A Windows XP help forum. PCbanter

Freeware to test a specific web site php URL for malware?



 
 
  #31  
Old September 17th 13, 10:39 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
FromTheRafters[_2_]
external usenet poster
 
Posts: 385
Default Freeware to test a specific web site php URL for malware?

On Tue, 17 Sep 2013 19:56:12 +0000 (UTC)
jan wrote:

On Tue, 17 Sep 2013 19:44:39 +0000, jan wrote:

VirusTotal results were problematic because they didn't
tell you that the primary URL redirected you to a secondary URL.
Neither did the Google diagnostic scan.
Luckily, the other two did.


Given that, how does this look for our recommended
Windows/Linux/Mac freeware sites to bookmark for
future scanning of suspect URLs?

(In priority order):
1. http://zulu.zscaler.com

2. http://wepawet.iseclab.org

3. https://www.virustotal.com/en-gb/#url

4. http://google.com/safebrowsing/diagn.../path/file.htm

I would say just the first two, and then even take the results with a
grain of salt. If I'm not mistaken, the VT one is expecting the URL to
be a file to download and check for malware - not a URL to check out by
rendering HTML, interpreting JavaScript, and following links. Also I'm
under the impression that the Google one is a reputation based lookup
table.
  #32  
Old September 17th 13, 10:43 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
FromTheRafters[_2_]
external usenet poster
 
Posts: 385
Default Freeware to test a specific web site php URL for malware?

On Tue, 17 Sep 2013 16:15:06 -0400
"...winston" wrote:

jan wrote:
Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

That 'Green coffee bean' ad has been floating around for some time
across a bevy of different isp email addresses.

Not all originate from the senders email address, some with forged
headers, some from harvesting addresses from one of the faked sender's
contacts (i.e. the sender may not be compromised but one of their
contacts)...the list goes on.


I also noticed a reference to a GPS locator function which seemed
suspicious to me, but I have seen such ads using GPS to customize the
ad to the visitor's location. For instance the old earn money now just
like this person did (an address in your own home town) scam ad.
  #33  
Old September 17th 13, 11:17 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan
external usenet poster
 
Posts: 39
Default Freeware to test a specific web site php URL for malware?

On Tue, 17 Sep 2013 21:22:57 +0000, ~BD~ wrote:

You are mistaken, FTR - VT fulfils BOTH functions!

https://www.virustotal.com/en-gb/#url


It does.

At first, with all scripts blocked, VT didn't even show the URL
form; but once I unblocked scripts, the form came up for pasting
in a URL.

Still, VT wholly missed the redirect, so, it can be used as a
backup (once you already know there is a redirect); but it can't
be (reliably) used as a primary scan.

  #34  
Old September 17th 13, 11:21 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
FromTheRafters[_2_]
external usenet poster
 
Posts: 385
Default Freeware to test a specific web site php URL for malware?

On Tue, 17 Sep 2013 21:22:57 +0000 (UTC)
~BD~ wrote:

FromTheRafters wrote:
On Tue, 17 Sep 2013 18:50:08 +0000 (UTC)
jan wrote:

On Tue, 17 Sep 2013 17:44:44 +0000, FromTheRafters wrote:

zulu.zscaler or wepawet would be a better choice

Trying just http://zulu.zscaler first ...

Given this original suspected URL:
aochi dot hideo dot perso dot neuf dot fr slash 876569.php
I pasted that into http://zulu.zscaler.com where the first
problem I had was nothing worked, so I had to again turn off
all my script blockers.

Then, I tried to answer the zulu.zscaler "user agent" question.
However, I have FirefoxESR 17.0.8 (RHEL6) which isn't one of the
options, so I picked Firefox 8, which was the closest available.

I didn't know what to put for the "Referrer" so I left it blank.

The results for the primary URL came up as "5/100 (Benign)".
a. This URL has been analyzed by Zulu in the past
b. Analyzed on: 09/17/2013 at 18:33 GMT
c. Redirections: greencoffee dash fat dash loss dot com/?20/12 (302 Moved Temporarily)
d. IP Address: 86.65.123.70, Country: France
e. Netblock size has size 511

Well, at least *that* site figured out there was a redirect involved,
so, this is better than virustotal (which didn't figure that out).

Then I repeated this with the secondary URL (the coffee page):
greencoffee dash fat dash loss dot com ?20/12
That was red flagged as 100/100 Malicious
IP Address: 46.249.59.209 located in the Netherlands
a. Blacklisted in multiple real-time domain blocklists
b. Blacklisted in multiple real-time domain blocklists
c. Netblock size has size 255
d. IP address has been identified as risky by one/more sources

So far, here's my observations:
A. VirusTotal = not the best choice because it doesn't know about the redirect
B. Zulu.Zscaler = a better choice because it at least tells you about the redirect
C. I will try wepawet next


VT should not have been suggested in the first place since it isn't
what the OP asked for but is instead a file submission scanner.


You are mistaken, FTR - VT fulfils BOTH functions!


I see that now, thanks.
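Added example (not code posted by anyone in this thread): the recurring problem above is that two of the four scanners reported only on the first URL and said nothing about the 302 to the second host. A few lines of Python can follow the chain hop by hop, without rendering the page, so you know every host involved before you hand the URLs to a scanner. It accepts the defanged spellings used in this thread ("http colon slash slash ... dot php", "hxxp://", "[.]") and defangs its output again for pasting into a report. The fetcher is pluggable: fetch_constructed replays constructed responses (the 302 from aochi.hideo.perso.neuf.fr to greencoffee-fat-loss.com is the hop Zulu reported; the meta-refresh hop and the /landing path are invented for the demo), so it runs offline. fetch_live makes real requests, which means the suspect server sees your IP and user agent, so run that only from a throwaway VM. JavaScript-driven redirects are out of scope here; those need a sandboxed browser or a tool like Wepawet that actually interprets the script.

```python
"""Follow a suspect URL's redirect chain hop by hop (added example).

Handles the defanged spellings used in this thread, HTTP 3xx Location
headers and HTML meta refresh; see the lead-in for what is constructed.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

MAX_HOPS = 10
# <meta http-equiv="refresh" content="0; url=..."> anywhere in the fetched body
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*"
    r"content\s*=\s*[\"']\s*\d+\s*;\s*url\s*=\s*([^\"'>\s]+)",
    re.IGNORECASE,
)


def refang(text):
    """Turn 'hxxp', '[.]' and the spoken 'dot'/'slash'/'dash' forms back into a URL."""
    s = text.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"\s+colon\s+slash\s+slash\s+", "://", s, flags=re.I)
    s = re.sub(r"\s+dot\s+", ".", s, flags=re.I)
    s = re.sub(r"\s+slash\s+", "/", s, flags=re.I)
    s = re.sub(r"\s+dash\s+", "-", s, flags=re.I)
    if not re.match(r"[a-z][a-z0-9+.-]*://", s, re.I):
        s = "http://" + s          # bare host/path: assume plain http
    return s


def defang(url):
    """hxxp://host[.]tld/path, safe to paste into mail or a ticket."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{slash}{path}"


def trace(url, fetch, max_hops=MAX_HOPS):
    """Return [(url, status, next_url, kind), ...], one tuple per hop.

    kind is 'http-3xx', 'meta-refresh', 'final', 'loop' or 'too-many-hops'.
    Nothing is rendered or executed: a JavaScript redirect is not seen here.
    """
    hops, seen, current = [], set(), url
    for _ in range(max_hops):
        if current in seen:
            hops.append((current, None, None, "loop"))
            return hops
        seen.add(current)
        status, headers, body = fetch(current)
        headers = {k.lower(): v for k, v in headers.items()}
        nxt, kind = None, "final"
        if 300 <= status < 400 and "location" in headers:
            nxt, kind = urljoin(current, headers["location"]), f"http-{status}"
        else:
            m = META_REFRESH.search(body or "")
            if m:
                nxt, kind = urljoin(current, m.group(1)), "meta-refresh"
        hops.append((current, status, nxt, kind))
        if nxt is None:
            return hops
        current = nxt
    hops.append((current, None, None, "too-many-hops"))
    return hops


# Constructed responses for the offline demo. The 302 is the hop Zulu reported
# in this thread; the meta refresh and the /landing path are made up.
CONSTRUCTED = {
    "http://aochi.hideo.perso.neuf.fr/876569.php":
        (302, {"Location": "http://greencoffee-fat-loss.com/?20/12"}, ""),
    "http://greencoffee-fat-loss.com/?20/12":
        (200, {"Content-Type": "text/html"},
         '<html><head><meta http-equiv="refresh" content="0; url=/landing?ref=a1b2">'),
    "http://greencoffee-fat-loss.com/landing?ref=a1b2":
        (200, {"Content-Type": "text/html"}, "<html><body>offer page</body></html>"),
}


def fetch_constructed(url):
    return CONSTRUCTED.get(url, (404, {}, ""))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None   # make urllib raise the 3xx instead of following it


def fetch_live(url, timeout=10):
    """Real fetcher: one GET, no automatic redirects, body capped at 64 KiB."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), ""


def report(defanged_input, fetch=fetch_constructed):
    """Refang, trace, and return defanged (url, status, kind) rows."""
    return [(defang(u), st, kind) for u, st, _, kind in trace(refang(defanged_input), fetch)]


if __name__ == "__main__":
    for row in report("http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash 876569 dot php"):
        print(*row)
```

Run it as-is to see the three constructed hops; swap in fetch_live (from a VM) to trace a real chain. Because each hop is fetched exactly once and never followed automatically, a 302 to a blacklisted host shows up as its own row, which is the information the thread found missing from two of the scanners.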
  #35  
Old September 17th 13, 11:23 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan
external usenet poster
 
Posts: 39
Default Freeware to test a specific web site php URL for malware?

On Tue, 17 Sep 2013 19:59:25 +0000, ~BD~ wrote:

I'm no expert, Jan, but I don't think Mac or Linux users need be too
concerned if they had clicked on the link.


Hi Dave,
I always understood why a Windows PC is very vulnerable
(mainly because there are no protections against root execution),
but, you can still load a user-run virus onto Mac & Linux, can't you?

This has always eluded me as to why virus writers don't write
programs that drop into, say, your home directory, and which execute
as the user.

They could still log keystrokes, websites, take files that the user
has permission for (which is most if not all their data files), etc.

So, I just don't get how a Linux/Mac user would be protected all
that much more than a Windows user (other than root privileges).

Can't a virus do damage executing as the current user?

(Certainly I can do a "rm -r *" and that would be devastating to my
data.)

  #36  
Old September 17th 13, 11:27 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
FromTheRafters[_2_]
external usenet poster
 
Posts: 385
Default Freeware to test a specific web site php URL for malware?

On Tue, 17 Sep 2013 22:23:46 +0000 (UTC)
jan wrote:

On Tue, 17 Sep 2013 19:59:25 +0000, ~BD~ wrote:

I'm no expert, Jan, but I don't think Mac or Linux users need be too
concerned if they had clicked on the link.


Hi Dave,
I always understood why a Windows PC is very vulnerable
(mainly because there are no protections against root execution),
but, you can still load a user-run virus onto Mac & Linux, can't you?

This has always eluded me as to why virus writers don't write
programs that drop into, say, your home directory, and which execute
as the user.

They could still log keystrokes, websites, take files that the user
has permission for (which is most if not all their data files), etc.

So, I just don't get how a Linux/Mac user would be protected all
that much more than a Windows user (other than root privileges).

Can't a virus do damage executing as the current user?

(Certainly I can do a "rm -r *" and that would be devastating to my
data.)


They mostly only need root or admin tokens to obtain stealth and/or
persistence.
  #37  
Old September 19th 13, 08:56 AM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
Jasen Betts
external usenet poster
 
Posts: 148
Default Freeware to test a specific web site php URL for malware?

On 2013-09-17, FromTheRafters wrote:
On Tue, 17 Sep 2013 22:23:46 +0000 (UTC)
jan wrote:

On Tue, 17 Sep 2013 19:59:25 +0000, ~BD~ wrote:

I'm no expert, Jan, but I don't think Mac or Linux users need be too
concerned if they had clicked on the link.


Hi Dave,
I always understood why a Windows PC is very vulnerable
(mainly because there are no protections against root execution),
but, you can still load a user-run virus onto Mac & Linux, can't you?

This has always eluded me as to why virus writers don't write
programs that drop into, say, your home directory, and which execute
as the user.

They could still log keystrokes, websites, take files that the user
has permission for (which is most if not all their data files), etc.

So, I just don't get how a Linux/Mac user would be protected all
that much more than a Windows user (other than root privileges).

Can't a virus do damage executing as the current user?

(Certainly I can do a "rm -r *" and that would be devastating to my
data.)


They mostly only need root or admin tokens to obtain stealth and/or
persistence.


They don't need admin for persistence (eg: using @reboot in crontab)




--
⚂⚃ 100% natural

  #38  
Old September 19th 13, 12:04 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
FromTheRafters[_2_]
external usenet poster
 
Posts: 385
Default Freeware to test a specific web site php URL for malware?

On 19 Sep 2013 07:56:56 GMT
Jasen Betts wrote:

On 2013-09-17, FromTheRafters wrote:
On Tue, 17 Sep 2013 22:23:46 +0000 (UTC)
jan wrote:

On Tue, 17 Sep 2013 19:59:25 +0000, ~BD~ wrote:

I'm no expert, Jan, but I don't think Mac or Linux users need be too
concerned if they had clicked on the link.

Hi Dave,
I always understood why a Windows PC is very vulnerable
(mainly because there are no protections against root execution),
but, you can still load a user-run virus onto Mac & Linux, can't you?

This has always eluded me as to why virus writers don't write
programs that drop into, say, your home directory, and which execute
as the user.

They could still log keystrokes, websites, take files that the user
has permission for (which is most if not all their data files), etc.

So, I just don't get how a Linux/Mac user would be protected all
that much more than a Windows user (other than root privileges).

Can't a virus do damage executing as the current user?

(Certainly I can do a "rm -r *" and that would be devastating to my
data.)


They mostly only need root or admin tokens to obtain stealth and/or
persistence.


They don't need admin for persistence (eg: using @reboot in crontab)


Also they don't need admin if they get restarted by infecting a program
with code to restart the rest of the program, or if they are viral in
nature.
  #39  
Old September 20th 13, 11:08 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
G. Morgan[_8_]
external usenet poster
 
Posts: 32
Default Freeware to test a specific web site php URL for malware?

FromTheRafters wrote:

Does VT follow links? What did they think of
hxxp://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js



C:\Users\Graham>wget http://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js
--2013-09-20 17:07:03--  http://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js
Resolving aochi.hideo.perso.neuf.fr... 86.65.123.70
Connecting to aochi.hideo.perso.neuf.fr|86.65.123.70|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-09-20 17:07:05 ERROR 404: Not Found.

--

They who can give up essential liberty to obtain a little temporary safety,
deserve neither liberty nor safety. - Ben Franklin
  #40  
Old September 20th 13, 11:23 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
FromTheRafters[_2_]
external usenet poster
 
Posts: 385
Default Freeware to test a specific web site php URL for malware?

On Fri, 20 Sep 2013 17:08:26 -0500
G. Morgan wrote:

FromTheRafters wrote:

Does VT follow links? What did they think of
hxxp://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js



C:\Users\Graham>wget http://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js
--2013-09-20 17:07:03--  http://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js
Resolving aochi.hideo.perso.neuf.fr... 86.65.123.70
Connecting to aochi.hideo.perso.neuf.fr|86.65.123.70|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-09-20 17:07:05 ERROR 404: Not Found.


Limited time offer I guess.

It had some mildly obfuscated JS and other links to follow with
"random" data appended to the passed values. I didn't have the time, nor
the programs I need to follow it further.

I'm pretty sure it was just an advertisement scam. It looks like Google
added their website reputation thing to VT, so I was just wondering
what they/it thought of the JS page.
 



