Scanned pages/files
| Request | Server response | Status |
http://www.primavera.ca/ | HTTP/1.1 301 Moved Permanently Connection: close Date: Sat, 20 Dec 2014 21:46:12 GMT Location: http://primavera.ca/ Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 Content-Length: 0 Content-Type: text/html; charset=UTF-8 X-Pingback: http://primavera.ca/xmlrpc.php X-Powered-By: PHP/5.4.33 | clean |
http://primavera.ca/ | 200 OK Content-Length: 21909 Content-Type: text/html | suspicious |
Malicious code - confirmed by antiviruses (see below) window.scrollBy(0,0) window.resizeTo(0,0) window.moveTo(0,0) setTimeout("move()", 1); var mxm=100000 var mym=100000 var mx=100000 var my=100000 var sv=70 var status=1 var szx=0 var szy=0 var c=25 var n=0 var sm=10 var cycle=2 var done=2 function move() { if (status == 1) { mxm=mxm/1.01 mym=mym/1.01 mx=mx+mxm my=my-mym mxm=mxm+(500-mx)/5 mym=mym-(400-my)/5 w } } } if (status == 6) { document.title = "Cljck" alert("Cljck") cycle=2 status=4 done=1 } if (status == 7) { c=c+4 document.bgColor=c*65536 document.fgColor=(255-c)*65536 if (c > 128) {status=8} } if (status == 8) { window.moveTo(0,0) sx=screen.availWidth sy=screen.availHeight window.resizeTo(sx,sy) status=9 } var timer=setTimeout("move()",0) } Antivirus reports:
Deface/Content modification. The following signature was found: -=: Hacked By le4derofh4cklD :=- <html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type" /> <link rel="icon" href="http://cyberpolice.persiangig.com/favicon.ico" type="image/x-icon" /> <link rel="shortcut icon" href="" type="image/x-icon" /> <title>-=: Hacked By le4derofh4cklD :=-</title> <style type="text/css"> body, div, p, h1{padding: 0px;margin: 0px;} body{border-width: 0px;background-color: #000000;} h1.head{font-family: Georgia, "Times New Roman", Times, serif;font-size: 30px;font-weight: bold;text-align:center;padding-top: 30px;text-shadow:0 0 4px white, 0 -5px 4px #ff3, 2px -10px 6px #fd3, -2px -15px 11px #f80, 2px -25px 18px #f20;} div.note{color: #99000 ...[25308 bytes skipped]... | ||
http://primavera.ca/test404page.js | 404 Not Found Content-Length: 12517 Content-Type: text/html | clean |
http://primavera.ca/wp-content/themes/twentyeleven/scripts/jquery-1.4.3.min.js | 200 OK Content-Length: 77746 Content-Type: application/javascript | clean |
http://primavera.ca/wp-content/themes/twentyeleven/scripts/jquery.nivo.slider.pack.js | 200 OK Content-Length: 9716 Content-Type: application/javascript | clean |
http://primavera.ca/wp-includes/js/l10n.js?ver=20101110 | 200 OK Content-Length: 308 Content-Type: application/javascript | clean |
http://primavera.ca/wp-includes/js/jquery/jquery.js?ver=1.6.1 | 200 OK Content-Length: 91363 Content-Type: application/javascript | clean |
http://primavera.ca/wp-content/plugins/contact-form-7/jquery.form.js?ver=2.52 | 200 OK Content-Length: 26755 Content-Type: application/javascript | clean |
http://primavera.ca/wp-content/plugins/contact-form-7/scripts.js?ver=2.4.6 | 200 OK Content-Length: 5802 Content-Type: application/javascript | clean |
http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js | 200 OK Content-Length: 91556 Content-Type: text/javascript | clean |
http://primavera.ca/wp-content/themes/primavera-wp/scripts/crousel/jquery.easing.1.3.js | 200 OK Content-Length: 8097 Content-Type: application/javascript | clean |
http://primavera.ca/wp-content/themes/primavera-wp/scripts/crousel/jquery.mousewheel.js | 200 OK Content-Length: 2235 Content-Type: application/javascript | clean |
http://primavera.ca/wp-content/themes/primavera-wp/scripts/crousel/jquery.contentcarousel.js | 200 OK Content-Length: 8621 Content-Type: application/javascript | clean |
http://primavera.ca/collections-primavera/ | HTTP/1.1 301 Moved Permanently Connection: close Date: Sat, 20 Dec 2014 21:46:21 GMT Location: http://primavera.ca/collections-primavera Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 Content-Length: 0 Content-Type: text/html; charset=UTF-8 X-Pingback: http://primavera.ca/xmlrpc.php X-Powered-By: PHP/5.4.33 | clean |
http://primavera.ca/collections-primavera | 200 OK Content-Length: 18649 Content-Type: text/html | clean |
http://primavera.ca/wp-includes/js/comment-reply.js?ver=20090102 | 200 OK Content-Length: 786 Content-Type: application/javascript | clean |
http://primavera.ca/products-fabric/ | HTTP/1.1 301 Moved Permanently Connection: close Date: Sat, 20 Dec 2014 21:46:23 GMT Location: http://primavera.ca/products-fabric Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 Content-Length: 0 Content-Type: text/html; charset=UTF-8 X-Pingback: http://primavera.ca/xmlrpc.php X-Powered-By: PHP/5.4.33 | clean |
http://primavera.ca/products-fabric | 200 OK Content-Length: 15571 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: primavera.ca
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Dec 2014 21:46:14 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
Content-Type: text/html; charset=UTF-8
X-Pingback: http://primavera.ca/xmlrpc.php
X-Powered-By: PHP/5.4.33
GET / HTTP/1.1
Host: primavera.ca
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Dec 2014 21:46:14 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
Content-Type: text/html; charset=UTF-8
X-Pingback: http://primavera.ca/xmlrpc.php
X-Powered-By: PHP/5.4.33
Second query (visit from search engine):
GET / HTTP/1.1
Host: primavera.ca
Referer: http://www.google.com/search?q=primavera.ca
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: primavera.ca
Referer: http://www.google.com/search?q=primavera.ca
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=primavera.ca
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://primavera.ca/
Result: primavera.ca is not infected or malware details are not published yet.
Result: primavera.ca is not infected or malware details are not published yet.