iFrame malware on hacked and defaced website now suspended.

See: http://www.isithacked.com/check/http%3A%2F%2Fselfishchristian.com%2Fcgi-sys%2Fsuspendedpage.cgi
http://toolbar.netcraft.com/site_report?url=http://selfishchristian.com
On the IP, a 404 Not Found: http://toolbar.netcraft.com/site_report?url=http://192.254.185.212
Risk status = 9 red out of 10!
Content:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
       <head>
               <title>Contact Support</title>
               <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
       </head>
       <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">
               <iframe width="100%" height="100%" frameborder="0" SCROLLING="auto" marginwidth="0" src="htxp://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4"  * ></iframe>
       </body>
</html>

  • blocked by Bitdefender TrafficLight as part of a PHISHing attempt.
    List of iframes included
    htxp://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4

Webmaster please contact Hostgator.com :o → http://toolbar.netcraft.com/site_report?url=http://fwdssp.com

Quttera misses the above history: http://quttera.com/detailed_report/selfishchristian.com

pol
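
An added example, not part of the original post: a small Python audit that parses the suspended-page markup quoted above and reports every iframe that loads from a different host and fills the whole page. The names `IframeAudit` and `audit` and the defang-normalising regex are assumptions made for this illustration; the sample markup is reconstructed from the post, with the iframe URL left defanged (htxp) as posted.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the suspended-page markup quoted in the post.
SAMPLE = '''<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head><title>Contact Support</title></head>
  <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">
    <iframe width="100%" height="100%" frameborder="0" SCROLLING="auto" marginwidth="0" src="htxp://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4"  * ></iframe>
  </body>
</html>'''

# Forum posts often defang URLs (hxxp, htxp); restore the scheme for parsing only.
DEFANGED = re.compile(r'^h(?:xx|tx|xt)p(s?)://', re.I)


class IframeAudit(HTMLParser):
    """Collects one finding per <iframe> start tag."""

    def __init__(self, page_host):
        super().__init__(convert_charrefs=True)
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # Attribute names arrive lowercased; bare attributes have value None.
        a = {k: (v or "") for k, v in attrs}
        src = DEFANGED.sub(lambda m: "http" + m.group(1) + "://", a.get("src", ""))
        host = (urlsplit(src).hostname or "").lower()
        same_site = host == self.page_host or host.endswith("." + self.page_host)
        self.findings.append({
            "host": host,
            "third_party": bool(host) and not same_site,
            # A frame sized 100% x 100% replaces the visible page entirely.
            "full_page": a.get("width") == "100%" and a.get("height") == "100%",
        })


def audit(html, page_host):
    """Return the iframe findings for a page served from page_host."""
    parser = IframeAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```
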

Update.
Here we see the same suspicious code on another website:
This is a suspicious page
Result for 2016-06-13 16:17:32 UTC
Website: -http://retailmavens.com
Start URL: -http://retailmavens.com/
Start URL was redirected to another page: -http://retailmavens.com/cgi-sys/suspendedpage.cgi
Checked URL: -http://retailmavens.com/cgi-sys/suspendedpage.cgi
Suspicious code detected:
Object: -http://retailmavens.com/cgi-sys/suspendedpage.cgi
SHA1: 41472ba5c40f61fa1c77c42cf06248f13b8785f0
Name: Suspicious-WI.

For that code: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fretailmavens.com%2Fcgi-sys%2Fsuspendedpage.cgi+

For that suspicious code inside that: http://www.domxssscanner.com/scan?url=http%3A%2F%2Ffwdssp.com%2F%3Fdn%3Ddetect%26pid%3D5POL4F2O4

error in code

 found JavaScript
     error: line:6: SyntaxError: missing } in compound statement:
          error: line:6: 
          error: line:6: ^
     error: line:3: SyntaxError: missing ; before statement:
          error: line:3: %2BEt%2Fo%2FrcUQiimciWjLienSjL0f0UcvYHZyBicA6w%3D%3D&cifr=1&"; /* --> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_NFXcAH+LdCKplmA8d29obefZ50xWd+Gcz
          error: line:3: .......................................................................^

When one has an error saying ; missing, you have to look at the line before (or sometimes the file loaded before). Info credits go to Stackoverflow’s QuickFix. Wrong syntax for functions.

polonus (volunteer website security analyst and website error-hunter)

Similar update: http://killmalware.com/atlantanaturalbirth.com/#
Contact support: → -http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4
hostgator abuse: http://toolbar.netcraft.com/site_report?url=http://atlantanaturalbirth.com
IP address: http://192.185.16.75/404.html
File viewer: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fatlantanaturalbirth.com%2Fcgi-sys%2Fsuspendedpage.cgi&ref_sel=GSP2&ua_sel=ff&fs=1
Consider: http://www.malwareurl.com/ns_listing.php?ns=ns8017.hostgator.com
& http://dns.coffee/nameservers/NS8017.HOSTGATOR.COM
Compare next online analyses: https://www.hybrid-analysis.com/sample/0ff0b7fcb090c65d0bdcb2af4bbd2c30f33356b3ce9b117186fa20391ef840a3?environmentId=100

info: [decodingLevel=0] found JavaScript
     error: undefined variable relplaceAllALinks
     error: undefined function relplaceAllALinks
     info: [element] URL=fwdssp.com/sk-logabpstatus.php?a= etcetera

Has been set and has not been previously declared by that code. Extra variable should be created.

polonus (volunteer website security analyzer and website error-hunter)