Hi !Donovan,
Thank you and I trust you can work klogier through that part of his WP ordeal.
Now first some further info about the recent and previous redirect. I assume this is some Malware Network Compromised Redirect as we call this.
klogier's site - http://targetservice.pl/ - is hosted at 62.212.76.142, state now: redirected.
IP 62.212.76.142 uses the reverse pointer s91.linuxpl dot com only.
For the redirect to opec.lflink dot com/ I get a server error: 403 Forbidden, and the mentioned site is redirecting visitors, also visitors coming from search engines, to the URL: htxp://restmee.net/in/?pid=16&lid=79&page=/horo2013/&p=0&s=4606
->
http://aw-snap.info/file-viewer/?tgt=+http%3A%2F%2Frestmee.net%2Fin%2F%3Fpid%3D16%26lid%3D79%26page%3D%2Fhoro2013%2F%26p%3D0%26s%3D4606&ref_sel=Google&ua_sel=ff
This URL is at IP: 93.170.108.41, a dummy description from camxx.ru (SEO DNS - Detected a Dynamic DNS URL, 93.170.0.0/15, Dummy description for 93.170.0.0/15, AS44546 (not announced)), re:
http://www.mywot.com/en/scorecard/restmee.net
Earlier in this thread the other redirect was from 62.212.76.142 to 31.148.220.14 (also fraudulent).
31.148.220.14 resolves to ASN AS5580 Atrato IP Networks (also with malicious URLs and current events).
Location: Netherlands
This URL is not confirmed as malicious. I get:
HTTP/1.0 302 Found
X-Powered-By: PHP/5.3.5-1ubuntu7.11
Set-Cookie: vc=NL; path=/; domain=46.183.147.108
Set-Cookie: uid=2876; path=/; domain=46.183.147.108
Set-Cookie: pid=16; path=/; domain=46.183.147.108
Set-Cookie: s=4606; path=/; domain=46.183.147.108
Set-Cookie: bs=1; path=/; domain=46.183.147.108
Set-Cookie: ref=0; path=/; domain=46.183.147.108
Set-Cookie: ctr=1-1; path=/; domain=46.183.147.108
Set-Cookie: mf_popup=0; path=/; domain=46.183.147.108
Set-Cookie: data=deleted; expires=Thu, 08-Mar-2012 10:01:00 GMT; path=/; domain=46.183.147.108
Set-Cookie: lid=79; path=/; domain=46.183.147.108
Location: http://46.183.147.108/horo2013/
Content-type: text/html
Content-Length: 0
Date: Fri, 08 Mar 2013 10:01:01 GMT
Server: lighttpd/1.4.28
Connection: close
See: http://urlquery.net/report.php?id=1318268
Here I also get a disconnect and this:
HTTP/1.0 404 Not Found
X-Powered-By: PHP/5.3.5-1ubuntu7.11
Content-type: text/html
Content-Length: 123
Connection: close
Date: Fri, 08 Mar 2013 10:24:28 GMT
Server: lighttpd/1.4.28
<h2>Error 404</h2>
<div class="error">
Невозможно обработать запрос "horo2013".</div>
To decode, see:
http://www.phpkode.com/source/p/pyrocms/pyrocms-pyrocms-fc6071c/system/codeigniter/language/russian/ftp_lang.php ['ftp_unable_to_connect'] ....
And we can establish that there must be abusive PHP FTP attacks going on there, originating from camxx.ru (badness going on in Holland!).
So this is all taking place on the server in the Netherlands:
http://urlquery.net/report.php?id=1318303
AS16265 LeaseWeb B.V. has quite some reputation for allowing dubious practices on its servers, see the Badness Graphics at Sitevet.
AS Name: LEASEWEB LeaseWeb B.V.
IPs allocated: 349184
Blacklisted URLs: 4642
Hosts...
...malicious URLs? Yes
...badware? Yes
...botnet C&C servers? No
...exploit servers? Yes
...Zeus botnet servers? Yes
...Current Events? Yes
...phishing servers? Yes
...spam servers? Yes
...spam bots? Yes
...spam activity? Yes
polonus
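The two responses polonus pasted above are enough to reconstruct the hop chain and the tracking behaviour of the redirector without ever contacting the hosts. The script below is an added example (not polonus's tooling and not from the thread); the two captured responses are embedded as constructed strings taken from the headers quoted in the post (the 404 body re-encoded cleanly), and the helper names are my own. It parses each raw response, walks the chain via the Location headers, and reports which query parameters of the incoming URL (pid, lid, s) come straight back as cookies, the classic sign of a traffic-distribution script tracking its campaign IDs.

```python
"""Offline analysis of a captured HTTP redirect chain.

Added example for this thread; the responses below are reconstructed from
the headers quoted in the post and are analysed purely offline.
"""
from urllib.parse import urlsplit, parse_qsl

# Hop 1: the URL the compromised site sends visitors to (from the post) and
# the 302 it answered with.  Constructed from the quoted headers.
HOP1_REQUEST_URL = "http://restmee.net/in/?pid=16&lid=79&page=/horo2013/&p=0&s=4606"
HOP1_RESPONSE = """\
HTTP/1.0 302 Found
X-Powered-By: PHP/5.3.5-1ubuntu7.11
Set-Cookie: vc=NL; path=/; domain=46.183.147.108
Set-Cookie: uid=2876; path=/; domain=46.183.147.108
Set-Cookie: pid=16; path=/; domain=46.183.147.108
Set-Cookie: s=4606; path=/; domain=46.183.147.108
Set-Cookie: bs=1; path=/; domain=46.183.147.108
Set-Cookie: ref=0; path=/; domain=46.183.147.108
Set-Cookie: ctr=1-1; path=/; domain=46.183.147.108
Set-Cookie: mf_popup=0; path=/; domain=46.183.147.108
Set-Cookie: data=deleted; expires=Thu, 08-Mar-2012 10:01:00 GMT; path=/; domain=46.183.147.108
Set-Cookie: lid=79; path=/; domain=46.183.147.108
Location: http://46.183.147.108/horo2013/
Content-type: text/html
Content-Length: 0
Date: Fri, 08 Mar 2013 10:01:01 GMT
Server: lighttpd/1.4.28
Connection: close

"""

# Hop 2: the 404 the final host returned.  Body constructed from the post,
# with the Russian "unable to process request" text re-encoded.
HOP2_RESPONSE = """\
HTTP/1.0 404 Not Found
X-Powered-By: PHP/5.3.5-1ubuntu7.11
Content-type: text/html
Content-Length: 123
Connection: close
Date: Fri, 08 Mar 2013 10:24:28 GMT
Server: lighttpd/1.4.28

<h2>Error 404</h2>
<div class="error">
Невозможно обработать запрос "horo2013".</div>
"""


def parse_response(raw):
    """Split a raw HTTP/1.x response into status, header list and body.

    Headers are kept as an ordered list of (name, value) so repeated
    Set-Cookie lines survive; names are lower-cased for lookup.
    """
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    _version, code, reason = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only: values may contain ':'
        headers.append((name.strip().lower(), value.strip()))
    return {"status": int(code), "reason": reason, "headers": headers, "body": body}


def header(resp, name):
    """All values of one header (case-insensitive), in order."""
    return [v for n, v in resp["headers"] if n == name.lower()]


def cookies_set(resp):
    """Cookie name -> value for every Set-Cookie header, attributes dropped."""
    out = {}
    for sc in header(resp, "set-cookie"):
        name, _, value = sc.split(";", 1)[0].partition("=")
        out[name.strip()] = value.strip()
    return out


def echoed_parameters(request_url, resp):
    """Query parameters whose values the server echoes back verbatim as cookies.

    A redirector that persists its own campaign IDs (pid, lid, s here) this
    way is tracking referrals, which is what a TDS does, not a normal site.
    """
    params = dict(parse_qsl(urlsplit(request_url).query))
    cookies = cookies_set(resp)
    return sorted(k for k, v in params.items() if cookies.get(k) == v)


def follow_chain(start_url, responses):
    """Walk the captured responses; return (url, status, next_url) per hop."""
    hops, url = [], start_url
    for resp in responses:
        loc = header(resp, "location")
        nxt = loc[0] if loc and 300 <= resp["status"] < 400 else None
        hops.append((url, resp["status"], nxt))
        if nxt is None:
            break
        url = nxt
    return hops


def chain_hosts(hops):
    """Distinct hostnames touched along the chain, in order."""
    return [urlsplit(u).hostname for u, _, _ in hops]


if __name__ == "__main__":
    chain = follow_chain(HOP1_REQUEST_URL,
                         [parse_response(HOP1_RESPONSE), parse_response(HOP2_RESPONSE)])
    for url, status, nxt in chain:
        print(f"{status} {url} -> {nxt or '(end)'}")
    print("echoed campaign parameters:",
          echoed_parameters(HOP1_REQUEST_URL, parse_response(HOP1_RESPONSE)))
```

Run on the two embedded responses it prints the hop from restmee.net to 46.183.147.108 ending in the 404, and lists lid, pid and s as the parameters mirrored into cookies. Feeding it responses captured with a tool that can spoof the Referer and User-Agent (as the aw-snap viewer does) lets you compare what search-engine visitors get against what a direct visit gets, which is how conditional redirects like this one are usually confirmed.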