Freeware to test a specific web site php URL for malware?

[jan]

Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

 

[~BD~]

Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

Yes! Paste the URL here:- https://www.virustotal.com/en-gb/

 

[FromTheRafters]

Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

Wepawet and zscaler come to mind. There are others as well, none of
them are perfect of course.

 

[~BD~]

Yes! Paste the URL here:- https://www.virustotal.com/en-gb/

Please see here:-

https://www.virustotal.com/en-gb/ur...68a5ca30e12241d96a4ab5a34132aa128d1/analysis/

 

[FromTheRafters]

Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

It looks suspicious to me, that jquery script in particular. Too
complicated for me to check out right now, looks like mostly
advertising crap.

 

[FromTheRafters]

Yes! Paste the URL here:- https://www.virustotal.com/en-gb/

What kind of results do you get?

 

[FromTheRafters]

Please see here:-

https://www.virustotal.com/en-gb/ur...68a5ca30e12241d96a4ab5a34132aa128d1/analysis/

So, what's the verdict?

 

[Mike Easter]

f/ups to acf only


Google can test a URL and give you a report like this:

http://www.google.com/safebrowsing/diagnostic?site=http://aochi.hideo.perso.neuf.fr/876569.php
Safe Browsing
Diagnostic page for aochi.hideo.perso.neuf.fr

Append any domain to the end of the URL
“google.com/safebrowsing/diagnostic?site="

But that testing isn't 'comprehensive' for the potential of a site to be
a problem.

Yes! Paste the URL here:- https://www.virustotal.com/en-gb/

That is not correct. That is not the purpose of the VT functions.

VT functions to allow you to 'send' VT a malware file or to 'give' VT a
specific file by providing VT a link to the specific file. VT does not
send some kind of freeware tool to the site.

If you give VT the link to the site above, you will get a VT report like
this:

File scan:The URL response content could not be retrieved or it is some
text format (HTML, XML, CSV, TXT, etc.), hence, it was not enqueued for
antivirus scanning.

 

[VanguardLH]

NOTE: Windows 7 is not freeware so it is off-topic for inclusion with
the alt.comp.freeware newsgroup.

A better target would be to ask in a newsgroup that discusses your web
browser since other users may know of add-ons or extensions to assist
with such testing.

Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

http://www.avg.com.au/resources/web-page-scanner/
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/security-report/
http://www.google.com/safebrowsing/diagnostic?site=enterURLhere

For the Google check, replace "enterURLhere" with the URL to the web
site (sans quotes). They don't provide a web form for entry and instead
rely on the URL parameter (since they are also programmatically accessed
for checking sites). Proper URLs do not have spaces although some sites
will handle them anyway. If there are spaces in the URL you want to
check, replace them with the %20 hexidecimal iso entity value. Do not
include the protocol (http://, ftp://, etc), just start with the
hostname in the domain portion of the URL.

I do not recommend WOT or McAfee SiteAdvisor or any community-voted
ranking service - just look at the reports by users and you'll
understand why boobs shouldn't rank sites.

 

[~BD~]

f/ups to acf only



Google can test a URL and give you a report like this:

http://www.google.com/safebrowsing/diagnostic?site=http://aochi.hideo.perso.neuf.fr/876569.php
Safe Browsing
Diagnostic page for aochi.hideo.perso.neuf.fr

Append any domain to the end of the URL “google.com/safebrowsing/diagnostic?site="

But that testing isn't 'comprehensive' for the potential of a site to be a problem.


That is not correct. That is not the purpose of the VT functions.

VT functions to allow you to 'send' VT a malware file or to 'give' VT a
specific file by providing VT a link to the specific file. VT does not
send some kind of freeware tool to the site.

If you give VT the link to the site above, you will get a VT report like this:

File scan:The URL response content could not be retrieved or it is some
text format (HTML, XML, CSV, TXT, etc.), hence, it was not enqueued for antivirus scanning.

You need to spend a little more time exploring on the page where you saw
that, Mike.

 

[Mike Easter]

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

That site redirects to:

http://greencoffee-fat-loss.com/?20/12

Google's tester says:

http://google.com/safebrowsing/diagnostic?site=http://greencoffee-fat-loss.com/?20/12
What is the current listing status for greencoffee-fat-loss.com? This
site is not currently listed as suspicious.

However VT's function to submit to 39 site testers shows 36 of them
reporting clean site, while 4 report as malicious or suspicious, 6
report as unrated, and 29 report as clean.

https://www.virustotal.com/en-gb/ur...68a5ca30e12241d96a4ab5a34132aa128d1/analysis/

It appears to me that in order to use the VT function to submit to
numerous site testers that you have to resolve the redirection first.

