See: http://urlquery.net/queued.php?id=50365600
Severity: Potentially Suspicious
Reason: Detected unconditional redirection to external web resource.
Details:
Threat dump: [[]]
File size[byte]: 288
File type: ASCII
MD5: 00D3E75A2F5A4715FD7397E24CE4B043
Scan duration[sec]: 0.015000
Code hick-up:
[nothing detected] (script) wXw.worldcast.co.kr/systemad/08022617423948644.js
status: (referer=wXw.worldcast.co.kr/)saved 1041 bytes 339ecdf590fe0dd8dc864dfdf36b6719375a826f
info: [embed] wXw.worldcast.co.kr/systemad/flash/bcastr.swf?url=08022617423948644.xml
info: [decodingLevel=0] found JavaScript
suspicious:
Vulnerabilities for PHP version: http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-66891/PHP-PHP-4.4.9.html
compromised site → http://evuln.com/tools/malware-scanner/worldcast.co.kr/
On the encode javascript found, read: http://bzanelato.wordpress.com/
e.g.
info: [script] w%2Eckt%34%2Ecn
info: [script] %77.c%6B%747%2Ecn
info: [script] e%2Ec%6B%744.cn
info: [script] q%2Elove2%301%32.%69%6Ef%6F
info: [script] q%2E%73if%6Cy.%69%6Ef%6F
info: [script] %71.%73%69n%611%36%33.%69nfo
info: [script] %77%2E%6Ci%67%68t%32012.i%6E%66%6F
info: [script] r.%73%69fly%2E%69%6Ef%6F
info: [script] t.%73i%6Ea%316%33%2Ei%6Ef%6F
info: [script] %75%2El%69gh%742%301%32%2Ei%6E%66o
info: [script] y%2El%69%73%74a%67%65%2Ei%6E%66%6F
info: [script] y.l%6F%76e%32%3012.i%6E%66o
info: [script] %79%2Es%69f%6C%79%2E%69%6E%66%6F
info: [script] i.%6C%69s%74%61g%65%2Ei%6E%66o
info: [script] %69%2E%68o%70e%32%301%32%2E%69%6Efo
info: [script] q%2E%34b%68%2Ei%6Ef%6F
info: [script] q%2E7n%6E.%69%6Ef%6F
info: [script] %69.%74%77oh%6F%73%74.%69n%66o
info: [script] r.%61d%62%61.in%66%6F
Testing XML
Injection check:
Suspicious Text before HTML
Blacklisted here: https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fworldcast.cn%2F&hl=en
polonus