Topic: vt issues


June 14, 2010, 10:46:36 am
Reply #15

cleanmx

hi @all

since some hours, https:// links  like this one
https://www.virustotal.com/analisis/aa48278240b37ece04e08d64825f8e1ae4f0c866e592a2ffef3c9eeeafe27a8d-1276503243
also port 80
http://www.virustotal.com/analisis/aa48278240b37ece04e08d64825f8e1ae4f0c866e592a2ffef3c9eeeafe27a8d-1276503243

this incident has been perfectly analysed previously.... see:
http://support.clean-mx.de/clean-mx/viruses.php?md5=d59bfcfdd7657335e15947e6fdd32949&sort=id%20desc

but it doesn't work anymore... try to query for md5=d59bfcfdd7657335e15947e6fdd32949 on virustotal ....

does someone have contact to virustotal?

-- gerhard

June 14, 2010, 01:21:15 pm
Reply #16

SysAdMini

Your port 80 link works here.

June 14, 2010, 01:37:03 pm
Reply #17

cleanmx

Your port 80 link works here.


amazing... now, 3 hours later, port 80 works... it threw a 404 at the time of writing my original post....

-- gerhard

June 14, 2010, 03:07:34 pm
Reply #18

cleanmx

my curl routines do not work anymore...

i only get this response if i query for an md5:

Quote
HTTP/1.0 417 Expectation failed
Server: squid/2.7.STABLE9
Date: Mon, 14 Jun 2010 15:03:40 GMT
Content-Type: text/html
Content-Length: 1495
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from viruskill2.hispasec.com
Via: 1.0 viruskill2.hispasec.com:80 (squid/2.7.STABLE9)
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR noshade size="1px">
<P>
While trying to process the request:
<PRE>
POST /vt/en/consultamd5 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.virustotal.com
Accept: */*
Content-Length: 171
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------b5f048a0e858

</PRE>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Invalid Request
</STRONG>
</UL>

<P>
Some aspect of the HTTP Request is invalid.  Possible problems:
<UL>
<LI>Missing or unknown request method
<LI>Missing URL
<LI>Missing HTTP Identifier (HTTP/1.0)
<LI>Request is too large
<LI>Content-Length missing for POST or PUT requests
<LI>Illegal character in hostname; underscores are not allowed
</UL>
<P>Your cache administrator is <A HREF="mailto:webmaster@hispasec.com">webmaster@hispasec.com</A>.

<BR clear="all">
<HR noshade size="1px">
<ADDRESS>
Generated Mon, 14 Jun 2010 15:03:40 GMT by viruskill2.hispasec.com (squid/2.7.STABLE9)
</ADDRESS>
</BODY></HTML>

Code:
<?php
function vthash($hash) {
    $use_proxy = false;
    $ch = curl_init("https://www.virustotal.com/vt/en/consultamd5");
    // passing an array makes curl build a multipart/form-data body
    curl_setopt($ch, CURLOPT_POSTFIELDS, array('hash' => "$hash"));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
    curl_setopt($ch, CURLOPT_TIMEOUT, 60);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)');
    if ($use_proxy == TRUE) {
        curl_setopt($ch, CURLOPT_PROXY, '62.67.194.35');
        curl_setopt($ch, CURLOPT_PROXYPORT, 3128);
        #curl_setopt($ch, CURLOPT_PROXYUSERPWD, 'myuser:mypwd');
        curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
        #curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
    }
    $ret = curl_exec($ch);
    curl_close($ch);
    print_r($ret);
    return $ret;
}
?>


June 14, 2010, 03:50:31 pm
Reply #19

philipp

try using http instead of https.

June 14, 2010, 03:59:09 pm
Reply #20

cleanmx

https is broken... i know... but http does not work either.... and it makes no difference if i use a proxy or not...

this piece of code has worked for over 2 years now...

-- gerhard

June 14, 2010, 04:36:34 pm
Reply #21

jackberri

Hi:

http works for me now.

June 14, 2010, 04:46:16 pm
Reply #22

cleanmx

totally weird...
if i do it with old-fashioned sockets... function vt2 ... all is fine...
Code:
<?php
function vt1($hash) {
    $use_proxy = false;
    $ch = curl_init("http://www.virustotal.com/vt/en/consultamd5");
    // passing an array makes curl build a multipart/form-data body
    curl_setopt($ch, CURLOPT_POSTFIELDS, array('hash' => "$hash"));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
    curl_setopt($ch, CURLOPT_TIMEOUT, 60);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)');
    if ($use_proxy == TRUE) {
        curl_setopt($ch, CURLOPT_PROXY, '62.67.194.35');
        curl_setopt($ch, CURLOPT_PROXYPORT, 3128);
        #curl_setopt($ch, CURLOPT_PROXYUSERPWD, 'myuser:mypwd');
        curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
        #curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
    }
    $ret = curl_exec($ch);
    curl_close($ch);
    print_r($ret);
    return $ret;
}

function vt2($hash) {
    // plain socket: a hand-built application/x-www-form-urlencoded POST
    $tbdaten = "hash=$hash";
    $tb_proxy = "http://www.virustotal.com/vt/en/consultamd5";
    $t = explode("://", $tb_proxy);
    $t2 = explode("/", $t[1]);
    $fp = fsockopen($t2[0], 80);
    if (!$fp) {
        return false;
    }
    fputs($fp, "POST " . $tb_proxy . " HTTP/1.1\r\n");
    fputs($fp, "Host: " . $t2[0] . "\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: " . strlen($tbdaten) . "\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    fputs($fp, $tbdaten . "\r\n");
    $ret = "";
    for ($i = 0; $i < 520; $i++) {
        $ret .= fgets($fp, 1024);
    }
    fclose($fp);
    print_r($ret);
}
vt1("d0ce138479c9c45636bf1ccdb530144f");
vt2("d0ce138479c9c45636bf1ccdb530144f");
?>


output of vt1
Quote
HTTP/1.0 417 Expectation failed
Server: squid/2.7.STABLE9
Date: Mon, 14 Jun 2010 16:42:21 GMT
Content-Type: text/html
Content-Length: 1495
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from viruskill2.hispasec.com
Via: 1.0 viruskill2.hispasec.com:80 (squid/2.7.STABLE9)
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR noshade size="1px">
<P>
While trying to process the request:
<PRE>
POST /vt/en/consultamd5 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.virustotal.com
Accept: */*
Content-Length: 171
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------b627f3b069e0

</PRE>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Invalid Request
</STRONG>
</UL>

<P>
Some aspect of the HTTP Request is invalid.  Possible problems:
<UL>
<LI>Missing or unknown request method
<LI>Missing URL
<LI>Missing HTTP Identifier (HTTP/1.0)
<LI>Request is too large
<LI>Content-Length missing for POST or PUT requests
<LI>Illegal character in hostname; underscores are not allowed
</UL>
<P>Your cache administrator is <A HREF="mailto:webmaster@hispasec.com">webmaster@hispasec.com</A>.

<BR clear="all">
<HR noshade size="1px">
<ADDRESS>
Generated Mon, 14 Jun 2010 16:42:21 GMT by viruskill2.hispasec.com (squid/2.7.STABLE9)
</ADDRESS>
</BODY></HTML>

output vt2:

Quote
HTTP/1.0 303 See Other
Date: Mon, 14 Jun 2010 16:42:40 GMT
Server: Apache
Location: /analisis/09081d63524625f3b42547c95e6cf07960230b89731bb0bf08bebf20f11074a5-1276269443
Content-Length: 292
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from viruskill2.hispasec.com
Via: 1.1 viruskill2.hispasec.com:80 (squid/2.7.STABLE9)
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>303 See Other</title>
</head><body>
<h1>See Other</h1>
<p>The answer to your request is located <a href="/analisis/09081d63524625f3b42547c95e6cf07960230b89731bb0bf08bebf20f11074a5-1276269443">here</a>.</p>
</body></html>


June 14, 2010, 05:23:18 pm
Reply #23

philipp

It seems the content-type is wrong. If you specify an array for CURLOPT_POSTFIELDS, the content-type is set to multipart/form-data. What you want, though, is application/x-www-form-urlencoded.
Read here:
http://www.php.net/manual/en/function.curl-setopt.php

So, using
Code:
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "hash=$hash");
should work.

June 14, 2010, 05:41:07 pm
Reply #24

SysAdMini

So, using
Code:
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "hash=$hash");
should work.

You are right. Works perfectly!

June 14, 2010, 06:10:00 pm
Reply #25

cleanmx

So, using
Code:
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "hash=$hash");
should work.

You are right. Works perfectly!

thx !!! but really weird, this array method has been working for 2 years....

they must have changed their pages recently....

the ugliest thing is... submit does not work either, but that needs multipart form data! so i submit by email now....

-- gerhard

this code had been working for 2 years until this morning....

now i fixed it: this made my day...
Code:
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));
Code:
<?php
function do_virustotal($url, $xid) {
    $use_proxy = false;
    $ret = "";
    $uploadfile = "/var/www/clean-mx/virusesevidence/output.$xid.txt";
    $ch = curl_init("http://www.virustotal.com/vt/de/recepcion");
    // a file upload needs multipart/form-data; "@file" is the legacy curl upload syntax
    curl_setopt($ch, CURLOPT_POSTFIELDS, array(
        'distribuir'  => '1',
        'envioseguro' => '0',
        'archivo'     => "@$uploadfile"
    ));
    // the fix quoted above: an empty value removes curl's own Expect: 100-continue header
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
    curl_setopt($ch, CURLOPT_TIMEOUT, 60);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)');
    if ($use_proxy == TRUE) {
        curl_setopt($ch, CURLOPT_PROXY, '62.67.194.35');
        curl_setopt($ch, CURLOPT_PROXYPORT, 3128);
        #curl_setopt($ch, CURLOPT_PROXYUSERPWD, 'myuser:mypwd');
        curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
        #curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
    }
    $postResult = curl_exec($ch);
    #print_r($postResult);
    curl_close($ch);
    // the analysis URL comes back in the Location header of the 303 response
    $serverantwort = explode("\n", $postResult);
    foreach ($serverantwort as $resp) {
        if (strpos($resp, "Location: ") !== false) {
            $ret1 = trim(substr($resp, strpos($resp, "Location: ") + 10));
            $ret2 = explode("\r", $ret1);
            $ret = "http://www.virustotal.com" . $ret2[0];
            print("$xid\tsubmitted\t$ret\n");
            break;
        }
    }
    return $ret;
}
?>
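To make philipp's diagnosis and the Expect: fix concrete, here is an added Python model (not code from this thread or from clean-mx) of the two request shapes and of how the HTTP/1.0 Squid in front of virustotal.com treated them. HOST, PATH, BOUNDARY and the libcurl rule for when Expect: 100-continue is emitted are assumptions, not taken from the page.

```python
from urllib.parse import urlencode

# Constructed inputs: the endpoint used in the thread and a placeholder form boundary.
HOST = "www.virustotal.com"
PATH = "/vt/en/consultamd5"
BOUNDARY = "----------------------------constructed"


def build_request(fields, multipart, suppress_expect=False):
    """Assemble a POST roughly as 2010-era libcurl did (modelled assumption: a
    multipart form post always carried Expect: 100-continue, a string body only
    when longer than 1024 bytes). suppress_expect mirrors the PHP fix
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'))."""
    if multipart:  # what CURLOPT_POSTFIELDS does with an array
        body = "".join(
            f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
            for k, v in fields.items()
        ) + f"--{BOUNDARY}--\r\n"
        ctype = f"multipart/form-data; boundary={BOUNDARY}"
    else:  # what CURLOPT_POSTFIELDS does with a "k=v" string
        body = urlencode(fields)
        ctype = "application/x-www-form-urlencoded"
    headers = {"Host": HOST, "Content-Type": ctype, "Content-Length": str(len(body))}
    if (multipart or len(body) > 1024) and not suppress_expect:
        headers["Expect"] = "100-continue"
    head = f"POST {PATH} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return (head + "\r\n" + body).encode("iso-8859-1")


def parse_headers(raw):
    """Split a raw request into its request line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def squid27_verdict(raw):
    """Model of the HTTP/1.0 proxy seen in the thread: it cannot answer
    '100 Continue', so a request carrying any Expect header is refused with 417
    before the origin server ever sees it. The proxy-side remedy in Squid is the
    ignore_expect_100 directive; the client-side remedy is to drop the header."""
    _, headers = parse_headers(raw)
    if "expect" in headers:
        return 417, "Expectation failed"
    return 200, "forwarded to origin"
```

Running the three shapes side by side (array/multipart, urlencoded string, multipart with Expect suppressed) reproduces the thread's outcomes: only the first is refused.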


June 16, 2010, 02:06:25 pm
Reply #26

cleanmx

vt is back with a new design, but not really working

Quote
internal server error

if you query for a md5

also the input mask has been changed, see screenshot...

Update:
now it's working again, but queries are rate-limited... I asked them at the api@ address for unlimited access... but have not got an answer yet...

-- gerhard

June 19, 2010, 12:55:49 pm
Reply #27

cleanmx

vt down again !
ping possible, but no services on port 80 or 443

-- gerhard

Quote
root@base2:/home/gerhard# lft -ANTE www.virustotal.com

Tracing _______________________________________________________________________________________________.

TTL  LFT trace to www.virustotal.com (74.53.201.162):80/tcp
**   [firewall] the next gateway may statefully inspect packets
 1   [AS65190] [PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED] easy.box (192.168.178.1) 0.4/0.6ms
 2   [AS3209] [88-RIPE/ARCOR-DSL-NET16] dslb-088-066-160-001.pools.arcor-ip.net (88.66.160.1) 42.2/44.0/*/*/*ms
 3   [AS3209] [88-RIPE/ARCOR-BACKBONE-BB-NET5] 88.79.10.193 43.6/49.5/*/*/*ms
 4   [AS3209] [92-RIPE/ARCOR-BACKBONE-BB-NET10] 92.79.213.101 42.3/42.5/*/*/*ms
 5   [AS3209] [92-RIPE/ARCOR-BACKBONE-BB-NET10] 92.79.213.130 50.2/49.8/*/*/*ms
 6   [AS6695] [80-RIPE/DE-CIX-FRA-IXP] xe-1-2-0.mpr1.fra4.de.above.net (80.81.194.26) 50.4/50.7/*/*/*ms
 7   [ASN?] [ABOVENET] xe-1-0-0.mpr1.fra3.de.above.net (64.125.31.221) 51.9/51.3/*ms
 8   [ASN?] [ABOVENET] xe-0-1-0.mpr1.cdg11.fr.above.net (64.125.31.233) 60.5/61.1/60.9ms
 9   [ASN?] [ABOVENET] xe-3-1-0.mpr1.lhr2.uk.above.net (64.125.24.1) 69.1/69.2ms
10   [ASN?] [ABOVENET] so-0-1-0.mpr1.dca2.us.above.net (64.125.27.57) 141.7/141.6ms
11   [ASN?] [ABOVENET] so-1-0-0.mpr3.iah1.us.above.net (64.125.29.37) 168.7/167.5ms
12   [ASN?] [ABOVENET] xe-1-3-0.cr1.iah1.us.above.net (64.125.30.105) 167.1/167.1ms
13   [ASN?] [ABOVENET] xe-1-1-0.er1.iah1.above.net (64.125.26.222) 167.1/166.1ms
14   [ASN?] [NETBLK-ABOVENET2] 209.66.99.94.available.above.net (209.66.99.94) 167.2/167.6ms
15   [AS21844] [NETBLK-THEPLANET-BLK-13] et5-4.ibr04.dllstx3.theplanet.com (70.87.253.53) 172.5/172.2ms
16   [AS21844] [NETBLK-THEPLANET-BLK-13] te7-2.dsr01.dllstx3.theplanet.com (70.87.253.10) 172.1/172.0ms
**   [neglected] no reply packets received from TTL 17
18   [AS21844] [NETBLK-THEPLANET-BLK-13] te1-1.car06.dllstx6.theplanet.com (70.87.254.178) 171.7/171.7ms
19   * [AS21844] [NETBLK-THEPLANET-BLK-14] [target] www.virustotal.com (74.53.201.162):80 172.1ms

LFT's trace took 9.19 seconds.  Resolution required 48.39 seconds.


August 11, 2010, 07:53:40 am
Reply #28

cleanmx

vt changed their webpage completely.


i have now requested a private api key twice, but got no answer yet.

does anybody have contact to them ?

to speed up things...

-- gerhard

August 11, 2010, 01:47:45 pm
Reply #29

cleanmx

i managed the new scenario....

all submissions by mail, analyse the mails and feed them back into the database...

-- gerhard