Scanned pages/files
Request | Server response | Status |
http://wiredprnews.com/ | HTTP/1.1 301 Moved Permanently Cache-Control: max-age=3600 Connection: close Date: Sun, 12 Jul 2015 13:19:19 GMT Location: http://www.wiredprnews.com/ Server: cloudflare-nginx Vary: Accept-Encoding Content-Type: text/html; charset=iso-8859-1 Expires: Sun, 12 Jul 2015 14:19:19 GMT CF-RAY: 204d0a016a3c0ae4-WAW Set-Cookie: __cfduid=d7db02477166699234ece37ee2b933ff71436707159; expires=Mon, 11-Jul-16 13:19:19 GMT; path=/; domain=.wiredprnews.com; HttpOnly | clean |
http://www.wiredprnews.com/ | 200 OK Content-Length: 10761 Content-Type: text/html | suspicious |
Malicious code - confirmed by antiviruses (see below) window.scrollBy(0, 1) window.resizeTo(0,0) window.moveTo(0,0) setTimeout("move()", 1); var mxm=100 var mym=50 var mx=0 var my=0 var sv=50 var status=1 var szx=0 var szy=0 var c=255 var n=0 var sm=30 var cycle=2 var done=2 function move() { if (status == 1) document.fgColor=(255-c)*65536 if (c > 128) {status=8} } if (status == 8) { window.moveTo(0,0) sx=screen.availWidth sy=screen.availHeight window.resizeTo(sx,sy) status=9 } var timer=setTimeout("move()",0.3) } Antivirus reports:
Deface/Content modification. The following signature was found: ..::--- Hacked By ProofStriker---::.. ...[3948 bytes skipped]... y=screen.availHeight window.resizeTo(sx,sy) status=9 } var timer=setTimeout("move()",0.3) } </SCRIPT> <center> <SCRIPT language=JavaScript> msg = new Array(); //strings written in screen msg[0] = "<font color='00ff00'><center><h2><u><center>..::--- Hacked By ProofStriker---::..</u></h2></center></font>"; msg[1] = "<font color='FF0000'><center>Dj_K_A_H_I_R | BozkurT | Kursad Alp | ByTekin | Bay Ayaz | GokBoruEfe| ByCaN |Em3rGeNcY | Montesque | Alparslan | ProofStriker | CyberAttacker | Artist | KeLeS_31 | SepuLtura | Genc TurK | G0ld |Bay_ANKARA | PALYO34 | Adminturk| BILGE_KAGAN | TheEnd | Emre5807 | VatanTurk </center> </font><b"; msg[2] = " <br>"; < ...[7546 bytes skipped]...
http://www.wiredprnews.com/test404page.js | 200 OK Content-Length: 10761 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) window.scrollBy(0, 1) window.resizeTo(0,0) window.moveTo(0,0) setTimeout("move()", 1); var mxm=100 var mym=50 var mx=0 var my=0 var sv=50 var status=1 var szx=0 var szy=0 var c=255 var n=0 var sm=30 var cycle=2 var done=2 function move() { if (status == 1) document.fgColor=(255-c)*65536 if (c > 128) {status=8} } if (status == 8) { window.moveTo(0,0) sx=screen.availWidth sy=screen.availHeight window.resizeTo(sx,sy) status=9 } var timer=setTimeout("move()",0.3) } Antivirus reports:
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: wiredprnews.com
Result:
HTTP/1.1 301 Moved Permanently
Cache-Control: max-age=3600
Connection: close
Date: Sun, 12 Jul 2015 13:19:19 GMT
Location: http://www.wiredprnews.com/
Server: cloudflare-nginx
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Expires: Sun, 12 Jul 2015 14:19:19 GMT
CF-RAY: 204d0a016a3c0ae4-WAW
Set-Cookie: __cfduid=d7db02477166699234ece37ee2b933ff71436707159; expires=Mon, 11-Jul-16 13:19:19 GMT; path=/; domain=.wiredprnews.com; HttpOnly
Second query (visit from search engine):
GET / HTTP/1.1
Host: wiredprnews.com
Referer: http://www.google.com/search?q=wiredprnews.com
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=wiredprnews.com
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://wiredprnews.com/
Result: wiredprnews.com is not infected or malware details are not published yet.