Freeware to test a specific web site php URL for malware?

Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

On Tue, 17 Sep 2013 14:22:19 +0000 (UTC)
jan wrote:

Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?


Wepawet and zscaler come to mind. There are others as well, none of
them are perfect of course.

On Tue, 17 Sep 2013 14:22:19 +0000 (UTC)
jan wrote:

Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

It looks suspicious to me, that jquery script in particular. Too
complicated for me to check out right now, looks like mostly
advertising crap.

On Tue, 17 Sep 2013 14:36:42 +0000 (UTC)
~BD~ wrote:

jan wrote:
Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

Yes! Paste the URL he- https://www.virustotal.com/en-gb/

What kind of results do you get?

On Tue, 17 Sep 2013 14:46:24 +0000 (UTC)
~BD~ wrote:

~BD~ wrote:
jan wrote:
Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

Yes! Paste the URL he- https://www.virustotal.com/en-gb/

Please see he-

https://www.virustotal.com/en-gb/url...28d1/analysis/

So, what's the verdict?

f/ups to acf only

~BD~ wrote:
jan wrote:
Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Google can test a URL and give you a report like this:

http://www.google.com/safebrowsing/d...r%2F876569.php
Safe Browsing
Diagnostic page for aochi.hideo.perso.neuf.fr

Append any domain to the end of the URL
“google.com/safebrowsing/diagnostic?site="

But that testing isn't 'comprehensive' for the potential of a site to be
a problem.

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

Yes! Paste the URL he- https://www.virustotal.com/en-gb/

That is not correct. That is not the purpose of the VT functions.

VT functions to allow you to 'send' VT a malware file or to 'give' VT a
specific file by providing VT a link to the specific file. VT does not
send some kind of freeware tool to the site.

If you give VT the link to the site above, you will get a VT report like
this:

File scan:The URL response content could not be retrieved or it is some
text format (HTML, XML, CSV, TXT, etc.), hence, it was not enqueued for
antivirus scanning.



--
Mike Easter

NOTE: Windows 7 is not freeware so it is off-topic for inclusion with
the alt.comp.freeware newsgroup.

A better target would be to ask in a newsgroup that discusses your web
browser since other users may know of add-ons or extensions to assist
with such testing.

jan wrote:

Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

http://www.avg.com.au/resources/web-page-scanner/
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/security-report/
http://www.google.com/safebrowsing/d...e=enterURLhere

For the Google check, replace "enterURLhere" with the URL to the web
site (sans quotes). They don't provide a web form for entry and instead
rely on the URL parameter (since they are also programmatically accessed
for checking sites). Proper URLs do not have spaces although some sites
will handle them anyway. If there are spaces in the URL you want to
check, replace them with the %20 hexidecimal iso entity value. Do not
include the protocol (http://, ftp://, etc), just start with the
hostname in the domain portion of the URL.

I do not recommend WOT or McAfee SiteAdvisor or any community-voted
ranking service - just look at the reports by users and you'll
understand why boobs shouldn't rank sites.

jan wrote:
http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

That site redirects to:

http://greencoffee-fat-loss.com/?20/12

Google's tester says:

http://google.com/safebrowsing/diagn...oss.com/?20/12
What is the current listing status for greencoffee-fat-loss.com? This
site is not currently listed as suspicious.

However VT's function to submit to 39 site testers shows 36 of them
reporting clean site, while 4 report as malicious or suspicious, 6
report as unrated, and 29 report as clean.

https://www.virustotal.com/en-gb/url...28d1/analysis/

It appears to me that in order to use the VT function to submit to
numerous site testers that you have to resolve the redirection first.

--
Mike Easter

On Tue, 17 Sep 2013 16:49:44 +0000 (UTC)
~BD~ wrote:

FromTheRafters wrote:
On Tue, 17 Sep 2013 14:46:24 +0000 (UTC)
~BD~ wrote:

~BD~ wrote:
jan wrote:
Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

Yes! Paste the URL he- https://www.virustotal.com/en-gb/

Please see he-

https://www.virustotal.com/en-gb/url...28d1/analysis/

So, what's the verdict?

Detection ratio 3/39

Can you not see that at my link?

Yes, but wat does that *mean*?

