Scanned pages/files
Request | Server response | Status |
http://act.tobaccochina.com/ | HTTP/1.1 200 OK Date: Sat, 04 Oct 2014 03:22:51 GMT Accept-Ranges: bytes ETag: "7d13d81ec52cf1:0" Server: Microsoft-IIS/7.5 Content-Length: 34642 Content-Type: text/html Last-Modified: Tue, 08 Apr 2014 05:36:35 GMT X-Powered-By: ASP.NET | clean |
http://act.tobaccochina.com/qkzz/index.htm | 200 OK Content-Length: 36581 Content-Type: text/html | clean |
http://act.tobaccochina.com/qkzz/ http://www.tobaccochina.com/news/javascript/jquery-1.4.2.min.js | 404 Not Found Content-Length: 1163 Content-Type: text/html | clean |
http://act.tobaccochina.com/test404page.js | 404 Not Found Content-Length: 1163 Content-Type: text/html | clean |
http://act.tobaccochina.com/share/copyright.js | 200 OK Content-Length: 346 Content-Type: application/x-javascript | malicious |
Malicious code - confirmed by antiviruses (see below) document.write("<table width=581 border=0 cellspacing=0 cellpadding=0 align=center><tr><td height=60 align=center>");
document.write ("Copyright© 1997-2011 by TobaccoChina Online LLC.±¾ÍøÕ¾ËùÓÐÄÚÈݾùÊÜ°æȨ±£»¤¡£<br>δ¾°æȨËùÓÐÈËÃ÷È·µÄÊéÃæÐí¿É£¬²»µÃÒÔÈκη½Ê½»òýÌå·Ó¡»òתÔر¾ÍøÕ¾µÄ²¿·Ö»òÈ«²¿ÄÚÈÝ "); document.write("</td></tr></table>"); Antivirus reports:
| ||
http://act.tobaccochina.com/qkzz/script_periodical.js | 200 OK Content-Length: 1803 Content-Type: application/x-javascript | clean |
http://act.tobaccochina.net/sum_ses3.jsp?kk=30 | HTTP/1.1 301 Moved Permanently Date: Sat, 04 Oct 2014 03:22:58 GMT Location: http://fwtj.tobaccochina.net/sum_ses3.jsp?kk=30 Server: Microsoft-IIS/7.5 Content-Length: 170 Content-Type: text/html; charset=UTF-8 X-Powered-By: ASP.NET | clean |
http://fwtj.tobaccochina.net/sum_ses3.jsp?kk=30 | 200 OK Content-Length: 20 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: act.tobaccochina.com
Result:
HTTP/1.1 200 OK
Date: Sat, 04 Oct 2014 03:22:51 GMT
Accept-Ranges: bytes
ETag: "7d13d81ec52cf1:0"
Server: Microsoft-IIS/7.5
Content-Length: 34642
Content-Type: text/html
Last-Modified: Tue, 08 Apr 2014 05:36:35 GMT
X-Powered-By: ASP.NET
...34642 bytes of data.
GET / HTTP/1.1
Host: act.tobaccochina.com
Result:
HTTP/1.1 200 OK
Date: Sat, 04 Oct 2014 03:22:51 GMT
Accept-Ranges: bytes
ETag: "7d13d81ec52cf1:0"
Server: Microsoft-IIS/7.5
Content-Length: 34642
Content-Type: text/html
Last-Modified: Tue, 08 Apr 2014 05:36:35 GMT
X-Powered-By: ASP.NET
...34642 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: act.tobaccochina.com
Referer: http://www.google.com/search?q=act.tobaccochina.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: act.tobaccochina.com
Referer: http://www.google.com/search?q=act.tobaccochina.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=act.tobaccochina.com
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://act.tobaccochina.com/
Result: act.tobaccochina.com is not infected or malware details are not published yet.
Result: act.tobaccochina.com is not infected or malware details are not published yet.