What parked malcode is hxtp://ak2.imgaft.com/script/jquery-1.3.1.min.js

Blocked by Bitdefender in my browser, nothin’ here: http://urlquery.net/report.php?id=3483611
See: htxp://jsunpack.jeek.org/?report=a14ce75f19c14e404ae5d073bdb1da0fbef9c8ed (visit link with NoScript active and in a VM)
script having this bug: http://bugs.jquery.com/ticket/11312 bug link reported there by dmethvin
flagged in many instances here: http://scanurl.net/?u=http%3A%2F%2Fak2.imgaft.com&uesb=Check+This+URL#results
SiteAdvisor blacklisted - WOT blacklisted
Garry Dee reported:

"htxp://www.pinkmartinis.com/
https://www.virustotal.com/de/url/4d751b9a07b1f939f9b66e2929ec3d9890ed89...
HTML (Missing, Invalid): https://www.virustotal.com/de/file/f1f5762a7e58e0b3d9364345a6b7e388fcbef...
BitDefender domain information: The URL domain/host was seen to host badware at some point in time
htxp://ak2.imgaft.com/script/jquery-1.3.1.min.js
https://www.virustotal.com/de/url/157beff286c570d893eedba9e653fd3f51170c...
Site blacklisted, malware not identified
http://sitecheck.sucuri.net/results/ak2.imgaft.com
http://www.siteadvisor.com/sites/ak2.imgaft.com
See also: http://www.mywot.com/scorecard/ak2.imgaft.com"
See: https://www.virustotal.com/nl/url/157beff286c570d893eedba9e653fd3f51170cefedeb0861976b41c72a17334b/analysis/1365539823/ https://www.virustotal.com/nl/file/8629280c64020e8b35c76f71bf51d449bce65ec56fbe467799a1bb98a0c68ec4/analysis/

Seen in/from relation to parked domains like htxp://www.blacklistdoctor.com

polonus

Update,

Still a threat out there, although it seems the site is now down: http://urlquery.net/report.php?id=1428248435974
-ak2.imgaft.com is Ghosted. AkamaiGHost (Akamai’s HTTP Acceleration/Mirror service) - Invalid URL.
Errors when we want to connect to htxps://ak2.imgaft.com/ the certificate is an Akamai one.
Google Safebrowser gives a warning - your connection isn’t private.
The link popped up here: http://urlquery.net/report.php?id=1428248435974 at Blacklists info.

polonus

Newer update: Detected twice: htxp://ak3.imgaft.com/script/jquery-1.3.1.min.js
On what website, well here: http://urlquery.net/report.php?id=1430222099253
Look here: http://www.webdeveloper.com/forum/showthread.php?291427-New-domain-displaying-strange-JavaScript
See here: http://urlquery.net/report.php?id=1428586315635
Decoded output: http://www.unphp.net/decode/7f26ea2a6fd002c61bf7d6f81df169e0/
x-javascript Check:
Suspicious

eturn o.nodename(e,“iframe”)?e.contentdocument||e.contentwindow.document:o.makearray(e.childnodes)}},function(e,f){o.fn[e]=function(g){var h
Bug report - OVERDUE! → http://bugs.jquery.com/query?milestone=1.5&group=status&desc=1&order=summary&row=description

microsoft-iis/7.5 - custom errors: Fail and two warnings: https://asafaweb.com/Scan?Url=ak2.imgaft.com

Anyone?

polonus (volunteer website security analyst and website error-hunter)

Update here: blacklisted: -ak2.imgaft.com/script/jquery-1.3.1.min.js
Where detected? Here: http://urlquery.net/report.php?id=1434794265052
But consider: https://www.virustotal.com/en-gb/file/8629280c64020e8b35c76f71bf51d449bce65ec56fbe467799a1bb98a0c68ec4/analysis/1433172245/
See: https://www.mywot.com/en/scorecard/ak2.imgaft.com
Read: http://www.webdeveloper.com/forum/showthread.php?291427-New-domain-displaying-strange-JavaScript
Unverified risk - anyone?

pol

Update: this script is detected on urlquery dot net scans as it very aggressively tries to get you to blacklisted sites.
GoDaddy subsidiary code.
See for instance here: https://urlquery.net/report.php?id=1444686722657
The reputation review here is also not very promising: http://scamanalyze.com/check/ak2.imgaft.com.html
Read here more about this strange script: http://www.webdeveloper.com/forum/showthread.php?291427-New-domain-displaying-strange-JavaScript
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fak2.imgaft.com%2Fscript%2Fjquery-1.3.1.min.js
& http://www.domxssscanner.com/scan?url=http%3A%2F%2Fak3.imgaft.com%2Fscript%2Fjquery-1.3.1.min.js

polonus

Updated: https://urlquery.net/report.php?id=1444825646840
I get the following response GET:

HTTP/1.0 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 14 Oct 2015 12:33:43 GMT
Content-Length: 295
Age: 2

<!DOCTYPE html><body style="padding:0; margin:0;"><html><body><iframe src="-http://mcc.godaddy.com/park/ZGt0YwR2BP4kZwxhZl4=" style="visibility: visible;height: 100%; position:absolute" allowtransparency="true" marginheight="0" marginwidth="0" frameborder="0" width="100%"></iframe></body></html>

and my adblocker prevented me from going there: uBlock₀ has prevented the following page from loading:
-http://mcc.godaddy.com/park/ZGt0YwR2BP4kZwxhZl4
Because of the following filter -mcc.godaddy.com^
(parked is -http://limbo.me?reqp=1&reqr=)
Well, something not quite hunky-dory at GoDaddy: https://asafaweb.com/Scan?Url=mcc.godaddy.com%2Fpark
Three fails and three warnings!
This information should never be spread

 HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 14 Oct 2015 12:43:53 GMT
Connection: close
Content-Length: 6531

<!DOCTYPE html>
<html>
    <head>
        <title>Invalid URI: The hostname could not be parsed.</title>
        <meta name="viewport" content="width=device-width" />
        <style>
         body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} 
         p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
         b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
         H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
         H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
         pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
         .marker {font-weight: bold; color: black;text-decoration: none;}
         .version {color: gray;}
         .error {margin-bottom: 10px;}
         .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
         @media screen and (max-width: 639px) {
          pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }
         }
         @media screen and (max-width: 479px) {
          pre { width: 280px; }
         }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>Server Error in '/park' Application.<hr width=100% size=1 color=silver></H1>

            <h2> <i>Invalid URI: The hostname could not be parsed.</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

            



            <b> Exception Details: </b>System.UriFormatException: Invalid URI: The hostname could not be parsed.



            <b>Source Error:</b> 



            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

Line 106:      if (_parkDocumentRoute == null)
Line 107:      {
<font color=red>Line 108:        IDomainLookupData parkedDomainData = _domainLookup.Value.GetDomainInformation(_parkedDomainProvider.Value.DomainName);
</font>Line 109:
Line 110:        if (Request.QueryString[&quot;reqtid&quot;] != null &amp;&amp; Request.QueryString[&quot;reqtid&quot;] != &quot;&quot;)</pre></code>

                  </td>
               </tr>
            </table>

            


            <b> Source File: </b> d:\Sites\CDS\cds\controllers\page-controller.aspx.cs<b> &nbsp;&nbsp; Line: </b> 108
            



            <b>Stack Trace:</b> 



            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

[UriFormatException: Invalid URI: The hostname could not be parsed.]
   System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind) +6675677
   System.Uri..ctor(String uriString) +20
   System.Web.Util.UriUtil.BuildUriImpl(String scheme, String serverName, String port, String path, String queryString, Boolean useLegacyRequestUrlGeneration) +232
   System.Web.HttpRequest.BuildUrl(Func`1 pathAccessor) +233
   System.Web.HttpRequest.get_Url() +74
   ParkWeb.Providers.ParkedDomain.ParkedDomainProvider.get_DomainName() +155
   CDSPageControllers_page_controller.get_DocumentRoute() in d:\Sites\CDS\cds\controllers\page-controller.aspx.cs:108
   Atlantis.Framework.Web.CDSContent.CDSContentPageControllerBase.WhiteListCheck() +39
   Atlantis.Framework.Web.CDSContent.CDSContentPageControllerBase.OnPreInit(EventArgs e) +28
   System.Web.UI.Page.PerformPreInit() +31
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +335
</pre></code>

                  </td>
               </tr>
            </table>

            


            <hr width=100% size=1 color=silver>

            <b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34248

            </font>

    </body>
</html>
<!-- 
[UriFormatException]: Invalid URI: The hostname could not be parsed.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at System.Uri..ctor(String uriString)
   at System.Web.Util.UriUtil.BuildUriImpl(String scheme, String serverName, String port, String path, String queryString, Boolean useLegacyRequestUrlGeneration)
   at System.Web.HttpRequest.BuildUrl(Func`1 pathAccessor)
   at System.Web.HttpRequest.get_Url()
   at ParkWeb.Providers.ParkedDomain.ParkedDomainProvider.get_DomainName()
   at CDSPageControllers_page_controller.get_DocumentRoute() in d:\Sites\CDS\cds\controllers\page-controller.aspx.cs:line 108
   at Atlantis.Framework.Web.CDSContent.CDSContentPageControllerBase.WhiteListCheck()
   at Atlantis.Framework.Web.CDSContent.CDSContentPageControllerBase.OnPreInit(EventArgs e)
   at System.Web.UI.Page.PerformPreInit()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.cds_controllers_page_controller_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\park\e6ef9b65\18036ebd\App_Web_21qtntav.0.cs:line 0
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
--><!-- 
This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using &lt;customErrors mode="Off"/&gt;. Consider using &lt;customErrors mode="On"/&gt; or &lt;customErrors mode="RemoteOnly"/&gt; in production environments.--> 

polonus (volunteer website security analyst and website error-hunter)
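The 500 response quoted in the post above leaks server internals in both its headers and its verbose error body. The following check is an added example, not part of the original post or of any scanner named in the thread; the rule names and the `audit_response` function are assumptions made for illustration, and the sample is an abridged, constructed copy of the quoted response.

```python
import re

# Constructed sample: abridged from the 500 response quoted in the post above.
SAMPLE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
    "<title>Invalid URI: The hostname could not be parsed.</title>\n"
    "<b> Exception Details: </b>System.UriFormatException: Invalid URI\n"
    "<b> Source File: </b> d:\\Sites\\CDS\\cds\\controllers\\page-controller.aspx.cs\n"
    "<b>Stack Trace:</b>\n"
    "   System.Web.HttpRequest.get_Url() +74\n"
)

# Hypothetical rule set: response headers that reveal the platform.
HEADER_RULES = {
    "server": re.compile(r"/\d"),          # product name followed by a version
    "x-aspnet-version": re.compile(r"."),  # any value discloses the runtime
    "x-powered-by": re.compile(r"."),
}
# Hypothetical rule set: markers of an ASP.NET verbose error page.
BODY_RULES = {
    "exception-details": re.compile(r"Exception Details:"),
    "stack-trace": re.compile(r"Stack Trace:"),
    "server-file-path": re.compile(r"[a-zA-Z]:\\[^\s<]+\.(?:cs|vb|aspx)"),
    "framework-frames": re.compile(r"\bSystem\.Web\.\w+"),
}

def audit_response(raw):
    """Return a sorted list of disclosure findings for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:    # skip the status line
        name, _, value = line.partition(":")
        key = name.strip().lower()
        rule = HEADER_RULES.get(key)
        if rule and rule.search(value.strip()):
            findings.append("header:" + key)
    for label, rule in BODY_RULES.items():
        if rule.search(body):
            findings.append("body:" + label)
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_response(SAMPLE):
        print(finding)
```

An empty result is what a response should produce once custom errors are switched on, as the closing comment of the quoted error page recommends, and the version headers are removed.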

Here that script is found again: https://forum.avast.com/index.php?topic=177909.msg1260528#msg1260528
Bad web rep here, and I recently reported there: https://www.mywot.com/en/scorecard/ak2.imgaft.com?utm_source=addon&utm_content=warn-viewsc
Site currently not available: http://toolbar.netcraft.com/site_report?url=http://ak2.imgaft.com
See what is wrong, custom errors: Fail and warnings: https://asafaweb.com/Scan?Url=ak2.imgaft.com
Again the same trio involved - Secureserver - Akamai and GoDaddy - bulk hosting at its best?

polonus (volunteer website security analyst and website error-hoster)

Oh and what about this query blocked inside the browser with a Netcraft alert:

This page has been blocked by the Netcraft Extension for the following reason:

Suspected XSS Attack

Blocked URL: htxp://ak2.imgaft.com/site.aspx?aspxerrorpath=/trace.axd&foo=%3Cscript%3E

Update

Apart from other malware the same malcode has been found to reside here: https://www.virustotal.com/nl/url/f7571a080afbfd969604628d093733b14d51f817dae1f8e21550388dc4beb6cf/analysis/1445349807/ also see: http://urlquery.net/report.php?id=1445349666121
Nothing detected on Quttera’s: http://quttera.com/detailed_report/leadertrust.net
2 warnings: https://asafaweb.com/Scan?Url=leadertrust.net
Website has now been parked

<!DOCTYPE html><body style="padding:0; margin:0;"><html><body><iframe src="-http://mcc.godaddy.com/park/rKWhpKWyM2IbMzphLKWa/fe/rKWhpKWyM2IbMzphLKWa" style="visibility: visible;height: 100%; position:absolute" allowtransparency="true" marginheight="0" marginwidth="0" frameborder="0" width="100%"></iframe></body></html>

uBlock₀ has prevented the following page from loading:
-http://mcc.godaddy.com/park/rKWhpKWyM2IbMzphLKWa/fe/rKWhpKWyM2IbMzphLKWa
Because of the following filter
-||mcc.godaddy.com^

polonus
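The responses quoted in this thread show a URL that ends in `.js` answering with a small `text/html` page whose only content is a full-size iframe to the parking host. The following detection sketch is an added example, not part of the original posts; `is_parked_wrapper` and its parameters are assumptions for illustration, and the sample body is a constructed copy of the quoted 200 response.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the 200 response body quoted in the thread, keeping the
# forum's leading "-" link-breaker on the iframe URL.
BODY = ('<!DOCTYPE html><body style="padding:0; margin:0;"><html><body>'
        '<iframe src="-http://mcc.godaddy.com/park/ZGt0YwR2BP4kZwxhZl4=" '
        'style="visibility: visible;height: 100%; position:absolute" '
        'frameborder="0" width="100%"></iframe></body></html>')

class _Frames(HTMLParser):
    """Collect iframe attributes and count any other content-bearing tags."""
    def __init__(self):
        super().__init__()
        self.frames, self.other_tags = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))
        elif tag not in ("html", "body"):
            self.other_tags += 1

def is_parked_wrapper(host, path, content_type, body):
    """True when a script URL answers with a page that is nothing but one
    full-size iframe pointing at a different host."""
    if not path.lower().endswith(".js"):
        return False
    if not content_type.lower().startswith("text/html"):
        return False                       # a real script is not served as HTML
    parser = _Frames()
    parser.feed(body)
    if len(parser.frames) != 1 or parser.other_tags:
        return False
    frame = parser.frames[0]
    src = (frame.get("src") or "").lstrip("-")   # drop the forum's link-breaker
    src_host = urlsplit(src).hostname
    full_size = (frame.get("width") == "100%"
                 and "height: 100%" in (frame.get("style") or ""))
    return bool(src_host) and src_host != host.lower() and full_size

if __name__ == "__main__":
    print(is_parked_wrapper("ak2.imgaft.com", "/script/jquery-1.3.1.min.js",
                            "text/html; charset=utf-8", BODY))
```

A site owner can run the same test against every third-party script URL their pages reference to catch a dependency whose domain has lapsed into parking.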