Site defaced with javascript malcode...

See: http://killmalware.com/torontodecompression.com/#
Already on there for over 10 days. http://sitecheck.sucuri.net/results/torontodecompression.com#sitecheck-details
ISSUE DETECTED | DEFINITION | INFECTED URL
Defacement | MW:DEFACED:01 | htxp://torontodecompression.com
Defacement | MW:DEFACED:01 | htxp://torontodecompression.com/404javascript.js

Javascript: error: ./pre.js:249: InternalError: too much recursion
See: http://jsunpack.jeek.org/?report=679d8a71c9785352b52fe4c1c9487f46dd103fdc
For security research only, open link with NoScript active and inside a VM/Sandbox.
index.html

Severity: Potentially Suspicious
Reason: Suspicious JavaScript code injection.
Details: Procedure: unescape has been called with a string containing hidden JavaScript code %0Avar numraindrops=“150”;%0Avar speed=“5”;%0Avar rainsize=“2”;%0Avar wind=“left”;%0Avar genxgallery=“”;%0A%0Afunction tb5_makeArray(n){ this.length = n; return this.length;%0A}%0Atb5_messages = new tb5_makeArray(3);%0Atb5_messages[0] = “0wn3d by”;%0Atb5_messages[1] = “Mr. DellatioNx196”;%0Atb5_messages[2] = “Security fail :p”;%0Atb5_rptType = ‘infinite’;%0Atb5_rptNbr = 10;%0Atb5_speed = 50;%0Atb5_delay = 2000;%0Avar tb5_counter=1;%0Avar tb5_currMsg=0;%0Avar tb5_stsmsg=“”;%0Afunction tb5_shuffle(arr){%0Avar k;%0Afor (i=0; i<arr.length; i++){ k = Math.round(Math.random() * (arr.length - i - 1)) + i; temp = arr[i];arr[i]=arr[k];arr[k]=temp;%0A}%0Areturn arr;%0A}%0Atb5_arr = new tb5_makeArray(tb5_messages[tb5_currMsg].length);%0Atb5_sts = new tb5_makeArray(tb5_messages[tb5_currMsg].length);%0Afor (var i=0; i<tb5_messages[tb5_currMsg].length; i++){ tb5_arr[i] = i; tb5_sts[i] = “_”;%0A}%0Atb5_arr = tb5_shuffle(tb5_arr);%0Afunction tb5_init(n){%0Avar k;%0Aif (n == tb5_arr.length){ if (tb

Threat dump: http://jsunpack.jeek.org/?report=36618835aeb6248a302daa1450817b7319068fae
Detected HTML/JavaScript input, results may be less reliable than a URL or pcap file upload. (pol)
Threat dump MD5: 9F4EB431E4AE2E35C46403A98AC49532
File size[byte]: 16430
File type: ASCII
Page/File MD5: 15CBACEE84C1C512CE4E63BA91B5D648
Scan duration[sec]: 0.050000

Suspicious of Defacement: Suspicion of Spam

a name=“description” content=“hacked by mr. dellationx196 - indonesian cyber freedom”/> <meta name=“googlebot” content=…

Hacked via wXw.p0wersurge.com/js/jquery-css-transform.js (query_transform.js hack) → https://gist.github.com/bengourley/3865844
via style embed:
src=“htxp://www.p0wersurge.com/js/rotate3Di.js”>

XSS vuln. Results from scanning URL: htxp://torontodecompression.com
Number of sources found: 3
Number of sinks found: 7

polonus

There is also suspicious hiding of advertisements in a frame on this site via htxp://cdn.dsultra.com/js/registrar.js
Read: http://forum.joomla.org/viewtopic.php?f=621&t=684752
and here: https://www.badwarebusters.org/main/itemview/33609
See: http://jsunpack.jeek.org/?report=03f30d9cfecaaa9dd9c100b4acb40d6030b9e617
and http://jsunpack.jeek.org/?report=dab4f8a58a2ad73bdb83948eadc36e4e41fc5e1b
These last two links are for security researchers only; open with NoScript active and inside a VM/sandbox.
Could it not be a very good idea then to be hosted by DOMAINSATCOST.CA CORP :o
Apart from the insertion of forced adverts, the site mentioned in the full JScript is flagged.
See: http://whois.domaintools.com/torontodecompression.com
IP Address 66.147.242.189 - 2,061 other sites hosted on this server
Spam abuse for this IP reported here: http://knujon.com/ips/66.147.242.189.html

Damian