Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on February 02, 2014, 05:08:21 PM

Title: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 02, 2014, 05:08:21 PM
See: http://maldb.com/kurtoyunlari.org/#
Non-detection here: https://www.virustotal.com/nl/url/a37231de82f77760a7d0fdbd117ddd8c93210f0907bac764de5ae6279b993ab1/analysis/1391354936/
and here: http://urlquery.net/report.php?id=9196594
Other sites on same IP: http://sameid.net/ip/95.173.183.139/
connection timed out. WhatWeb info: htxp://www.koyunoyunlari.com/kurt-oyunlari [200] Google-API[ajax/libs/jquery/1.3.2/jquery.min.js],
 HTTPServer[LiteSpeed],
 IP[95.173.183.139],
 JQuery, PHP[5.3.27],
 X-Powered-By[PHP/5.3.27],
 Cookies[PHPSESSID],
 Title[Kurt Oyunları Oyna, Kurt Oyunları Oyunu],
 Country[TURKEY]
& see: http://builtwith.com/?http%3a%2f%2fwww.koyunoyunlari.com%2fkurt-oyunlari

JS errors: http://jsunpack.jeek.org/?report=e0475117c42c5df1847a95fc391a35fd2876f9b4 ->
- invalid flag after regular expression  & SyntaxError: invalid decrement operand:

External links benign.
Quote
Content after the < /html> tag should be considered suspicious.
163:
This could denote a threat that has been removed earlier.

The recommended scanner Sucuri gives site as clean.
Conditional redirects can be suspicious, but aren't always insecure!

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 02, 2014, 05:30:22 PM
See: http://maldb.com/aay-search.info/#
See: http://builtwith.com/aay-search.info
Quttera's gives it as clean: http://www.quttera.com/detailed_report/aay-search.info
Sucuri gives it as clean.
The redirect is there: stats.wordpress dot com/e-201405.js benign -> http://jsunpack.jeek.org/?report=771b71927a5f60fc132d5f3cd15a53814d4f7f03
[nothing detected] (script) stats dot wordpress dot com/e-201405.js
     status: (referer=thefutureisbetterthanyouthink dot com/) Redirect to this URL found in 9 sites
and redirect site has unsatisfactory web rep according to WOT: https://www.mywot.com/en/scorecard/trade.nosis.com?utm_source=addon&utm_content=popup-donuts (Poor customer experience fraudulent info)
appears in this listing: http://johnpc.home.xs4all.nl/vulnerable_sites-ips.txt
Site has suspicious Spam Check: Suspicion of Spam
s**g gllrs in bubaxxx s#xyfp0rn0-s*ndib*le-c*rt^^ns dot com brzg wwwwwb s-tacom ocii ocxxxcom ra eldi wwo gpco u wwoo w...
(obscured by me -pol)
No flag here: http://urlquery.net/report.php?id=9198109 -> http://www.webutations.net/go/review/aay-search.info

Do not venture out there because it is a smut search engine!

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 02, 2014, 07:08:59 PM
Here one redirect was being cleansed, another left on. See on what was left on: to: htxp://www.dailyfx.com/forex_forum/expert-advisor-discussion/96889-best-forex-ea-4.html - 2 sites infected with redirects to this URL. The other redirect still flagged here:
index
Severity:    Suspicious
Reason:   Detected suspicious redirection to external web resources at HTTP level. [What's this?]
Details:    Detected HTTP redirection to htxp://bit.ly/16FSPwZ.
Threat dump MD5:    D41D8CD98F00B204E9800998ECF8427E
File size[byte]:    18446744073709551615
File type:    Unknown
MD5:    00000000000000000000000000000000
Scan duration[sec]:    0.001000 -> http://jsunpack.jeek.org/?report=d7ba41c67996414aaa935282cc6ebf3082c3f47b
External link to page with trackers: htxp://webmoney.pixub.com/ -> Couldn't connect using TCP protocol and 3 further warnings,
see: http://www.dnsinspect.com/webmoney.pixub.com

WhatWeb info: http://1eplh.com [403] WordPress, HTTPServer[Apache],
 Adobe-Flash, PoweredBy[WordPress],
 Apache, IP[199.188.200.101],
 JQuery[1.10.2],
 PHP[5.3.27],
 X-Powered-By[PHP/5.3.27],
 Title[Best forex broker Review | Best forex broker Review – Read More …]
Web application version:
WordPress version: WordPress
Wordpress version from source: 3.6
Wordpress Version 3.6 based on: htxp://1eplh.com//wp-admin/js/common.js
WordPress directory: htxp://1eplh.com/wp-content
WordPress theme: htxp://1eplh.com/wp-content/themes/FinanceSpot/
WordPress version outdated: Upgrade required.

One website with OVERDUE! malcode on same IP: http://support.clean-mx.de/clean-mx/viruses.php?ip=199.188.200.101&sort=first%20desc
See recent reports here: http://urlquery.net/report.php?id=9199442

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 03, 2014, 07:29:37 PM
Here a visitors redirect, see: http://maldb.com/photovoltaik-montage.net/#
See also: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fphotovoltaik-montage.net%2F&useragent=Fetch+useragent&accept_encoding=
Conditional redirect found going to:
Redirect to this URL found in 299 sites -> htxp://minal.strangled.net/ -> http://www.webutations.net/go/review/strangled.net?req=chrome
See: https://www.virustotal.com/nl/url/be484cb2f96f63779aac708d629434e90b2a2dfea9730abc19e6ad79cd4d9d89/analysis/
Threat Category: Dynamic DNS. IP malcode most closed and dead: http://support.clean-mx.de/clean-mx/viruses.php?domain=ddns.info&sort=netname%20desc

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 04, 2014, 12:07:16 AM
Read on redirects as a general introduction to this theme, info here:
http://searchengineland.com/redirects-good-bad-conditional-14539 - link article author = Stephan Spencer

Here the question is, is a conditional redirect still there: http://maldb.com/uapbbands.com/#
It seems and it is a non-desired redirect destination (two "reds" on WOT's)

Not detected here: https://www.virustotal.com/nl/url/34ed42c1f4e5caa85d3edf5431613c594fc06c73870fb5d0868d4e912156d543/analysis/1391467345/
and here: http://quttera.com/detailed_report/uapbbands.com and here: http://urlquery.net/report.php?id=9212432

Server software and CMS check: apache/2.2.24 (unix) mod_hive/3.6 mod_ssl/2.2.24 openssl/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 frontpage/5.0.2.2635 mod_jk/1.2.35
CMS: wordpress 3.5.1

WhatWeb info: htxp://uapbbands.com [200] WordPress[3.5.1],
 MetaGenerator[WordPress 3.5.1],
 HTTPServer[Unix][Apache/2.2.24 (Unix) mod_hive/3.6 mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.35],
 x-pingback[,http://uapbbands.com/xmlrpc.php],
 UncommonHeaders[x-pingback],
 Apache[2.2.24][mod_auth_passthrough/2.1,mod_bwlimited/1.4,mod_hive/3.6,mod_jk/1.2.35,mod_ssl/2.2.24],
 HTML5, IP[108.175.152.88],
 JQuery[1.8.3],
 Mobile-Website[Apple Handheld],
 FrontPage[5.0.2.2635],
 OpenSSL[0.9.8e-fips-rhel5],
 Title[University Bands at UAPB | Marching Musical Machine of the Mid-South],
 Email[evansdATuapb dot edu,foosterhATuapb dot edu,grahamjAT uapb dot du,uapbbandsATuapb dot edu]
also see: http://fetch.scritch.org/%2Bfetch/?url=uapbbands.com&useragent=Fetch+useragent&accept_encoding=

Site vulnerable: Web application version:
WordPress version: WordPress 3.5.1
Wordpress version from source: 3.5.1
Wordpress Version 3.5 based on: htxp://uapbbands.com//wp-admin/js/common.js
WordPress theme: htxp://uapbbands.com/wp-content/themes/nash/
Wordpress internal path: /home/showcase/public_html/uapbbands.com/wp-content/themes/nash/index.php
WordPress version outdated: Upgrade required.

On the conditional redirect site: https://www.mywot.com/en/scorecard/piopo.25u.com?utm_source=addon&utm_content=rw-viewsc
kraken Virus Tracker domain classification: piopo dot 25udot com,24.228.64.193,ns1.changeip dot org,Criminals,
where "criminals" means no more or less than "active malware up".

General insecurity warnings on the site are: outdated vulnerable CMS, excessive header info spread to the globe and potential attackers alike (see earlier),
and this site also seems vulnerable to clickjacking.

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 04, 2014, 04:02:52 PM
The following site, see scan here: http://maldb.com/so-5.info/#  had a conditional redirect on it earlier,
that was cleansed, probably because it was/is open to the so-called xmlrpc.php pingback vulnerability.

Read about this issue and protection against it here:
http://blogs.reliablepenguin.com/2013/05/28/wordpress-xmlrpc-php-pingback-vulnerability  article author = leerb
Why I thought up this possible scenario, see here:
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fso-5.info%2F&useragent=Fetch+useragent&accept_encoding=

Think status of page now is OK: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fso-5.info%2Fxmlrpc.php
but the vulnerabilities (excessive header info & the xmlrpc.php issue) should be tackled!

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 04, 2014, 11:08:19 PM
Re: http://maldb.com/aacbe.co.uk/
Here we got one that has been reported as cleansed, nonetheless detected as with a suspicious domain: Suspicious domain detected.
Details: http://sucuri.net/malware/malware-entry-mwblacklisted35
Location: htxp://uendkgkw.ddns.me.uk/
And again site is vulnerable because CMS is outdated: (probably also via the htxp://www.aacbe.co.uk/xmlrpc.php pingback vuln.)
WordPress version: WordPress 3.4.2
Wordpress version from source: 3.4.2
Wordpress Version 3.3 or 3.4 based on: htxp://www.aacbe.co.uk//wp-includes/js/autosave.js
WordPress directory: htxp://www.aacbe.co.uk/wp-content
WordPress theme: htxp://www.aacbe.co.uk/wp-content/themes/acbe/
WordPress version outdated: Upgrade required.
also see: http://fetch.scritch.org/%2Bfetch/?url=www.aacbe.co.uk&useragent=Fetch+useragent&accept_encoding=

No alerts here: http://urlquery.net/report.php?id=9225688

Finally Zulu Zscaler detects and flags as 100/100% malicious: http://zulu.zscaler.com/submission/show/c6f935c4389f7a9fd3bbfd25185af358-1391550956
Why, see here: http://jsunpack.jeek.org/?report=cdb26aa2f42eca1c05234a00a401757ea5216f89

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 05, 2014, 07:24:48 PM
Another one alerted here: http://sitecheck2.sucuri.net/results/gregoryposey.com
See payload: http://sitecheck2.sucuri.net/results/gregoryposey.com#viewpayload2 -> http://sucuri.net/malware/malware-entry-mwht291
Google browser diff. Google: 7741 bytes       Firefox: 8299 bytes
Diff:         558 bytes

First difference:
" content="text/html; charset=utf-8"/> <head> <title>cx.cc</title> <script src="htxp://www.google.com/adsense/domains/caf.js" type="text/javascript" ></script> <link href="htt...  -> http://maldb.com/gregoryposey.com/#  -> http://evuln.com/labs/valueband.cx.cc/

Also a PHISH on misused and abused server: http://support.clean-mx.de/clean-mx/phishing.php?id=3746674

Not flagged here: http://zulu.zscaler.com/submission/show/d7da35eba458b3f97be03327c055882d-1391624361

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 06, 2014, 03:16:08 PM
The following example in this parade of conditional redirects has a malicious server redirect/status: Code: 301,  htxp://ristoncharge.in/meeting/index.php
Redirect to external server! -> http://siteexplorer.info/domain/ristoncharge.in
With jsunpack I get: failure: <urlopen error [Errno -2] Name or service not known - 11004 [11004] Valid name, no data record (check DNS setup)
All of that redirect campaign: http://evuln.com/labs/ristoncharge.in/
See: http://urlquery.net/report.php?id=9256585  - The location line in the header above has redirected the request to: htxp://ristoncharge.in/meeting/index.php
Malicious redirects are detected by avast! as PHP:Redirector-Z[Trj]
Also detected here: http://app.webinspector.com/public/reports/19940248 Possible Malware checked url Google Advisory! -> http://sucuri.net/malware/malware-entry-mwblacklisted35 (and again we see 404javascript.js * in the Security Warnings and 404testpage4525d2fdc)
Read on this WP malcode from T.Layman: http://wordpress.org/support/topic/removing-malicious-code-malicious-404-redirect
and here: https://www.badwarebusters.org/main/conversations?tag=404testpage4525d2fdc&view=tag
For * see: http://www.askapache.com/seo/404-google-wordpress-plugin.html

polonus

Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 08, 2014, 06:56:01 PM
The following conditional redirect to malcode is not being flagged everywhere. Sucuri Site check detects: http://sitecheck2.sucuri.net/results/metrolinatheatre.org
malcode detected: http://sucuri.net/malware/entry/MW:HTA:7
Remove offending code from .htaccess and/or index.php or contact support@sucuri.net for help (not free)

Joomla version outdated: Joomla Version 1.5.8 to 1.5.14 for: htxp://metrolinatheatre.org/media/system/js/caption.js
Joomla Version 1.5.14 for: htxp://metrolinatheatre.org/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.

See: https://asafaweb.com/Scan?Url=metrolinatheatre.org
Custom errors fail: Requested URL: htxp://metrolinatheatre.org/trace.axd | Response URL: htxp://metrolinatheatre.org/trace.axd | Page title: Trace Error | HTTP status code: 403 (Forbidden) | Response size: 2,077 bytes | Duration: 291 ms
Various Warnings for server configuration insecurities - see scan results.

Live malware on same IP: http://support.clean-mx.de/clean-mx/viruses?id=14468864
-> https://www.virustotal.com/nl/file/76358a5c6f25a85f120ed8b6cec01bb1c070dc967ffe95de0e148c37b50b35e2/analysis/
and more here:  http://urlquery.net/report.php?id=9317486
More malcode from Arizona, Scottsdale: https://www.virustotal.com/nl/ip-address/50.63.196.33/information/
where avast! Webshield blocks htxp://urlquery.net/report.php?id=6994270 as with JS:Iframe-CSU[Trj]

For the infested redirect source -> http://evuln.com/labs/shop-apps.net/ and redirects to view: http://jsunpack.jeek.org/?report=7a3240abfdaddddf9422721f681445e430bb9f51 -> https://www.virustotal.com/nl/ip-address/69.43.160.215/information/
and WOT has two red alerts for this destination: https://www.mywot.com/en/scorecard/bidr.trellian.com
bidr.trellian.com is listed in OpenDNS's Block Tool http://forums.opendns.com "reported to WOT by marco2981, listed in 2012 - not now". Earlier IDS alert for "MALWARE-OTHER SimpleTDS - request to go.php".
bidr.trellian.com/r.php?u=htxp:/www.winstmethode.com/css/js/cufon-yui.js benign *
[nothing detected] (script) bidr.trellian dot com/r.php?u=htxp:/www.winstmethode.com/css/js/cufon-yui.js
     status: (referer=bidr.trellian dot com/r.php?u=htxp:/www.winstmethode.com/?  A=4746&SubAffiliateID=14723145&sid=201402090437526893c4a3bca84fb633&s=m)saved 18258 bytes 8c9ba8f142de4e3769a9c1444d74b94d5aa815ff
     info: [decodingLevel=0] found JavaScript
     error: undefined variable C (nothing detected] (element) 127.0.0.1/undefined)
     suspicious: -> http://jsunpack.jeek.org/?report=c8fa98efb9d0241c79265ede0f5c71047a8533ef
N.B. * POOR SOCIAL NETWORK PRESENCE (mentioned via 7 links on scamvoid)

Joomla consider: -http://metrolinatheatre.org/media/system/js/caption.js
Avast! does not flag site, also see: http://zulu.zscaler.com/submission/show/7dbd43f3810511364ac2beaf09bac4d5-1391881637
Webutation flags via WOT: http://www.webutations.net/go/review/shop-apps.net?req=chrome

polonus

Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 11, 2014, 11:39:58 PM
Following site has outdated Joomla CMS: Joomla Version: 1.7.1
Joomla Version 1.6 or 1.7 for: htxp://mbryadesign.com//media/system/js/caption.js
Joomla Version 1.6.x for: htxp://mbryadesign.com//language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.

PHISHING going on from domain - response dead.
Quttera has one potentially suspicious file:
/plugins/system/cd_scriptegrator/utils/js/highslide/highslide.packed.js.php
Severity:    Potentially Suspicious
Reason:    Detected potentially suspicious content.
Details:   Detected potentially suspicious initialization of function pointer to JavaScript method eval <code> __tmpvar632980728 = eval; <code/>
Threat dump - view here: http://jsunpack.jeek.org/?report=3289e58f3b7f3721f1a04795b1bad7bec321af49
Threat dump MD5:    9665F6C56A641419EAE6DC83FC5FFCC5
File size[byte]:    32328
File type:    ASCII
MD5:    091A36204A929EB1437C1E744E9E3D42
Scan duration[sec]:    0.625000
That code (once decoded by the browser) is used to generate an iframe where more malware is loaded
and used to infect the browser of the person visiting the compromised web site.

Muti-Hop_Mass_iframe_Exploits_Cybercrime
to: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php
Redirect to this URL found in 3779 sites -> https://www.virustotal.com/nl/url/933fbbe4eb0fe7b7a982d713943d637f903f32eaf38c865568275b4227bcb058/analysis/

http://97.74.215.83/ see attached  -> https://www.virustotal.com/nl/ip-address/97.74.215.83/information/

ThreatSTOP alerts: 1 connection from first seen 10 months ago to last seen 23 hours ago   Threatname AlienVault Danger level 3

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 13, 2014, 04:22:08 PM
Here a redirect after site became parked: http://maldb.com/kuhinje-contessa.si/#
See: http://jsunpack.jeek.org/?report=e1cc42a33e677371f75a59cbddf99a07977b9c28
Reported as a redirecting site two days ago and therefore now being blacklisted,
so Google reports kuhinje-contessa.si as suspicious website.
The redirect site is detected here: https://www.virustotal.com/nl/url/e6e08616089df66480c0ac23200411a9a8df17c08d2d48fcbcadd8c0de1724dd/analysis/
also see: https://www.virustotal.com/nl/ip-address/50.63.202.52/information/
Server redirect: Code: 301,  htxp://flameorangeadvantageous.info/glasse?8  Redirect to external server!
Re: https://www.google.com/safebrowsing/diagnostic?site=http://flameorangeadvantageous.info/&hl=nl
iFrame Check: Suspicious  htxp://mcc.godaddy.com/park/p3yhrawvmj5uquwhpjyhljqhquwvntlhqzsmlt==/fe/nzcdyaevlae5pv5jlab=?=404;ht'
-> http://urlquery.net/report.php?id=1621455
Google/browser diff -> Not identical
Google: 663 bytes       Firefox: 0 bytes
Diff:         663 bytes
First difference:
dy></html>...

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 13, 2014, 06:10:56 PM
Now in this series of various conditional redirects (malicious, suspicious, and otherwise) we start from the other side up, at the redirect source, and it is malicious: http://totalhash.com/analysis/7fdfe186d1f2e4a306dfc6437a8833374a2e686b
Conditional redirects found. Visitors from search engines are redirected
to: htxp://bbodisk.com/?p_id=showpolo&category_use=1&category=ani
Redirect to this URL found in 5 sites
Now I get an Invalid web site provided.
Where it was flagged from, well here, see: http://maldb.com/c8uqtr0.heliumacademy.co.kr/#
Funny we see no alerts on this scan: http://urlquery.net/report.php?id=9423612
also here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fc8uqtr0.heliumacademy.co.kr%2F

Is it already history or is the redirect source dead?
But the redirect source had malware -> South Brisbane QLD AU registered
Error while checking the SSL Certificate!!
-
The SSL Certificate we found on this site is not meant for bbodisk.com, probably this is another site on the same server.

We advise you not to submit any confidential or personal data to this website because a secure connection could not be established with this website.
Bot or Trojan IPs | # of Connections | First Identified | Last Seen | Threat | Danger Level
115.71.2.22 | 2 | 3 years ago | 6 days ago | Modified ITAR | 1
(second row) | | 3 years ago | 6 days ago | Republic of Korea |

polonus

Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 14, 2014, 05:00:04 PM
Let us check on another suspicious redirect, http://maldb.com/elcorco.com/#
Conditional redirects found. Visitors from search engines are redirected
to: htxp://dubstep.dumb1.com/
Redirect to this URL found in 1950 sites
Both Bitdefender's TrafficLight and WOT give the redirect as malicious: dubstep dot dumb1 dot com/
-> https://www.mywot.com/en/scorecard/dubstep.dumb1.com
-> https://www.robtex.com/dns/dubstep.dumb1.com.html
-> http://labs.sucuri.net/?details=dubstep.dumb1.com
-> http://www.freemalwarecheck.com/malware-11/unokesyh-dumb1-com-and-dubstep-dumb1-com-removal.html
-> also into PHISHing - http://support.clean-mx.de/clean-mx/phishing?id=3739087

The malcode is only detected by 2 solutions: http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&domain=zlpjh.disrai.dumb1.com
Re: https://www.virustotal.com/nl/file/b21e50d4efb18a2b820c1298c711eed1bb20be5af18c6d5b5646836f9863163b/analysis/

And of course our avast! is one of them.

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 19, 2014, 05:30:58 PM
This conditional redirect was found in 346 domains (so a malware campaign) -> https://www.virustotal.com/nl/url/10ddf9f88bbf25d9a45fb215832b658c94c1e4e7deebcee1140b243bc0323c7b/analysis/
One of the affected sites: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2F333racing.com
& http://maldb.com/333racing.com/#
How this was performed, read here: https://productforums.google.com/forum/#!topic/webmasters/Lmmo2_skpcg (replies in link from Redleg - the man behind his well-known fileviewer - he reports
Quote
The redirect to www6 . uiopqw . jkub . com   is typically done with a bit of obfuscated php code
)
-> http://wordpress.org/support/topic/clicking-the-link-leads-to-a-nonexistant-webpage (repair info thanks to esmi there)
and additionally scan report here: http://killmalware.com/infotik.eu/
Here the redirection is missed: http://www.toolshack.com/site?host=http://architectura-perspectiva.com/

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 19, 2014, 10:40:00 PM
For this site the conditional redirect is not alerted on Sucuri's: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fendlessmountainadvertising.com
Malvertising redirect source has been closed and is no longer found at that server!
What is flagged is what may have led to it: Joomla Version: 2.5.3
Joomla Version 2.5.x - 3.0.x for: htxp://endlessmountainadvertising.com/media/system/js/caption.js
Joomla Version 2.5.0 to 2.5.2 for: htxp://endlessmountainadvertising.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Redirect flagged here: http://maldb.com/endlessmountainadvertising.com/# (but redirect status unchecked)
Missed for that reason here: http://www.quttera.com/detailed_report/endlessmountainadvertising.com
and also here: http://zulu.zscaler.com/submission/show/eef2a28fabce71e8efd8327d6b1bb99e-1392845022
probably in both cases because of the redirect server no longer responding to that request!
Redleg's fileviewer gives it all:
Header returned by request for: htxp://endlessmountainadvertising.com -> 50.63.208.1

HTTP/1.1 302 Moved Temporarily
Date: Wed, 19 Feb 2014 21:26:16 GMT
Server: Apache
Location: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php

The location line in the header above has redirected the request to: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php
Redirect to this URL found in 3783 sites. -> www.cibonline.org,217.76.130.29,,Parked/expired,
and so no longer responding: http://jsunpack.jeek.org/?report=bf09c52830fb3b6efa1bb170992d5a0040ab1c35
Here we have it confirmed the malware has now been closed: http://support.clean-mx.de/clean-mx/viruses.php?review=50.63.208.1&sort=first%20desc

Maladver clicks: http://www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/
(link article author Dancho Danchev)

polonus
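The referer-keyed 302 shown in the fileviewer output above, and the "Google: N bytes / Firefox: M bytes" comparison quoted in earlier posts, can both be checked mechanically once the same URL has been fetched as several kinds of visitor. The following is an added example, not code from this thread or from any of the scanners it links to; it assumes the raw responses were already captured with different Referer / User-Agent headers, and the hostnames, responses and probe labels are constructed placeholders.

```python
"""Offline check for conditional (referer- or user-agent-dependent) redirects.
Added example for this thread, not code from the forum or from the scanners it
links to; the hosts, responses and probe labels below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Referer hosts that injected .htaccess / index.php redirect rules usually key on.
SEARCH_ENGINE_MARKERS = ("google.", "bing.", "yahoo.", "yandex.", "ask.")


@dataclass
class Probe:
    """One fetch of the same URL, disguised as a particular kind of visitor."""
    label: str
    referer: Optional[str]
    user_agent: str
    raw_response: str  # complete HTTP response, status line through body


def parse_http_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw response into (status code, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def redirect_target(raw: str) -> Optional[str]:
    """Location of a 3xx answer, or None when the server served a page."""
    status, headers, _ = parse_http_response(raw)
    return headers.get("location") if 300 <= status < 400 else None


def from_search_engine(referer: Optional[str]) -> bool:
    if not referer:
        return False
    host = urlparse(referer).hostname or ""
    return any(marker in host for marker in SEARCH_ENGINE_MARKERS)


def classify_redirects(site_url: str, probes: List[Probe]) -> Dict[str, object]:
    """Conditional = only some probes are bounced (the thread's "visitors from
    search engines are redirected"); unconditional = every probe gets a 3xx."""
    targets = {p.label: redirect_target(p.raw_response) for p in probes}
    bounced = [p for p in probes if targets[p.label]]
    if not bounced:
        verdict = "no redirect"
    elif len(bounced) == len(probes):
        verdict = "unconditional redirect"
    else:
        verdict = "conditional redirect"
    site_host = urlparse(site_url).hostname
    distinct = sorted({t for t in targets.values() if t})
    return {
        "verdict": verdict,
        "targets": distinct,
        # "Redirect to external server!" in the scanner output
        "external": any(urlparse(t).hostname != site_host for t in distinct),
        "search_engine_only": bool(bounced)
        and all(from_search_engine(p.referer) for p in bounced),
    }


def body_size_diff(probes: List[Probe], label_a: str, label_b: str) -> int:
    """The 'Google: N bytes / Firefox: M bytes' comparison quoted in the thread."""
    sizes = {p.label: len(parse_http_response(p.raw_response)[2].encode())
             for p in probes}
    return abs(sizes[label_a] - sizes[label_b])


# --- constructed sample traffic (placeholder hosts, not real sites) ----------
SITE = "http://compromised-site.example/"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
GOOGLEBOT = "Googlebot/2.1 (+http://www.google.com/bot.html)"
INJECTED_IFRAME = ('<iframe src="http://redirect-destination.example/x" '
                   'width="0" height="0"></iframe>')
CLEAN_PAGE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
              "<html><head><title>Site</title></head><body>Welcome</body></html>")
# Same URL, but the request carried a Google referer: 302 to a foreign host.
SE_REDIRECT = ("HTTP/1.1 302 Moved Temporarily\r\nServer: Apache\r\n"
               "Location: http://redirect-destination.example/in.cgi?5\r\n\r\n")
# A crawler gets the page plus a hidden iframe, so the byte counts differ.
CRAWLER_PAGE = CLEAN_PAGE.replace("</body>", INJECTED_IFRAME + "</body>")

PROBES = [
    Probe("direct browser", None, FIREFOX, CLEAN_PAGE),
    Probe("browser from Google", "https://www.google.com/search?q=x", FIREFOX, SE_REDIRECT),
    Probe("Googlebot", None, GOOGLEBOT, CRAWLER_PAGE),
]

if __name__ == "__main__":
    print(classify_redirects(SITE, PROBES))
    print("Googlebot vs browser diff:",
          body_size_diff(PROBES, "Googlebot", "direct browser"), "bytes")
```

A scanner that only fetches as a plain browser sees the clean page here, which is why several of the scans in this thread miss what maldb or the fileviewer report.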
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 22, 2014, 01:22:13 AM
Here a redirect that is going to no-no land, failure: <urlopen error timed out>
See: http://maldb.com/4wright.com/# Redirect to this URL found in 93 sites
which should translate to mtas154.ecommercemail.com.br, a disconnect from unknown
Then for more info look here: http://mail.lozano.net/analyzer/?uid=35474120
and here we could not find it: http://indicca-mc.no-ip.org/~ipaudit/cgi-bin/ipahttp?daily/server2+2014-02-02-server2.html

Read about this one here: https://productforums.google.com/forum/#!msg/webmasters/MRvB8xP_KyM/P5y75YCW6jwJ

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 22, 2014, 01:35:14 AM
This site has a malicious redirect, not detected at VT: https://www.virustotal.com/nl/url/e1c8209b77acfbb781c622e1f29b8d513c7b46aca0554483e30c6b90e93fc42b/analysis/1393028772/
see: http://maldb.com/samhyeppaint.com/#redirects
and confirmed by kraken virus tracker: samhyeppaint dot com,115.71.232.203,ns1.hosting.co dot kr,Criminals,
IP seen 7 days ago threat Modified ITAR danger level 1
No alerts detected here: http://urlquery.net/report.php?id=9575850
Trying to go there I get an 'under construction'
Undefined code from there: http://jsunpack.jeek.org/?report=952469bc60456d0d8edd993c1f4947478148108f

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on February 24, 2014, 11:18:29 PM
Not flagged here: http://urlquery.net/report.php?id=9634625
Redirect to external server: Code: 301,  htxp://goo.gl/qsao2y  Redirect to this URL found in 2344 sites
Javascript check: Suspicious

ite("<img src='//counter.yadro dot ru/hit?t15.6;r" + escape(document.referrer) + ((typeof(screen) == "undefined") ? "" : ";s" + screen.width + "*" + screen.height + "*" + (screen.color...
Browser difference: First difference:
"ru-ru"> <head> <meta charset="utf-8"> <base href="htxp://goldline.pro/welcome/"> <title>gold line international - international financial mutual aid system</title...
The chain of redirects found:
to: htxp://goldline.pro?partner=pashkela
Redirect to this URL found in 73 sites
to: htxp://glbonus.in/?partner=pashkela
Redirect to this URL found in 73 sites - Sucuri finds as http://sucuri.net/malware/malware-entry-mwblacklisted35
Quttera finds as suspicious:
index
Severity:    Suspicious
Reason:   Detected suspicious redirection to external web resources at HTTP level. [What's this?]
Details:    Detected HTTP redirection to htxp://goo.gl/qSaO2y.
Threat dump MD5:    00000000000000000000000000000000
File size[byte]:    18446744073709551615
File type:    Unknown
MD5:    00000000000000000000000000000000
Scan duration[sec]:    0.001000

Discussion about that hack: https://productforums.google.com/forum/#!msg/webmasters/S9TbKAP2_VI/eRgHJI2W77EJ  reply source poster = Nidya
PHP Fatal error: Call to undefined function de_obfuscate() in /public_html/php-functions/base-64.php on line 351

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on March 01, 2014, 07:37:01 PM
avast! does not block, site says content coming soon. Is site now being cleansed of this conditional redirect to htxp://javsiu.ru/in.cgi?5
Redirect to this URL found in 42 sites ->  [Errno -2] Name or service not known>
Sucuri still have this detection here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fmylikenew.com
Here it is already being given as clean: http://zulu.zscaler.com/submission/show/9b342cfe558a2536999fd784fe0a85a2-1393698433

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on March 02, 2014, 07:45:22 PM
This conditional redirect is missed by Sucuri's: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fqtcatalog.com%2F
and also here: http://zulu.zscaler.com/submission/show/0eec6e46fa83fed15cd8c0b1257547b8-1393784835
maldb has it: http://maldb.com/qtcatalog.com/#
Redleg's Fileviewer confirms: Location: htxp://www.jonedna.com/?squery=
Note: This line has redirected the request to htxp://www.jonedna.com/?squery=

The location line in the header above has redirected the request to: htxp://www.jonedna.com/?squery=
Redirect to this URL found in 265 sites -> is behind a robots.txt -> http://www.urldab.net/www.jonedna.com
see on ip: https://www.virustotal.com/nl/ip-address/175.111.30.41/information/

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on March 03, 2014, 04:27:00 PM
Another one here: http://maldb.com/priest1.hu/
Returned for: htxp://priest1.hu -> 81.0.75.69
Note: This line has redirected the request to htxp://onotiw.dnset.com/
Conditional redirects found. Visitors from search engines are redirected
to: htxp://
Redirect to this URL found in 13681 sites
Malicious: http://labs.sucuri.net/?details=onotiw.dnset.com
Read what redleg has to say about this here: https://productforums.google.com/forum/#!topic/webmasters/bxLkCkYnlGA
malicious redirect IP: http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&domain=zlpjh.disrai.dumb1.com
treated before by me: http://forum.avast.com/index.php?topic=145026.0

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on March 04, 2014, 12:37:04 AM
This conditional redirect was found in 5784 sites: http://maldb.com/flightlevel180.org/#
It is a so-called multi-hop iFrame campaign.
Nothing flagged here: http://www.quttera.com/#online url malware scanner
Joomla outdated flagged here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fflightlevel180.org
which might have led to the redirect to: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php
Read redleg's comments here: https://productforums.google.com/forum/#!msg/webmasters/QJ8gYZly1Ns/S-aZzbwSsuMJ

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on March 04, 2014, 10:14:08 PM
Conditional redirect found on 177 sites:  htxp://216.120.231.11/~aggieba/coppermine/include/
found here: http://killmalware.com/readfreedom.com/
Also detected here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Freadfreedom.com
See: http://labs.sucuri.net/db/malware/malware-entry-mwhta7
This is so-called SERP-hijacking: https://productforums.google.com/forum/#!topic/webmasters/MqoqIRle_g8  (link post reply from flashbass65level1)
View in http://www.rexswain.com/httpview.html  ->
IP also out on phish-list: http://lists.clean-mx.com/pipermail/phishwatch/20090810/029752.html

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on March 05, 2014, 05:11:28 PM
This is a visitors redirect that has been going on since 2010! IDS for Detected SutraTDS URL pattern
Known javascript malware: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fchinaophthalmic.com
Recently detected here: http://killmalware.com/chinaophthalmic.com/#  & http://scanurl.net/?u=chinaophthalmic.com&uesb=Check+This+URL#results
one of 70: http://evuln.com/labs/landriver44.ru/
Read comments from Dennis in thread here: https://www.badwarebusters.org/main/itemview/23409
and http://blog.unmaskparasites.com/2010/11/19/update-on-htaccess-redirects-of-oscommerce-sites/
-> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=chinaophthalmic.com
See: http://urlquery.net/report.php?id=8910458
Nothing now here: http://urlquery.net/report.php?id=9780306
But other sites on same IP still may have it: http://urlquery.net/report.php?id=8809984 & http://killmalware.com/ktqk.com/#
IDS alerts for ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS  severity 2
& ET CURRENT_EVENTS TDS Sutra - HTTP header redirecting to a SutraTDS severity 2
This rule was made less generic by Gmane because of the "in.cgi?10" : http://comments.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/15833
Sucuri's Daniel Cid wrote on these attacks here: http://blog.sucuri.net/2012/07/new-web-malware-attacks-from-ruin-cgi16.html
and it seemed that only avast! was the one to detect this then! 

polonus
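The posts above keep pointing at referer-conditioned redirects (the unmaskparasites write-up covers the .htaccess variety). As an added illustration that is not part of polonus's post or of any of the scanners he links, here is a small Python check that scans an .htaccess body for RewriteRule blocks guarded by a RewriteCond on the Referer or User-Agent naming a search engine and redirecting to a host outside the site's own. The .htaccess content, the host names and the `in.cgi?10` path in it are constructed sample data, not taken from any site in the thread.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample .htaccess (not taken from any site in the thread).
# The first rule is a normal canonical-host redirect for every visitor;
# the second fires only when the Referer names a search engine, which is
# the pattern behind "visitors from search engines are redirected".
SAMPLE_HTACCESS = """
RewriteEngine On
# canonical host, applies to every visitor
RewriteCond %{HTTP_HOST} ^example\\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

# search-engine visitors only, sent to a foreign host
RewriteCond %{HTTP_REFERER} .*(google|yahoo|bing|msn|ask|aol)\\..* [NC]
RewriteRule ^(.*)$ http://redirect-target.example.invalid/in.cgi?10 [R=302,L]
"""

SEARCH_ENGINE_HINTS = ("google", "yahoo", "bing", "msn", "aol", "ask", "yandex", "baidu")
VISITOR_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def find_conditional_redirects(htaccess: str, own_hosts: List[str]) -> List[Dict]:
    """Flag RewriteRule lines that (a) are guarded by a RewriteCond on the
    Referer or User-Agent naming a search engine and (b) send the visitor to
    a host outside own_hosts.  RewriteCond lines apply only to the next
    RewriteRule, so pending conditions are cleared after each rule."""
    own = {h.lower() for h in own_hosts}
    findings: List[Dict] = []
    pending: List[Dict] = []
    for lineno, raw in enumerate(htaccess.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cond = re.match(r"RewriteCond\s+%\{(\w+)\}\s+(\S+)", line, re.I)
        if cond:
            pending.append({"line": lineno, "var": cond.group(1).upper(),
                            "pattern": cond.group(2)})
            continue
        rule = re.match(r"RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", line, re.I)
        if not rule:
            continue
        target, flags = rule.group(2), (rule.group(3) or "").upper()
        host = urlparse(target).netloc.lower()
        # an absolute URL target or an explicit R flag means an HTTP redirect
        is_redirect = host != "" or "R" in [f.split("=")[0] for f in flags.split(",")]
        visitor_conds = [
            c for c in pending
            if c["var"] in VISITOR_VARS
            and any(h in c["pattern"].lower() for h in SEARCH_ENGINE_HINTS)
        ]
        if is_redirect and visitor_conds and host and host not in own:
            findings.append({"line": lineno, "target": target, "target_host": host,
                             "conditions": visitor_conds})
        pending = []  # conditions are consumed by this rule
    return findings


if __name__ == "__main__":
    for f in find_conditional_redirects(SAMPLE_HTACCESS, ["example.com", "www.example.com"]):
        print(f"line {f['line']}: search-engine visitors redirected to {f['target_host']}")
```

Run against a real site's .htaccess (the file, not the live site) and treat any finding as a reason to diff the file against a known-good copy; the same referer test belongs in a PHP front controller review, since the redirect can live there instead.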
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on April 17, 2014, 11:47:16 PM
This campaign going on, see: http://killmalware.com/michaeldoneman.com/#
and malware detected from a conditional redirect: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fmichaeldoneman.com
See web rep: http://www.webutations.org/go/review/goldline.pro?req=chrome
Quttera's detects: index
Severity:    Suspicious
Reason:   Detected suspicious redirection to external web resources at HTTP level.
Details:    Detected HTTP redirection to htxp://goo.gl/qSaO2y.
File size[byte]:    18446744073709551615
File type:    Unknown
MD5:    00000000000000000000000000000000
Scan duration[sec]:    0.001000

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on April 18, 2014, 10:14:46 PM
See here: http://killmalware.com/cnxqc.com/
flagged is SE visitors redirects
Visitors from search engines are redirected
to: htxp://piopo.25u.com/   -> http://quttera.com/detailed_report/piopo.25u.com
2701 sites infected with redirects to this URL
So Detected unconditional redirection to external web resource.
Redirect destination scanned, see  https://www.virustotal.com/nl/url/d2aaeda3c14e350a2db0f021b7d5edc07b066f4f4bda9515baf639ec2f6b4fb3/analysis/1397851512/
Alert for dynamic dns Virus Tracker classifies as piopo.25u dot com,208.109.200.4,ns1.changeip dot .org,Criminals,
Criminals means here that site has active malware, that is up~.
Therefore twice flagged here: http://urlquery.net/report.php?id=1397851855100
as Detected a Dynamic DNS URL  and DNS-BH as 2013-10-04   2   piopo dot.25u dot com   redirect

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on April 19, 2014, 12:17:30 PM
The following conditional redirect for site is completely missed by Sucuri's: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fsultanimmobilya.com
About how the redirect has been achieved, see here: htxps://productforums.google.com/forum/#!topic/webmasters/JWI1fLp7k8E
Redirect site is also flagged here: https://www.virustotal.com/nl/url/98ce77635e84ef0fea0102be273c9945193d639bb0f55d9218db1f8c9ce984bc/analysis/
but given clean here: http://quttera.com/detailed_report/onotiw.dnset.com
Bad web rep: https://www.mywot.com/en/scorecard/onotiw.dnset.com?utm_source=addon&utm_content=rw-viewsc
and also Bitdefender's TrafficLight to block this site immediately.

Mind you that SE conditional redirection is a criminal offense, so we are discussing cybercrime here that is missed by Sucuri's and a landing site that is not being blocked by avast!  :-[  (What also does not help detection is that the landing site is intermittently accessible).
Furthermore IP PHISH now given as dead: 31.210.65.98 -> http://support.clean-mx.de/clean-mx/phishing.php?id=4040853
173 sites on one and the same IP. History of IP badness: https://www.virustotal.com/nl/ip-address/31.210.65.98/information/
with a rather low detection rate: https://www.virustotal.com/nl/file/4a8fcf1604125853cb53c5d997314ab695766c95ce92cc5406a96ce129fcf06c/analysis/

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on April 19, 2014, 05:41:19 PM
SE visitors redirects
Visitors from search engines are redirected
to: htxp://nc-guardian.org/hlft.html?h=2272998
4 sites infected with redirects to this URL
on: http://killmalware.com/alnabd.com/#  -> http://labs.sucuri.net/db/malware/mw-redirection121?v4
blacklisted on Sucuri's and here: http://safeweb.norton.com/report/show?url=nc-guardian.org
Threat Name: Malicious Site: Malicious Domain Request 2
Location: htxp://nc-guardian.org/
See the redirect going to an exploit landing site: http://urlquery.net/report.php?id=1397921048072
Detected: EXPLOIT-KIT Redkit exploit kit landing page

History of IP badness: https://www.virustotal.com/nl/ip-address/74.220.207.115/information/

Malware on redirect dead now? Re: http://zulu.zscaler.com/submission/show/a855650d02d78bfeb477bef367273004-1397921574
Quote
The requested URL /hlft.html was not found on this server.
Zulu Zscaler also includes a Heartbleed vuln. scan for the main redirected site: Heartbleed OpenSSL Check   Heartbleed OpenSSL Result: Not Vulnerable

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Web rep report: https://www.mywot.com/en/scorecard/nc-guardian.org?utm_source=addon&utm_content=rw-viewsc
and Site Report from Netcraft: http://toolbar.netcraft.com/site_report?url=http://nc-guardian.org
-> http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fnc-guardian.org&useragent=Fetch+useragent&accept_encoding=

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on April 28, 2014, 11:11:11 PM
Here the SE visitor redirect is immediately blocked by avast! as HTML:RedirME-inf [Trj],
but redirect cannot be traced now -> http://urlquery.net/report.php?id=1398719198338
and see: http://killmalware.com/ooobelogorie.ru/#
Suspicious Javascript check: Suspicious
div> <script src="//mc.yandex dot ru/metrika/watch.js" type="text/javascript" defer="defer"></script> <noscript><div style="position:absolute"><img src="//mc.yandex dot ru/watch/4085509"...
Suspicious includes check:
Suspicious Script:
   ooobelogorie dot ru///mc.yandex.ru/metrika/watch.js
   .ru/metrika/watch.js was not found on this server.</p> <hr> <address>apache/2.2.16 (debian) server at ooobelogorie dot u port 80</address> </bo

Found on IP: Up(nil):   unknown_html   RIPE   RU   admin at clodo doy ru   62.76.46.53    to 62.76.46.53   31md.ru   htxp://www.31md.ru/

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on April 29, 2014, 01:01:12 PM
Here scanners still give a redirect to SE visitors redirects
Visitors from search engines are redirected
to: htxp://domemt.com/p2out/index.html
166 sites infected with redirects to this URL
See: http://killmalware.com/hogang.net/# & http://quttera.com/detailed_report/hogang.net
Server redirect status: Code: 302,  htxp://domemt.com/p2out/index.html
Redirect to external server!
Missed here: http://www.urlvoid.com/scan/hogang.net/
But see actual code there now: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.hogang.net%2F&useragent=Fetch+useragent&accept_encoding=
(see under source) and attached...

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on May 04, 2014, 12:39:37 AM
SE conditional redirect flagged at this site: http://killmalware.com/zhesich.com/#
Server Redirect check: Code: 302,  htxp://www.thisbrand.net/
Redirect to external server!
Javascript Check: Suspicious
) ? " https://" : " http://");document.write(unescape("%3cspan id='cnzz_stat_icon_5604389'%3e%3c/span%3e%3cscript src='" + cnzz_protocol + "s96.cnzz.com/stat.php%3fid%3d5604389' ty...

Missed here: https://www.virustotal.com/nl/url/c2a39c7df25af23f833e809aaf708ceb53a88f08efbdeed969bfbc86d35c7cce/analysis/1399155769/
& https://www.virustotal.com/nl/url/0dd078f09c6997a2ac70a74b0147ae200b3c0b908da339704169674a33238889/analysis/1399155847/

Certainly spreading excessive header info: http://fetch.scritch.org/%2Bfetch/?url=+zhesich.com&useragent=Fetch+useragent&accept_encoding=

site linking to -> htx://www.umacau-datacenter.com:4998/cnweb-jrj/20131222/bdimg.share.baidu.com/static/js/  (benign)

External link with a PHISHing attempt blocked by Bitdefender TrafficLight: htxp://www.swhaifeng.com/

pol

Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on May 04, 2014, 05:57:10 PM
See: http://killmalware.com/thehappycartoonist.com/#
See: SE visitors redirects
Visitors from search engines are redirected
to: htxp://gqillqigqilqigqiqlqiigqilqiiiqgg.esmtp.biz/1.php *
188 sites infected with redirects to this URL

For malware traffic analysis see: http://malware-traffic-analysis.net/2013/12/27/index.html
avast! Webshield detects as URL:Mal
* sucuri blacklist: http://labs.sucuri.net/?details=gqillqigqilqigqiqlqiigqilqiiiqgg.esmtp.biz

Site used change.ip redirecting and conclusively  Bitdefender's TrafficLight blocks it.

Capturing events: gqillqigqilqigqiqlqiigqilqiiiqgg.esmtp dot biz   IPV4    209.208.4.53

2014-05-04 17:52:24.591 [Expired]

IP badness history for IP: https://www.virustotal.com/nl/ip-address/209.208.4.53/information/

388 websites on one and the same IP: http://sameid.net/ip/209.208.4.53/

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on May 05, 2014, 01:37:21 AM
Now let us look at this one: http://killmalware.com/clarkecares.org/
SE visitors redirects
Visitors from search engines are redirected
to: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php *
4181 sites infected with redirects to this URL
see: https://www.mywot.com/en/scorecard/cibonline.org?utm_source=addon&utm_content=popup

Read here about this malicious multi-hop iframe campaign from  Dancho Danchev on his blog:
http://www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/
 
and how avast! missed the detection here: https://www.virustotal.com/nl/file/0aa8ab30d46be758cbf79f7fa393248b1acd111f31da233a4b61ebaf2d9edcaf/analysis/1383781200/
and here: https://www.virustotal.com/nl/file/0bbe25bea0a6166b3fa996bf0c284df177aa2ddc6bb768694884cad636c07848/analysis/
to finally detect it here: https://www.virustotal.com/nl/file/3ac491982cf2c47e3f56bf2ff333b09c4c84094fa24a4b7c8d4e120ede8711ac/analysis/
as SWF:Malware-gen [Trj]

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on May 06, 2014, 12:27:52 AM
Infected with SEO Spam: http://sitecheck.sucuri.net/results/unlvkidsclub.com
See: https://www.virustotal.com/nl/url/cdfa8dea4a0846a2510ed34555f5004900c2118cbc7169931590f47dbd654aa9/analysis/1399328228/  missed
See: http://killmalware.com/unlvkidsclub.com/#

Spam check: Suspicion of Spam

a name="description" content="canadian pharmacy no canadian pharmacy no prescription synthroid prescription synthroid, o...

Google Browser Diff: Not identical

Google: 15166 bytes       Firefox: 9957 bytes
Diff:         5209 bytes

First difference:
" > <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta name="robots" content="index, follow" /> <meta name="keywords" content="unlv, ru...

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on May 06, 2014, 05:21:17 PM
The following SE redirect could not be scanned at Websecurity Test: Server Redirect status
Code: 0,  Content cannot be read!
Blocked by Bitdefender: http://www.urlvoid.com/scan/decorunusual.com/
See: http://urlquery.net/report.php?id=1399389210418
On IP alert for    ET RBN Known Russian Business Network IP group 190
See: https://www.virustotal.com/nl/url/ef2b13b3561469625b3f37673a731e9af3a67a459762ef5f8a643062524e02dc/analysis/1399388575/
Site error detected.
Details: http://sucuri.net/malware/php-error-fatal-error
<b>Fatal error</b>: Class 'vRequest' not found in <b>/home/content/z/d/i/zdido/html/plugins/vmcustom/specification/specification.php</b> on line <b>98</b><br /> htxp://decorunusual.com/test404page.js4525d2fdc -> to: htxp://liveupdate.swhw.it/relay.php
27 sites infected with redirects to this URL

pol
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on May 07, 2014, 01:47:53 AM
The scan: http://maldb.com/thesesmallhours.com/#redirects
Conditional redirects found. Visitors from search engines are redirected
to: htxp://changedivstyle.ru/vis/index.php -> https://www.mywot.com/en/scorecard/changedivstyle.ru?utm_source=addon&utm_content=popup
Redirect to this URL found in 68 sites
Server redirect status check: Code: 301,  http://changedivstyle.ru/vis/index.php ->
Read http://wordpress.org/support/topic/cannot-access-widgets (info credits go to moderator = esmi)
Unable to properly scan your site. Site empty (no content): Content-Length: 0
Redirect to external server!  malicious! -> http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fthesesmallhours.com%2F
See: http://labs.sucuri.net/db/malware/malware-entry-mwhta7
Javascript Check: Suspicious

vascriptusingdocumentwrite(a){document.write("<script src=\""+a+"\" type=\"text/javascript\"><\/script>")}function setstaticrequestparameters(){var a="";var b="";var c="";var d="";...

Google browser diff.: Not identical

Google: 18378 bytes       Firefox: 1286 bytes
Diff:         17092 bytes

First difference:
<head> <title>changedivstyle dot ru - changedivstyle</title> <meta http-equiv="content-type" content="text/html;charset=utf-8"/> <meta name="description" content="changedivs...

pol

P.S. This comers also flagged on site by Sucuri's: https://www.virustotal.com/nl/url/7af7dd39234001653467abd18a82a199ea8f3aa5280c44971f13d0f8663788a7/analysis/

D
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on May 08, 2014, 02:38:37 PM
The following conditional redirect is missed by Sucuri's: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwapakonetasoccer.com
Header returned by request for: http://wapakonetasoccer.com -> 204.174.223.28

HTTP/1.1 302 Found
Date: Thu, 08 May 2014 12:24:23 GMT
Server: Apache/2.2.16 (Debian)
Location: htxp://www.leaguelineup.com/wapakonetasoccer
Note: This line has redirected the request to htxp://www.leaguelineup.com/wapakonetasoccer
where I get "Timeout!   Page or file not found!" -> http://zulu.zscaler.com/submission/show/8f4ddd72ada95c8c2c03f4c578e4720a-1399552545
Content-Length: 314
Connection: close
Content-Type: text/html; charset=iso-8859-1

SE visitors redirects
Visitors from search engines are redirected  (site was compromised see presence of -> htxp://wapakonetasoccer.com/test404page.js)
to: htxp://www.leaguelineup.com/wapakonetasoccer -> http://urlquery.net/report.php?id=1399552534167
1177 sites infected with redirects to this URL


The location line in the header above has redirected the request to: http://www.leaguelineup.com/wapakonetasoccer

Quite some issues are wrong on site: https://asafaweb.com/Scan?Url=wapakonetasoccer.com -> Custom errors:Fail, Excessive Headers warning, HTTP Only cookies warning, clickjacking warning.

A stack trace can reveal

what encryption algorithm you use
what some existing paths on your application server are
whether you are properly sanitizing input or not
how your objects are referenced internally
what version and brand of database is behind your front-end  info credits go to Kilan Foth on StackExchange-security.

polonus
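The post above reads a raw 302 header to see where the Location line sends the visitor. The decisive test for a conditional redirect is to request the same URL twice, once directly and once as if arriving from a search result, and compare the two status lines and Location headers. The following Python is an added example, not polonus's code nor output from any tool he cites: it parses raw responses and classifies the pair, and includes a fetcher that retrieves one response without following redirects. The two sample responses and the hosts in them are constructed; none of them is the wapakonetasoccer.com header quoted in the post.

```python
import http.client
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed raw responses (not captured from any site in the thread):
# a direct visit gets the page, a visit arriving from a search result is
# bounced to another host.
DIRECT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.16 (Debian)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body>Club home page</body></html>"
)
FROM_SEARCH_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.2.16 (Debian)\r\n"
    "Location: http://redirect-target.example.invalid/in.cgi?10\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status_code, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_redirect(direct_raw: str, search_raw: str, own_host: str) -> str:
    """Compare a direct visit with a visit carrying a search-engine Referer.
    Returns 'none', 'unconditional', 'direct-only',
    'conditional-internal' or 'conditional-external'."""
    d_status, d_hdr = parse_response(direct_raw)
    s_status, s_hdr = parse_response(search_raw)
    d_loc = d_hdr.get("location") if 300 <= d_status < 400 else None
    s_loc = s_hdr.get("location") if 300 <= s_status < 400 else None
    if d_loc is None and s_loc is None:
        return "none"
    if d_loc == s_loc:
        return "unconditional"          # everyone gets the same redirect
    if s_loc is None:
        return "direct-only"            # unusual, but not an SE redirect
    host = urlparse(s_loc).netloc.lower()
    return "conditional-external" if host and host != own_host.lower() else "conditional-internal"


def fetch_raw(url: str, referer: Optional[str] = None, timeout: float = 10.0) -> str:
    """Fetch url once, without following redirects, and return the status line
    and headers as raw text that parse_response() understands.  Not called at
    import time; use it for the live comparison."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    conn.request("GET", u.path or "/", headers=headers)
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    raw += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    conn.close()
    return raw + "\r\n"


if __name__ == "__main__":
    print(classify_redirect(DIRECT_RESPONSE, FROM_SEARCH_RESPONSE, "example.com"))
```

For a live check, call `fetch_raw(url)` and `fetch_raw(url, referer="https://www.google.com/search?q=...")` and pass both to `classify_redirect`; a result of `conditional-external` is the case the thread calls an SE visitors redirect, while `unconditional` is the ordinary canonical-host or moved-site redirect that the opening post says is not suspicious by itself.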
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on May 10, 2014, 11:50:57 PM
SE visitors redirects

Visitors from search engines are redirected

to: htxp://workstationrepresentative.ru/intellectual?7
19 sites infected with redirects to this URL  from? => http://killmalware.com/architectura-perspectiva.com/
Missed completely here: http://zulu.zscaler.com/submission/show/db80958f0fa4a8071f92cf798a7d9440-1399758294
and here: http://icreamservice.com/report/url-4245
Flagged 6 instances of malware: http://sitecheck.sucuri.net/results/architectura-perspectiva.com
redirecting to fake av!
Site vulnerable because of outdated CMS:
Joomla Version 1.5.18 - 1.5.26 for: hxtp://architectura-perspectiva.com/media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: htxp://architectura-perspectiva.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.

polonus
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on May 13, 2014, 10:29:46 PM
Now a chain of redirects here: http://killmalware.com/alians-project.ru/#
Javascript check: Suspicious

t" href="htxp://alians-project.ru//plugins/content/mavikthumbnails/slimbox/css/slimbox.css" type="text/css" /> <link rel="stylesheet" href="http://alians-project.ru/templates/syste...  (older XSS vulnerability and rare inability to update for slimbox.js)

See: http://sitecheck.sucuri.net/results/alians-project.ru/

Malware found: http://labs.sucuri.net/db/malware/mw-redirection121?v3

CMS vulnerable: Joomla Version 1.5.18 - 1.5.26 for: http://alians-project.ru//media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: http://alians-project.ru//language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.

On the chain of redirects (with one I get this kicked up: about:neterror - pseudo protocol)
http://urlquery.net/report.php?id=1394834830314 - alert for Detected suspicious URL pattern
http://labs.sucuri.net/?details=alfsystem.com.my
https://urlquery.net/report.php?id=8728358  (invalid security certificate on urlquery dot net; the certificate expired on 7-5-2014 20:45.)
http://evuln.com/labs/jbtconsultinggroup.com/

polonus

Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on May 14, 2014, 03:58:08 PM
Two instances of SE redirects: http://killmalware.com/wglasserinternational.org/
Quttera detects: http://quttera.com/detailed_report/www.wglasserinternational.org
Too low entropy detected in string [[''1AQAPKRV'1Gdwlavkml'02Anmqg'0:'0;y'1@'2F'2Cdwlavkml'02Nkli'0:'0;y'1@'2F'2Cdwlavkml'02pgcfAmmikg'0:l']] of length 9892 which may point to obfuscation or shellcode. view code: http://quttera.com/detailed_report/www.wglasserinternational.org#myModalPotSuspACEE0E2AEEA19A91A8BA23A16E4DE924
Website Malware and SEO Spam detected: http://sitecheck.sucuri.net/results/www.wglasserinternational.org
See: http://labs.sucuri.net/db/malware/malware-entry-mwjsanon7?v9 -> /focusgenresources/focus.js
See: http://www.exedb.com/systemfiles/focus.js.html
and http://labs.sucuri.net/db/malware/malware-entry-mwspamseo on htxp://www.wglasserinternational.org/index.php/component/users/?view=reset
See: http://evuln.com/labs/tdson.com/ particular SE redirect campaign. -> http://www.seocert.net/site-analyzer.php
1. - put scripts together and link them from external files rather than put them in the same file as the main page.
2. Users are concerned about the safety of their online transactions. Trustworthiness rating is based on real user ratings and that tells you how much other users trust this site, so do the search engines. note: this trustworthiness score is provided by WOT (Web of Trust).

pol
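Quttera's "too low entropy detected in string ... which may point to obfuscation" finding above is a plain statistical heuristic: a long string literal built from very few distinct characters (a substitution or XOR layer over script text) scores far below normal text, while a packed or encrypted blob scores far above it. As an added example, not part of polonus's post or Quttera's scanner, the Python below computes per-character Shannon entropy and flags long string literals on either side of two thresholds. The page fragment and the thresholds (200 characters, 3.0 and 5.5 bits) are constructed assumptions, and the sample literal is not the string Quttera reported.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed page fragment: one short ordinary literal and one long literal
# drawn from only five distinct characters, the shape a simple substitution
# obfuscator leaves behind.  Not taken from any site in the thread.
SAMPLE_HTML = (
    "<html><head><script>\n"
    "var greeting = \"Welcome to the site, please log in to continue.\";\n"
    "var p = \"" + "'0:'0;'02" * 40 + "\";\n"
    "</script></head><body></body></html>"
)

# double- or single-quoted JS string literal, honouring backslash escapes
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or one-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_suspicious_strings(html: str, min_len: int = 200,
                            low: float = 3.0, high: float = 5.5) -> List[Dict]:
    """Return string literals at least min_len long whose per-character entropy
    is unusually low (tiny alphabet: substitution ciphers, repeated escape
    sequences) or unusually high (packed or encrypted payloads).  Prose and
    ordinary source text sit between the two thresholds and are not reported."""
    hits: List[Dict] = []
    for m in STRING_LITERAL.finditer(html):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        if len(body) < min_len:
            continue
        e = shannon_entropy(body)
        if e < low:
            reason = "low-entropy"
        elif e > high:
            reason = "high-entropy"
        else:
            continue
        hits.append({"offset": m.start(), "length": len(body),
                     "entropy": round(e, 3), "reason": reason, "preview": body[:40]})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_strings(SAMPLE_HTML):
        print(f"{h['reason']} literal of {h['length']} chars at offset {h['offset']}: "
              f"{h['entropy']} bits/char, starts {h['preview']!r}")
```

The thresholds are tuning knobs, not constants of nature: minified libraries and inline base64 images will land on the high side, so a hit is a pointer to the string worth reading, not a verdict on the site.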
Title: Re: Is a conditional redirect always suspicious? Not in this case if meant to be!
Post by: polonus on April 25, 2015, 06:01:50 PM
Update: http://killmalware.com/tttravelbrasil.com/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php
wXw.cibonline.org is reported by Google as suspicious
4241 sites infected with redirects to this URL
See VT result: https://www.virustotal.com/nl/url/d28da482c8ea2bfbd01d63b4120089a7e21aec6d8b37646a25bf7583823d6fab/analysis/
Web application version:
Joomla Version 1.5.18 to 1.5.26 for: htxp://tttravelbrasil.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.26 or 3.3.5
Joomla Version
1.5
Found in META Generator Tag
Joomla Modules, Components and Plugins
The following modules were detected from the HTML source of the Joomla front page.
mod_roknewspager
mod_jflanguageselection
mod_yoo_login
css
The following components were detected from the HTML source of the Joomla front page.
com_jnews
com_joomfish
The following plugins were detected from the HTML source of the Joomla front page.
mtupgrade
rokbox
Adding Modules, Components and Plugins to a Joomla site expands your attack surface. These addons are a source of many security vulnerabilities, it is important to always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes. Using the Joomscan scanner you are able to test more aggressively for plugins and modules installed within a Joomla installation. (source open source vuln. scan )

Linked Javascript
/plugins/system/mtupgrade/mootools.js
/media/system/js/caption.js
/plugins/system/rokbox/rokbox-mt1.2.js
/plugins/system/rokbox/themes/light/rokbox-config.js
/modules/mod_roknewspager/tmpl/js/roknewspager-mt1.2.js
/templates/hot_wellness/js/jquery.min.js
/templates/hot_wellness/js/jquery-ui-1.8.5.custom.min.js
/templates/hot_wellness/js/jquery.hjt.megamenu.js
/templates/hot_wellness/js/reflection.js
/templates/hot_wellness/js/fontresize.js

polonus (volunteer website security analyst and website error-hunter)

P.S. Added a tracker report - do not open links inside a browser, results for security research purposes only.

D