On Tue, 17 Sep 2013 17:12:08 +0000 (UTC), FromTheRafters
wrote:

On Tue, 17 Sep 2013 16:49:44 +0000 (UTC)
~BD~ wrote:

FromTheRafters wrote:
On Tue, 17 Sep 2013 14:46:24 +0000 (UTC)
~BD~ wrote:

~BD~ wrote:
jan wrote:
Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

Yes! Paste the URL he- https://www.virustotal.com/en-gb/

Please see he-

https://www.virustotal.com/en-gb/url...28d1/analysis/

So, what's the verdict?

Detection ratio 3/39

Can you not see that at my link?

Yes, but wat does that *mean*?

I venture that it means there's a growing body of evidence that it's
best to stay the **** away from that site. What do you infer from the
evidence so far submitted?

--
p-0.0-h the cat

Internet Terrorist, Mass sock puppeteer, Agent provocateur, Gutter rat,
Devil incarnate, Linux user#666, ******* hacker, Resident evil, Monkey Boy,
Certifiable criminal, Spineless cowardly scum, textbook Psychopath,
the SCOURGE, l33t p00h d3 tr0ll, p00h == lam3r, p00h == tr0ll, troll infâme,
the OVERCAT [The BEARPAIR are dead, and we are its murderers], lowlife troll,
shyster [pending approval by STATE_TERROR], cripple, sociopath, kook,
smug prick, smartarse, arsehole, moron, idiot, imbecile, snittish scumbag,
liar, and shill.

Honorary SHYSTER and FRAUD awarded for services to Haberdashery.
By Appointment to God Frank-Lin.

On Tue, 17 Sep 2013 17:19:50 +0000 (UTC)
~BD~ wrote:

FromTheRafters wrote:
On Tue, 17 Sep 2013 16:49:44 +0000 (UTC)
~BD~ wrote:

FromTheRafters wrote:
On Tue, 17 Sep 2013 14:46:24 +0000 (UTC)
~BD~ wrote:

~BD~ wrote:
jan wrote:
Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

Yes! Paste the URL he- https://www.virustotal.com/en-gb/

Please see he-

https://www.virustotal.com/en-gb/url...28d1/analysis/

So, what's the verdict?

Detection ratio 3/39

Can you not see that at my link?

Yes, but wat does that *mean*?

It *may* mean that most AV companies are slow off the blocks ..... OR that
the detections found are 'false positives'.

Does this help you?

Does VT follow links? What did they think of
hxxp://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js

On Tue, 17 Sep 2013 18:24:23 +0100
"p-0''0-h the cat (ES)" wrote:

On Tue, 17 Sep 2013 17:12:08 +0000 (UTC), FromTheRafters
wrote:

On Tue, 17 Sep 2013 16:49:44 +0000 (UTC)
~BD~ wrote:

FromTheRafters wrote:
On Tue, 17 Sep 2013 14:46:24 +0000 (UTC)
~BD~ wrote:

~BD~ wrote:
jan wrote:
Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

Yes! Paste the URL he- https://www.virustotal.com/en-gb/

Please see he-

https://www.virustotal.com/en-gb/url...28d1/analysis/

So, what's the verdict?

Detection ratio 3/39

Can you not see that at my link?

Yes, but wat does that *mean*?

I venture that it means there's a growing body of evidence that it's
best to stay the **** away from that site. What do you infer from the
evidence so far submitted?

The obfuscation is to hide its spamminess not its maliciousness. I only
looked at it for a little while. The VT results are worthless, it's a
file submission scanner and expects executable code of some kind to be
in the file it gets pointed to. The zulu.zscaler or wepawet would be a
better choice for checking webpage maliciousness - but not all that
much better sometimes. Most of the rest are 'reputation' based and
don't actually look at all.

On Tue, 17 Sep 2013 17:44:44 +0000 (UTC), FromTheRafters
wrote:

On Tue, 17 Sep 2013 18:24:23 +0100
"p-0''0-h the cat (ES)" wrote:

On Tue, 17 Sep 2013 17:12:08 +0000 (UTC), FromTheRafters
wrote:

On Tue, 17 Sep 2013 16:49:44 +0000 (UTC)
~BD~ wrote:

FromTheRafters wrote:
On Tue, 17 Sep 2013 14:46:24 +0000 (UTC)
~BD~ wrote:

~BD~ wrote:
jan wrote:
Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

Yes! Paste the URL he- https://www.virustotal.com/en-gb/

Please see he-

https://www.virustotal.com/en-gb/url...28d1/analysis/

So, what's the verdict?

