Analysis of the malware detected on the website is here: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~LockScr-J/detailed-analysis.aspx (detailed analysis credits go to Sophos) -see *
Additionally I report:
Re: -http://pimpam.ru/ (category: hacking)
Detected libraries:
jquery - 1.7.2 : -http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery-ui-dialog - 1.8.20 : -http://pimpam.ru/js/custom.js
Info: Severity: medium
http://bugs.jqueryui.com/ticket/6016
jquery-ui-autocomplete - 1.8.20 : -http://pimpam.ru/js/custom.js
2 vulnerable libraries detected
Various adware links are blocked by script- and ad-blocker (-http://c.am15.net/preloader7.js -http://am15.net/sb.php?s=16264 * etc. etc.), and there is also a link to an expired website: -http://yandexapi.net/partner_js.php?site=2&id=236&rev=0
This domain is expired. If you are the domain owner please click here to renew it. yandexapi.net 2016 Copyright. All Rights Reserved.The Sponsored Listings displayed above are served automatically by a third party. Neither the service provider nor the domain owner maintain any relationship with the advertisers. In case of trademark issues please contact the domain owner directly (contact information can be found in whois).
Flagged here: https://urlquery.net/report.php?id=1456340025419
htxp://pimpam.ru/ is in Dr.Web malicious sites list!
Flagged with malscript is -http://asset.easydmp.net/
Cloaking: There is a difference of 44 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that’s trying to hide from browsers but make Google think there’s something else on the page.
id:'f03e62333576be815a18373cad3e1e6d',
id:'7d4141b7f471e0bccbfc61519f57b268',
browser:'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31'
browser:'Mozilla/5.0 (compatible; Googlebot/2.1; +-http://www.google.com/bot.html)'
"><font color="white">???????????? ???? ?????????????????????? ??????????</font> <img src="images/seodoktor.jpg" alt="???????????? ???? ?????????????????????? ??????????" title="???????????? ???? ?????????????????????? ??????????" border="0"></a></td>
"><font color="white">?????????????????????? ?????????????????? ??????????</font> <img src="images/seodoktor.jpg" alt="?????????????????????? ?????????????????? ??????????" title="?????????????????????? ?????????????????? ??????????" border="0"></a></td>
System Details:
Running on: nginx/1.2.1
Powered by: PHP/5.4.6-1ubuntu1.8
Web application details:
Google Analytics installed: UA-12835423-1
Outdated Web Server Nginx Found: nginx/1.2.1
Also -http://wapcpa.ru/?type=js&key=e2b5fe88776a4ea with outdated software: HTTP Server: nginx 1.4.6 (Outdated)
PHP Version: 5.4.20 (Outdated)
Malware by link to -http://recreativ.ru/rcode.1af096caf8.js should be removed: https://yandex.com/infected?l10n=en&url=-http://pimpam.ru/
Suspicious: /dvd/mystic. Quttera flags this file.
Severity: Suspicious
Reason: Detected encoded JavaScript code commonly used to hide suspicious behaviour.
Details: Detected encoded JavaScript code used to hide suspicious activity
See code attached as harmless image.
polonus
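Two of the checks reported above can be reproduced by hand: the user-agent cloaking comparison (serve the page to a browser UA and to a Googlebot UA, then compare the bodies) and the detection of outdated jQuery / jQuery UI versions from script tags. The following is an added example, not code from the post or from any of the scanners it cites. The HTML bodies are constructed samples, not captured from pimpam.ru; the "fixed in" version thresholds (jQuery 1.9.0 for ticket 11290, jQuery UI 1.10.0 for ticket 6016) are an assumption based on the tickets the report links to; and the version check only sees versions that are visible in the script URL, so it will not find the jQuery UI 1.8.20 that the scanner fingerprinted inside custom.js by content.

```python
"""Added example: UA-cloaking diff and script-tag library version check.
Sample HTML is constructed; version thresholds are an assumption."""
import difflib
import re
import urllib.request

# Constructed sample bodies: what a server might return to a desktop browser
# versus to a search-engine crawler. Hypothetical markup, not captured data.
PAGE_FOR_CHROME = """<html><head><title>sample</title></head>
<body><p>welcome</p>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script src="/js/custom.js"></script>
</body></html>
"""
# The crawler copy carries one extra link that the browser copy does not.
PAGE_FOR_GOOGLEBOT = PAGE_FOR_CHROME.replace(
    "<p>welcome</p>",
    '<p>welcome</p>\n<a href="/dvd/mystic">cheap dvd</a>',
)

CHROME_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.31 "
             "(KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def fetch_as(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent. Network helper; the offline
    demo below does not call it."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def cloaking_report(browser_html, crawler_html):
    """Return (byte delta crawler minus browser, changed lines).
    A non-zero delta alone is only a hint (ads, timestamps, CSRF tokens
    also vary); the changed lines are what to read."""
    delta = len(crawler_html.encode()) - len(browser_html.encode())
    changed = [
        line for line in difflib.unified_diff(
            browser_html.splitlines(), crawler_html.splitlines(),
            "browser", "crawler", lineterm="", n=0)
        if line[:1] in "+-" and not line.startswith(("+++", "---"))
    ]
    return delta, changed


SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# Matches .../jquery/1.7.2/..., jquery-1.7.2.min.js, jquery-ui-1.8.20.min.js
VERSIONED = re.compile(r'/(jquery(?:-ui)?)[/\-.]?(\d+(?:\.\d+)+)', re.I)

# Assumed fix versions for the two tickets cited in the report.
FIXED_IN = {
    "jquery": ((1, 9, 0), "http://bugs.jquery.com/ticket/11290"),
    "jquery-ui": ((1, 10, 0), "http://bugs.jqueryui.com/ticket/6016"),
}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def outdated_libraries(html):
    """Return [(library, version, ticket)] for script URLs carrying a
    version older than the assumed fix version."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        match = VERSIONED.search(src)
        if not match:
            continue  # no version in the URL; content fingerprinting needed
        name = match.group(1).lower()
        fixed, ticket = FIXED_IN.get(name, (None, None))
        if fixed and parse_version(match.group(2)) < fixed:
            findings.append((name, match.group(2), ticket))
    return findings


if __name__ == "__main__":
    delta, changed = cloaking_report(PAGE_FOR_CHROME, PAGE_FOR_GOOGLEBOT)
    print("byte delta browser->crawler:", delta)
    for line in changed:
        print(" ", line)
    for lib, ver, ticket in outdated_libraries(PAGE_FOR_CHROME):
        print("outdated:", lib, ver, ticket)
```

For a live check, call `fetch_as(url, CHROME_UA)` and `fetch_as(url, GOOGLEBOT_UA)` and feed both bodies to `cloaking_report`; fetch each twice with the same UA first, so that content that varies between any two requests is not mistaken for cloaking.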