Hypothesis Correct. See:
http://urlquery.net/report.php?id=78686
Notice the referrer is the link I receive from the Google redirect.
Compare To No Referrer:
http://urlquery.net/report.php?id=78685
With the referrer, Suricata alerts "ET RBN Known Russian Business Network IP (410)".
There is also a new instance URL, and, to raise more suspicion, it points to a JavaScript file: wXw.pisezmakoons.org/ijr.js?essonf
Final Statement:
Malicious. Google Redirect.
Remember, referrer is a powerful weapon that we use. Using it can change an outcome drastically. See:
http://urlquery.net/intro.php
====================================
Referer
This is probably the most important to use correctly.
This manipulates the referer field in the HTTP header, which tells a webserver where a user originated from. This is automatically set by the browser to contain the URL of the site/page a user came from when clicking a link or getting redirected. Many malicious sites use this to filter out direct traffic to their malicious site and only accept traffic which gets redirected from one of their infected sites. This is to prevent security researchers from accessing their malicious code to reverse it. Do note that not all malicious sites use the referer field to filter traffic, but missing this value can drastically change the result.

The difference between supplying a referer and not can be the difference between a blank page and the actual malicious page being sent back.

When using this field it is important to note that it requires a full URL. Example:
http://google.com/ or
http://google.com/somepage.htm
Using only google.com would be an invalid entry based on the HTTP standard.
Default: None
====================================
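The with/without-referer comparison done above in urlquery, and the full-URL requirement from the quoted intro, as an added offline example (not urlquery.net's code). The "server" is a constructed stand-in for a referer-filtering site; the check itself is the differential an analyst would run against a real target.

```python
"""Referer-gating check: compare a server's response with and without a Referer."""
import hashlib
from typing import Callable, Dict, Optional
from urllib.parse import urlparse


def is_valid_referer(value: str) -> bool:
    """HTTP requires Referer to be an absolute URI: scheme and host must be present.
    'google.com' alone fails; 'http://google.com/' passes."""
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def constructed_gated_server(headers: Dict[str, str]) -> bytes:
    """Constructed stand-in (hypothetical) for a site that filters on Referer:
    real content only for visitors arriving via a Google redirect, a blank page otherwise."""
    referer = headers.get("Referer", "")
    if is_valid_referer(referer) and urlparse(referer).netloc.endswith("google.com"):
        return b"<html><script src='/ijr.js'></script></html>"
    return b"<html></html>"  # direct traffic gets nothing worth analysing


def fetch(server: Callable[[Dict[str, str]], bytes], referer: Optional[str]) -> bytes:
    """Issue one request; reject a Referer that is not a full URL before sending it."""
    headers: Dict[str, str] = {}
    if referer is not None:
        if not is_valid_referer(referer):
            raise ValueError(f"Referer must be a full URL, got {referer!r}")
        headers["Referer"] = referer
    return server(headers)


def referer_gating_report(server: Callable[[Dict[str, str]], bytes], referer: str) -> dict:
    """Fetch once plain and once with Referer; a differing body means the site is
    referer-gated and a sandbox run without Referer would have missed the payload."""
    plain = fetch(server, None)
    with_ref = fetch(server, referer)
    return {
        "no_referer_sha256": hashlib.sha256(plain).hexdigest(),
        "with_referer_sha256": hashlib.sha256(with_ref).hexdigest(),
        "size_delta": len(with_ref) - len(plain),
        "referer_gated": plain != with_ref,
    }


if __name__ == "__main__":
    print(referer_gating_report(constructed_gated_server, "http://google.com/"))
```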