Topic: Suspicious conditional redirect not detected or taken down?

polonus (Avast Überevangelist, malware fighter)
Posted on: February 01, 2014, 06:26:56 PM
See: http://maldb.com/villasmarche.com/# (name or service not known) -> http://jsunpack.jeek.org/?report=5a0d19da0d87cbb8c9622febee2d1b0047dc9adb
Confirmed by Sucuri as http://sucuri.net/malware/entry/MW:HTA:7
Suspicious site given at Quttera's: index
Severity:    Suspicious
Reason:   Detected suspicious redirection to external web resources at HTTP level.
Details:    Detected HTTP redirection to htxp://cartographicglobs.net/markersity?8.
File size[byte]:    18446744073709551615
File type:    Unknown
MD5:    00000000000000000000000000000000
Scan duration[sec]:    0.001000
Quote:
Visitors from search engines are redirected
to: htxp://cartographicglobs.net/markersity?8
Redirect to this URL found in 47 sites

Part of an unknown Java exploit: https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020383.html
-> http://evuln.com/labs/cartographicglobs.net/  -> https://www.virustotal.com/nl/url/5a86a174c68c220c22c1b8579119155e302617c705d483b6022697dd84eb022b/analysis/

The redirect site seems to be down now: 11004 [11004] Valid name, no data record (check DNS setup).

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
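The "HTTP level" finding quoted above is a redirect that only fires for visitors arriving from a search engine, so the site owner loading the page directly never sees it. The following is an added example (not code from the post, nor from maldb, Quttera, Sucuri or jsunpack) of how a scanner reproduces that check black-box: a small local HTTP server stands in for the compromised site (its redirect logic is a constructed stand-in modelled on the behaviour described), and the probe fetches the front page once as a direct visitor and once with a Google search Referer, then compares the two answers. The redirect target is a hypothetical .invalid host, not the one named in the post.

```python
"""Black-box check for a search-engine-conditional redirect.

Added example, not code from the forum post or from any scanner it cites.
A tiny local HTTP server stands in for a compromised site (constructed
stand-in); the probe fetches the page as a direct visitor and again with
a Google search Referer and reports a redirect that appears only in the
second case. The redirect target is a hypothetical .invalid host.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical redirect target (assumption; the real one is in the post).
REDIRECT_TARGET = "http://redirect-target.invalid/markersity?8"
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")
REDIRECT_CODES = {301, 302, 303, 307, 308}


class CompromisedSite(BaseHTTPRequestHandler):
    """Stand-in for injected redirect code: only visitors arriving from a
    search engine get a 302; crawlers and direct visitors (including the
    site owner) see the normal page, which is why it goes unnoticed."""

    def do_GET(self):
        referer = self.headers.get("Referer", "")
        agent = self.headers.get("User-Agent", "").lower()
        if any(s in referer for s in SEARCH_ENGINES) and "bot" not in agent:
            self.send_response(302)
            self.send_header("Location", REDIRECT_TARGET)
            self.end_headers()
            return
        body = b"<html><body>Normal page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def fetch(host, port, headers):
    """One GET without following redirects; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def probe(host, port):
    """Fetch as a direct visitor and as a search-engine visitor. A redirect
    present only in the second case is the conditional redirect that the
    scanners in the thread report at HTTP level."""
    browser = "Mozilla/5.0 (Windows NT 6.1; Trident/4.0)"
    direct = fetch(host, port, {"User-Agent": browser})
    from_search = fetch(host, port, {
        "User-Agent": browser,
        "Referer": "https://www.google.com/search?q=villas+marche",
    })
    conditional = (from_search[0] in REDIRECT_CODES
                   and direct[0] not in REDIRECT_CODES)
    return {"direct": direct, "from_search": from_search,
            "conditional_redirect": conditional}


def run_demo():
    """Start the stand-in site on a free local port, probe it, shut down."""
    server = HTTPServer(("127.0.0.1", 0), CompromisedSite)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

To use this against a real site, point probe() at its host and port and add further variants (a Googlebot User-Agent, a Bing Referer), since injected code often cloaks itself from crawlers as well; the rexswain httpview link later in the thread is the same idea done by hand, with the uag and ref parameters setting the User-Agent and Referer.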

polonus (Avast Überevangelist, malware fighter)
Re: Suspicious conditional redirect not detected or taken down?
Reply #1 on: February 01, 2014, 07:19:17 PM
Another one that has not been taken down yet -> http://maldb.com/fruitofthevineyoga.com/ and not blocked by avast! either.
Probably compromised via outdated Joomla CMS: Joomla Version: 2.5.14
Joomla Version 2.5.x - 3.0.x for: htxp://fruitofthevineyoga.com/media/system/js/caption.js
Joomla version outdated: Upgrade required.
Conditional redirects found. Visitors from search engines are redirected
to: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php
Redirect to this URL found in 3770 sites
See other similar infestations on IP: http://support.clean-mx.de/clean-mx/viruses.php?ip=184.168.248.1&sort=id+DESC
See: https://www.virustotal.com/nl/url/933fbbe4eb0fe7b7a982d713943d637f903f32eaf38c865568275b4227bcb058/analysis/
See: http://sitecheck2.sucuri.net/results/www.cibonline.org
See: http://quttera.com/detailed_report/www.cibonline.org  -> http://jsunpack.jeek.org/?report=1eeb1ab7f114714119db6dc0ccb3c5b7a50c9005
flagged on site 256 times as Not supported malicious buffer type.
Potentially suspicious: plugins/system/cd_scriptegrator/utils/js/highslide/highslide.packed.js.php
Severity:    Potentially Suspicious
Reason:    Detected potentially suspicious content.
Details:    Detected potentially suspicious initialization of function pointer to JavaScript method eval: __tmpvar1886438521 = eval;
Threat dump:   -> http://jsunpack.jeek.org/?report=fd5492cf0aecd6a33d9307870c8aebf6af02c962
File size[byte]:    32328
File type:    ASCII
MD5:    091A36204A929EB1437C1E744E9E3D42
Scan duration[sec]:    0.347000
External link check benign: hxtp://newmandoesit.com/ -> http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.fruitofthevineyoga.com/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO

polonus
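The reply above lists two kinds of file-level evidence behind the same conditional redirect: the redirect itself, which on a compromised Joomla install is usually planted in .htaccess or at the top of a PHP file and keyed on the HTTP_REFERER, and JavaScript that assigns eval to a throwaway variable (Quttera's "function pointer to eval" finding in highslide.packed.js.php) so that the real payload can be decoded and executed without the string "eval(" appearing. The following is an added example of a small triage scanner for both; it is not code from the post, from Quttera, Sucuri or Joomla. The sample files are constructed for the demo, and the redirect hosts are hypothetical .invalid names.

```python
"""File-level triage for the indicators in the reply above.

Added example, not code from the post, Quttera, Sucuri or Joomla. Looks
for (a) a referer-conditional redirect in .htaccess, (b) the same trick in
PHP ($_SERVER['HTTP_REFERER'] plus header('Location: ...')) and (c)
JavaScript that aliases eval. Sample files are constructed; redirect hosts
are hypothetical .invalid names.
"""
import re

# (a) .htaccess: a RewriteCond on the referer naming a search engine, paired
#     with an external RewriteRule carrying the R (redirect) flag.
HTACCESS_COND = re.compile(
    r"RewriteCond\s+%\{HTTP_REFERER\}\s+.*?(google|bing|yahoo|ask|aol)", re.I)
HTACCESS_RULE = re.compile(
    r"RewriteRule\s+\S+\s+(https?://\S+)\s+\[[^\]]*R", re.I)
# (b) PHP: referer is read and a Location header to an external URL is sent.
PHP_REFERER = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]")
PHP_LOCATION = re.compile(
    r"header\s*\(\s*['\"]Location:\s*(https?://[^'\"]+)", re.I)
# (c) JS: `<identifier> = eval;` hides the later eval call behind an alias.
JS_EVAL_ALIAS = re.compile(r"\b([A-Za-z_$][\w$]*)\s*=\s*eval\s*;")


def scan_file(name, text):
    """Return a list of (name, indicator, detail) findings for one file."""
    findings = []
    rule = HTACCESS_RULE.search(text)
    if HTACCESS_COND.search(text) and rule:
        findings.append((name, "htaccess-conditional-redirect", rule.group(1)))
    loc = PHP_LOCATION.search(text)
    if PHP_REFERER.search(text) and loc:
        findings.append((name, "php-conditional-redirect", loc.group(1)))
    for m in JS_EVAL_ALIAS.finditer(text):
        findings.append((name, "js-eval-alias", m.group(1)))
    return findings


def scan_tree(files):
    """files: mapping of relative path -> file text (stand-in for os.walk)."""
    out = []
    for name, text in files.items():
        out.extend(scan_file(name, text))
    return out


# Constructed samples, not the real files from the sites in the thread.
SAMPLES = {
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]\n"
        "RewriteRule ^(.*)$ http://redirect-target.invalid/markersity?8 [R=302,L]\n"
    ),
    "index.php": (
        "<?php\n"
        "if (isset($_SERVER['HTTP_REFERER']) &&\n"
        "    preg_match('/google|bing|yahoo/i', $_SERVER['HTTP_REFERER'])) {\n"
        "    header('Location: http://redirect-target.invalid/cache/mod_poll/x.php');\n"
        "    exit;\n"
        "}\n"
        "define('_JEXEC', 1);\n"
    ),
    "plugins/system/cd_scriptegrator/utils/js/highslide/highslide.packed.js.php": (
        "var __tmpvar1886438521 = eval;\n"
        "__tmpvar1886438521(unescape('%76%61%72%20%68%73%3d%31%3b'));\n"
    ),
    # Clean Joomla asset for contrast: no findings expected.
    "media/system/js/caption.js": (
        "var JCaption = new Class({ initialize: function(s) { this.s = s; } });\n"
    ),
}


def flagged_files(files=SAMPLES):
    """Sorted list of file paths with at least one finding."""
    return sorted({f for f, _, _ in scan_tree(files)})


if __name__ == "__main__":
    for finding in scan_tree(SAMPLES):
        print(finding)
```

These patterns are deliberately narrow so that a hit is worth reading by hand; a real clean-up should also diff the Joomla core and plugin files against a fresh copy of the same version, since the alias trick in (c) is easy to rename and the redirect in (a) or (b) can just as well live in a module or template file.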