The code there is flagged in the browser as malformed or illegal request attack code; it also resembles an XSS attack.
Google produces a 400 error.
An Injection check produces: Suspicious Text before HTML
Excessive header info proliferation alert for apache/2.4.9 (win64) php/5.5.12
PHP 5.5.12 suffers from a memory corruption vulnerability.
Site is flagged by Bitdefender’s TrafficLight as malicious.
Sucuri gives 6 instances of iFrame malware - MW:IFRAME:HD28 (for analogue detection issue → https://forum.avast.com/index.php?topic=127154.10 )
Quote from Alain Purcaru on error: undefined function vd5e274e → http://jsunpack.jeek.org/?report=7c15bf2c1e70c8b19bd754e2a81d55539b341547
(open link with NoScript extension active and inside a VM/sandbox, for security research only)
Although PHP does not require variable declaration, it does recommend it in order to avoid some security vulnerabilities or bugs where one would forget to give a value to a variable that he will use later in the script. What PHP does in the case of undeclared variables is issue a very low level error, E_NOTICE, one that is not even reported by default,
XSS vuln: Results from scanning URL: htxp://www.flyff-atomix.com/javascript/javascript.js
Number of sources found: 41
Number of sinks found: 17
Your code
<div class="header"> <div class="logocircle"></div><div class="logocircle2"><a href="/"><img src="/images/pixel_vide.gif" class="header-lien"></a></div> </div>
still gives alerts by malware Script Detector as XSS attack code related.
You should be a bit aware of your coding especially while with your hosting you are not as secure as “Fort Knox”
so to say as far as the header configuration there shows.
| Result | Category | Name | Actual Value | Our Recommendation |
|---|---|---|---|---|
| Missing | Framing | X-Frame-Options | | Use ‘sameorigin’ |
| Missing | Transport | Strict-Transport-Security | | Use ‘max-age=31536000; includeSubDomains’ |
| Missing | Content | X-Content-Type-Options | | Use ‘nosniff’ |
| Correct | Content | Content-Type | text/html; charset=UTF-8 | Use ‘text/html;charset=utf-8’ |
| Missing | XSS | X-XSS-Protection | | Use ‘1; mode=block’ |
| Warning | Cookies | Set-Cookie | PHPSESSID=3h6eucsn3j…3dd6plv7lc05; path=/ | Add ‘secure; httponly;’ |
| Correct | Caching | Cache-Control | no-store, no-cache, …check=0, pre-check=0 | Use ‘no-cache, no-store, must-revalidate’ |
| Correct | Caching | Pragma | no-cache | Use ‘no-cache’ |
| Correct | Caching | Expires | Thu, 19 Nov 1981 08:52:00 GMT | Use ‘-1’. Currently, expiration is current time minus -1043473382 seconds. |
| Missing | Access Control | X-Permitted-Cross-Domain-Policies | | Use ‘master-only’ |
| Missing | Content Security Policy | Content-Security-Policy | | Try Content-Security-Policy-Report-Only to start. Include default-src ‘self’, avoid ‘unsafe-inline’ and ‘unsafe-eval’ |
| Warning | Server Information | Server | Apache/2.4.9 (Win64) PHP/5.5.12 | Avoid version numbers |
| Warning | Server Information | X-Powered-By | PHP/5.5.12 | Avoid header |
Well, take that up with those that host the server this site is on - for recommendations see details here: http://cyh.herokuapp.com/cyh
where the 3rd party scan came from.
polonus
(volunteer website analyst and website error-hunter)
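
The header findings listed in the post above can be reproduced with a small check. This is an added example, not part of the original post and not the third-party scanner's code; the function names are hypothetical, the sample response headers are constructed, and the cookie value is a placeholder.

```python
import re

# Headers the scan above reports as "Missing", with the value it recommends.
RECOMMENDED = {
    "x-frame-options": "sameorigin",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-permitted-cross-domain-policies": "master-only",
    "content-security-policy": "default-src 'self'",
}
VERSION_RE = re.compile(r"[A-Za-z_-]+/\d+(\.\d+)*")  # e.g. "PHP/5.5.12"

def parse_headers(raw):
    """Return (lowercased name, value) pairs; repeated headers are kept."""
    pairs = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """Return sorted (severity, header, detail) findings for a header block."""
    pairs = parse_headers(raw)
    present = {name for name, _ in pairs}
    findings = [("missing", n, "add: " + v)
                for n, v in RECOMMENDED.items() if n not in present]
    for name, value in pairs:
        if name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(("warning", name, "discloses version: " + value))
        if name == "set-cookie":
            # Attributes follow the first ';' and are case-insensitive.
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            lacking = [f for f in ("secure", "httponly") if f not in attrs]
            if lacking:
                cookie = value.split("=", 1)[0]
                findings.append(("warning", name, cookie + " lacks " + ", ".join(lacking)))
    return sorted(findings)

# Constructed sample modelled on the scan above; the session id is a placeholder.
SAMPLE = """\
Server: Apache/2.4.9 (Win64) PHP/5.5.12
X-Powered-By: PHP/5.5.12
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=CONSTRUCTEDVALUE; path=/
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The `secure` cookie flag and `Strict-Transport-Security` only take effect on a site served over HTTPS, so they belong with a working TLS setup.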