See: http://killmalware.com/torontodecompression.com/#
Already on there for over 10 days. http://sitecheck.sucuri.net/results/torontodecompression.com#sitecheck-details
ISSUE DETECTED | DEFINITION | INFECTED URL
Defacement | MW:DEFACED:01 | htxp://torontodecompression.com
Defacement | MW:DEFACED:01 | htxp://torontodecompression.com/404javascript.js
Javascript: error: ./pre.js:249: InternalError: too much recursion
See: http://jsunpack.jeek.org/?report=679d8a71c9785352b52fe4c1c9487f46dd103fdc
For security research only, open link with NoScript active and inside a VM/Sandbox.
index.html
Severity: Potentially Suspicious
Reason: Suspicious JavaScript code injection.
Details: Procedure: unescape has been called with a string containing hidden JavaScript code %0Avar numraindrops="150";%0Avar speed="5";%0Avar rainsize="2";%0Avar wind="left";%0Avar genxgallery="";%0A%0Afunction tb5_makeArray(n){ this.length = n; return this.length;%0A}%0Atb5_messages = new tb5_makeArray(3);%0Atb5_messages[0] = "0wn3d by";%0Atb5_messages[1] = "Mr. DellatioNx196";%0Atb5_messages[2] = "Security fail :p";%0Atb5_rptType = 'infinite';%0Atb5_rptNbr = 10;%0Atb5_speed = 50;%0Atb5_delay = 2000;%0Avar tb5_counter=1;%0Avar tb5_currMsg=0;%0Avar tb5_stsmsg="";%0Afunction tb5_shuffle(arr){%0Avar k;%0Afor (i=0; i<arr.length; i++){ k = Math.round(Math.random() * (arr.length - i - 1)) + i; temp = arr[i];arr[i]=arr[k];arr[k]=temp;%0A}%0Areturn arr;%0A}%0Atb5_arr = new tb5_makeArray(tb5_messages[tb5_currMsg].length);%0Atb5_sts = new tb5_makeArray(tb5_messages[tb5_currMsg].length);%0Afor (var i=0; i<tb5_messages[tb5_currMsg].length; i++){ tb5_arr[i] = i; tb5_sts[i] = "_";%0A}%0Atb5_arr = tb5_shuffle(tb5_arr);%0Afunction tb5_init(n){%0Avar k;%0Aif (n == tb5_arr.length){ if (tb
Threat dump: http://jsunpack.jeek.org/?report=36618835aeb6248a302daa1450817b7319068fae
Detected HTML/JavaScript input, results may be less reliable than a URL or pcap file upload. (pol)
Threat dump MD5: 9F4EB431E4AE2E35C46403A98AC49532
File size[byte]: 16430
File type: ASCII
Page/File MD5: 15CBACEE84C1C512CE4E63BA91B5D648
Scan duration[sec]: 0.050000
Suspicious of Defacement: Suspicion of Spam
a name="description" content="hacked by mr. dellationx196 - indonesian cyber freedom"/> <meta name="googlebot" content=…
Hacked via wXw.p0wersurge.com/js/jquery-css-transform.js (query_transform.js hack) → https://gist.github.com/bengourley/3865844
via style embed:
src="htxp://www.p0wersurge.com/js/rotate3Di.js">
XSS vuln. Results from scanning URL: htxp://torontodecompression.com
Number of sources found: 3
Number of sinks found: 7
polonus