Zeus tracker detected?

See: https://www.virustotal.com/nl/url/526b0b41195d703f4521e057503431f20b88ab3d6d0f2ba422a60adb4c5bd8ef/analysis/1418313990/
Sure blacklisted: http://quttera.com/detailed_report/ipkill.org 8 external links flagged and blacklisted
Potentially harmful: http://sitecheck.sucuri.net/results/ipkill.org
IDS alert: http://urlquery.net/report.php?id=1417814332345
for ET CNC Zeus Tracker Reported CnC Server group 14

pol

Closed down: https://zeustracker.abuse.ch/monitor.php?ipaddress=213.186.33.17
But still enough malcode on that IP: https://www.virustotal.com/nl/ip-address/213.186.33.17/information/

pol

Full URL gives a scan error … but the short one works, see pic http://urlquery.net/report.php?id=1418314833866

Full URL gives no VT detection, but the short one does:
https://www.virustotal.com/en/file/466d33db84f27f2a53353e3dacd6c029a826cf7a2951c9e0b2786cf14f9f6cef/analysis/1418314937/

Hi Pondus,

Very attentive. So we as website scanners should always distinguish between full and naked domain scans.
Check between www dot scandomain dot com and scandomain com.
Also check whether a domain is being hosted as a Multiple IP Domain, meaning some share 4 different IPs on the hoster.

As an example see this domain scan: http://urlquery.net/report.php?id=1418314297236
Nada: https://www.virustotal.com/nl/url/4f2aa8c268aa4c073fc106b39a337fc4f211325b8997e0d4b28d4b2e7e910c28/analysis/
and another nada: http://quttera.com/detailed_report/www.scamwarners.com
Surprise, surprise Multiple IP domain (4) Which IP numbers does wXw.scamwarners.com use?

WXW.SCAMWARNERS.COM uses the four IP numbers 2400:CB00:2048:1::C629:CEE5, 2400:CB00:2048:1::C629:CFE5, 198.41.206.229 and 198.41.207.229 together → https://www.robtex.com/en/advisory/dns/com/scamwarners/www/
Resolution failed: http://hosts-file.net/default.asp?s=www.scamwarners.com

Brightcloud flags with 1 infection in the past: Webroot Content Classification and Web Reputation
Category: Society
Reputation Index: 40
Status: Suspicious
Web Reputation Analysis:
Infections (past 12 months): 1
Popularity: High
Age: 46 months (Established)

Here all seems all right: http://www.dnsinspect.com/scamwarners.com/1418320376
and here (for what that seal is worth: http://scamwarners.com.trustcheck.net/ )

Fatal code error: ////cdn-cgi/nexp/dok2v=1613a3a185/ in CDN plug-in: https://wordpress.org/support/topic/an-unexpected-error-occured-13

asynchronous adsense code: (adsbygoogle = window.adsbygoogle || []).push( and static.getclicky.com DNS issues …

polonus