Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=forex-begin.ru
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://forex-begin.ru/
Result: The website is marked by Yandex as suspicious: visiting this web site may harm your computer.
Details are available here.
Scanned pages/files
Request | Server response | Status |
http://forex-begin.ru/ | 200 OK Content-Length: 106123 Content-Type: text/html | malicious |
Page code contains blacklisted domain: wmip.ru ...[4148 bytes skipped]... javascript"> id = 29932; document.write('<sc'+'ript type="text/javascript" src="http://a.contextbar.ru/n.js?rnd='+Math.round(Math.random()*100000)+'"></sc'+'ript>'); </script></div> <script type="text/javascript">document.getElementById('nlx').appendChild(document.getElementById('ncode'));</script> <!-- end of Nolix code --> <script language="JavaScript" src="http://wmip.ru/js/slider.php?id=10966"></script> </body> </html> Malicious iFrame found. size: 468x60 src: http://wmip.ru/js/banner.php?id=11029 This URL is marked by Yandex as suspicious <iframe src="http://wmip.ru/js/banner.php?id=11029" name="banner" width="468" height="60" frameborder="0" vspace="0" hspace="0" marginwidth="0" marginheight="0" scrolling="no"> | ||
http://forex-begin.ru/templates/default/js/jquery-1.8.2.min.js | 200 OK Content-Length: 93435 Content-Type: application/javascript | clean |
http://forex-begin.ru/templates/default/js/elements.js | 200 OK Content-Length: 5355 Content-Type: application/javascript | clean |
http://forex-begin.ru/engine/ajax/notebook.js | 200 OK Content-Length: 1901 Content-Type: application/javascript | clean |
http://forex-begin.ru/templates/default/js/trans-banner.min.js | 200 OK Content-Length: 51511 Content-Type: application/javascript | clean |
http://forex-begin.ru/templates/default/js/jquery.easing.1.3.min.js | 200 OK Content-Length: 7122 Content-Type: application/javascript | clean |
http://forex-begin.ru/templates/default/js/jquery.fancybox-1.3.4.pack.js | 200 OK Content-Length: 15624 Content-Type: application/javascript | clean |
http://forex-begin.ru/templates/default/js/bootstrap.min.js | 200 OK Content-Length: 27824 Content-Type: application/javascript | clean |
http://forex-begin.ru/templates/default/js/libs.js | 200 OK Content-Length: 258 Content-Type: application/javascript | clean |
http://wmip.ru/js/slider.php?id=10966 | 200 OK Content-Length: 6884 Content-Type: text/html | clean |
http://wmip.ru/ | 200 OK Content-Length: 11302 Content-Type: text/html | suspicious |
Page code contains blacklisted domain: seorates.ru ...[1950 bytes skipped]... class="main" href="/registration/">Регистрация</a></td> <td><a class="main" href="/help/">Помощь</a></td> <td><a class="main" href="/law/">Правила</a></td> <td><a class="main" href="/news/">Новости</a></td> <td><a class="main" href="http://wmip.ru/top.php">Конкурсы</a></td> <td><a clas//seorates.ru/button.php?url=wmip.ru&type=2" border="0" width="88" height="31" alt="ТИЦ и PR" /></a> <!--Openstat--> <span id="openstat2187218"></span> <script type="text/javascript"> var openstat = { counter: 2187218, image: 5045, next: openstat }; (function(d, t, p) { var j = d.createElement(t); j.async = true; j.type = "text/javascript"; j.src = ("https:" == p ? "https:" : "http:") + "//openstat.net/cnt.js"; var s = d.getElem ...[1936 bytes skipped]... | ||
http://wmip.ru/files/scripts.js | 200 OK Content-Length: 20001 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below) eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('k c={3z:\'12/7G/\',4r:"8l.5p",2P:\'7J.7F\',67:10,5N:70,6P:10,6G:70,6B:S,6v:S,4S:1,2B:17,5u:3,3K:10,5T:35,5F:10,5C:35,3y:8b,6M:\'Развернуть во всю величину\',5o:\'Нажмит hs.graphicsDir = ''; hs.outlineType = ''; window.onload = function() { hs.preloadImages(1); } function popUP(url,width,height) { if(!width) { width = 600; } if(!height) { height = 400; } var posx = 200; var posy = 200; var w=window.open(url,'wind','left='+posx+',top='+posy+',width='+width+',height='+height+',status:no, help:no'); return false; } Antivirus reports:
