Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=u.159.com
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://u.159.com/
Result: The website is marked by Yandex as suspicious. - visiting this web site may harm your computer.
Details are available here.
Scanned pages/files
Request | Server response | Status |
http://u.159.com/ | HTTP/1.1 302 Redirect Date: Mon, 07 Apr 2014 05:29:13 GMT Location: http://www.159.com/ Server: Microsoft-IIS/7.5 Content-Length: 142 Content-Type: text/html; charset=UTF-8 X-Powered-By: ASP.NET | clean |
http://www.159.com/ | HTTP/1.1 302 Found Cache-Control: private Date: Mon, 07 Apr 2014 05:29:21 GMT Location: http://www.159.com/index.html Server: Microsoft-IIS/6.0 Content-Length: 146 Content-Type: text/html; charset=gb2312 Set-Cookie: ASP.NET_SessionId=i54vru45kxodxd55214qvz45; path=/; HttpOnly X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET | clean |
http://www.159.com/index.html | 200 OK Content-Length: 11334 Content-Type: text/html | clean |
http://www.159.com/NewJs/IndexJs/a.tbcdn.js | 200 OK Content-Length: 59089 Content-Type: application/x-javascript | clean |
http://u.159.com/NewJs/PublicJs/del.js | HTTP/1.1 302 Redirect Date: Mon, 07 Apr 2014 05:29:25 GMT Location: http://www.159.com/NewJs/PublicJs/del.js Server: Microsoft-IIS/7.5 Content-Length: 163 Content-Type: text/html; charset=UTF-8 X-Powered-By: ASP.NET | clean |
http://www.159.com/newjs/publicjs/del.js | 500 timeout Content-Length: 30 Content-Type: text/plain | clean |
http://www.159.com/test404page.js | 200 OK Content-Length: 2767 Content-Type: text/html | clean |
http://count11.51yes.com/click.aspx?id=116201287&logo=12 | 200 OK Content-Length: 1694 Content-Type: text/html | clean |
http://count11.51yes.com/test404page.js | 404 Not Found Content-Length: 1308 Content-Type: text/html | clean |
http://www.159.com/js/count.js | 200 OK Content-Length: 468 Content-Type: application/x-javascript | malicious |
Malicious code - confirmed by antiviruses (see below)
var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://");
document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F2beb3264352a23a96640a687d9496910' type='text/javascript'%3E%3C/script%3E"));
document.write("<div style='display:none;'>");
document.write("<script src=' http://s137.cnzz.com/stat.php?id=1382900&web_id=1382900' language='JavaScript' charset='gb2312'></script>");
document.write("</div>");
Antivirus reports:
| ||
http://u.159.com/NewJs/IndexJs/Flash.js | HTTP/1.1 302 Redirect Date: Mon, 07 Apr 2014 05:29:35 GMT Location: http://www.159.com/NewJs/IndexJs/Flash.js Server: Microsoft-IIS/7.5 Content-Length: 164 Content-Type: text/html; charset=UTF-8 X-Powered-By: ASP.NET | clean |
http://www.159.com/newjs/indexjs/flash.js | 200 OK Content-Length: 3411 Content-Type: application/x-javascript | clean |
http://u.159.com/NewJs/PublicJs/shou.js | HTTP/1.1 302 Redirect Date: Mon, 07 Apr 2014 05:29:36 GMT Location: http://www.159.com/NewJs/PublicJs/shou.js Server: Microsoft-IIS/7.5 Content-Length: 164 Content-Type: text/html; charset=UTF-8 X-Powered-By: ASP.NET | clean |
http://www.159.com/newjs/publicjs/shou.js | 200 OK Content-Length: 659 Content-Type: application/x-javascript | clean |
http://u.159.com/NewJs/AppShop/popup.js | HTTP/1.1 302 Redirect Date: Mon, 07 Apr 2014 05:29:37 GMT Location: http://www.159.com/NewJs/AppShop/popup.js Server: Microsoft-IIS/7.5 Content-Length: 164 Content-Type: text/html; charset=UTF-8 X-Powered-By: ASP.NET | clean |
http://www.159.com/newjs/appshop/popup.js | 200 OK Content-Length: 8852 Content-Type: application/x-javascript | suspicious |
