Scanned pages/files
Request | Server response | Status |
http://creamwich8.com/ | 200 OK Content-Length: 61555 Content-Type: text/html | suspicious |
Malicious code - confirmed by antiviruses (see below) <!-- Hacked by Hacked by Dark-Devilz⢠--> <!-- document.write(unescape('%0A%0A%3C%68%65%61%64%3E%3C%74%69%74%6C%65%3E%2E%2E%3A%3A%2F%48%61%63%6B%65%64%20%62%79%20%44%61%72%6B%2D%44%65%76%69%6C%7A%22%3A%3A%2E%2E%3C%2F%74%69%74%6C%65%3E%0A%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%27%6A%61%76%61%73%63%72%69%70%74%27%3E%61%6C%65%72%74%20%28%22%2E%2E%3A%3A%2F%48%61%63%6B%65%64%20%62%79%20%44%61%72%6B%2D%44%65%76%69%6C%7A%22%3A%3A%2E%2E%22%29%3B%20%3C%2F%73%63%72%6 Antivirus reports:
Deface/Content modification. The following signature was found: ..::/Hacked by Dark-Devilzâ¢::.. ...[103 bytes skipped]... -><!--Dark-Devilzâ¢--><!--Dark-Devilzâ¢--><!--Dark-Devilzâ¢--><!--Dark-Devilzâ¢--> <!--Dark-Devilzâ¢--><!--Dark-Devilzâ¢--><!--Dark-Devilzâ¢--><!--Dark-Devilzâ¢--><!--Dark-Devilzâ¢--><!--Dark-Devilzâ¢--><!--Dark-Devilzâ¢--><!--Dark-Devilzâ¢--> <!--Dark-Devilz Protection.--> <body onContextMenu="alert('..::/Hacked by Dark-Devilzâ¢::..'); return false" NOOP="if (window.event != null && window.event.button == 2) alert ('..::/Hacked by Dark-Devilzâ¢::..');"><body oncontextmenu='return false;' onkeydown='return false;' onmousedown='return false;'> <Script Language='Javascript'> <!-- Hacked by Hacked by Dark-Devilz⢠--> <!-- document.write(unescape('%0A%0A%3C%68%65%61%64%3E%3C%74%69%74%6C%65%3E%2E%2E%3A%3A%2F%48%61%63%6B%65%64%20%62%79%20%44%61 ...[60849 bytes skipped]... | ||
http://creamwich8.com/test404page.js | HTTP/1.1 301 Moved Permanently Cache-Control: no-cache, must-revalidate, max-age=0 Connection: close Date: Tue, 13 Oct 2015 06:35:33 GMT Pragma: no-cache Location: http://www.creamwich8.com/test404page.js Server: nginx/1.8.0 Content-Length: 0 Content-Type: text/html; charset=UTF-8 Expires: Wed, 11 Jan 1984 05:00:00 GMT X-Pingback: http://www.creamwich8.com/xmlrpc.php | clean |
http://www.creamwich8.com/test404page.js | 500 timeout Content-Length: 30 Content-Type: text/plain | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: creamwich8.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Tue, 13 Oct 2015 06:35:30 GMT
Accept-Ranges: bytes
Server: nginx/1.8.0
Content-Length: 61555
Content-Type: text/html
Last-Modified: Thu, 25 Apr 2013 15:26:58 GMT
...61555 bytes of data.
GET / HTTP/1.1
Host: creamwich8.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Tue, 13 Oct 2015 06:35:30 GMT
Accept-Ranges: bytes
Server: nginx/1.8.0
Content-Length: 61555
Content-Type: text/html
Last-Modified: Thu, 25 Apr 2013 15:26:58 GMT
...61555 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: creamwich8.com
Referer: http://www.google.com/search?q=creamwich8.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: creamwich8.com
Referer: http://www.google.com/search?q=creamwich8.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=creamwich8.com
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://creamwich8.com/
Result: creamwich8.com is not infected or malware details are not published yet.
Result: creamwich8.com is not infected or malware details are not published yet.