Author Topic: Is a conditional redirect always suspicious? Not in this case if meant to be!  (Read 55861 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Here scanners still give an SE visitors redirect:
Visitors from search engines are redirected
to: htxp://domemt.com/p2out/index.html
166 sites infected with redirects to this URL
See: http://killmalware.com/hogang.net/# & http://quttera.com/detailed_report/hogang.net
Server redirect status: Code: 302,  htxp://domemt.com/p2out/index.html
Redirect to external server!
Missed here: http://www.urlvoid.com/scan/hogang.net/
But see actual code there now: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.hogang.net%2F&useragent=Fetch+useragent&accept_encoding=
(see under source) and attached...

pol
« Last Edit: April 29, 2014, 01:05:09 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
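The check the scanners above run ("SE visitors redirects") is a differential fetch: the same URL requested as a direct visitor, as a visitor arriving from a Google search, and as Googlebot, with the redirect targets compared. The following is an added example written for this thread, not code from the post or from killmalware, Quttera or any other scanner it cites. The `fetch` callable is injected so the logic runs offline against a constructed stand-in for a compromised server (hostnames such as `redirect-target.invalid` and `example.com` are constructed); for a live probe pass a function that performs a real request with redirect-following disabled.

```python
"""Probe a URL for a search-engine conditional redirect (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict = field(default_factory=dict)   # lower-cased header names

    def location(self) -> Optional[str]:
        """Redirect target, or None if the response is not a 3xx redirect."""
        if 300 <= self.status < 400:
            return self.headers.get("location")
        return None


# Request profiles.  Injected redirects usually key on the Referer (a human
# coming from a search engine) and deliberately spare crawlers, so the site
# keeps its ranking and the owner, who visits directly, sees nothing.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0"
PROFILES = {
    "direct": {"User-Agent": BROWSER_UA},
    "se_referer": {"User-Agent": BROWSER_UA,
                   "Referer": "https://www.google.com/search?q=example"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                              "+http://www.google.com/bot.html)"},
}


def same_site(site_url: str, target: str) -> bool:
    """True when the redirect stays on the site (a www. prefix is ignored)."""
    def host(u: str) -> str:
        h = (urlsplit(u).hostname or "").lower()
        return h[4:] if h.startswith("www.") else h
    return host(site_url) == host(target)


def check_conditional_redirect(site_url: str,
                               fetch: Callable[[str, dict], Response]) -> dict:
    """Fetch `site_url` under every profile and report targets that differ
    from the direct visit.  A differing *external* target is the classic SE
    conditional redirect; the same target for every profile (for example a
    canonical www. redirect) is unconditional and is not flagged."""
    targets = {name: fetch(site_url, dict(hdrs)).location()
               for name, hdrs in PROFILES.items()}
    baseline = targets["direct"]
    findings = [
        {"profile": name, "target": tgt,
         "external": tgt is not None and not same_site(site_url, tgt)}
        for name, tgt in targets.items()
        if name != "direct" and tgt != baseline
    ]
    return {
        "baseline": baseline,
        "findings": findings,
        "conditional": bool(findings),
        "suspicious": any(f["external"] for f in findings),
    }


# --- constructed stand-ins for servers (no network access) -----------------
_SE_REFERER = re.compile(r"https?://[^/]*\b(google|bing|yahoo|yandex)\.", re.I)
_CRAWLER_UA = re.compile(r"googlebot|bingbot|yandexbot", re.I)


def fake_compromised_site(url: str, headers: dict) -> Response:
    """Constructed model of the injected rule: humans referred by a search
    engine get a 302 to an external host, everyone else the normal page."""
    if (_SE_REFERER.search(headers.get("Referer", ""))
            and not _CRAWLER_UA.search(headers.get("User-Agent", ""))):
        return Response(302, {"location": "http://redirect-target.invalid/p2out/index.html"})
    return Response(200, {"content-type": "text/html"})


def fake_canonical_site(url: str, headers: dict) -> Response:
    """Constructed model of a clean site that sends everyone to its www host."""
    return Response(301, {"location": "http://www.example.com/"})


if __name__ == "__main__":
    for name, fetch in [("compromised", fake_compromised_site),
                        ("canonical", fake_canonical_site)]:
        print(name, check_conditional_redirect("http://example.com/", fetch))
```

The three profiles matter individually: a probe that only spoofs Googlebot sees the clean page, which is exactly why the URL scanners the post lists as "missed" can return a clean verdict for a site that bounces every human search visitor.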

Offline polonus
SE conditional redirect flagged at this site: http://killmalware.com/zhesich.com/#
Server Redirect check: Code: 302,  htxp://www.thisbrand.net/
Redirect to external server!
Javascript Check: Suspicious
) ? " https://" : " http://");document.write(unescape("%3cspan id='cnzz_stat_icon_5604389'%3e%3c/span%3e%3cscript src='" + cnzz_protocol + "s96.cnzz.com/stat.php%3fid%3d5604389' ty...

Missed here: https://www.virustotal.com/nl/url/c2a39c7df25af23f833e809aaf708ceb53a88f08efbdeed969bfbc86d35c7cce/analysis/1399155769/
& https://www.virustotal.com/nl/url/0dd078f09c6997a2ac70a74b0147ae200b3c0b908da339704169674a33238889/analysis/1399155847/

Certainly spreading excessive header info: http://fetch.scritch.org/%2Bfetch/?url=+zhesich.com&useragent=Fetch+useragent&accept_encoding=

site linking to -> htx://www.umacau-datacenter.com:4998/cnweb-jrj/20131222/bdimg.share.baidu.com/static/js/  (benign)

External link with a PHISHing attempt blocked by Bitdefender TrafficLight: htxp://www.swhaifeng.com/

pol


Offline polonus
See: http://killmalware.com/thehappycartoonist.com/#
See: SE visitors redirects
Visitors from search engines are redirected
to: htxp://gqillqigqilqigqiqlqiigqilqiiiqgg.esmtp.biz/1.php *
188 sites infected with redirects to this URL

For malware traffic analysis see: http://malware-traffic-analysis.net/2013/12/27/index.html
avast! Webshield detects as URL:Mal
* sucuri blacklist: http://labs.sucuri.net/?details=gqillqigqilqigqiqlqiigqilqiiiqgg.esmtp.biz

Site used change.ip redirecting and conclusively Bitdefender's TrafficLight blocks it.

Capturing events: gqillqigqilqigqiqlqiigqilqiiiqgg.esmtp dot biz   IPV4    209.208.4.53

2014-05-04 17:52:24.591 [Expired]

IP badness history for IP: https://www.virustotal.com/nl/ip-address/209.208.4.53/information/

388 websites on one and the same IP: http://sameid.net/ip/209.208.4.53/

pol

Offline polonus
Now let us look at this one: http://killmalware.com/clarkecares.org/
SE visitors redirects
Visitors from search engines are redirected
to: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php *
4181 sites infected with redirects to this URL
see: https://www.mywot.com/en/scorecard/cibonline.org?utm_source=addon&utm_content=popup

Read here about this malicious multi-hop iframe campaign from  Dancho Danchev on his blog:
http://www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/
 
and how avast! misses the detection here: https://www.virustotal.com/nl/file/0aa8ab30d46be758cbf79f7fa393248b1acd111f31da233a4b61ebaf2d9edcaf/analysis/1383781200/
and here: https://www.virustotal.com/nl/file/0bbe25bea0a6166b3fa996bf0c284df177aa2ddc6bb768694884cad636c07848/analysis/
to finally detect it here: https://www.virustotal.com/nl/file/3ac491982cf2c47e3f56bf2ff333b09c4c84094fa24a4b7c8d4e120ede8711ac/analysis/
as SWF:Malware-gen [Trj]

pol

Offline polonus
Infected with SEO Spam: http://sitecheck.sucuri.net/results/unlvkidsclub.com
See: https://www.virustotal.com/nl/url/cdfa8dea4a0846a2510ed34555f5004900c2118cbc7169931590f47dbd654aa9/analysis/1399328228/  missed
See: http://killmalware.com/unlvkidsclub.com/#

Spam check: Suspicion of Spam

a name="description" content="canadian pharmacy no canadian pharmacy no prescription synthroid prescription synthroid, o...

Google Browser Diff: Not identical

Google: 15166 bytes       Firefox: 9957 bytes
Diff:         5209 bytes

First difference:
" > <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta name="robots" content="index, follow" /> <meta name="keywords" content="unlv, ru...

pol
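The "Google Browser Diff" lines in the scanner output above come from fetching the page twice, once as Googlebot and once as Firefox, and comparing the bodies; SEO spam is cloaked this way so that only the crawler indexes the pharmacy text. The following is an added example, not the post's or the scanner's code, that reproduces that comparison: byte sizes, the offset and snippet where the two bodies first diverge, and the spam terms present only in the crawler copy. Both HTML bodies are constructed inline so it runs offline; a live check would obtain them with two requests differing only in User-Agent. The spam term list is a small assumed set, not the scanner's signature database.

```python
"""Crawler-vs-browser page diff for cloaked SEO spam (added example)."""
from __future__ import annotations

import re
from typing import Optional

# Assumed SEO-spam vocabulary; the post only shows "canadian pharmacy",
# "no prescription" and "synthroid", the rest is a typical extension.
SEO_SPAM = re.compile(
    r"\b(canadian pharmacy|no prescription|synthroid|viagra|cialis|payday loans?)\b",
    re.I)


def first_difference(crawler: str, browser: str,
                     context: int = 60) -> Optional[tuple]:
    """(offset, crawler_snippet, browser_snippet) at the first differing
    character, or None when the bodies are identical."""
    n = min(len(crawler), len(browser))
    offset = next((i for i in range(n) if crawler[i] != browser[i]), n)
    if offset == n and len(crawler) == len(browser):
        return None
    return offset, crawler[offset:offset + context], browser[offset:offset + context]


def cloaking_report(crawler_body: str, browser_body: str) -> dict:
    """Summarise how the crawler copy differs from the browser copy."""
    cb, bb = crawler_body.encode("utf-8"), browser_body.encode("utf-8")
    crawler_terms = {m.lower() for m in SEO_SPAM.findall(crawler_body)}
    browser_terms = {m.lower() for m in SEO_SPAM.findall(browser_body)}
    return {
        "identical": crawler_body == browser_body,
        "crawler_bytes": len(cb),
        "browser_bytes": len(bb),
        "diff_bytes": abs(len(cb) - len(bb)),
        "first_diff": first_difference(crawler_body, browser_body),
        "spam_terms_crawler_only": sorted(crawler_terms - browser_terms),
    }


# --- constructed sample bodies (not fetched from any real site) -------------
_HEAD = ('<html><head><meta http-equiv="content-type" '
         'content="text/html; charset=utf-8" />'
         '<meta name="robots" content="index, follow" />')
BROWSER_BODY = (_HEAD
                + '<meta name="description" content="Kids Club after-school programs" />'
                + '</head><body><h1>Kids Club</h1><p>Welcome.</p></body></html>')
CRAWLER_BODY = (_HEAD
                + '<meta name="description" content="canadian pharmacy no prescription synthroid" />'
                + '</head><body><h1>Kids Club</h1><p>Welcome.</p>'
                + '<div style="display:none"><a href="http://pharma.invalid/">'
                + 'buy synthroid no prescription</a></div></body></html>')


if __name__ == "__main__":
    report = cloaking_report(CRAWLER_BODY, BROWSER_BODY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The first divergence lands inside the injected `<meta name="description">`, which is where the scanner's "First difference" excerpt in the post also sits; the hidden link block only shows up as extra bytes in the crawler copy.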

Offline polonus
The following SE redirect could not be scanned at Websecurity Test: Server Redirect status
Code: 0,  Content cannot be read!
Blocked by Bitdefender: http://www.urlvoid.com/scan/decorunusual.com/
See: http://urlquery.net/report.php?id=1399389210418
On IP alert for    ET RBN Known Russian Business Network IP group 190
See: https://www.virustotal.com/nl/url/ef2b13b3561469625b3f37673a731e9af3a67a459762ef5f8a643062524e02dc/analysis/1399388575/
Site error detected.
Details: http://sucuri.net/malware/php-error-fatal-error
<b>Fatal error</b>: Class 'vRequest' not found in <b>/home/content/z/d/i/zdido/html/plugins/vmcustom/specification/specification.php</b> on line <b>98</b><br /> htxp://decorunusual.com/test404page.js4525d2fdc -> to: htxp://liveupdate.swhw.it/relay.php
27 sites infected with redirects to this URL

pol

Offline polonus
The scan: http://maldb.com/thesesmallhours.com/#redirects
Conditional redirects found. Visitors from search engines are redirected
to: htxp://changedivstyle.ru/vis/index.php -> https://www.mywot.com/en/scorecard/changedivstyle.ru?utm_source=addon&utm_content=popup
Redirect to this URL found in 68 sites
Server redirect status check: Code: 301,  http://changedivstyle.ru/vis/index.php ->
Read http://wordpress.org/support/topic/cannot-access-widgets (info credits go to moderator = esmi)
Unable to properly scan your site. Site empty (no content): Content-Length: 0
Redirect to external server! malicious! -> http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fthesesmallhours.com%2F
See: http://labs.sucuri.net/db/malware/malware-entry-mwhta7
Javascript Check: Suspicious

vascriptusingdocumentwrite(a){document.write("<script src=\""+a+"\" type=\"text/javascript\"><\/script>")}function setstaticrequestparameters(){var a="";var b="";var c="";var d="";...

Google browser diff.: Not identical

Google: 18378 bytes       Firefox: 1286 bytes
Diff:         17092 bytes

First difference:
<head> <title>changedivstyle dot ru - changedivstyle</title> <meta http-equiv="content-type" content="text/html;charset=utf-8"/> <meta name="description" content="changedivs...

pol

P.S. This one is also flagged on site by Sucuri's: https://www.virustotal.com/nl/url/7af7dd39234001653467abd18a82a199ea8f3aa5280c44971f13d0f8663788a7/analysis/

D
« Last Edit: May 07, 2014, 01:53:49 AM by polonus »

Offline polonus
The following conditional redirect is missed by Sucuri's: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwapakonetasoccer.com
Header returned by request for: http://wapakonetasoccer.com -> 204.174.223.28

HTTP/1.1 302 Found
Date: Thu, 08 May 2014 12:24:23 GMT
Server: Apache/2.2.16 (Debian)
Location: htxp://www.leaguelineup.com/wapakonetasoccer
Note: This line has redirected the request to htxp://www.leaguelineup.com/wapakonetasoccer
where I get "Timeout!   Page or file not found!" -> http://zulu.zscaler.com/submission/show/8f4ddd72ada95c8c2c03f4c578e4720a-1399552545
Content-Length: 314
Connection: close
Content-Type: text/html; charset=iso-8859-1

SE visitors redirects
Visitors from search engines are redirected  (site was compromised see presence of -> htxp://wapakonetasoccer.com/test404page.js)
to: htxp://www.leaguelineup.com/wapakonetasoccer -> http://urlquery.net/report.php?id=1399552534167
1177 sites infected with redirects to this URL


The location line in the header above has redirected the request to: http://www.leaguelineup.com/wapakonetasoccer

Quite a few issues are wrong on the site: https://asafaweb.com/Scan?Url=wapakonetasoccer.com -> Custom errors: Fail, Excessive Headers warning, HTTP Only cookies warning, clickjacking warning.

A stack trace can reveal:

- what encryption algorithm you use
- what some existing paths on your application server are
- whether you are properly sanitizing input or not
- how your objects are referenced internally
- what version and brand of database is behind your front-end

(Info credits go to Kilan Foth on StackExchange Security.)

polonus
« Last Edit: May 08, 2014, 02:52:37 PM by polonus »

Offline polonus
SE visitors redirects

Visitors from search engines are redirected

to: htxp://workstationrepresentative.ru/intellectual?7
19 sites infected with redirects to this URL  from? => http://killmalware.com/architectura-perspectiva.com/
Missed completely here: http://zulu.zscaler.com/submission/show/db80958f0fa4a8071f92cf798a7d9440-1399758294
and here: http://icreamservice.com/report/url-4245
Flagged 6 instances of malware: http://sitecheck.sucuri.net/results/architectura-perspectiva.com
redirecting to fake av!
Site vulnerable because of outdated CMS:
Joomla Version 1.5.18 - 1.5.26 for: hxtp://architectura-perspectiva.com/media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: htxp://architectura-perspectiva.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.

polonus

Offline polonus
Now a chain of redirects here: http://killmalware.com/alians-project.ru/#
Javascript check: Suspicious

t" href="htxp://alians-project.ru//plugins/content/mavikthumbnails/slimbox/css/slimbox.css" type="text/css" /> <link rel="stylesheet" href="http://alians-project.ru/templates/syste...  (older XSS vulnerability and rare inability to update for slimbox.js)

See: http://sitecheck.sucuri.net/results/alians-project.ru/

Malware found: http://labs.sucuri.net/db/malware/mw-redirection121?v3

CMS vulnerable: Joomla Version 1.5.18 - 1.5.26 for: http://alians-project.ru//media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: http://alians-project.ru//language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.

On the chain of redirects (with one I get this kicked up: about:neterror - pseudo protocol)
http://urlquery.net/report.php?id=1394834830314 - alert for Detected suspicious URL pattern
http://labs.sucuri.net/?details=alfsystem.com.my
https://urlquery.net/report.php?id=8728358  (invalid security certificate on urlquery dot net: the certificate expired on 7-5-2014 20:45.)
http://evuln.com/labs/jbtconsultinggroup.com/

polonus

« Last Edit: May 13, 2014, 10:54:07 PM by polonus »

Offline polonus
Two instances of SE redirects: http://killmalware.com/wglasserinternational.org/
Quttera detects: http://quttera.com/detailed_report/www.wglasserinternational.org
Too low entropy detected in string [[''1AQAPKRV'1Gdwlavkml'02Anmqg'0:'0;y'1@'2F'2Cdwlavkml'02Nkli'0:'0;y'1@'2F'2Cdwlavkml'02pgcfAmmikg'0:l']] of length 9892 which may point to obfuscation or shellcode. view code: http://quttera.com/detailed_report/www.wglasserinternational.org#myModalPotSuspACEE0E2AEEA19A91A8BA23A16E4DE924
Website Malware and SEO Spam detected: http://sitecheck.sucuri.net/results/www.wglasserinternational.org
See: http://labs.sucuri.net/db/malware/malware-entry-mwjsanon7?v9 -> /focusgenresources/focus.js
See: http://www.exedb.com/systemfiles/focus.js.html
and http://labs.sucuri.net/db/malware/malware-entry-mwspamseo on htxp://www.wglasserinternational.org/index.php/component/users/?view=reset
See: http://evuln.com/labs/tdson.com/ particular SE redirect campaign. -> http://www.seocert.net/site-analyzer.php
1. Put scripts together and link them from an external file rather than put them in the same file as the main page.
2. Users are concerned about the safety of their online transactions. Trustworthiness rating is based on real user ratings and that tells you how much other users trust this site, and so do the search engines. Note: this trustworthiness score is provided by WOT (Web of Trust).

pol

Offline polonus
Update: http://killmalware.com/tttravelbrasil.com/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php
wXw.cibonline.org is reported by Google as suspicious
4241 sites infected with redirects to this URL
See VT result: https://www.virustotal.com/nl/url/d28da482c8ea2bfbd01d63b4120089a7e21aec6d8b37646a25bf7583823d6fab/analysis/
Web application version:
Joomla Version 1.5.18 to 1.5.26 for: htxp://tttravelbrasil.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.26 or 3.3.5
Joomla Version
1.5
Found in META Generator Tag
Joomla Modules, Components and Plugins
The following modules were detected from the HTML source of the Joomla front page.
mod_roknewspager
mod_jflanguageselection
mod_yoo_login
css
The following components were detected from the HTML source of the Joomla front page.
com_jnews
com_joomfish
The following plugins were detected from the HTML source of the Joomla front page.
mtupgrade
rokbox
Adding Modules, Components and Plugins to a Joomla site expands your attack surface. These addons are a source of many security vulnerabilities; it is important to always keep them updated to the latest version available and check the developer's plugin page for information about security-related updates and fixes. Using the Joomscan scanner you are able to test more aggressively for plugins and modules installed within a Joomla installation. (Source: open source vuln. scan.)

Linked Javascript
/plugins/system/mtupgrade/mootools.js
/media/system/js/caption.js
/plugins/system/rokbox/rokbox-mt1.2.js
/plugins/system/rokbox/themes/light/rokbox-config.js
/modules/mod_roknewspager/tmpl/js/roknewspager-mt1.2.js
/templates/hot_wellness/js/jquery.min.js
/templates/hot_wellness/js/jquery-ui-1.8.5.custom.min.js
/templates/hot_wellness/js/jquery.hjt.megamenu.js
/templates/hot_wellness/js/reflection.js
/templates/hot_wellness/js/fontresize.js

polonus (volunteer website security analyst and website error-hunter)

P.S. Added a tracker tracker report - do not open links inside a browser, results for security research purposes only.

D
« Last Edit: April 25, 2015, 06:09:30 PM by polonus »