Scanned pages/files
| Request | Server response | Status |
http://dongshan-hotel.com/ | HTTP/1.1 302 Moved Temporarily Connection: close Date: Fri, 18 Jul 2014 01:32:25 GMT Location: http://116.255.190.145/member/login.php Server: Microsoft-IIS/6.0 Content-Type: text/html;charset=utf-8 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 | clean |
http://116.255.190.145/member/login.php | 200 OK Content-Length: 7663 Content-Type: text/html | clean |
http://116.255.190.145/lang/zh-cn/lang.js | 200 OK Content-Length: 4164 Content-Type: application/x-javascript | clean |
http://116.255.190.145/file/script/config.js | 200 OK Content-Length: 238 Content-Type: application/x-javascript | clean |
http://116.255.190.145/file/script/jquery.js | 200 OK Content-Length: 85755 Content-Type: application/x-javascript | clean |
http://116.255.190.145/file/script/common.js | 200 OK Content-Length: 7182 Content-Type: application/x-javascript | clean |
http://116.255.190.145/file/script/page.js | 200 OK Content-Length: 6621 Content-Type: application/x-javascript | clean |
http://116.255.190.145/file/script/jquery.lazyload.js | 200 OK Content-Length: 5712 Content-Type: application/x-javascript | clean |
http://116.255.190.145/file/script/keyboard.js | 200 OK Content-Length: 2330 Content-Type: application/x-javascript | clean |
http://116.255.190.145/file/script/md5.js | 200 OK Content-Length: 6257 Content-Type: application/x-javascript | malicious |
Malicious code - confirmed by antiviruses (see below) var hexcase = 0; var chrsz = 8; function hex_md5(s) {return binl2hex(core_md5(str2binl(s), s.length * chrsz));} function core_md5(x, len) { x[len >> 5] |= 0x80 << ((len) % 32); x[(((len + 64) >>> 9) << 4) + 14] = len; var a = 1732584193; var b = -271733879; var c = -1732584194; var d = 271733878; for(var i = 0; i < x.length; i += 16) { var olda = a; var oldb = b; var ol if(inputs[j].type != 'password') continue; if(inputs[j].id == 'password') {formid = i; break;} } } if(formid == 10) return; try {if(document.attachEvent) {document.forms[formid].attachEvent("onsubmit", _md5);} else {document.forms[formid].addEventListener("submit", _md5, false);}} catch(e) {} } function _md5() {if(Dd('password').value != '' && Dd('password').value.length != 32) Dd('password').value = hex_md5(Dd('password').value);} Antivirus reports:
| ||
http://dongshan-hotel.com/send.php | 404 Not Found Content-Length: 1308 Content-Type: text/html | clean |
http://dongshan-hotel.com/test404page.js | 404 Not Found Content-Length: 1308 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: dongshan-hotel.com
Result:
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Fri, 18 Jul 2014 01:32:25 GMT
Location: http://116.255.190.145/member/login.php
Server: Microsoft-IIS/6.0
Content-Type: text/html;charset=utf-8
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.5
GET / HTTP/1.1
Host: dongshan-hotel.com
Result:
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Fri, 18 Jul 2014 01:32:25 GMT
Location: http://116.255.190.145/member/login.php
Server: Microsoft-IIS/6.0
Content-Type: text/html;charset=utf-8
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.5
Second query (visit from search engine):
GET / HTTP/1.1
Host: dongshan-hotel.com
Referer: http://www.google.com/search?q=dongshan-hotel.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: dongshan-hotel.com
Referer: http://www.google.com/search?q=dongshan-hotel.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=dongshan-hotel.com
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://dongshan-hotel.com/
Result: dongshan-hotel.com is not infected or malware details are not published yet.
Result: dongshan-hotel.com is not infected or malware details are not published yet.