iFrame malware detected?

See this, as it has been going on for 4 days now: http://killmalware.com/media.adrcdn.com/#
The iFrame code, scanned to see where it lands: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fgp1.wpc.edgecastcdn.net%2F00222B%2Fjtest%2Ftpbeacontest.js
0% of the trackers on this iFrame included url could be protecting you from NSA snooping. Tell edgecastcdn.net to fix it.
At least 2 third parties know you are on this webpage.
Google
-gp1.wpc.edgecastcdn.net gp1.wpc.edgecastcdn.net
My DOM XSS scan of it lands at -http://g.purevolumecdn.com/
Unable to properly scan your site. Site returning error (40x): HTTP/1.1 404 Not Found
Here it is missed completely…

While checking for cloaking
There is a difference of 2 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that’s trying to hide from browsers but make Google think there’s something else on the page, we detect:

	<script type="text/javascript" src="-http://gp1.wpc.edgecastcdn.net/00222B/jtest/tpbeacontest.js"></script>
	<script type="text/javascript" src="-http://gp1.wpc.edgecastcdn.net/00222B/jtest/beacontest.js"></script>

IP badness review: https://www.virustotal.com/en/ip-address/93.184.215.163/information/

2 errors and 1 warning: https://mxtoolbox.com/domain/media.adrcdn.com/

polonus

See this as it is going on since 4 days now: http://killmalware.com/media.adrcdn.com/#
And if you do a fresh scan? >> scanned 4 days ago - Rescan it now!

A fresh scan delivers this:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
	<head>
		<title>404 - Not Found</title>
	</head>
	<body>
		<h1>404 - Not Found</h1>
		<script type="text/javascript" src="-http://gp1.wpc.edgecastcdn.net/00222B/jtest/pilot_dns_best_pop.js"></script>
	</body>
</html>

Re: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fgp1.wpc.edgecastcdn.net%2F00222B%2Fjtest%2Fpilot_dns_best_pop.js&useragent=Fetch+useragent&accept_encoding=
which comes back with a 200 OK here, returning this script:

// Path of the 1x1 image fetched from each candidate address to time it.
var pixel = "/00222B/jtest/pixel.gif";
// Path loaded in the hidden iframe once the timing is done.
// NOTE(review): the "-" in front of this string (and at the start of every
// rvip value below) looks like the forum's link-defanging marker rather than
// part of the served file; confirm against the raw response. As written here
// the unary minus turns this value into NaN and the rvip strings are not
// usable hosts.
var beacon = -"/00222B/jtest/pilot_dns_best_pop.html";
var URLs = [];
var net = "";
// One random draw per page view selects address set "A" or "B"; each set has
// one address for each of the regions EU, NA, AP and SA. The chosen letter is
// later sent as the `net` query parameter.
net = (Math.random() < 0.5) ? "A" : "B";
if (net == "A")
{
	URLs.push({region:"EU", rvip:"-93.184.221.133", latency: 0});
	URLs.push({region:"NA", rvip:"-72.21.81.253", latency: 0});
	URLs.push({region:"AP", rvip:"-117.18.232.133", latency: 0});
	URLs.push({region:"SA", rvip:"-192.16.48.10", latency: 0});
}
else
{
	URLs.push({region:"EU", rvip:"-68.232.34.223", latency: 0});
	URLs.push({region:"NA", rvip:"-93.184.215.223", latency: 0});
	URLs.push({region:"AP", rvip:"-117.18.232.223", latency: 0});
	URLs.push({region:"SA", rvip:"-192.16.48.30", latency: 0});
}
// Count of probes that have reported back; incremented in get_time().
var ctr;

/**
 * Store the load time of one probe image and, once every entry in URLs has
 * reported, call get_final_time().
 *
 * @param {number|string} stms - probe start time in epoch milliseconds
 * @param {number} ind - index of the probed entry in URLs
 */
function get_time(stms, ind)
{
	var elapsed = new Date().getTime() - parseInt(stms);
	// A non-positive (or unparsable) difference is stored as the 9999 sentinel.
	URLs[ind].latency = (elapsed > 0) ? elapsed : 9999;
	ctr += 1;
	// Only successful image loads reach this function, so the final step runs
	// only after every probe's onload has fired.
	if (ctr == URLs.length)
	{
		get_final_time();
	}
}

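/**
 * Start one timing probe per entry in URLs: a 1x1 image is appended to the
 * page body and fetched over plain http from that entry's address, with a
 * random number as query string so each request differs.
 *
 * @param {*} ind - not read; kept so the signature stays unchanged
 */
function pixel_load(ind)
{
	for (var i = 0; i < URLs.length; i++)
	{
		// Declared locally: the undeclared assignment created a global `start`
		// on the embedding page and throws a ReferenceError in strict mode.
		var start = new Date();
		var img = document.body.appendChild(document.createElement('img'));
		img.width = 1;
		img.height = 1;
		// Attach the handler before setting src so a load event cannot be missed.
		img.onload = make_handler(start.getTime(), i);
		img.src = "http://" + URLs[i].rvip + pixel + "?" + Math.floor(Math.random() * 10000);
	}
}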


/**
 * Build the onload callback for one probe image. The start time and index are
 * captured per call, so every image reports its own values to get_time().
 *
 * @param {number} stime - probe start time in epoch milliseconds
 * @param {number} i - index of the probed entry in URLs
 * @returns {Function} callback that forwards (stime, i) to get_time
 */
function make_handler(stime, i) {
    function on_pixel_loaded() {
        get_time(stime, i);
    }
    return on_pixel_loaded;
}

// Sorts the array in place, ascending by property `p`, and returns it.
// NOTE(review): this plain assignment adds an enumerable method to
// Array.prototype, so every array on the embedding page gains it and any
// `for...in` loop over an array will also see "sort_by_prop".
Array.prototype.sort_by_prop = function(p){
	return this.sort(function(left, right){
		if (left[p] > right[p])
		{
			return 1;
		}
		if (left[p] < right[p])
		{
			return -1;
		}
		return 0;
	});
}

/**
 * Report the probe result. URLs is sorted in place by latency, then a hidden
 * 1x1 iframe is appended to document.head whose src is the beacon path on the
 * fastest address, fetched over plain http.
 *
 * The query string carries only: a random base-36 `id`, a `type` ('1'
 * normally, '3' when even the fastest probe took more than 1000 ms), the
 * `net` letter, the fastest `region`, and for type '3' one `<REGION>_time`
 * value per probed address. When the fastest region is AP or SA and the type
 * is '1', one more hidden iframe (type '2', same id) is added for each NA and
 * EU entry.
 */
function get_final_time()
{
	// Append one hidden iframe pointing at `src`.
	function add_hidden_frame(src)
	{
		var frame = document.createElement('iframe');
		frame.setAttribute("src", src);
		frame.setAttribute("style", "display:none");
		frame.setAttribute("height", "1");
		frame.setAttribute("width", "1");
		frame.setAttribute("border", "0");
		frame.setAttribute("name", "testecframe");
		document.head.appendChild(frame);
	}

	URLs.sort_by_prop('latency');
	var fastest = URLs[0];
	var id = Math.floor(Math.random()*(2147483647)).toString(36);
	var slow = fastest.latency > 1000;
	var type = slow ? '3' : '1';
	var more = "";
	if (slow)
	{
		// Slow case: include every region's measured time in the report.
		for (var r = 0; r < URLs.length; r++)
		{
			more += '&' + URLs[r].region + "_time=" + URLs[r].latency;
		}
	}

	add_hidden_frame("http://" + fastest.rvip + beacon
		+ '?id=' + id
		+ '&type=' + type
		+ '&net=' + net
		+ '&region=' + fastest.region
		+ more);

	// Follow-up frames are only sent for a type '1' result won by AP or SA.
	if (type != '1')
	{
		return;
	}
	if ((fastest.region != "AP") && (fastest.region != "SA"))
	{
		return;
	}
	for (var i = 1; i < URLs.length; i++)
	{
		var entry = URLs[i];
		if ((entry.region != "NA") && (entry.region != "EU"))
		{
			continue;
		}
		add_hidden_frame("http://" + entry.rvip + beacon
			+ '?id=' + id
			+ '&type=' + '2'
			+ '&net=' + net
			+ '&region=' + entry.region);
	}
}

// Entry point, run as soon as the script is evaluated: reset the count of
// probes that have reported, then start one image probe per entry in URLs.
ctr = 0;
// Called with no argument; pixel_load never uses a caller-supplied value.
pixel_load();


Also consider this: http://cdn-frm-us.wargaming.net/wot/us/uploads/monthly_12_2014/post-1000668323-0-62321700-1419715610.txt & here: https://www.threatcrowd.org/domain.php?domain=images2.rightster.com

polonus