What are they doing in my net monitor logs?

See: http://toolbar.netcraft.com/site_report?url=http://ptr7.bubbles.co.il
Site is into social and affiliation organizations
Unable to properly scan site: http://urlquery.net/report.php?id=1409604597490
See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fptr7.bubbles.co.il%2F&useragent=Fetch+useragent&accept_encoding=
Microsoft-HTTPAPI/2.0- X-Powered-By: Express; site vulnerable to clickjacking
and Pre-Auth Remote Stack Overflow Exploit - It will bind a cmdshell on port 1154 if successful.
Mail server account → http://www.projecthoneypot.org/ip_64.34.182.212
All I see is test2.
Somehow there is active malware up and active there, but what?
Also consider: http://www.isoc.org.il/domain_heb/whois.html http://domains.livedns.co.il

polonus

Here is how they should remove the extensive header in Express:
In Express >= 3.0.0rc5:


app.disable('x-powered-by');

Here is a simple middleware that removes the header in earlier versions of Express:


app.use(function (req, res, next) {
  res.removeHeader("x-powered-by");
  next();
});  

Info credits go to Stack Overflow's Jacob Marble & rjack

polonus
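
Added example, not part of the posts above or of the credited Stack Overflow answer: a small header audit to confirm the X-Powered-By fix took effect and to check the banner and clickjacking points raised in the first post. The function names and the sample header sets are assumptions constructed for illustration.

```javascript
// Added example: audit response headers for the issues named in the thread.
// HTTP header names are case-insensitive, so normalise them first.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// True when a CSP value has a frame-ancestors directive that limits framing.
// Conservative: an empty source list or a bare * is treated as no restriction.
function cspRestrictsFraming(csp) {
  return csp.split(';').some((directive) => {
    const [name, ...sources] = directive.trim().split(/\s+/);
    return name.toLowerCase() === 'frame-ancestors' &&
      sources.length > 0 && !sources.includes('*');
  });
}

function auditHeaders(rawHeaders) {
  const h = normalise(rawHeaders);
  const findings = [];
  if ('x-powered-by' in h) {
    findings.push(`x-powered-by discloses framework: ${h['x-powered-by']}`);
  }
  // A Server value carrying a version (Name/2.0) discloses more than needed.
  if (h.server && /\/\d/.test(h.server)) {
    findings.push(`server banner discloses version: ${h.server}`);
  }
  // ALLOW-FROM is obsolete in current browsers, so only these two values count.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const xfoOk = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  const cspOk = cspRestrictsFraming(h['content-security-policy'] || '');
  if (!xfoOk && !cspOk) {
    findings.push('no framing restriction: clickjacking possible');
  }
  return findings;
}

// Constructed samples: the first mirrors the headers reported in the thread,
// the second is the same response after the header fix plus a framing policy.
const reported = { 'Server': 'Microsoft-HTTPAPI/2.0', 'X-Powered-By': 'Express' };
const hardened = {
  'Server': 'Microsoft-HTTPAPI/2.0',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};
console.log(auditHeaders(reported));
console.log(auditHeaders(hardened));
```

The Server banner still shows up in the second result because the samples keep it; the Express setting only affects X-Powered-By.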