Scanned pages/files
| Request | Server response | Status |
http://chairpit.com/ | 200 OK Content-Length: 4379 Content-Type: text/html | suspicious |
Deface/Content modification. The following signature was found: Hacked by ./r14nul ...[4473 bytes skipped]... > young modern promo tshirt <br /><br /> <img border="1" src="images/discography/tshirts/young_modern_promo_arrivals.jpg" /> </div> </div> </div> </div> <div id="cc"> <div id="cc2"> <div id="ccc"> <h1 class="title">news</h1> <h2><a href="news.php?newsID=2">Hacked by ./r14nul</a></h2> <p>Hacked by ./r14nul...</p> <p> <small>posted on: 2012-05-20 23:12:20</small> <br /> <small>posted by: beau</small> </p> <h2><a href="news.php?newsID=1">welcome to the new look chairpit</a></h2> <p>chairpit is back from the dead...</p> <p> <small>posted on: ...[365 bytes skipped]... | ||
http://chairpit.com/index.php | 200 OK Content-Length: 4379 Content-Type: text/html | clean |
http://chairpit.com/news.php | 200 OK Content-Length: 3340 Content-Type: text/html | clean |
http://chairpit.com/members.php | HTTP/1.1 302 Moved Temporarily Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Connection: close Date: Wed, 17 Dec 2014 18:47:18 GMT Pragma: no-cache Location: login.php?accesscheck=%2Fmembers.php Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Content-Length: 0 Content-Type: text/html Expires: Thu, 19 Nov 1981 08:52:00 GMT Set-Cookie: PHPSESSID=515494839ffee5445fa496c7a3a01c11; path=/ X-Powered-By: PHP/5.4.25 | clean |
http://chairpit.com/login.php?accesscheck=%2fmembers.php | 200 OK Content-Length: 3729 Content-Type: text/html | clean |
http://chairpit.com/photos.php | 200 OK Content-Length: 3192 Content-Type: text/html | clean |
http://chairpit.com/photos.php?album=20070507&type=live | 200 OK Content-Length: 35425 Content-Type: text/html | clean |
http://chairpit.com/test404page.js | 404 Not Found Content-Length: 460 Content-Type: text/html | clean |
http://chairpit.com/photos.php?album=20070506&type=live | 200 OK Content-Length: 24671 Content-Type: text/html | clean |
http://chairpit.com/photos.php?album=20070330&type=live | 200 OK Content-Length: 16637 Content-Type: text/html | clean |
http://chairpit.com/recover.php | 200 OK Content-Length: 3508 Content-Type: text/html | clean |
http://chairpit.com/register.php | 200 OK Content-Length: 4299 Content-Type: text/html | clean |
http://chairpit.com/news.php?newsID=2 | 200 OK Content-Length: 64451 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) <!-- HTML Encryption provided by r14nulr00t.blogspot.com --> <!-- document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%3C%74%69%74%6C%65%3E%2D%3D%5B%20%48%61%63%6B%65%64%20%62%79%20%2E%2F%72%31%34%6E%75%6C%20%5D%3D%2D%3C%2F%74%69%74%6C%65%3E%0A%3C%6D%65%74%61%20%6E%61%6D%65%3D%22%64%65%73%63%72%69%70%74%69%6F%6E%22%20%63%6F%6E%74%65%6E%74%3D%22%68%61%63%6B%65%64%20%62%79%20%2E%2F%72%31%34%6E%75%6C%22%2F%3E%0A%3C%6D%65%74%61%20%6E%61%6D%65%3D%22%6B%65%79%77 Decoded script: <html> <head> <title>-=[ Hacked by ./r14nul ]=-</title> <meta name="description" content="hacked by ./r14nul"/> <meta name="keywords" content="hacked by ./r14nul"/> <meta name="robots" content="index, follow"/> <link href='http://www.gifs.net/Animation11/Geography_and_History/International_Flags/palestine.gif' rel='icon' type='image/vnd.microsoft.icon'/> alert("Sorry Admin I Just Check Your Security , Do not call P <iframe src="http://r14nulr00t.blogspot.com/" width="700" height="5"></iframe> <iframe src="http://www.rianul.com/" width="700" height="5"></iframe> <iframe src="http://www.th3-zo0mbie.com/" width="700" height="5"></iframe> <iframe src="http://rianul.tk/" width="700" height="5"></iframe> </html> Antivirus reports:
| ||
http://chairpit.com/news.php?newsID=1 | 200 OK Content-Length: 3438 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: chairpit.com
Result:
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Wed, 17 Dec 2014 18:47:16 GMT
Pragma: no-cache
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=7eb9d8a4e35843f50fdb23a94ef04146; path=/
X-Powered-By: PHP/5.4.25
GET / HTTP/1.1
Host: chairpit.com
Result:
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Wed, 17 Dec 2014 18:47:16 GMT
Pragma: no-cache
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=7eb9d8a4e35843f50fdb23a94ef04146; path=/
X-Powered-By: PHP/5.4.25
Second query (visit from search engine):
GET / HTTP/1.1
Host: chairpit.com
Referer: http://www.google.com/search?q=chairpit.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: chairpit.com
Referer: http://www.google.com/search?q=chairpit.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=chairpit.com
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://chairpit.com/
Result: chairpit.com is not infected or malware details are not published yet.
Result: chairpit.com is not infected or malware details are not published yet.