Page code contains blacklisted domain: wa.159.com ...[9590 bytes skipped]... } function show_menu(){; if(document.getElementById("menu").style.display!='block') document.getElementById("menu").style.display='block'; else document.getElementById("menu").style.display='none'; } function changeSelect(n,c){ document.getElementById("r4_1").innerHTML=n; document.getElementById("menu").style.display='none'; var f=document.f; f.action='http://wa.159.com/'+c; } | ||
http://u.159.com/NewJs/IndexJs/indexnew.js | HTTP/1.1 302 Redirect Date: Mon, 07 Apr 2014 05:29:38 GMT Location: http://www.159.com/NewJs/IndexJs/indexnew.js Server: Microsoft-IIS/7.5 Content-Length: 167 Content-Type: text/html; charset=UTF-8 X-Powered-By: ASP.NET | clean |
http://www.159.com/newjs/indexjs/indexnew.js | 200 OK Content-Length: 9278 Content-Type: application/x-javascript | suspicious |
Page code contains blacklisted domain: wa.159.com ...[1930 bytes skipped]... f.action='http://www.159.com/appshop/appDeskSearch.aspx'; UUU('keyword').value='请输入壁纸名称或者尺寸进行搜索,如:240X320'; break; case 6: f.action='http://www.159.com/appshop/appRingSearch.aspx'; UUU('keyword').value='请输入手机铃声名称进行搜索'; break; // case 10: // // f.action='http://wa.159.com/Movie.aspx'; // UUU('keyword').value='请输入电影名称进行搜索'; // break; } if(n==1) { UUU('borderleft1').className='S_Right_Top_Item_LeftBorder11'; UUU('Item1').className='S_Right_Top_Item11'; UUU('borderright1').className='S_Right_Top_Item_RightBorder11'; for(var i=2;i<10;i++) { UUU('borderleft'+i).className='S_Right_Top_Item_LeftBorder1'; ...[7847 bytes skipped]... | ||
http://u.159.com/NewAspx/indexAspx/CheckLoing.aspx?Pag=1 | HTTP/1.1 302 Redirect Date: Mon, 07 Apr 2014 05:29:40 GMT Location: http://www.159.com/NewAspx/indexAspx/CheckLoing.aspx Server: Microsoft-IIS/7.5 Content-Length: 175 Content-Type: text/html; charset=UTF-8 X-Powered-By: ASP.NET | clean |
http://www.159.com/newaspx/indexaspx/checkloing.aspx | 200 OK Content-Length: 23 Content-Type: text/html | clean |
http://u.159.com/NewAspx/indexAspx/GouWuChe.aspx | HTTP/1.1 302 Redirect Date: Mon, 07 Apr 2014 05:29:42 GMT Location: http://www.159.com/NewAspx/indexAspx/GouWuChe.aspx Server: Microsoft-IIS/7.5 Content-Length: 173 Content-Type: text/html; charset=UTF-8 X-Powered-By: ASP.NET | clean |
http://www.159.com/newaspx/indexaspx/gouwuche.aspx | 200 OK Content-Length: 750 Content-Type: text/html | clean |
http://www.159.com/NewAspx/ShopCart/Shop_cart.aspx | 200 OK Content-Length: 35695 Content-Type: text/html | suspicious |
Page code contains blacklisted domain: wa.159.com ...[25139 bytes skipped]... RightBorder1" id="borderright10"> </div> </div> <div class="Wa_Body_Left_Bottom"> <div class="S_Right_Bottom_1"> </div> <div class="S_Right_Bottom_Center"> <form name='serach' method='get' action='http://wa.159.com/Mobile.aspx' target='_blank'> <div class="SR_DIV"> <input style="height: 33px; border: 0px; color: #999999;" type="text" value="请输入手机型号,如诺基亚E71,则输入E71" id="keyword" name="keyword" onfocus="if(value!=''){value=''}" /></div> <div class="TJ_DIV"> & ...[15372 bytes skipped]... | ||
http://www.159.com/NewJs/ShopCartJs/gouwuche.js | 200 OK Content-Length: 125 Content-Type: application/x-javascript | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: u.159.com
Result:
HTTP/1.1 302 Redirect
Date: Mon, 07 Apr 2014 05:29:13 GMT
Location: http://www.159.com/
Server: Microsoft-IIS/7.5
Content-Length: 142
Content-Type: text/html; charset=UTF-8
X-Powered-By: ASP.NET
...142 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: u.159.com
Referer: http://www.google.com/search?q=u.159.com
Result:
The result is similar to the first query. There are no suspicious redirects found.