Author Topic: Recently Google Safebrowsing alerted, now still with issues...  (Read 892 times)


polonus
See: http://retire.insecurity.today/#!/scan/918f40ea96ed6f6de437b34d54e341dc153805423542786128a54ff202c2aee4
SRI Report- B-Status: https://sritest.io/#report/567ee515-35bd-4029-8f80-4fc14d42f55a
10 red out of 10: http://toolbar.netcraft.com/site_report?url=http://agc54.ru
executed evals 63 -> https://webcache.googleusercontent.com/search?q=cache:jdGQyb_WZKsJ:https://urlquery.net/report.php%3Fid%3D1470509668207+&cd=10&hl=nl&ct=clnk&gl=pl

HTTP only cookies: Warning

Requested URL: -http://agc54.ru/ | Response URL: http://agc54.ru/ | Page title: Автостекло в Новосибирске. AGC - стекла на любые автомобили. | HTTP status code: 200 (OK) | Response size: 47,309 bytes (gzip'd) | Duration: 1,559 ms
Overview
Cookies not flagged as "HttpOnly" may be read by client side script and are at risk of being interpreted by a cross site scripting (XSS) attack. Whilst there are times where a cookie set by the server may be legitimately read by client script, most times the "HttpOnly" flag is missing it is due to oversight rather than by design.

Result
It looks like a cookie is being set without the "HttpOnly" flag being set (name : value):

3c1134fed02388c59e0438ff8269a9e9 : m6hdn1n8u3lcqr0me772aqmh06
Unless the cookie legitimately needs to be read by JavaScript on the client, the "HttpOnly" flag should always be set to ensure it cannot be read by the client and used in an XSS attack.

On hosting: https://www.mywot.com/en/scorecard/isp10.adminvps.ru?utm_source=addon&utm_content=rw-viewsc

Detected: undefined variable n
     info: [element] URL=mc.yandex.ru/metrika/watch.js 
variable can only be used out of the conditional block, else such variables do not exist.

polonus
« Last Edit: August 22, 2016, 04:11:18 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
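As an added check (my own example, not part of the scan report or the site's code): a small Set-Cookie audit that parses raw header lines and flags cookies missing HttpOnly, Secure and SameSite. The first sample header reuses the cookie name and value from the report above; its flags and the other two headers are constructed for illustration.

```python
# Constructed Set-Cookie header lines; the first reuses the cookie name/value
# from the scan report, the attributes on all three are assumed.
SAMPLE_HEADERS = [
    "Set-Cookie: 3c1134fed02388c59e0438ff8269a9e9=m6hdn1n8u3lcqr0me772aqmh06; path=/",
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "Set-Cookie: prefs=dark; Path=/; HttpOnly",
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a dict of attributes."""
    if header.lower().startswith("set-cookie:"):
        body = header.split(":", 1)[1].strip()
    else:
        body = header.strip()
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str) -> dict:
    """Return the cookie name and a list of missing hardening flags."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by client-side script (XSS exposure)")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cookie itself gives no CSRF mitigation")
    return {"name": cookie["name"], "findings": findings}


def audit_all(headers):
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        status = "WARN" if result["findings"] else "OK"
        detail = "; ".join(result["findings"]) or "all flags present"
        print(f"{status} {result['name']}: {detail}")
```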