Scanned pages/files
Request | Server response | Status |
http://workerscompinsurance.info/ | HTTP/1.1 302 Moved Temporarily Connection: close Date: Thu, 25 Sep 2014 23:00:30 GMT Location: http://www.libertymutual.com/business Server: Apache-Coyote/1.1 Content-Length: 0 | clean |
http://www.libertymutual.com/business | HTTP/1.1 301 Moved Permanently Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Date: Thu, 25 Sep 2014 23:00:32 GMT Location: http://www.libertymutualgroup.com/business-insurance Content-Language: en-US Content-Length: 0 Content-Type: text/html Expires: Thu, 01 Dec 1994 16:00:00 GMT P3P: policyref="http://libertymutual.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAIi PSA PSDi IVDi CONo HIS TELo OUR LEG UNI PHY ONL PUR FIN COM NAV INT DEM CNT STA POL HEA GOV" Set-Cookie: JSESSIONID_LMCOM=0001bOBLhFdDnFCX7HLgnSx5NKe:17te9ibg9; Path=/; Domain=libertymutual.com; HttpOnly Set-Cookie: oam.Flash.RENDERMAP.TOKEN=ciadyra8i; Path=/; HttpOnly Set-Cookie: LMPersonalization=bOBLhFdDnFCX7HLgnSx5NKe; Expires=Fri, 25-Sep-15 23:00:31 GMT; Path=/; Domain=.libertymutual.com Set-Cookie: BIGipServerwww-origin.pdc.libertymutual.com=rd2240o00000000000000000000ffff0a506034o8004; expires=Fri, 26-Sep-2014 01:00:31 GMT; path=/ Set-Cookie: TS998304=aa90d66595b126155aabcbc2951a3abfb6ed4b47f17905c454249e8f; Path=/; HTTPOnly X-Frame-Options: DENY X-Powered-By: Servlet/3.0 X-UA-Compatible: IE=Edge,chrome=1 | clean |
http://www.libertymutualgroup.com/business-insurance | 200 OK Content-Length: 53326 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below)
var axel = Math.random() + "";
var a = axel * 10000000000000;
document.write('<iframe src="http://3447791.fls.doubleclick.net/activityi;src=3447791;type=comme865;cat=lmgro538;ord=' + a + '?" width="1" height="1" frameborder="0" style="display:none"></iframe>');
Antivirus reports:
Hidden iFrame found. size: 1x1 style: hidden src: http://3447791.fls.doubleclick.net/activityi;src=3447791;type=comme865;cat=lmgro538;ord=
<iframe src="http://3447791.fls.doubleclick.net/activityi;src=3447791;type=comme865;cat=lmgro538;ord=' + a + '?" width="1" height="1" frameborder="0" style="display:none">
Hidden iFrame found. size: 1x1 style: hidden src: http://3447791.fls.doubleclick.net/activityi;src=3447791;type=comme865;cat=lmgro538;ord=1?
<iframe src="http://3447791.fls.doubleclick.net/activityi;src=3447791;type=comme865;cat=lmgro538;ord=1?" width="1" height="1" frameborder="0" style="display:none">
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=common/Omniture/lmg2Omniture_SCode | 200 OK Content-Length: 68768 Content-Type: text/html | clean |
http://www.libertymutualgroup.com/test404page.js | 200 OK Content-Length: 29085 Content-Type: text/html | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSJQueryMin | 200 OK Content-Length: 93029 Content-Type: text/javascript | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSJQueryUIMin | 200 OK Content-Length: 40027 Content-Type: text/javascript | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSColorboxMin | 200 OK Content-Length: 11098 Content-Type: text/javascript | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSCyclePack | 200 OK Content-Length: 21675 Content-Type: text/javascript | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSQtipMin | 200 OK Content-Length: 33478 Content-Type: text/javascript | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSUniformMin | 200 OK Content-Length: 8318 Content-Type: text/javascript | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSJQueryCookieMin | 200 OK Content-Length: 1469 Content-Type: text/javascript | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSAddThisMin | 200 OK Content-Length: 2486 Content-Type: text/javascript | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSMediaElementAndPlayerMin | 200 OK Content-Length: 71676 Content-Type: text/javascript | clean |
http://www.libertymutualgroup.com//ajax.aspnetcdn.com/ajax/jquery.validate/1.11.1/jquery.validate.min.js/ | 200 OK Content-Length: 29089 Content-Type: text/html | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSOmnitureVideoTag | 200 OK Content-Length: 3102 Content-Type: text/javascript | clean |
http://www.libertymutualgroup.com/omapps/ContentServer?pagename=LMGroup2/JS/lmg2JSLM | 200 OK Content-Length: 7981 Content-Type: text/javascript | clean |
Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: workerscompinsurance.info
Result:
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 25 Sep 2014 23:00:30 GMT
Location: http://www.libertymutual.com/business
Server: Apache-Coyote/1.1
Content-Length: 0
...0 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: workerscompinsurance.info
Referer: http://www.google.com/search?q=workerscompinsurance.info
Result:
The result is similar to the first query. There are no suspicious redirects found.
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=workerscompinsurance.info
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://workerscompinsurance.info/
Result: workerscompinsurance.info is not infected or malware details are not published yet.