Author Topic: www redirections  (Read 17095 times)

0 Members and 1 Guest are viewing this topic.

Offline klogier

  • Jr. Member
  • **
  • Posts: 35
Re: www redirections
« Reply #15 on: February 28, 2013, 09:25:55 PM »
Uff I found that, what now?

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: www redirections
« Reply #16 on: February 28, 2013, 09:36:26 PM »
Do you know your hosting provider? Can you access your site's cpanel?

If so, open the file manager and check "show hidden files". Then look for a .htaccess file in the root directory and post its content.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline klogier

  • Jr. Member
  • **
  • Posts: 35
Re: www redirections
« Reply #17 on: February 28, 2013, 09:42:37 PM »

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: www redirections
« Reply #18 on: February 28, 2013, 09:55:01 PM »
What sites are you being redirected on?

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline klogier

  • Jr. Member
  • **
  • Posts: 35
Re: www redirections
« Reply #19 on: February 28, 2013, 09:57:43 PM »
c.mclarenz.net/click
notfound.lflink.com

but not always, also sometimes avast gives me a warning and blocks access.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: www redirections
« Reply #20 on: February 28, 2013, 09:59:57 PM »
I think you misunderstood me.

What sites redirect you to c.mclarenz.net/click and notfound.lflink.com? Is it random?

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29355
  • malware fighter
Re: www redirections
« Reply #21 on: March 01, 2013, 12:55:27 PM »
Hi !Donovan,

If this isn't a DealPly infection, the following procedure may help.
There is no  BrowserCompanion folder found?
Does user use two resident av solutions? This could also have caused this.

I think victim's host file has been hijacked. He could download: http://winhelp2002.mvps.org/hosts.zip
For Windows XP
Click mvps.bat and choose “run” to start up mvps.bat  (*).
Press a key to continue.
A backup is being made from the existing HOSTS-file from the standard location C:\windows\system32\drivers\named HOSTS.MVP
Than the file is being changed to the actual MVPS Hosts-version..

(*) Both Windows Vista & Windows 7 users should right click mvps.bat and choose ”run as administrator” to start mvps.bat.

polonus
« Last Edit: March 01, 2013, 01:04:40 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline klogier

  • Jr. Member
  • **
  • Posts: 35
Re: www redirections
« Reply #22 on: March 01, 2013, 01:50:11 PM »
Hi !Donovan
After steps  recommended by essexboy and by my own (comboFix) there isn't any redirections, but...
I am afraid that this infection came from my own page (targetservice.pl). Probably you ask why.
Two weeks ago HDD in this computer has been replaced becuase of bad sectors. But from about 3 months before there was a lot of problem with viruses. To resolve this one time the Vista was installed on formated partition. Two weeks ago on new HDD. Only emails (oulootk.pst) and documents/music/movies was restored from old drive. Before that I scanned these files by avast on another computer, there isn any infections. Few days after HDD has been replaced I noticed redirections when I am tried to go to my site.


Hi polonus (dobrze spotkać rodaka)
There is only one av installed on this computer

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29355
  • malware fighter
Re: www redirections
« Reply #23 on: March 01, 2013, 04:17:58 PM »
Cześć klogier,

Dostałem 
Header returned by request for: htxp://targetservice.pl

HTTP/1.1 302 Moved Temporarily
Date: Fri, 01 Mar 2013 14:56:30 GMT
Server: Apache
Location: htxp://fpert.qpoe.com/    Sprawdź: http://urlquery.net/queued.php?id=15956074 (Detected a Dynamic DNS URL)
Site empty (no content -zadnych): Content-Length: 0 zera -Sprawdź:    http://urlquery.net/report.php?id=1134410
The connection timed out before all (any?) content was returned! (Bounch-back)...

Header goes to: htxp://fpert.qpoe.com/%20%20
HTTP/1.1 404 Not Found  IP =31.148.220.14
Get info: The requested URL /   was not found on this server.</p>
<hr>
<address>Apache/2.2.16 (Debian) Server at 0.0.0.53 Port 80</address>
</body></html> -> htxp://host.robtex.com/fpert.qpoe.com.html js-error DocLinks is undefined...


Date: Fri, 01 Mar 2013 17:15:11 GMT
Server: Apache/2.2.16 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1

Get info: The requested URL /   was not found on this server.</p>
<hr>
<address>Apache/2.2.16 (Debian) Server at 0.0.0.53 Port 80</address>
</body></html> htxp://host.robtex.com/fpert.qpoe.com.html js-error DocLinks is undefined...

Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html

Content returned by request for: htxp://targetservice.pl
Re: http://urlquery.net/report.php?id=1199928
See some broken links.
Oto linki: 8.     htxp://targetservice.pl/comments/feed/     (404) BROKEN Strona nie została odnaleziona = The page you requested does not exist.
15.     htxp://fonts.googleapis.com/css?family=DroidSans     (400) BROKEN code, does not function on Android
your font-family should be the same as those you declared in the css  Prosimy sprawdzić poprawność adresu lub spróbować za jakiś czas ponownie.
Re: http://jsunpack.jeek.org/?report=9b112efd813682a57f1765ae3e40b15ff5459cb4  ( pokazujący błąd 404)
17.     #     (404) BROKEN
34.     #     (404) BROKEN
43.     #     (404) BROKEN
44.    #    (404) BROKEN

pozdrawiam.

polonus
« Last Edit: March 01, 2013, 06:22:31 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline klogier

  • Jr. Member
  • **
  • Posts: 35
Re: www redirections
« Reply #24 on: March 01, 2013, 05:47:08 PM »
polonus a co to dla mnie oznacza? Nie za bardzo się na tym znam.

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29355
  • malware fighter
Re: www redirections
« Reply #25 on: March 01, 2013, 06:30:51 PM »
Witam klogier,

Ta sprawe chce zgłosic do hostera! Sprawa serwera, taka tam zabawa!
Co mogę samemu zrobić? Można zrobić  to ->: http://evuln.com/labs/fpert.qpoe.com/
i dalej: http://evuln.com/hacked/redirect.html  (info link author = Alex (Aliaksandr Hartsuyeu penetration tester))

pozdrawiam,

polonus
« Last Edit: March 01, 2013, 06:57:19 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29355
  • malware fighter
Re: www redirections
« Reply #26 on: March 01, 2013, 09:33:39 PM »
Hi !Donovan,

Here we have the verdict: http://evuln.com/tools/malware-scanner/targetservice.pl/
Malicious redirects
    Found

Visitors from search engines are redirected to the 3rd-party URL:
htxp://fpert.qpoe.com/ (1993 websites infected)

The website "targetservice dot pl" is most probably hacked and losing its visitors. You need to take action as soon as possible to fix security issues.

Google Safe Browsing
Query: http://www.google.com/safebrowsing/diagnostic?site=targetservice.pl

Result: This site is not currently listed as suspicious.
Redirection of visitors coming from search engines
First query - normal visit.
GET / HTTP/1.1
Host: targetservice dot pl

Result:
HTTP/1.1 200 OK
Connection: close
Date: Fri, 01 Mar 2013 20:29:55 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
X-Pingback: http://targetservice dot pl/xmlrpc.php

17586 bytes of data
Second query - visit from search engine.
GET / HTTP/1.1
Host: targetservice dot pl
Referer: http://www.google.com/search?q=targetservice dot pl

Result:
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Fri, 01 Mar 2013 20:29:55 GMT
Location: htXp://fpert.qpoe.com/
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html
External iFrames on targetservice.pl
No suspicious iFrames found.
Suspicious JavaScript code on targetservice.pl (0 warnings in 16 scripts)

Note: this is a beta version of JS code scanner. Results are not 100% accurate.
There is no suspicious JS code found,

polonus
« Last Edit: March 01, 2013, 09:38:39 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29355
  • malware fighter
Re: www redirections
« Reply #27 on: March 01, 2013, 09:50:05 PM »
How did this occur? Well this was another xmlrpcphp-file hack. Re: http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
(link article posted by Holy Shmoly)
Evidence comes here:
Header returned by request for: htxp://targetservice.pl/xmlrpc.php

HTTP/1.1 302 Moved Temporarily
Date: Fri, 01 Mar 2013 20:39:56 GMT
Server: Apache
Location: htxp://fpert.qpoe.com/
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Connection: close
Quote
As of 2.6 you can deactivate XML-RPC from within your Dashboard. Settings -> Writing and scroll down to Remote Publishing where you will see a checkbox to activate/deactivate remote publishing. (Enable the WordPress, Movable Type, MetaWeblog and Blogger XML-RPC publishing protocols.)

If you're constantly getting hacked make sure you're using the latest version of WP. Have you checked your plugins? Perhaps you're using an outdated/vulnerable one? You may want to read:  http://codex.wordpress.org/Hardening_WordPress
Quote taken from http://wordpress.org/support/topic/xmlrpcphp-file-necessary-getting-hacked-can-i-remove-the-file (link quote author = len)

polonus
« Last Edit: March 01, 2013, 10:05:02 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: www redirections
« Reply #28 on: March 02, 2013, 03:15:38 AM »
Hi Polonus,

Excellent analysis of the suspect site. I wouldn't have figured it out myself. It's also interesting that the xmlrpc.php exploit was used, as recently reported on The WAR here: http://websiteanalystsresource.wordpress.com/2013/02/20/xmlrpc-php-malware/

I hope to use this newly obtained knowledge in the near future.

Many Thanks,
~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29355
  • malware fighter
Re: www redirections
« Reply #29 on: March 02, 2013, 04:21:49 PM »
Hi !Donovan,

You are welcome, my friend. But not so modest as you helped me to get at that detection in some respects. Well bookmark these scanners at http://evuln.com/tools/
Relying on "good old" google safe browsing detection and their javascript beta scanner, they might come up there with some new detections that were missed at sucuri's.
Keep up the good work at the WAR site for us,

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!