| ||
http://wmip.ru/registration/ | 200 OK Content-Length: 8690 Content-Type: text/html | suspicious |
Page code contains blacklisted domain: seorates.ru ...[2107 bytes skipped]... ign="top"> <table width="100%" cellpadding="0" cellspacing="0" border="0"> <tr valign="top"> <td width="190" bgcolor="#eeeeee" style="padding: 3 3 3 3px; border-right: 1px solid #999999;"> <table align="center" cellpadding="1" cellspacing="0"> <form action="/login/" method="post"> <tr> <td style="padding-left: 2px;">Логин</td> <td styl//seorates.ru/button.php?url=wmip.ru&type=2" border="0" width="88" height="31" alt="ТИЦ и PR" /></a> <!--Openstat--> <span id="openstat2187218"></span> <script type="text/javascript"> var openstat = { counter: 2187218, image: 5045, next: openstat }; (function(d, t, p) { var j = d.createElement(t); j.async = true; j.type = "text/javascript"; j.src = ("https:" == p ? "https:" : "http:") + "//openstat.net/cnt.js"; var s = d.getElem ...[1936 bytes skipped]... | ||
http://wmip.ru/help/ | 200 OK Content-Length: 7269 Content-Type: text/html | suspicious |
Page code contains blacklisted domain: seorates.ru ...[2104 bytes skipped]... <td valign="top"> <table width="100%" cellpadding="0" cellspacing="0" border="0"> <tr valign="top"> <td width="190" bgcolor="#eeeeee" style="padding: 3 3 3 3px; border-right: 1px solid #999999;"> <table align="center" cellpadding="1" cellspacing="0"> <form action="/login/" method="post"> <tr> <td style="padding-left: 2px;">Логин</td> //seorates.ru/button.php?url=wmip.ru&type=2" border="0" width="88" height="31" alt="ТИЦ и PR" /></a> <!--Openstat--> <span id="openstat2187218"></span> <script type="text/javascript"> var openstat = { counter: 2187218, image: 5045, next: openstat }; (function(d, t, p) { var j = d.createElement(t); j.async = true; j.type = "text/javascript"; j.src = ("https:" == p ? "https:" : "http:") + "//openstat.net/cnt.js"; var s = d.getElem ...[1936 bytes skipped]... | ||
http://wmip.ru/law/ | 200 OK Content-Length: 11837 Content-Type: text/html | suspicious |
Page code contains blacklisted domain: seorates.ru ...[2094 bytes skipped]... r="#ffffff"> <td valign="top"> <table width="100%" cellpadding="0" cellspacing="0" border="0"> <tr valign="top"> <td width="190" bgcolor="#eeeeee" style="padding: 3 3 3 3px; border-right: 1px solid #999999;"> <table align="center" cellpadding="1" cellspacing="0"> <form action="/login/" method="post"> <tr> <td style="padding-left: 2px;">Ло//seorates.ru/button.php?url=wmip.ru&type=2" border="0" width="88" height="31" alt="ТИЦ и PR" /></a> <!--Openstat--> <span id="openstat2187218"></span> <script type="text/javascript"> var openstat = { counter: 2187218, image: 5045, next: openstat }; (function(d, t, p) { var j = d.createElement(t); j.async = true; j.type = "text/javascript"; j.src = ("https:" == p ? "https:" : "http:") + "//openstat.net/cnt.js"; var s = d.getElem ...[1936 bytes skipped]... |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: forex-begin.ru
Result:
HTTP/1.1 200 OK
Connection: close
Date: Fri, 22 Aug 2014 03:23:23 GMT
Server: nginx
Vary: Accept-Encoding
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
X-Powered-By: PHP/5.2.17
Second query (visit from search engine):
GET / HTTP/1.1
Host: forex-begin.ru
Referer: http://www.google.com/search?q=forex-begin.ru
Result:
The result is similar to the first query. There are no suspicious redirects found.