Scanned pages/files
| Request | Server response | Status |
http://imagebamxxx.com/ | HTTP/1.1 301 Moved Permanently Cache-Control: private, no-cache, no-store, max-age=0 Connection: close Date: Mon, 15 Sep 2014 14:01:21 GMT Location: http://safadetes.com Expires: Mon, 01 Jan 1990 0:00:00 GMT | clean |
http://safadetes.com/ | HTTP/1.1 301 Moved Permanently Connection: close Date: Mon, 15 Sep 2014 14:01:24 GMT Location: http://www.safadetes.com/ Server: nginx admin Content-Length: 0 Content-Type: text/html; charset=UTF-8 X-Cache: HIT from Backend X-Pingback: http://www.safadetes.com/xmlrpc.php X-Powered-By: PHP/5.3.26 | clean |
http://www.safadetes.com/ | 200 OK Content-Length: 28410 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) var puShown = false; function doOpen(url) { if ( puShown == true ) { return true; } var wFeatures = "toolbar=0,statusbar=1,resizable=1,scrollbars=1,menubar=0,location=1"; if(navigator.userAgent.indexOf('Chrome') != -1){ wFeatures = "scrollbar=yes"; } pu_window= window.open('about:blank','wmPu',wFeatures + ',height=720,widt } } function checkTarget(e) { if ( !getCookie('popundersafadetes') ) { var e = e || window.event; var win = doOpen('http://redirect.ero-advertising.com/speedclicks/in.php?pid=41766&spaceid=199620&returnurl='); setCookie('popundersafadetes', 1, 24*60*60*5); } } initPu(); Antivirus reports:
| ||
http://www.safadetes.com/wp-includes/js/jquery/jquery.js?ver=1.11.1 | 200 OK Content-Length: 95807 Content-Type: application/x-javascript | clean |
http://www.safadetes.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1 | 200 OK Content-Length: 7200 Content-Type: application/x-javascript | clean |
http://www.safadetes.com/wp-content/themes/safadetes.com/includes/js/jquery.cycle.all.min.js?ver=4.0 | 200 OK Content-Length: 27450 Content-Type: application/x-javascript | clean |
http://imagebamxxx.com/flutuante.js | HTTP/1.1 301 Moved Permanently Cache-Control: private, no-cache, no-store, max-age=0 Connection: close Date: Mon, 15 Sep 2014 14:01:26 GMT Location: http://safadetes.com Expires: Mon, 01 Jan 1990 0:00:00 GMT | clean |
http://safadetes.com/test404page.js | HTTP/1.1 301 Moved Permanently Cache-Control: no-cache, must-revalidate, max-age=0 Connection: close Date: Mon, 15 Sep 2014 14:01:29 GMT Pragma: no-cache Location: http://www.safadetes.com/test404page.js Server: nginx admin Content-Length: 0 Content-Type: text/html; charset=UTF-8 Expires: Wed, 11 Jan 1984 05:00:00 GMT X-Pingback: http://www.safadetes.com/xmlrpc.php X-Powered-By: PHP/5.3.26 | clean |
http://www.safadetes.com/test404page.js | 404 Not Found Content-Length: 18463 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) var puShown = false; function doOpen(url) { if ( puShown == true ) { return true; } var wFeatures = "toolbar=0,statusbar=1,resizable=1,scrollbars=1,menubar=0,location=1"; if(navigator.userAgent.indexOf('Chrome') != -1){ wFeatures = "scrollbar=yes"; } pu_window= window.open('about:blank','wmPu',wFeatures + ',height=720,widt } } function checkTarget(e) { if ( !getCookie('popundersafadetes') ) { var e = e || window.event; var win = doOpen('http://redirect.ero-advertising.com/speedclicks/in.php?pid=41766&spaceid=199620&returnurl='); setCookie('popundersafadetes', 1, 24*60*60*5); } } initPu(); Antivirus reports:
| ||
http://www.safadetes.com/flutuante.js | 200 OK Content-Length: 2290 Content-Type: application/x-javascript | clean |
http://adspaces.ero-advertising.co/adspace/199300.js | 200 OK Content-Length: 1557 Content-Type: text/html | clean |
http://adspaces.ero-advertising.co/test404page.js | 200 OK Content-Length: 1557 Content-Type: text/html | clean |
http://adspaces.ero-advertising.co/adspace/199050.js | 200 OK Content-Length: 1557 Content-Type: text/html | clean |
http://adspaces.ero-advertising.co/adspace/199052.js | 200 OK Content-Length: 1557 Content-Type: text/html | clean |
http://www.safadetes.com/wp-content/plugins/wp-socializer/public/js/wp-socializer-bookmark-js.js?ver=2.4.9.8 | 200 OK Content-Length: 453 Content-Type: application/x-javascript | clean |
http://ads.juicyads.com/jsclients/jam_min.js | 200 OK Content-Length: 21397 Content-Type: application/x-javascript | clean |
http://ads.juicyads.com/jsclients/jac.js | 200 OK Content-Length: 91344 Content-Type: application/x-javascript | clean |
http://adspaces.ero-advertising.co/adspace/199304.js | 200 OK Content-Length: 1557 Content-Type: text/html | clean |
http://adspaces.ero-advertising.com/adspace/199305.js | 200 OK Content-Length: 4435 Content-Type: application/javascript | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: imagebamxxx.com
Result:
HTTP/1.1 301 Moved Permanently
Cache-Control: private, no-cache, no-store, max-age=0
Connection: close
Date: Mon, 15 Sep 2014 14:01:21 GMT
Location: http://safadetes.com
Expires: Mon, 01 Jan 1990 0:00:00 GMT
GET / HTTP/1.1
Host: imagebamxxx.com
Result:
HTTP/1.1 301 Moved Permanently
Cache-Control: private, no-cache, no-store, max-age=0
Connection: close
Date: Mon, 15 Sep 2014 14:01:21 GMT
Location: http://safadetes.com
Expires: Mon, 01 Jan 1990 0:00:00 GMT
Second query (visit from search engine):
GET / HTTP/1.1
Host: imagebamxxx.com
Referer: http://www.google.com/search?q=imagebamxxx.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: imagebamxxx.com
Referer: http://www.google.com/search?q=imagebamxxx.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=imagebamxxx.com
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://imagebamxxx.com/
Result: imagebamxxx.com is not infected or malware details are not published yet.
Result: imagebamxxx.com is not infected or malware details are not published yet.