See: htxp://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Ffenkaololo.com%2Fmmmsss%2Fxpxlkzbuaodwitdwy.php&useragent=Fetch+useragent&accept_encoding=
(link broken for the non-security-savvy - do not venture out there!)
Malcode link description: http://labs.sucuri.net/db/malware/malware-entry-mwiframehd202
https://www.virustotal.com/nl/url/ed8aa33e93d4a6c97348453a5450028d196718f68b7a6fbce3b7781be9cfde4c/analysis/1392163367/
DrWeb URL checker does not find anything and gives an all green. ???
Code see: http://jsunpack.jeek.org/?report=8e9dc1bb12e1f5d998bdaaa96f279caa5e796826
Visit above links in a browser protected with extensions like NoScript or ScriptSafe and inside a VM or sandbox.
We saw they were using: PHP/5.3.3-7+squeeze18
Character encoding:
Reported encoding (content-type): UTF-8, content decodes successfully
No meta content-type/encoding
Guessed encoding: ascii 1.0, content decodes successfully
Redirects to (location header) → http://guess.scritch.org/%2Bguess/?url=htxp%3A%2F%2Fww2.fenkaololo.com%2Fmmmsss%2Fxpxlkzbuaodwitdwy.php
(link broken for the non-security-savvy)
server: Apache2 - Oversee Turing v1.0.0 (VT data)
polonus