And again Word Press at the culprit of this malicious website....

polonus · 2017-05-19T14:06:50.000Z

See: http://urlquery.net/report.php?id=1495196982475
We see outdated WordPress version:
WordPress Version
4.2.15
A meagre F-Grade here: https://observatory.mozilla.org/analyze.html?host=fundacioncchc.moovmediatest.cl

Vulnerable jQuery library: htxp://fundacioncchc.moovmediatest.cl
Detected libraries:
jquery - 1.11.1 : (active1) hxtp://fundacioncchc.moovmediatest.cl/wp-content/themes/fundacion/js/jquery-1.11.1.min.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

C-status on stylesheet issues: https://sritest.io/#report/38694d0e-f2fb-4f58-ab6c-1589154848fd

Results from scanning URL: hxtp://fundacioncchc.moovmediatest.cl/wp-content/themes/fundacion/js/jquery-1.11.1.min.js
Number of sources found: 43
Number of sinks found: 19

3 to flag: https://www.virustotal.com/pl/url/b2ec4452c17b561c57ae8f815532b0d6b32a97d8a0cce28d6563b6addcd7c332/analysis/1495202160/

wp-content/themes/fundacion/js/jquery-ui.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [['ui-state-default ui-state-active ui-state-disabled ui-corner-top ui-corner-bottom ui-widget-content ']] of length 128 which may point to obfuscation or shellcode.

Checked for javascript errors: HTML input accepted permanent link fcfd2f20dccacbd91edcc15f63f5fd067b98b655

found JavaScript error: line:3: SyntaxError: missing ] after element list: error: line:3: [sible");this.tablist.removeClass("ui-tabs-navui-helper-resetui-helper-clearfixui-widget-headerui-corner-all").removeAttr("role");this.anchors.removeClass("ui-tabs-anchor").removeAttr("role").removeAttr("tabIndex").removeUniqueId();this.tablist.unbind(thi error: line:3: ......^

Maybe code is incomplete with multiple selectors....info credits StackOverflow where they are reporting code is not working properly.

polonus (volunteer website security analyst and website security analyst)

polonus · 2017-05-19T14:13:12.000Z

Additionally on IP: https://www.ip-finder.me/64.207.156.150/
What is detected: https://www.scumware.org/report/64.207.156.150.html
Detection: Detection created Feb 09, 2016 HTML/ScrInject.B [Threat Variant Name]

polonus

polonus · 2017-05-20T20:10:28.000Z

Another website with outdated WordPress version and kind of similar story attached to it, GoDaddy abuse -
This malware and 14 similar detected:
Threat Name: Web Attack: Mass Injection Website 19
Location: hxtp://www.talesblog.com/travel-tips/a-z-of-camping-in-devon/
listed at GMane’s for PHISHing: http://permalink.gmane.org/gmane.comp.security.phishings/66547
→ https://sitecheck.sucuri.net/results/www.talesblog.com#blacklist-status
Not given as infested here: https://quttera.com/detailed_report/www.talesblog.com
Retirable jQuery library: http://retire.insecurity.today/#!/scan/fcc415c4c44ee1fcd68aefeb56b5f9fb754728c2489b38f3afff596f7cd707ec

Same origin mainly OK: https://sritest.io/#report/ef370ced-0bdc-4f4d-9eed-e00a34059bfe

Re: https://observatory.mozilla.org/analyze.html?host=www.talesblog.com F-status

polonus

Announcements