Scanned pages/files
Request | Server response | Status |
http://www.johannesburgprimaryschool.co.za/ | 200 OK Content-Length: 40797 Content-Type: text/html | suspicious |
Malicious code - confirmed by antiviruses (see below) <!-- MAS --> <!-- document.write(unescape('%3C%68%74%6D%6C%3E%20%20%0A%3C%6D%65%74%61%20%63%68%61%72%73%65%74%3D%22%55%54%46%2D%38%22%20%2F%3E%0A%20%20%3C%48%45%41%44%3E%20%0A%20%20%3C%74%69%74%6C%65%3E%48%61%63%6B%65%64%20%42%79%20%4D%2E%41%2E%53%3C%2F%74%69%74%6C%65%3E%0A%3C%6D%65%74%61%20%63%6F%6E%74%65%6E%74%3D%27%48%61%63%6B%65%64%20%20%62%79%20%4D%2E%41%2E%53%27%20%6E%61%6D%65%3D%27%73%75%62%6A%65%63%74%27%2F%3E%0A%3C%6D%65%74%61%20%63%6F%6E%74%65%6E%74%3D%27%48%61 Decoded script: <html> <meta charset="UTF-8" /> <HEAD> <title>Hacked By M.A.S</title> <meta content='Hacked by M.A.S' name='subject'/> <meta content='Hacked by M.A.S' name='Abstract'/> <meta content='HACKED BY M.A.S' name='description'/> <meta content='M.A.S & FNFHM' name='copyright'/> <meta content='M.A.S' name='author'/> <link href="https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-pr </div><center> <iframe src="http://www.facebook.com/plugins/likebox.php?href=https://www.facebook.com/MoroccanAgentSecret&width=280&height=70&show_faces=true&colorscheme=light&stream=true&border_color&header=false&appId=166279230061538" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:280px; height:70px;" allowTransparency="true"></iframe></div> </center> </html> Antivirus reports:
Deface/Content modification. The following signature was found: HACKED BY MOROCCAN AGENT SECRET <!DOCTYPE HTML PUBLIC>
<Html> <head> <title></title><SCRIPT LANGUAGE="JavaScript"> <!-- Begin var scrl = " HACKED BY MOROCCAN AGENT SECRET "; function scrlsts() { scrl = scrl.substring(1, scrl.length) + scrl.substring(0, 1); document.title = scrl; setTimeout("scrlsts()", 300); } // End --> </script> </head> <head> <meta name="description" content="Hacked By Moroccan Agent Secret"> <meta name="keywords" content="mas,hacked,moroccanagentsecret,morocco"> <meta ...[41111 bytes skipped]... | ||
http://www.johannesburgprimaryschool.co.za/test404page.js | 404 Not Found Content-Length: 5276 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: johannesburgprimaryschool.co.za
Result:
GET / HTTP/1.1
Host: johannesburgprimaryschool.co.za
Result:
Second query (visit from search engine):
GET / HTTP/1.1
Host: johannesburgprimaryschool.co.za
Referer: http://www.google.com/search?q=johannesburgprimaryschool.co.za
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: johannesburgprimaryschool.co.za
Referer: http://www.google.com/search?q=johannesburgprimaryschool.co.za
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=johannesburgprimaryschool.co.za
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://johannesburgprimaryschool.co.za/
Result: johannesburgprimaryschool.co.za is not infected or malware details are not published yet.
Result: johannesburgprimaryschool.co.za is not infected or malware details are not published yet.