Topic: WordPress Easyrotator Plugin File Manipulation Vulnerability on website?

polonus
See: https://urlquery.net/report/60d6bcbb-5146-415b-aaaf-637f949a467e
Consider: https://www.virustotal.com/#/domain/c520866.r66.cf2.rackcdn.com (given as OK at VT)

error
Quote
-c520866.r66.cf2.rackcdn.com/1/js/rotator.min.js
     status: (referer=http:/XXX/web?q=puppies)saved 155580 bytes 101d0bf9997195e9ccd8c56ed6f2d338a21411b9
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [javascript variable] URL=
     info: [img] -c520866.r66.cf2.rackcdn.com/1/js/
     info: [iframe] -c520866.r66.cf2.rackcdn.com/1/js/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable e.style
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var e.style = 1;
          error: line:1: ....^
alerted ET WEB_CLIENT Obfuscated Javascript // ptth on source IP 95.101.72.192

The exploit: https://cxsecurity.com/issue/WLB-2016050071 (source credits go to Iranian Security Group)
Dork : inurl:/wp-content/plugins/easyrotator-for-wordpress
WordPress version outdated - Version does not appear to be latest 4.9.8 - update now.
Reputation Check
WARNING 
Google Safe Browse: FOUND

Also found - -Rackcdn.com pop-up malcode...
Type:   Malicious Add-on/Extension
Brief Description:   Malicious add-on or extension can perform various unwanted tasks on computer.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!