Why is that flagged as "non-recommended"?
We see: unknown_html on 91.202.63.30
For that IP see: https://www.threatcrowd.org/ip.php?ip=91.202.63.30
See: https://www.virustotal.com/en-gb/url/17b61bf0bf42956c009b8e8c67ef3c028525377d8a846571429cfdb420606382/analysis/1467143911/
Nothing here: https://quttera.com/detailed_report/0eo.ru
On that server: Result
It looks like 2 cookies are being set without the “HttpOnly” flag being set (name : value):
remixlhk : 388e7eb615861c128b
remixstid : 1014315249_1c1143eb083f0a2889
Unless the cookie legitimately needs to be read by JavaScript on the client, the “HttpOnly” flag should always be set to ensure it cannot be read by the client and used in an XSS attack. → https://urlquery.net/report.php?id=1467143049600
See: https://www.threatminer.org/host.php?q=91.202.63.30 & https://www.threatcrowd.org/ip.php?ip=91.202.63.30
See sources and sinks and errors: http://www.domxssscanner.com/scan?url=http%3A%2F%2F0eo.ru%2F<
What we find in the script
script
info: [meta refresh] URL=127.0.0.1/badbrowser.php
info: [script] 127.0.0.1/js/3rdparty/rbadman-html5.js
info: [script] 127.0.0.1/js/nav19369_3.js
info: [script] 127.0.0.1/js/al/common.js?1132_196
info: [script] 127.0.0.1/js/lang3_0.js?3602
info: [script] 127.0.0.1/js/lib/px.js?ch=1
info: [script] 127.0.0.1/js/lib/px.js?ch=2
info: [script] 127.0.0.1/js/al/index.js?33
info: [script] 127.0.0.1/js/lib/controls.js?192
info: [iframe] login.vk.com/?role=frame&_origin=http:/vk.com&h=fc18e1106373c86251
info: [img] 127.0.0.1/images/join/m.png?4
info: [img] 127.0.0.1/images/join/m.png?4
info: [img] 127.0.0.1/images/join/m.png?4
info: [img] top-fwz1.mail.ru/counter?id=2579437;pid=0;js=na
info: [decodingLevel=0] found JavaScript
error: line:67: SyntaxError: missing ; before statement:
error: line:67: x.js':{v:33},'controls.css':{v:66},'controls.js':{v:192} } var abp;
error: line:67: ...............................................................^
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3: <!DOCTYPE html PUBLIC "-/W3C/DTD XHTML 1.0 Strict/EN" "http:/www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http:/www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <link rel="sho
error: line:3: ...............^
Too many parentheses.
Now analyze here: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2F0eo.ru%2F_EfJPBB&ref_sel=GSP2&ua_sel=ff&fs=1
We stumble in the code upon “badbrowser.php” and then: Haven’t we been there before?
Re: https://forum.avast.com/index.php?topic=174348.0
polonus (volunteer website security analyser and website error-hunter)
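
The HttpOnly check quoted in the post above, as an added example that is not part of the original post or of any scanner it cites: it parses `Set-Cookie` headers attribute by attribute and lists cookies set without `HttpOnly`. The two `remix*` cookie names and values are the ones from the post; the other headers, the attributes and the function names are constructed for illustration.

```python
# Constructed sample response headers. Only the two remix* name/value pairs
# come from the post; every attribute and the other cookies are made up.
SAMPLE_HEADERS = [
    ("Set-Cookie", "remixlhk=388e7eb615861c128b; expires=Wed, 28 Jun 2017 19:00:00 GMT; path=/"),
    ("set-cookie", "remixstid=1014315249_1c1143eb083f0a2889; path=/; Secure"),
    # Trap for substring matching: "httponly" appears in the value, not as a flag.
    ("Set-Cookie", "pref=httponly_off; Path=/"),
    # Attribute names are case-insensitive, so this cookie is protected.
    ("Set-Cookie", "sid=abc123; Path=/; httponly"),
    ("Content-Type", "text/html; charset=utf-8"),
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_httponly(headers):
    """Return the names of cookies set without the HttpOnly attribute."""
    missing = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue  # not a cookie header
        name, _, attrs = parse_set_cookie(header_value)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_httponly(SAMPLE_HEADERS):
        print("no HttpOnly:", cookie)
```

A plain substring search for "httponly" over the header line would wrongly pass the `pref` cookie, which is why the attributes are parsed individually.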