Scanned pages/files
Request | Server response | Status
--- | --- | ---
http://afikei-orot.org.il/ | 200 OK, Content-Length: 27978, Content-Type: text/html | suspicious
http://afikei-orot.org.il/date-picker.js | 404 Not Found, Content-Length: 1635, Content-Type: text/html | clean
http://afikei-orot.org.il/test404page.js | 404 Not Found, Content-Length: 1635, Content-Type: text/html | clean
http://afikei-orot.org.il/inc/general/date-picker.js | 200 OK, Content-Length: 16529, Content-Type: application/x-javascript | clean

Details for http://afikei-orot.org.il/ (suspicious):

Malicious code - confirmed by antiviruses (see below). Flagged excerpt of the page's client-side VBScript:

    REM -- Var to determine current nav1 to mark
    nav1_to_mark = 1
    sub ChangeBackgrounds(navCurr, nav1_id)
        REM -- Change current nav1 to be marked
        nav1_to_mark = nav1_id
        rem -- Total number of nav1 on side/secondary bar
        nav1Count = document.navfrm.nav1Count.value
        REM -- Clear all selected backgrounds except current
        for P = 0 to nav1Count-1
            if P <> navCurr then
                document.all("divy_" & P).style.background="url(images/nav2_bg1.gif)"
            end if
        next
    end sub
    sub MouseOutFunc(nav1_id, navCurr)
        if CInt(nav1_id) <> CInt(nav1_to_mark) then
            document.all("divy_" & navCurr).style.background="url(images/nav2_bg1.gif)"
        end if
    end sub

Antivirus reports: Deface/Content modification. The following signature was found: HACKED BY THE KEY40 FROM ALGERIA

...[3778 bytes skipped]...

    ...תה בטוח כי ברצונך למחוק את הרשומה"
    Case else
        iMsg = "? האם אתה בטוח כי ברצונך למחוק את הרשומה"
    End select
    REM -- Actual deleting
    if msgbox(iMsg, VbYesNo, "מחיקה")=6 then
        document.delete.submit()
    end if
    end function
    </script>
    <title dir="rtl">HACKED BY THE KEY40 FROM ALGERIA</title>
    </head>
    <body OnLoad=>
    <table width="916" border="0" align="left" cellpadding="0" cellspacing="0">
    <tr>
    <td width="200" rowspan="3" align="center" valign="top" bgcolor="#FFF3E6"><table width="100%" cellpadding="10" cellspacing="0" >
    <tr>
    <td width=100% colspan="2" valign="top" align="center" dir="rtl">
    <marquee heig

...[29462 bytes skipped]...
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: afikei-orot.org.il
Result:
HTTP/1.1 200 OK
Cache-Control: private
Date: Tue, 25 Nov 2014 13:35:59 GMT
Server: Microsoft-IIS/6.0
Content-Length: 27978
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSABRQASB=GBGNJCECHABHGHPJNAHNGPJA; path=/
X-Powered-By: ASP.NET
...27978 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: afikei-orot.org.il
Referer: http://www.google.com/search?q=afikei-orot.org.il
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=afikei-orot.org.il
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://afikei-orot.org.il/
Result: afikei-orot.org.il is not infected or malware details are not published yet.