Unknown_RFI_shell malware on website

General Topics
1

See: https://www.virustotal.com/nl/url/27e5817dd8b10cf10eb79a543af34933c5968d6b13560dc1de68345aaf86760f/analysis/1428097625/
See: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http://flowviolento.com/web/&acceptheader=&useragentheader=
t XFN .
Check: “htxps://apis.google.com/js/plusone.js”;
link to htxp://widgets.amung.us/small.js …has Troj/FakeAV-ECV?
See the malware detections here:
http://urlquery.net/report.php?id=1428098913902
Netcraft risk 1 red out of 10: http://toolbar.netcraft.com/site_report/?url=http%3A%2F%2Fflowviolento.com

polonus

2

only Avira…

flowviolento.com.htm
https://www.virustotal.com/en/file/825b75f7dab6a846323a94703fb6b6b402988a10257aa07a34b72c1487df0d54/analysis/1428100188/

htxp://widgets.amung.us/small.js … nothing
https://www.virustotal.com/en/file/1d7cb5643145f37eddc0901946f7c6c35aeb6ae2e3f75066eb97a6659c11c30a/analysis/1428100252/

htxps://apis.google.com/js/plusone.js … nothing
https://www.virustotal.com/en/file/b9de1d6e052b49abeab1aec5bff072fe46b0f9427f96b417c356e58f85e72eff/analysis/1428100370/

3

Hi Pondus,

If that first detection is genuine, then Avast should detect this as HTML:FBJack-A [Trj].

pol

4

detection confirmed by Norman/BlueCoat

website contains Facebook like-jacking script. Detection added: flowviolento.com.htm - Faceliker.J