 

[~BD~]

f/ups to acf only



Google can test a URL and give you a report like this:

http://www.google.com/safebrowsing/diagnostic?site=http://aochi.hideo.perso.neuf.fr/876569.php
Safe Browsing
Diagnostic page for aochi.hideo.perso.neuf.fr

Append any domain to the end of the URL “google.com/safebrowsing/diagnostic?site="

But that testing isn't 'comprehensive' for the potential of a site to be a problem.


That is not correct. That is not the purpose of the VT functions.

VT functions to allow you to 'send' VT a malware file or to 'give' VT a
specific file by providing VT a link to the specific file. VT does not
send some kind of freeware tool to the site.

If you give VT the link to the site above, you will get a VT report like this:

File scan:The URL response content could not be retrieved or it is some
text format (HTML, XML, CSV, TXT, etc.), hence, it was not enqueued for antivirus scanning.

You need to spend a little more time exploring on the page where you saw
that, Mike.

 

[~BD~]

So, what's the verdict?

Detection ratio 3/39

Can you not see that at my link?

 

[FromTheRafters]

Detection ratio 3/39

Can you not see that at my link?

Yes, but wat does that *mean*?

 

[~BD~]

Yes, but wat does that *mean*?

It *may* mean that most AV companies are slow off the blocks ..... OR that
the detections found are 'false positives'.

Does this help you?

 

[FromTheRafters]

It *may* mean that most AV companies are slow off the blocks ..... OR that
the detections found are 'false positives'.

Does this help you?

Does VT follow links? What did they think of
hxxp://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js

 

[jan]

Paste that URL here:
https://www.virustotal.com/en-gb/

Ah. Perfect.

That site's home page explains:
"VirusTotal is a free service that analyzes suspicious files
and URLs and facilitates the quick detection of viruses,
worms, trojans, and all kinds of malware."

However, it wasn't (at first) at all intuitive how to paste the
URL in, as it kept wanting me to upload a file (which I don't have).

But then I (temporarily) turned off my automatic script blockers
and only then did the GUI for the URL show up on the web page.

Once I turned off my Firefox script blockers, it immediately reported:
URL already analysed
This URL was already analysed by VirusTotal on 2013-09-17 14:40:40 UTC.
Detection ratio: 0/39
You can take a look at the last analysis or analyse it again now.

Looking at the detailed results, it was clean on most issues
(and "unrated" for a half dozen of the 39 tests).

Thanks for this nice testing site.
I will read on and respond to each suggestion separately.

jan

 

[jan]

https://www.virustotal.com/en-gb/ur...68a5ca30e12241d96a4ab5a34132aa128d1/analysis/

Now I'm confused!

When I pasted the original URL into virustotal, it said it was clean:
http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash 876569 dot php

Yet, that URL goes to:
http colon slash slash greencoffee dash fat dash loss dot com slash ?20 slash 12

When I pasted *that* secondary URL into virustotal, it said:
URL already analysed
This URL was already analysed by VirusTotal on 2013-09-17 17:58:02 UTC.
Detection ratio: 3/39
You can take a look at the last analysis or analyse it again now.

The bad things were:
1. BitDefender Malware site
2. CLEAN MX Suspicious site
3. Sophos Malicious site
4. Websense ThreatSeeker Malicious site

Can you shed light on an interpretation of why the original site can
test clean, yet, the re-direct tests bad. Why wouldn't the virus total
site actually follow the links.

Are my initial results (i.e., clean site) wrong?

 

[jan]

So, what's the verdict?

The results are weird.

If you paste the original URL into the virustotal site, it
comes back as clean.

However, if you then physically GO to the original URL, you
find that the php script re-directs you to a secondary URL.

If you then paste that secondary URL into the virustotal site,
it comes back as dealing with malware.

Is it just me or does something seem wrong with this sequence?

Do I actually have to *visit* the site in order to find the URL
in order to give virustotal that URL so that it can tell me that
I shouldn't have visited the site after all?

Or, did I do something wrong?

 

[jan]

Detection ratio 3/39
Can you not see that at my link?

Hi Dave,
I did visit your link, and I ran the test myself, which
showed the following:

a. BitDefender Malware site
b. Sophos Malicious site
c. Websense ThreatSeeker Malicious site
d. CLEAN MX Suspicious site

But, I'm not sure what that means, to me, and I'm definitely
unclear what to tell my siblings who had clicked on the link.

What does this mean, to a Mac/Windows/Linux user?