_shell not detected by avast taken down [SOLVED]

See: http://minotauranalysis.com/search.aspx?q=7c438aedbda604c3659981a839398123
https://www.virustotal.com/file/747b2d5cd1ca6816e0e2671452e15d28e72ce52b0abbbbbdd73e95bfdc4e7a09/analysis/
See sucuri’s scan: http://sitecheck.sucuri.net/results/ilaterra.ru/index.php/
See Yandex flag it here: http://www.yandex.com/infected?url=ilaterra.ru&l10n=en
82.146.59.150 [Spam Server] [Dictionary Attacker]

The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server and dictionary attacker. Below we’ve reported some other data associated with this IP. This interrelated data helps map spammers’ networks and aids in law enforcement efforts, see: http://www.projecthoneypot.org/ip_82.146.59.150

2/35 (5.7%) Heuristic.LooksLike.HTML.Infected.N still active from there since 2012-12-28 11:57:45 (via skypecheck.js spoofed linkpoints)
reported to virus AT avast dot com

polonus

Site is down: http://www.downforeveryoneorjustme.com/http://ilaterra.ru/index.php

urlQuery: http://urlquery.net/report.php?id=768466 (see pic in top right corner)

Hi Pondus,

Site might be down now, but avast did not detect the original remote file inclusion shell attack, see my PM,

polonus

Here we see that we have very low detection rates for this Heuristic.LooksLike.HTML.Infected.N:
http://www.virustotal.com/latest-report.html?resource=d6811a715f9921d9901326a92c03ba65
http://www.virustotal.com/latest-report.html?resource=b54e6a627c91db9ebb0b608c2705ddbe
http://www.virustotal.com/latest-report.html?resource=710a0801640afe9b25dfa8b09e914641
http://www.virustotal.com/latest-report.html?resource=a2ceea4de77b57779fd773d9985186d5
But DrWeb url checker flags it here:
Checking:htxp://www.game-club.ge/forum/public/js/3rd_party/lightbox.js
File size:9382 bytes
File MD5:720b461263a1e4ae92c31679022f76ac

htxp://www.game-club.ge/forum/public/js/3rd_party/lightbox.js - Ok

Checking:htxp://www.game-club.ge/forum/public/js/3rd_party/prettify/lang-sql.js
File size:3320 bytes
File MD5:95bdb94d9be3947b3047c4b7fc19b22f

htxp://www.game-club.ge/forum/public/js/3rd_party/prettify/lang-sql.js - archive JS-HTML

htxp://www.game-club.ge/forum/public/js/3rd_party/prettify/lang-sql.js/JSFile_1[0][cf8] - Ok
htxp://www.game-club.ge/forum/public/js/3rd_party/prettify/lang-sql.js - Ok

Checking:htxp://www.game-club.ge/forum/geo.js?app=gallery
File size:2965 bytes
File MD5:e578e066c837606202d6f0d6dd170b63

htxp://www.game-club.ge/forum/geo.js?app=gallery - archive JS-HTML

htxp://www.game-club.ge/forum/geo.js?app=gallery/JSFile_1[0][b95] - Ok
htxp://www.game-club.ge/forum/geo.js?app=gallery - Ok

Checking:htxp://www.game-club.ge/forum/public/min/index.php?charset=utf-8&f=public/js/ipb.js,public/js/ips.quickpm.js,public/js/ips.rating.js,public/js/ips.gallery.js,cache/lang_cache/2/ipb.lang.js
File size:70.79 KB
File MD5:b5c63225f5fc92c8f36260ea42697cfe

htxp://www.game-club.ge/forum/public/min/index.php?charset=utf-8&f=public/js/ipb.js,public/js/ips.quickpm.js,public/js/ips.rating.js,public/js/ips.gallery.js,cache/lang_cache/2/ipb.lang.js - Ok

Checking:htxp://www.game-club.ge/forum/public/min/index.php?g=js
File size:159.45 KB
File MD5:49ae8b93c31b7f8433f95d5377bd59f2

htxp://www.game-club.ge/forum/public/min/index.php?g=js - archive JS-HTML

htxp://www.game-club.ge/forum/public/min/index.php?g=js/JSTag_1[38d][27a3d] - Ok
htxp://www.game-club.ge/forum/public/min/index.php?g=js/JSTag_2[1a0d7][dcf3] - Ok
htxp://www.game-club.ge/forum/public/min/index.php?g=js - Ok

Checking:htxp://www.game-club.ge/forum/public/js/3rd_party/prettify/prettify.js
File size:18.95 KB
File MD5:d94f9a5f2e6dbbd9c06433efe9e03348

htxp://www.game-club.ge/forum/public/js/3rd_party/prettify/prettify.js - archive JS-HTML

htxp://www.game-club.ge/forum/public/js/3rd_party/prettify/prettify.js/JSTag_1[3ff6][bd2] - Ok
htxp://www.game-club.ge/forum/public/js/3rd_party/prettify/prettify.js - Ok

Checking:htxp://counter.top.ge/cgi-bin/cod?100+30241
File size:365 bytes
File MD5:49643a76b9de4bbaa3cd64094ee8d0f7

htxp://counter.top.ge/cgi-bin/cod?100+30241 - archive JS-HTML

htxp://counter.top.ge/cgi-bin/cod?100+30241/JSFile_1[0][16d] - Ok
htxp://counter.top.ge/cgi-bin/cod?100+30241 - Ok

Checking:htxp://www.game-club.ge/forum/index.php?app=gallery
Engine version:7.0.4.9250
Total virus-finding records:3584202
File size:157.48 KB
File MD5:eb6460b3c220ffcb72646f70bd63d60a

htxp://www.game-club.ge/forum/index.php?app=gallery - archive JS-HTML

htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_1[8][db1] infected with JS.Redirector.167
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_2[14bf][59] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_3[17957][ec7] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_4[19f72][54] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_5[1ce74][13d] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_6[1dde2][13d] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_7[1ed67][13d] - Ok
hxtp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_8[1fcea][13d] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_9[20c6b][13d] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_10[21c54][13d] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_11[22c36][13d] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_12[23ba6][13d] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_13[24b39][13d] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_14[25aa0][13d] - Ok
htxp://www.game-club.ge/forum/index.php?app=gallery/JSTAG_15[2713c][34d] - Ok

polonus
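
The scanner output pasted above has one pattern worth reading carefully: the hosting page itself ends with "- Ok", while a single nested script tag (JSTAG_1) carries the JS.Redirector verdict. A triage script that only looks at the top-level verdict misses that. The following parser is an added example written for this thread, not something polonus or Dr.Web published; it reads the Dr.Web URL-checker format exactly as pasted (the "Checking:" header, "File size"/"File MD5" fields, "archive JS-HTML", and per-component verdict lines) and pulls out every infected component together with the MD5 of the page that served it. The sample report embedded in the code is constructed with placeholder hostnames and keeps the thread's "htxp://" defanging.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the Dr.Web URL-checker format seen in the thread.
# Hostnames are placeholders; URLs are defanged ("htxp://") like the original post.
SAMPLE_REPORT = """\
Checking:htxp://www.example.test/forum/public/js/lightbox.js
File size:9382 bytes
File MD5:720b461263a1e4ae92c31679022f76ac

htxp://www.example.test/forum/public/js/lightbox.js - Ok

Checking:htxp://www.example.test/forum/index.php?app=gallery
Engine version:7.0.4.9250
Total virus-finding records:3584202
File size:157.48 KB
File MD5:eb6460b3c220ffcb72646f70bd63d60a

htxp://www.example.test/forum/index.php?app=gallery - archive JS-HTML

htxp://www.example.test/forum/index.php?app=gallery/JSTAG_1[8][db1] infected with JS.Redirector.167
htxp://www.example.test/forum/index.php?app=gallery/JSTAG_2[14bf][59] - Ok
htxp://www.example.test/forum/index.php?app=gallery - Ok
"""

@dataclass
class CheckedResource:
    """One 'Checking:' block: the fetched URL, its metadata and per-component verdicts."""
    url: str
    size: str = ""
    md5: str = ""
    is_archive: bool = False            # scanner unpacked it into nested JS/HTML components
    verdicts: Dict[str, str] = field(default_factory=dict)   # component URL -> verdict text

    def infected(self) -> Dict[str, str]:
        return {c: v for c, v in self.verdicts.items() if v.lower().startswith("infected")}

# "<component> - Ok", "<component> - archive JS-HTML" or "<component> infected with <name>"
VERDICT_RE = re.compile(r"^(\S+?)\s+(?:-\s+)?(Ok|archive .+|infected with .+)$")

def parse_report(text: str) -> List[CheckedResource]:
    resources: List[CheckedResource] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Checking:"):
            current = CheckedResource(url=line[len("Checking:"):].strip())
            resources.append(current)
            continue
        if current is None:
            continue                     # ignore anything before the first block
        if line.startswith("File size:"):
            current.size = line.split(":", 1)[1].strip()
        elif line.startswith("File MD5:"):
            current.md5 = line.split(":", 1)[1].strip().lower()
        else:
            m = VERDICT_RE.match(line)
            if not m:
                continue                 # engine version / record count lines etc.
            component, verdict = m.group(1), m.group(2)
            if verdict.startswith("archive"):
                current.is_archive = True   # informational; the final Ok/infected line follows
            else:
                current.verdicts.setdefault(component, verdict)
    return resources

def infected_components(resources: List[CheckedResource]) -> List[dict]:
    """Flatten every infected nested component with the hash of the page that carried it."""
    hits = []
    for r in resources:
        for component, verdict in r.infected().items():
            hits.append({"parent": r.url, "parent_md5": r.md5,
                         "component": component, "verdict": verdict})
    return hits

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for hit in infected_components(parsed):
        print(f"{hit['verdict']}: {hit['component']} (page md5 {hit['parent_md5']})")
```

The parent page's own verdict stays "Ok" in the parsed result, which is exactly why the nested-component view matters when deciding whether a site is clean. The MD5 of the carrier page is kept alongside each hit so the same page can be re-checked later (or compared against a known-clean copy) without re-parsing the whole report.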

Hi folks,

Good news because avast detects this via avast Web Shield as JS:Agent-API[Trj] on /wXw.game-club.ge/forum/index.php?app=gallery/JSTAG_1[8][db1]
So we have detection, and that is a reassuring thing to know,

polonus

See the detection of an inline script here: http://www.UnmaskParasites.com/security-report/?page=www.game-club.ge/forum/index.php%3Fa
Similar hack being reported here: http://www.tomatocart.com/community/7-install-a-config/23304-i-was-hacked-a-few-days-ago.html (poster there: Krisidious)
Joomla hack S/Kryptik.ABP trojan silme

polonus