Detection ratio 3/39

Can you not see that at my link?

Yes, but wat does that *mean*?

I venture that it means there's a growing body of evidence that it's
best to stay the **** away from that site. What do you infer from the
evidence so far submitted?

The obfuscation is to hide its spamminess not its maliciousness. I only
looked at it for a little while. The VT results are worthless, it's a
file submission scanner and expects executable code of some kind to be
in the file it gets pointed to. The zulu.zscaler or wepawet would be a
better choice for checking webpage maliciousness - but not all that
much better sometimes. Most of the rest are 'reputation' based and
don't actually look at all.

Interestingly, when I put
hxxp://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js
into URL to scan it comes up clean, but if you click on
Go to downloaded file analysis

the file is called keygen.exe

Which comes up clean.

I've not even looked at this site yet, but the word keygen has tickled
my whiskers.

Unfortunately the need to hunt, is my primary directive right now.

--
p-0.0-h the cat

Internet Terrorist, Mass sock puppeteer, Agent provocateur, Gutter rat,
Devil incarnate, Linux user#666, ******* hacker, Resident evil, Monkey Boy,
Certifiable criminal, Spineless cowardly scum, textbook Psychopath,
the SCOURGE, l33t p00h d3 tr0ll, p00h == lam3r, p00h == tr0ll, troll infâme,
the OVERCAT [The BEARPAIR are dead, and we are its murderers], lowlife troll,
shyster [pending approval by STATE_TERROR], cripple, sociopath, kook,
smug prick, smartarse, arsehole, moron, idiot, imbecile, snittish scumbag,
liar, and shill.

Honorary SHYSTER and FRAUD awarded for services to Haberdashery.
By Appointment to God Frank-Lin.

On Tue, 17 Sep 2013 14:36:42 +0000, ~BD~ wrote:

http colon slash slash aochi dot hideo dot perso dot neuf
dot fr slash 876569 dot php

Paste that URL he
https://www.virustotal.com/en-gb/

Ah. Perfect.

That site's home page explains:
"VirusTotal is a free service that analyzes suspicious files
and URLs and facilitates the quick detection of viruses,
worms, trojans, and all kinds of malware."

However, it wasn't (at first) at all intuitive how to paste the
URL in, as it kept wanting me to upload a file (which I don't have).

But then I (temporarily) turned off my automatic script blockers
and only then did the GUI for the URL show up on the web page.

Once I turned off my Firefox script blockers, it immediately reported:
URL already analysed
This URL was already analysed by VirusTotal on 2013-09-17 14:40:40 UTC.
Detection ratio: 0/39
You can take a look at the last analysis or analyse it again now.

Looking at the detailed results, it was clean on most issues
(and "unrated" for a half dozen of the 39 tests).

Thanks for this nice testing site.
I will read on and respond to each suggestion separately.

jan

On Tue, 17 Sep 2013 14:46:24 +0000, ~BD~ wrote:

http colon slash slash aochi dot hideo dot perso dot neuf
dot fr slash 876569 dot php

https://www.virustotal.com/en-gb/url...28d1/analysis/

Now I'm confused!

When I pasted the original URL into virustotal, it said it was clean:
http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash 876569 dot php

Yet, that URL goes to:
http colon slash slash greencoffee dash fat dash loss dot com slash ?20 slash 12

When I pasted *that* secondary URL into virustotal, it said:
URL already analysed
This URL was already analysed by VirusTotal on 2013-09-17 17:58:02 UTC.
Detection ratio: 3/39
You can take a look at the last analysis or analyse it again now.

The bad things we
1. BitDefender Malware site
2. CLEAN MX Suspicious site
3. Sophos Malicious site
4. Websense ThreatSeeker Malicious site

Can you shed light on an interpretation of why the original site can
test clean, yet, the re-direct tests bad. Why wouldn't the virus total
site actually follow the links.

Are my initial results (i.e., clean site) wrong?