Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on September 16, 2018, 07:03:36 PM

Title: Website via api has cloaking...on a src=hxxp://sedoparking.com/frmpark/' website
Post by: polonus on September 16, 2018, 07:03:36 PM
Site given as under construction.

Checking for cloaking
There is a difference of 19894 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page.

Pop-up ad code from hxtp://i1.cdn-image.com/__media__/js/min.js?v2.2 by the Dubai-based Media.net Advertising FZ-LLC, blocked for me by uBlock Origin.

Consider: https://urlscan.io/result/1576f582-a797-4f81-96d1-dfdeb3754a42/

Ransomware has been spread from this IP: https://otx.alienvault.com/indicator/ip/208.91.197.27
Previously Malicious Host, Spamming, Malware Domain, Malware IP, C&C

See also https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Xn18LXN7XnV9W3R5Ll19Zw%3D%3D~enc

polonus (volunteer website security analyst and website error-hunter)
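
The cloaking check quoted in the post above compares what a page serves to Chrome with what it serves to GoogleBot. A minimal version of that comparison follows as an added example; it is not from the original post or from the scanner quoted there, and the local test server, its paths, the similarity threshold and the User-Agent strings are constructed for the demonstration.

```python
import threading
import urllib.request
from difflib import SequenceMatcher
from http.server import BaseHTTPRequestHandler, HTTPServer

CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/69.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Sample UA strings above; the opener below connects directly, ignoring env proxies.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch(url, user_agent):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with _opener.open(req, timeout=10) as resp:
        return resp.read()

def cloaking_report(url, min_similarity=0.9):
    """Fetch url as a browser and as a crawler, then compare the two bodies."""
    browser, crawler = fetch(url, CHROME_UA), fetch(url, GOOGLEBOT_UA)
    similarity = SequenceMatcher(None, browser, crawler).ratio()
    return {
        "browser_bytes": len(browser),
        "crawler_bytes": len(crawler),
        "byte_difference": abs(len(browser) - len(crawler)),
        "similarity": round(similarity, 3),
        "suspected_cloaking": similarity < min_similarity,
    }

class _Fixture(BaseHTTPRequestHandler):
    # Constructed fixture: /parked varies its body by User-Agent, /plain does not.
    def do_GET(self):
        body = b"<html><body>Under construction</body></html>"
        if self.path == "/parked" and "Googlebot" in self.headers.get("User-Agent", ""):
            body = b"<html><body>" + b"<p>keyword-rich text for crawlers</p>" * 50 + b"</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), _Fixture)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        return cloaking_report(base + "/parked"), cloaking_report(base + "/plain")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A size difference alone can also come from rotating ads or timestamps, which is why the sketch reports a similarity ratio alongside the byte count.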

Title: Re: Website via api has cloaking...on a src=hxxp://sedoparking.com/frmpark/' website
Post by: DavidR on September 16, 2018, 07:57:46 PM
I'm always suspicious of anything to do with SEO.

Title: Re: Website via api has cloaking...on a src=hxxp://sedoparking.com/frmpark/' website
Post by: polonus on September 16, 2018, 11:07:52 PM
And right you are, DavidR.

Especially when it is a "SEO driven sedoparking" website.
Also a preferred target for hackers and miscreants, etc.
So be suspicious when you stumble upon such websites.
In most cases the history of IP and AS is a certain giveaway in that direction.

Damian