Rogue site?

Discussion in 'Virus Information' started by HarryHydro, Oct 22, 2010.

  1. HarryHydro

    HarryHydro Guest

    I had a popup with the scanning and finding viruses thing. Then a
    popup to download a file, packupdate107_2029.exe from
    www1.riseonengine1.in . I figured it was fake but I ended that task
    anyway, without clicking anything. I think I got lucky on this one.
    However, this website doesn't appear to be in DNS, also has no hits in
    Google. The name of this file is all over..
    Harry
     
    HarryHydro, Oct 22, 2010
    #1

  2. From: "HarryHydro" <>

    | I had a popup with the scanning and finding viruses thing. Then a
    | popup to download a file, packupdate107_2029.exe from
    | www1.riseonengine1.in . I figured it was fake but I ended that task
    | anyway, without clicking anything. I think I got lucky on this one.
    | However, this website doesn't appear to be in DNS, also has no hits in
    | Google. The name of this file is all over..
    | Harry

    Yes Harry, it was a rogue anti-malware scam site. Often these sites exist for only a day
    or so and are provided through a general redirection site that is spammed or otherwise
    "presented" to you.

    An example of a spammed redirection site; better-web-365.com
     
    David H. Lipman, Oct 22, 2010
    #2

  3. The last four or five I saw were all initially from the cz.cc domain
    (free domain names).
     
    FromTheRafters, Oct 22, 2010
    #3
  4. From: "FromTheRafters" <>


    | The last four or five I saw were all initially from the cz.cc domain
    | (free domain names).

    Redirection sites or the rogue host sites ?

    Another redirection site; netresults-online.com
     
    David H. Lipman, Oct 22, 2010
    #4
  5. I don't know really, I stopped investigating. I assume it is the
    hosting site.

    http://hostphotofree.com/?bookmark=21822
    Some other similar ones.

    http://hostphotofree.com/?bookmark=21823

    http://hostphotofree.com/?bookmark=21824

    Obfuscated script snippet from that last one:

    function
    rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ(rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ){/*dfffddfd*/var
    rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ=6952;return
    "rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ";};
    var
    rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ="rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ";


    var v89d795qo81UsWyHr9X8isuTOJa6pKCnw="e
    rav\"{=krdsarvlmwslaf:\"uqt\",ef:\"cmfr\",eslafoceqrwaf:\"akr\",eslkxbacteslaf:\"mil\",:\"pgchm,eslafthgwhv\"\"pkjypl\",1-:\"afhyo
    vid<\":ssalctnec\"\\=nallaram_gnid>\"\\nilc
    vid<\"\\=ssalartnecidnaltfel_gn=di \"\\rtnec\"\\nallael_gnid<>\"\\tfalc
    vid\"\\=sslartnecnidnal_tfel_g<>\"\\1alc
    vidl\"\\=ssoci_tfe\"\\1_nvid/\\<> vid<>\\=ssalctnec\"dna...


    ...I think two layers of obfuscation, but I'm not sure - there is an
    HTML file and an extensionless file with HTML content in addition to the
    script.

    <title>Security Analysis</title>
     
    FromTheRafters, Oct 22, 2010
    #5
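The snippet above uses two tricks worth flagging during triage: one long random identifier reused as function name, parameter, local and string value, and a string literal that only reads as HTML markup (`<div class=...`) once reversed. The following Python helper is an added analysis example, not code from the thread; it scans JavaScript source for both patterns on a constructed sample (the identifier and the reversed `<div>` string are made up to mirror the post, not copied from the scam page).

```python
import re

# JavaScript string literals: double- or single-quoted, with backslash escapes.
STRING_LITERAL = re.compile(r'"((?:\\.|[^"\\])*)"' + r"|'((?:\\.|[^'\\])*)'", re.S)

# Markup that should not appear in a literal unless it is building a page.
HTML_MARKERS = re.compile(r"<(div|span|iframe|script|a|img)\b|\bclass=|\bsrc=|\bhref=", re.I)

# Long identifiers mixing letters and digits, like the rv74bP... name in the post.
LONG_IDENT = re.compile(r"\b[A-Za-z_$][A-Za-z0-9_$]{23,}\b")


def js_unescape(s):
    """Resolve simple JS escapes such as \\\" and \\\\ inside a literal."""
    return re.sub(r"\\(.)", r"\1", s)


def find_reversed_html(js_source):
    """Return (literal, reversed) pairs for strings that look like HTML only when reversed."""
    hits = []
    for m in STRING_LITERAL.finditer(js_source):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        lit = js_unescape(raw)
        if HTML_MARKERS.search(lit):
            continue  # plain markup, nothing hidden
        rev = lit[::-1]
        if HTML_MARKERS.search(rev):
            hits.append((lit, rev))
    return hits


def long_identifiers(js_source):
    """Return the distinct long letter+digit identifiers in the source, sorted."""
    found = {i for i in LONG_IDENT.findall(js_source)
             if re.search(r"\d", i) and re.search(r"[A-Za-z]", i)}
    return sorted(found)


# Constructed sample (hypothetical names and markup, not the real scam script).
SAMPLE_JS = (
    "function aB12cD34eF56gH78iJ90kL12mN34oP56(aB12cD34eF56gH78iJ90kL12mN34oP56){"
    'var aB12cD34eF56gH78iJ90kL12mN34oP56=6952;return "x";};\n'
    'var payload=">vid/<ih>\\"niam\\"=ssalc vid<";\n'
    'var label="hello world";'
)

if __name__ == "__main__":
    for lit, rev in find_reversed_html(SAMPLE_JS):
        print("reversed literal decodes to:", rev)
    print("long identifiers:", long_identifiers(SAMPLE_JS))
```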
  7. peonyparker
    The index page should be saved and published as index. The Rooms page save and publish as Rooms... Then when someone addresses for yoursite.com up will come the index page..
     
    peonyparker, Dec 24, 2010
    #7