
How do I tell if a site is malicious


Guest ~BD~


I have nothing to say regarding the site, as I've told you many times, I really don't have time to explore sites unless said site might contain malicious scripts and/or trojan downloads.

Have a good weekend Dave!

Thanks for your comments, Dustin.

Is there any way that I - as a non-techie guy - can determine if a site actually contains malicious code, as you call it?

I'll be happy to explore on my own and send samples to you. Just tell me how to find/recognise it! :angry:

Dave

PS Shouldn't you be out and about enjoying yourself on a Saturday?!!


Is there any way that I - as a non-techie guy - can determine if a site actually contains malicious code, as you call it?

Run ProcessGuard (it's free); it won't let any exes run that you have not whitelisted. You may end up doing a lot of Googling to see what you can whitelist, but it will put the brakes on getting infected through web exploits.

I'll be happy to explore on my own and send samples to you. Just tell me how to find/recognise it!

ProcessGuard will also do this, because while ProcessGuard is preventing the file from running you can cut and paste it to another location and then deny the execution. This is a great way to collect web-exploit-downloaded malware without getting your PC infected.

Keep in mind that it only takes one slip-up to completely screw things up, and I would not be doing this if I were you unless you had either a test system or VM software.

PS Shouldn't you be out and about enjoying yourself on a Saturday?!!

I work 7 days a week, at least 10 hours a day :angry:. In the end, though, it will be worth the sacrifice.


Is there any way that I - as a non-techie guy - can determine if a site actually contains malicious code, as you call it?

I'll be happy to explore on my own and send samples to you. Just tell me how to find/recognise it! :lol:

This may be a more techie thing, but if you know even a little about coding websites, you can take a peek at the site itself, without actually opening it in a browser. Malzilla is one nice tool that lets you check out pages, and see where they link, and if they have obfuscated JavaScript present. Obfuscated script is always a sign of danger.

I work 7 days a week, at least 10 hours a day :angry:. In the end, though, it will be worth the sacrifice.

Everyone needs some rest and relaxation every now and then. Don't work too hard, you are of no use to anyone (especially to yourself) if you exhaust yourself :)

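An added illustration of the kind of static look at a page described in the post above: reading the HTML as text, without opening it in a browser, to count scripts and iframes, list where they point, and spot obfuscation markers. It is not code or output from Malzilla or vURL and not from any poster; the marker list, the hidden-iframe rule and the sample page are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic markers for obfuscated inline JavaScript (not exhaustive).
MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
    "escaped-run": re.compile(r"(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}){8,}"),
}

class PageSurvey(HTMLParser):
    """Collects script/iframe facts from raw HTML text; nothing is fetched or run."""
    def __init__(self):
        super().__init__()
        self.scripts, self.external, self.iframes, self.flags = 0, [], [], []
        self._buf = None  # inline text of the script currently being read
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.scripts += 1
            self._buf = []
            self.external += [a["src"]] if a.get("src") else []
        elif tag == "iframe":
            # Assumed rule: a 0/1-pixel or CSS-hidden iframe is worth a closer look.
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            self.iframes.append((a.get("src", ""), hidden))
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            text, self._buf = "".join(self._buf), None
            self.flags += [(self.scripts, n) for n, rx in MARKERS.items() if rx.search(text)]

def survey(html_text):
    parser = PageSurvey()
    parser.feed(html_text)
    parser.close()
    return parser

# Constructed sample page (not taken from any real site).
SAMPLE = """<script src="http://cdn.example/lib.js"></script>
<script>var s = unescape("%68%65%6C%6C%6F%20%77%6F%72%6C%64"); document.write(s);</script>
<iframe src="http://ads.example/frame" width="1" height="1"></iframe>
<iframe src="/comments" width="600" height="400"></iframe>"""
```

A hit from `survey(SAMPLE).flags` tells you which script to read by hand; the counts alone, like the "Scripts" and "iFrames" figures in a vURL report, say nothing about intent.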

Thanks for your comments, Dustin.

Is there any way that I - as a non-techie guy - can determine if a site actually contains malicious code, as you call it?

I'll be happy to explore on my own and send samples to you. Just tell me how to find/recognise it! :angry:

Dave

PS Shouldn't you be out and about enjoying yourself on a Saturday?!!

There are several ways you can use to try and determine if a site has malicious code present. However, as Bruce has already mentioned, it only takes one screwup and you can be in serious trouble. If you do not have a test machine and/or reliable VM, this isn't something I'd recommend doing, unless you have really good reliable backups present.

Bruce has mentioned ProcessGuard, and if used properly it's a fine program. Very useful for obtaining malicious samples.

Depending on the malware in question, I'm known personally for Sandboxing it with Sandboxie, but again, if not used properly you can miss things (files the host is trying to remove for example) and/or still infect yourself.

For site code analysis, vurl is a nice app.

This is really a 7 days a week kind of thing, Dave. Malware authors don't take days off. And for the time being at least, neither can we. :lol:


Many thanks for the replies - everyone.

I'll be happy to help further ........... but not quite yet!

We are enjoying the start of what we call an Indian Summer, so we're off again mid-week to spend more time living aboard our narrowboat!

Your small team has done a great job so far - I wish you every success in your endeavours. :angry:

Dave


Hi :lol:

I found a few minutes to play today and would like you to look at this extract.

vURL Desktop Edition v0.3.5 Results

Source code for: http://www.humanevents.com/article.php?id=2849

Server IP: 84.53.177.9 [ Resolution failed ]

> 84.53.177.33 [ Resolution failed ]

hpHosts Status: Not Listed

MDL Status: Not Listed

PhishTank Status: Not Listed

Scripts: 67

iFrames: 1

Date: 22 September 2008

Time: 23:10:43:10

Is there any sort of problem here? :angry: TIA

Dave



Hello ~BD~

Check the Source code link properties > right click link > click properties and look at the Address: URL > what's wrong with it?

Good question 'sho-dan' - I've never looked before (took me a while to figure out exactly what you meant, too!)

I see this: http://hxxp//www.humanevents.com/article.php?id=2849

I have a strong suspicion that that isn't right!

For an explanation of where this came from, look here:- http://www.pqlr.org/bbs/viewtopic.php?t=1161&highlight=

I've checked the Properties on the links in that thread ......... and they now seem OK! <scratches head>

Dave


I'm simply an interested amateur - but am trying to learn about security matters! :angry:

The background to my enquiry may be found here: http://www.pqlr.org/bbs/viewtopic.php?t=1169

If I go to http://validator.w3.org and type in either www.1usachurch.com or www.pqlr.org I'm shown that there are many errors - in fact, 33 Errors and 35 Errors, 5 warning(s) respectively.

Am I right in thinking that these two web sites are highly vulnerable to an SQL injection attack ......... or am I simply barking up the wrong tree, so to speak?

Any comment will be much appreciated. TIA

Dave


vURL Desktop Edition v0.3.5 Results

Source code for: http://66.102.9.104

Server IP: 66.102.9.104 [ lm-in-f104.google.com ]

hpHosts Status: Not Listed

MDL Status: Not Listed

PhishTank Status: Not Listed

Scripts: 6

iFrames: 0

Date: 24 September 2008

Time: 17:16:07:16

*****************************************************************

This is what Norton says:- https://safeweb.norton.com/report/show?name=66.102.9.104

If anyone is remotely interested, you may wonder from whence this URL came. Well - I'll tell you!

Here:- http://66.102.9.104/translate_c? ............. hl=en&sl=fr&u=http://pierre.szwarc.free.fr/en/guestbook.php&prev=/search%3Fq%3DPierre%2BSzwarc%26hl%3Den%26pwst%3D1&usg=ALkJrhgnvXlZRN30h7UcsG1hEo4pNaVMlQ

Link broken by ..............

Where did I first meet Pierre Szwarc? On the Annexcafe U2U newsgroup!

Dave rambling?

Sorry! :angry:

Edit: See here too:- http://validator.w3.org/check?uri=http%3A%...ine&group=0


Dave, find all the bad sites you want. But don't post the links here. Think about it, posting malicious site links on a forum as busy as this, what's going to happen? At least two of the links you have posted are nothing. One goes to a forum log on and the other is Google search.


Dave, find all the bad sites you want. But don't post the links here. Think about it, posting malicious site links on a forum as busy as this, what's going to happen? At least two of the links you have posted are nothing. One goes to a forum log on and the other is Google search.

I'm afraid you have lost me, Jean!

Raid (aka Dustin Cook) had - I thought - invited me to try and find bad sites and inform him.

Where do you suggest I post any 'bad' sites I may find, Jean?

The guys here are the experts in recognising untoward sites - that's why I'm here. Maybe I've been looking a bit longer than you! :angry:

Dave

PS I note that ........ someone ......... changed the whole sense of my initial post - your prerogative! :lol:


PS I note that ........ someone ......... changed the whole sense of my initial post - your prerogative! :)

Would someone, please, respond to post #11 here - Raid has access to the referenced link!

TIA

Dave


I'm afraid you have lost me, Jean!

Raid (aka Dustin Cook) had - I thought - invited me to try and find bad sites and inform him.

Where do you suggest I post any 'bad' sites I may find, Jean?

The guys here are the experts in recognising untoward sites - that's why I'm here. Maybe I've been looking a bit longer than you! :)

Dave

PS I note that ........ someone ......... changed the whole sense of my initial post - your prerogative! :)

Your initial post was not changed. I split it off from the other topic because it is a completely different subject.

If you and Dustin/Raid want to exchange bad sites that can be done any number of ways not on this forum. We do not specialize in taking down bad sites here. I don't know where you got that idea. Yes, we have several members capable of finding, and recognizing one, but this site is for MBAM, RogueRemover and Malwarebytes in general. You might want to look at forums that deal specifically in site blocking. hpHosts, is one.

As for how long I have looked? I've got enough looking in to know how an IP address can be used. I've got enough looking in to know not to post malicious links on a public forum. You keep posting links to the Validator site and it shows problems. They are not malicious necessarily; that site is for validating site code, period. It's for web developers to use to see where they have problems with the code in the site. This site might show problems, or any other perfectly legitimate site; it doesn't mean there is anything malicious.

If you're really interested in learning security, do some reading. I've said this to you before, Google is your friend, use it. Do some research and actually learn what you're thinking you're seeing. Don't expect people here to jump at your beck and call and investigate every site you can come up with that has some bad code.


I'm afraid you have lost me, Jean!

Raid (aka Dustin Cook) had - I thought - invited me to try and find bad sites and inform him.

Where do you suggest I post any 'bad' sites I may find, Jean?

The guys here are the experts in recognising untoward sites - that's why I'm here. Maybe I've been looking a bit longer than you! :)

Dave

PS I note that ........ someone ......... changed the whole sense of my initial post - your prerogative! :)

Hi Dave.. Apologies, I think we had a miscommunication of sorts. I didn't intend for you to post anything potentially malicious in the public forums. So please do not do that in the future.

This site is for Malwarebytes support, not hunting sites that you feel might be bad. As I explained in email, or tried rather, we really don't have time for some of this stuff you're doing.

Please, please use Google, it really is your friend, and do some researching on your own.


Hi Dave.. Apologies, I think we had a miscommunication of sorts. I didn't intend for you to post anything potentially malicious in the public forums. So please do not do that in the future.

This site is for Malwarebytes support, not hunting sites that you feel might be bad. As I explained in email, or tried rather, we really don't have time for some of this stuff you're doing.

Please, please use Google, it really is your friend, and do some researching on your own.

Dustin - thanks for responding.

I know you are busy, but ...........

Please answer my query at post #11 - by email if you do not wish others here to be informed. Thanks! :)

Dave


Dave, your links go nowhere. The first link goes to a log in screen, I told you this once. The second link goes to a site that will validate code. Bad code does NOT mean a bad site. It means there is a problem in the site's code, period.

Jean - thanks for your reply. Dustin has a 'key' to the log-in screen - regardless, this is my post there:-

On the web site where Leo is Webmaster ....... there is a forum too! There one may post comments, so I have! It was in reply to a post by the Webmaster that I posted this short item:

Leo said "on the way back to Delaware" - I think he meant San Antonio, Texas - but I may be mistaken!

Where are you Webmaster? %3Csmile%3E

I did nothing unusual. Can anyone explain why after my question one doesn't see the expected <smile>?

Reference: http://1usachurch.com/tinc?key=UBAIBeD4&am...6&reverse=1

FYI - I did try Google.

I got : Results 1 - 10 of about 49,400,000 for %3C. (0.26 seconds) I've not yet reviewed them all!

_________________

Dave

------


Surely someone here can explain to me ? :)

Why didn't I see <smile> on that site - I saw %3Csmile%3E instead.

It's probably a very simple explanation - I'm all ears! :)

TIA

Dave


Jean - thanks for your reply. Dustin has a 'key' to the log-in screen - regardless, this is my post there:-

I'm not sure what key it is you think I have, but this continued name dropping nonsense is getting on my nerves.

You have been told and told again that we cannot help you with this, it's a complete waste of our time, and yours until you understand what it is you're looking at. It's painfully obvious you have no desire to follow instructions.

I will not be answering any further posts, emails or PMs from you, Dave. I don't have time for this BS any longer.


I'm not sure what key it is you think I have...

All I meant was that you, Dustin, already have a Username and Password for Jenn's Board (to which the links I posted in this thread refer)

FYI - Jenn has now 'lifted' the requirement to be a 'member' in order to read the posts to which the links refer - anyone reading here should now be able to access same. :)

HTH

Dave


This topic is now closed to further replies.