Author Topic: Is a conditional redirect always suspicious? Not in this case if meant to be!  (Read 55860 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
See: http://maldb.com/kurtoyunlari.org/#
Non-detection here: https://www.virustotal.com/nl/url/a37231de82f77760a7d0fdbd117ddd8c93210f0907bac764de5ae6279b993ab1/analysis/1391354936/
and here: http://urlquery.net/report.php?id=9196594
Other sites on same IP: http://sameid.net/ip/95.173.183.139/
connection timed out. WhatWeb info: htxp://www.koyunoyunlari.com/kurt-oyunlari [200] Google-API[ajax/libs/jquery/1.3.2/jquery.min.js],
 HTTPServer[LiteSpeed],
 IP[95.173.183.139],
 JQuery, PHP[5.3.27],
 X-Powered-By[PHP/5.3.27],
 Cookies[PHPSESSID],
 Title[Kurt Oyunları Oyna, Kurt Oyunları Oyunu],
 Country[TURKEY]
& see: http://builtwith.com/?http%3a%2f%2fwww.koyunoyunlari.com%2fkurt-oyunlari

JS errors: http://jsunpack.jeek.org/?report=e0475117c42c5df1847a95fc391a35fd2876f9b4 ->
- invalid flag after regular expression  & SyntaxError: invalid decrement operand:

External links benign.
Quote
Content after the < /html> tag should be considered suspicious.
163:
This could denote a threat that has been removed earlier.

The recommended scanner Sucuri gives site as clean.
Conditional redirects can be suspicious, but aren't always insecure!

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
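The quoted scanner rule above ("content after the </html> tag should be considered suspicious") is easy to check for yourself before trusting a "clean" verdict. The following is an added example, not code from the thread or from any of the scanners it links; the three HTML bodies in it are constructed samples, not fetched pages.

```python
import re

# Constructed sample bodies (not fetched from any site mentioned in the thread).
CLEAN_PAGE = "<!DOCTYPE html><html><head><title>ok</title></head><body>hi</body></html>\n"
TRAILING_SCRIPT_PAGE = (
    "<html><body>page</body></html>\n"
    "<script>/* block appended after the document, the shape a scanner flags */</script>"
)
TRAILING_COMMENT_PAGE = "<html><body>x</body></HTML>\n<!-- build 42 -->\n"
TRAILING_TEXT_PAGE = "<html><body>x</body></html>\nleft-over text after the document"

# Case-insensitive match for the closing tag, tolerating "</html >" variants.
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)


def content_after_html(body: str) -> str:
    """Return whatever follows the LAST </html> tag, whitespace stripped.

    Returns '' when there is no closing tag or when nothing follows it.
    Using the last occurrence avoids false hits on a </html> quoted inside
    a script string earlier in the page.
    """
    last = None
    for m in CLOSE_HTML.finditer(body):
        last = m
    if last is None:
        return ""
    return body[last.end():].strip()


def classify_trailer(body: str) -> str:
    """Grade the trailer: 'clean', 'comment-only', 'suspicious',
    or 'suspicious-active-content' when script/iframe markup was appended."""
    trailer = content_after_html(body)
    if not trailer:
        return "clean"
    # A bare HTML comment after the document is usually build/debug residue.
    if re.fullmatch(r"(<!--.*?-->\s*)+", trailer, re.DOTALL):
        return "comment-only"
    if re.search(r"<script\b|<iframe\b", trailer, re.IGNORECASE):
        return "suspicious-active-content"
    return "suspicious"


if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("script", TRAILING_SCRIPT_PAGE),
                       ("comment", TRAILING_COMMENT_PAGE), ("text", TRAILING_TEXT_PAGE)]:
        print(f"{name:8s} -> {classify_trailer(page)}")
```

Run it over a saved copy of the page source (what the browser actually received, not what the CMS thinks it served), since the injected trailer is often added at the web-server or PHP layer after the template has finished.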

See: http://maldb.com/aay-search.info/#
See: http://builtwith.com/aay-search.info
Quttera's gives it as clean: http://www.quttera.com/detailed_report/aay-search.info
Sucuri gives it as clean.
The redirect is there: stats.wordpress dot com/e-201405.js benign -> http://jsunpack.jeek.org/?report=771b71927a5f60fc132d5f3cd15a53814d4f7f03
[nothing detected] (script) stats dot wordpress dot com/e-201405.js
     status: (referer=thefutureisbetterthanyouthink dot com/) Redirect to this URL found in 9 sites
and redirect site has unsatisfactory web rep according to WOT: https://www.mywot.com/en/scorecard/trade.nosis.com?utm_source=addon&utm_content=popup-donuts (Poor customer experience fraudulent info)
appears in this listing: http://johnpc.home.xs4all.nl/vulnerable_sites-ips.txt
Site has suspicious Spam Check: Suspicion of Spam
s**g gllrs in bubaxxx s#xyfp0rn0-s*ndib*le-c*rt^^ns dot com brzg wwwwwb s-tacom ocii ocxxxcom ra eldi wwo gpco u wwoo w...
(obscured by me -pol)
No flag here: http://urlquery.net/report.php?id=9198109 -> http://www.webutations.net/go/review/aay-search.info

Do not venture out there because it is a smut search engine!

pol

Here one redirect was being cleansed, another left on. See on what was left on: to: htcp://www.dailyfx.com/forex_forum/expert-advisor-discussion/96889-best-forex-ea-4.html - 2 sites infected with redirects to this URL. The other redirect still flagged here: index
Severity:    Suspicious
Reason:   Detected suspicious redirection to external web resources at HTTP level. [What's this?]
Details:    Detected HTTP redirection to htxp://bit.ly/16FSPwZ.
Threat dump MD5:    D41D8CD98F00B204E9800998ECF8427E
File size[byte]:    18446744073709551615
File type:    Unknown
MD5:    00000000000000000000000000000000
Scan duration[sec]:    0.001000 -> http://jsunpack.jeek.org/?report=d7ba41c67996414aaa935282cc6ebf3082c3f47b
External link to page with trackers: htxp://webmoney.pixub.com/ -> Couldn't connect using TCP protocol and 3 further warnings,
see: http://www.dnsinspect.com/webmoney.pixub.com

WhatWeb info: http://1eplh.com [403] WordPress, HTTPServer[Apache],
 Adobe-Flash, PoweredBy[WordPress],
 Apache, IP[199.188.200.101],
 JQuery[1.10.2],
 PHP[5.3.27],
 X-Powered-By[PHP/5.3.27],
 Title[Best forex broker Review | Best forex broker Review – Read More …]
Web application version:
WordPress version: WordPress
Wordpress version from source: 3.6
Wordpress Version 3.6 based on: htxp://1eplh.com//wp-admin/js/common.js
WordPress directory: htxp://1eplh.com/wp-content
WordPress theme: htxp://1eplh.com/wp-content/themes/FinanceSpot/
WordPress version outdated: Upgrade required.

One website with OVERDUE! malcode on same IP: http://support.clean-mx.de/clean-mx/viruses.php?ip=199.188.200.101&sort=first%20desc
See recent reports here: http://urlquery.net/report.php?id=9199442

pol

« Last Edit: February 03, 2014, 07:33:43 PM by polonus »

Read on redirects as a general introduction to this theme, info here:   
http://searchengineland.com/redirects-good-bad-conditional-14539   link article author = Stephan Spencer

Here the question is, is a conditional redirect still there: http://maldb.com/uapbbands.com/#
It seems and it is a non-desired redirect destination (two "reds" on WOT's)

Not detected here: https://www.virustotal.com/nl/url/34ed42c1f4e5caa85d3edf5431613c594fc06c73870fb5d0868d4e912156d543/analysis/1391467345/
and here: http://quttera.com/detailed_report/uapbbands.com  and here:  http://urlquery.net/report.php?id=9212432

Server software and CMS check: apache/2.2.24 (unix) mod_hive/3.6 mod_ssl/2.2.24 openssl/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 frontpage/5.0.2.2635 mod_jk/1.2.35     
CMS: wordpress 3.5.1

WhatWeb info: htxp://uapbbands.com [200] WordPress[3.5.1],
 MetaGenerator[WordPress 3.5.1],
 HTTPServer[Unix][Apache/2.2.24 (Unix) mod_hive/3.6 mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.35],
 x-pingback[,http://uapbbands.com/xmlrpc.php],
 UncommonHeaders[x-pingback],
 Apache[2.2.24][mod_auth_passthrough/2.1,mod_bwlimited/1.4,mod_hive/3.6,mod_jk/1.2.35,mod_ssl/2.2.24],
 HTML5, IP[108.175.152.88],
 JQuery[1.8.3],
 Mobile-Website[Apple Handheld],
 FrontPage[5.0.2.2635],
 OpenSSL[0.9.8e-fips-rhel5],
 Title[University Bands at UAPB | Marching Musical Machine of the Mid-South],
 Email[evansdATuapb dot edu,foosterhATuapb dot edu,grahamjAT uapb dot du,uapbbandsATuapb dot edu]
also see: http://fetch.scritch.org/%2Bfetch/?url=uapbbands.com&useragent=Fetch+useragent&accept_encoding=

Site vulnerable: Web application version:
WordPress version: WordPress 3.5.1
Wordpress version from source: 3.5.1
Wordpress Version 3.5 based on: htxp://uapbbands.com//wp-admin/js/common.js
WordPress theme: htxp://uapbbands.com/wp-content/themes/nash/
Wordpress internal path: /home/showcase/public_html/uapbbands.com/wp-content/themes/nash/index.php
WordPress version outdated: Upgrade required.

On the conditional redirect site: https://www.mywot.com/en/scorecard/piopo.25u.com?utm_source=addon&utm_content=rw-viewsc
kraken Virus Tracker domain classification: piopo dot 25udot com,24.228.64.193,ns1.changeip dot org,Criminals,
where "criminals" means no more or less than "active malware up".

General insecurity warnings on site are, Outdated vulnerable CMS, excessive header info spread to the globe and potential attackers alike (see earlier),
and this site seems also vulnerable to clickjacking.

polonus
« Last Edit: February 04, 2014, 12:25:21 AM by polonus »

The following site, see scan here: http://maldb.com/so-5.info/#  had a conditional redirect on it earlier,
that was cleansed, probably because it was/is open to the so-called xmlrpc.php pingback vulnerability.

Read about this issue and protection against it here:
http://blogs.reliablepenguin.com/2013/05/28/wordpress-xmlrpc-php-pingback-vulnerability  article author = leerb
Why I thought up this possible scenario, see here:
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fso-5.info%2F&useragent=Fetch+useragent&accept_encoding=

Think status of page now is OK: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fso-5.info%2Fxmlrpc.php
but the vulnerabilities (excessive header info & the xmlrpc.php issue) should be tackled!

polonus

Re: http://maldb.com/aacbe.co.uk/
Here we got one that has been reported as cleansed, nonetheless detected as with a suspicious domain: Suspicious domain detected.
Details: http://sucuri.net/malware/malware-entry-mwblacklisted35
Location: htxp://uendkgkw.ddns.me.uk/
And again site is vulnerable because CMS is outdated: (probably also via the htxp://www.aacbe.co.uk/xmlrpc.php pingback vuln.)
WordPress version: WordPress 3.4.2
Wordpress version from source: 3.4.2
Wordpress Version 3.3 or 3.4 based on: htxp://www.aacbe.co.uk//wp-includes/js/autosave.js
WordPress directory: htxp://www.aacbe.co.uk/wp-content
WordPress theme: htxp://www.aacbe.co.uk/wp-content/themes/acbe/
also see: http://fetch.scritch.org/%2Bfetch/?url=www.aacbe.co.uk&useragent=Fetch+useragent&accept_encoding=

No alerts here: http://urlquery.net/report.php?id=9225688

Finally zuluZscaler detects and flags as 100/100% malicious: http://zulu.zscaler.com/submission/show/c6f935c4389f7a9fd3bbfd25185af358-1391550956
Why, see here: http://jsunpack.jeek.org/?report=cdb26aa2f42eca1c05234a00a401757ea5216f89

WordPress version outdated: Upgrade required.

polonus

Another one alerted here: http://sitecheck2.sucuri.net/results/gregoryposey.com
See payload: http://sitecheck2.sucuri.net/results/gregoryposey.com#viewpayload2 -> http://sucuri.net/malware/malware-entry-mwht291
Google browser diff. Google: 7741 bytes       Firefox: 8299 bytes
Diff:         558 bytes

First difference:
" content="text/html; charset=utf-8"/> <head> <title>cx.cc</title> <script src="htxp://www.google.com/adsense/domains/caf.js" type="text/javascript" ></script> <link href="htt...  -> http://maldb.com/gregoryposey.com/#  -> http://evuln.com/labs/valueband.cx.cc/

Also a PHISH on misused and abused server: http://support.clean-mx.de/clean-mx/phishing.php?id=3746674

Not flagged here: http://zulu.zscaler.com/submission/show/d7da35eba458b3f97be03327c055882d-1391624361

pol
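The "Google/browser diff" figures quoted in this post (two byte counts, a diff size and a first-difference snippet) come from fetching the same URL with a crawler User-Agent and with a browser User-Agent and comparing the bodies. Below is an added example of that comparison step, written for this thread and not taken from maldb or any other scanner; the two response bodies are constructed, and the script host in them is a placeholder.

```python
import difflib
from dataclasses import dataclass
from typing import List, Optional

# Constructed responses standing in for one URL fetched twice: once with a
# search-engine crawler User-Agent and once with a browser User-Agent.
# These are made-up bodies, not traffic captured from any site in the thread;
# the script host is a placeholder.
COMMON = b"<html><head><title>shop</title></head><body><p>Welcome to the shop.</p>"
AS_CRAWLER = COMMON + b"</body></html>"
AS_BROWSER = COMMON + b'<script src="//ads.placeholder.invalid/caf.js"></script></body></html>'

# Tokens that, when present only in the browser-side response, warrant a closer look.
ACTIVE_TOKENS = (b"script", b"iframe", b"location.href", b"location.replace",
                 b'http-equiv="refresh"')


@dataclass
class DiffReport:
    crawler_bytes: int
    browser_bytes: int
    diff_bytes: int                  # absolute size difference, as the scanner reports it
    first_difference: Optional[int]  # byte offset where the two bodies diverge
    browser_only: List[bytes]        # runs present only in the browser response


def first_mismatch(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte; None when the bodies are identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def browser_only_segments(crawler: bytes, browser: bytes) -> List[bytes]:
    """Bytes the browser got that the crawler did not (inserted or replaced runs)."""
    sm = difflib.SequenceMatcher(None, crawler, browser, autojunk=False)
    return [browser[j1:j2] for tag, _, _, j1, j2 in sm.get_opcodes()
            if tag in ("insert", "replace")]


def compare_responses(crawler: bytes, browser: bytes) -> DiffReport:
    return DiffReport(
        crawler_bytes=len(crawler),
        browser_bytes=len(browser),
        diff_bytes=abs(len(browser) - len(crawler)),
        first_difference=first_mismatch(crawler, browser),
        browser_only=browser_only_segments(crawler, browser),
    )


def looks_cloaked(report: DiffReport) -> bool:
    """True when the browser-only part carries active content the crawler never saw."""
    joined = b"".join(report.browser_only).lower()
    return any(tok in joined for tok in ACTIVE_TOKENS)


def describe(report: DiffReport, width: int = 60) -> str:
    """Summary in the style of the scanner output quoted in the post."""
    if report.first_difference is None:
        return "Identical"
    first = b"".join(report.browser_only)[:width].decode("utf-8", "replace")
    return (f"Not identical\n"
            f"Crawler: {report.crawler_bytes} bytes  Browser: {report.browser_bytes} bytes\n"
            f"Diff: {report.diff_bytes} bytes\n"
            f"First difference:\n{first}...")


if __name__ == "__main__":
    rep = compare_responses(AS_CRAWLER, AS_BROWSER)
    print(describe(rep))
    print("cloaking suspected:", looks_cloaked(rep))
```

A size difference alone proves little (ad slots and session tokens vary between fetches too), which is why the example also isolates the browser-only bytes and looks for active content in them; for a real check, fetch both variants from the same IP within a few seconds and also vary the Referer header, since many of the redirects in this thread fire only when the visitor arrives from a search engine.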

The following example in this parade of conditional redirects has a malicious server redirect/status: Code: 301,  htxp://ristoncharge.in/meeting/index.php
Redirect to external server! -> http://siteexplorer.info/domain/ristoncharge.in
With jsunpack I get: failure: <urlopen error [Errno -2] Name or service not known - 11004 [11004] Valid name, no data record (check DNS setup)
All of that redirect campaign: http://evuln.com/labs/ristoncharge.in/
See: http://urlquery.net/report.php?id=9256585  - The location line in the header above has redirected the request to: htxp://ristoncharge.in/meeting/index.php
Malicious redirects are detected by avast! as PHP:Redirector-Z[Trj]
Also detected here: http://app.webinspector.com/public/reports/19940248 Possible Malware checked url Google Advisory! -> http://sucuri.net/malware/malware-entry-mwblacklisted35 (and again we see 404javascript.js * in the Security Warnings and 404testpage4525d2fdc
Read on this WP malcode from T.Layman: http://wordpress.org/support/topic/removing-malicious-code-malicious-404-redirect
and here: https://www.badwarebusters.org/main/conversations?tag=404testpage4525d2fdc&view=tag
For * see: http://www.askapache.com/seo/404-google-wordpress-plugin.html

polonus

The following conditional redirect to malcode is not being flagged everywhere. Sucuri Site check detects: http://sitecheck2.sucuri.net/results/metrolinatheatre.org
malcode detected: http://sucuri.net/malware/entry/MW:HTA:7
Remove offending code from .htaccess and/or index.php or contact support@sucuri.net for help (not free)

Joomla version outdated: Joomla Version 1.5.8 to 1.5.14 for: htxp://metrolinatheatre.org/media/system/js/caption.js
Joomla Version 1.5.14 for: htxp://metrolinatheatre.org/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.

See: https://asafaweb.com/Scan?Url=metrolinatheatre.org
Custom errors fail: Requested URL: htxp://metrolinatheatre.org/trace.axd | Response URL: htxp://metrolinatheatre.org/trace.axd | Page title: Trace Error | HTTP status code: 403 (Forbidden) | Response size: 2,077 bytes | Duration: 291 ms
Various Warnings for server configuration insecurities - see scan results.

Live malware on same IP: http://support.clean-mx.de/clean-mx/viruses?id=14468864
-> https://www.virustotal.com/nl/file/76358a5c6f25a85f120ed8b6cec01bb1c070dc967ffe95de0e148c37b50b35e2/analysis/
and more here:  http://urlquery.net/report.php?id=9317486
More malcode from Arizona, Scottsdale: https://www.virustotal.com/nl/ip-address/50.63.196.33/information/
where avast! Webshield blocks htxp://urlquery.net/report.php?id=6994270 as with JS:Iframe-CSU[Trj]

For the infested redirect source -> http://evuln.com/labs/shop-apps.net/ and redirects to view: http://jsunpack.jeek.org/?report=7a3240abfdaddddf9422721f681445e430bb9f51 -> https://www.virustotal.com/nl/ip-address/69.43.160.215/information/
and WOT has two red alerts for this destination: https://www.mywot.com/en/scorecard/bidr.trellian.com
bidr.trellian.com is listed in OpenDNS's Block Tool http://forums.opendns.com    "reported to WOT by marco2981
listed in 2012 - not now. Earlier  IDS alert for "MALWARE-OTHER SimpleTDS - request to go.php".
bidr.trellian.com/r.php?u=htxp:/www.winstmethode.com/css/js/cufon-yui.js benign *
[nothing detected] (script) bidr.trellian dot com/r.php?u=htxp:/www.winstmethode.com/css/js/cufon-yui.js
     status: (referer=bidr.trellian dot com/r.php?u=htxp:/www.winstmethode.com/?  A=4746&SubAffiliateID=14723145&sid=201402090437526893c4a3bca84fb633&s=m)saved 18258 bytes 8c9ba8f142de4e3769a9c1444d74b94d5aa815ff
     info: [decodingLevel=0] found JavaScript
     error: undefined variable C (nothing detected] (element) 127.0.0.1/undefined)
     suspicious: -> http://jsunpack.jeek.org/?report=c8fa98efb9d0241c79265ede0f5c71047a8533ef
N.B. * POOR SOCIAL NETWORK PRESENCE (mentioned via 7 links on scamvoid)

Joomla consider: -http://metrolinatheatre.org/media/system/js/caption.js
Avast! does not flag site, also see: http://zulu.zscaler.com/submission/show/7dbd43f3810511364ac2beaf09bac4d5-1391881637
Webutation flags via WOT: http://www.webutations.net/go/review/shop-apps.net?req=chrome

polonus

« Last Edit: February 08, 2014, 07:01:35 PM by polonus »
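Sucuri's advice in this post is to "remove offending code from .htaccess and/or index.php". For the .htaccess half, the tell-tale is a RewriteRule that redirects off-site and is gated by RewriteCond lines keyed on the visitor (HTTP_REFERER, HTTP_USER_AGENT and the like) rather than on the requested path. The following is an added example of such a check, not Sucuri's signature or code from the thread; the .htaccess fragment is constructed and the redirect destination in it is a placeholder host.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence

# Constructed .htaccess fragment: the standard WordPress block followed by a
# rule of the shape the post describes (redirect keyed on referer / user-agent
# to an off-site destination). The destination host is a placeholder, not a
# domain taken from the thread.
SAMPLE_HTACCESS = """
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (Windows|Android) [NC]
RewriteRule ^(.*)$ http://redirect-destination.invalid/go.php [R=301,L]
"""

# Server variables that make a rewrite depend on WHO is visiting rather than
# on WHAT was requested: the signature of a conditional redirect.
CLIENT_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE",
               "REMOTE_ADDR", "HTTP_ACCEPT_LANGUAGE")


@dataclass
class Finding:
    line_no: int
    conditions: List[str]   # the RewriteCond lines that gate the rule
    target: str             # where the visitor is sent


def _is_redirect(flags: str) -> bool:
    # Flags look like "[R=301,L]"; a bare R or R=<code> means an external redirect.
    return any(f.upper() == "R" or f.upper().startswith("R=")
               for f in flags.strip("[]").split(","))


def _is_external(target: str, own_hosts: Sequence[str]) -> bool:
    m = re.match(r"^(?:https?:)?//([^/]+)", target, re.IGNORECASE)
    if not m:
        return False          # relative path or "-": stays on this host
    return m.group(1).lower() not in {h.lower() for h in own_hosts}


def find_conditional_redirects(text: str, own_hosts: Sequence[str] = ()) -> List[Finding]:
    """Flag RewriteRule redirects whose preceding RewriteConds key on the client.

    Apache applies the accumulated RewriteCond lines to the next RewriteRule
    only, so the pending list is cleared after every rule, matched or not.
    """
    findings: List[Finding] = []
    pending: List[str] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append(line)
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            flags = parts[3] if len(parts) > 3 else ""
            client_keyed = any(v in cond for cond in pending for v in CLIENT_VARS)
            if client_keyed and _is_redirect(flags) and _is_external(target, own_hosts):
                findings.append(Finding(no, list(pending), target))
            pending = []
    return findings


if __name__ == "__main__":
    for f in find_conditional_redirects(SAMPLE_HTACCESS, own_hosts=["www.own-site.invalid"]):
        print(f"line {f.line_no}: redirect to {f.target}, gated by:")
        for c in f.conditions:
            print("   ", c)
```

Pass the site's own hostnames in own_hosts so legitimate http-to-https or www canonicalisation rules are not reported; anything left over is a rule that sends some visitors, and only some, to a third party, which is exactly the behaviour the scanners in this thread call a conditional redirect. Remember that the same logic can live in index.php or a plugin instead, so an empty result from .htaccess is not a clean bill.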

Following site has outdated Joomla CMS: Joomla Version: 1.7.1
Joomla Version 1.6 or 1.7 for: htxp://mbryadesign.com//media/system/js/caption.js
Joomla Version 1.6.x for: htxp://mbryadesign.com//language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.

PHISHING going on from domain - response dead.
Quttera has one potentially suspicious file:
/plugins/system/cd_scriptegrator/utils/js/highslide/highslide.packed.js.php
Severity:    Potentially Suspicious
Reason:    Detected potentially suspicious content.
Details:   Detected potentially suspicious initialization of function pointer to JavaScript method eval <code> __tmpvar632980728 = eval; <code/>
Threat dump - view here: http://jsunpack.jeek.org/?report=3289e58f3b7f3721f1a04795b1bad7bec321af49
Threat dump MD5:    9665F6C56A641419EAE6DC83FC5FFCC5
File size[byte]:    32328
File type:    ASCII
MD5:    091A36204A929EB1437C1E744E9E3D42
Scan duration[sec]:    0.625000
That code (once decoded by the browser) is used to generate an iframe where more malware is loaded
and used to infect the browser of the person visiting the compromised web site.

Muti-Hop_Mass_iframe_Exploits_Cybercrime
to: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php
Redirect to this URL found in 3779 sites -> https://www.virustotal.com/nl/url/933fbbe4eb0fe7b7a982d713943d637f903f32eaf38c865568275b4227bcb058/analysis/

http://97.74.215.83/ see attached  -> https://www.virustotal.com/nl/ip-address/97.74.215.83/information/

ThreatSTOP alerts: 1 connection from first seen 10 months ago to last seen 23 hours ago   Threatname AlienVault Danger level 3

polonus

Here a redirect after site became parked: http://maldb.com/kuhinje-contessa.si/#
See: http://jsunpack.jeek.org/?report=e1cc42a33e677371f75a59cbddf99a07977b9c28
Reported as a redirecting site two days ago and therefore now being blacklisted,
so Google reports kuhinje-contessa.si as suspicious website.
The redirect site is detected here: https://www.virustotal.com/nl/url/e6e08616089df66480c0ac23200411a9a8df17c08d2d48fcbcadd8c0de1724dd/analysis/
also see: https://www.virustotal.com/nl/ip-address/50.63.202.52/information/
Server redirect: Code: 301,  htxp://flameorangeadvantageous.info/glasse?8  Redirect to external server!
Re: https://www.google.com/safebrowsing/diagnostic?site=http://flameorangeadvantageous.info/&hl=nl
iFrame Check: Suspicious  htxp://mcc.godaddy.com/park/p3yhrawvmj5uquwhpjyhljqhquwvntlhqzsmlt==/fe/nzcdyaevlae5pv5jlab=?=404;ht'
-> http://urlquery.net/report.php?id=1621455
Google/browser diff -> Not identical
Google: 663 bytes       Firefox: 0 bytes
Diff:         663 bytes
First difference:
dy></html>...

polonus

Now in this series of various conditional redirects (malicious, suspicious, and otherwise) we start from the other side up. At the redirect source, and it is being malicious: http://totalhash.com/analysis/7fdfe186d1f2e4a306dfc6437a8833374a2e686b
Conditional redirects found. Visitors from search engines are redirected
to: htxp://bbodisk.com/?p_id=showpolo&category_use=1&category=ani
Redirect to this URL found in 5 sites
Now I get an Invalid web site provided.
Where it was flagged from, well here, see: http://maldb.com/c8uqtr0.heliumacademy.co.kr/#
Funny we see no alerts on this scan: http://urlquery.net/report.php?id=9423612
also here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fc8uqtr0.heliumacademy.co.kr%2F

Is it already history or is the redirect source dead?
But the redirect source had malware -> South Brisbane QLD AU registered
Error while checking the SSL Certificate!!
-
The SSL Certificate we found on this site is not meant for bbodisk.com, probably this is another site on the same server.

We advise you not to submit any confidential or personal data to this website because a secure connection could not be established with this website.
Bot or Trojan IPs | # of Connections | First Identified | Last Seen | Threat | Danger Level
115.71.2.22 | 2 | 3 years ago | 6 days ago | Modified ITAR | 1
 | | 3 years ago | 6 days ago | Republic of Korea |

polonus


Let us check on another suspicious redirect, http://maldb.com/elcorco.com/#
Conditional redirects found. Visitors from search engines are redirected
to: htxp://dubstep.dumb1.com/
Redirect to this URL found in 1950 sites
Both Bitdefender's TrafficLight and WOT give the redirect as malicious: dubstep dot dumb1 dot com/
-> https://www.mywot.com/en/scorecard/dubstep.dumb1.com
-> https://www.robtex.com/dns/dubstep.dumb1.com.html
-> http://labs.sucuri.net/?details=dubstep.dumb1.com
-> http://www.freemalwarecheck.com/malware-11/unokesyh-dumb1-com-and-dubstep-dumb1-com-removal.html
-> also into PHISHing - http://support.clean-mx.de/clean-mx/phishing?id=3739087

The malcode is only detected by 2 solutions: http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&domain=zlpjh.disrai.dumb1.com
Re: https://www.virustotal.com/nl/file/b21e50d4efb18a2b820c1298c711eed1bb20be5af18c6d5b5646836f9863163b/analysis/

And of course our avast! is one of them,

polonus

This conditional redirect was found in 346 domains (so a malware campaign) -> https://www.virustotal.com/nl/url/10ddf9f88bbf25d9a45fb215832b658c94c1e4e7deebcee1140b243bc0323c7b/analysis/
One of the affected sites: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2F333racing.com
& http://maldb.com/333racing.com/#
How this was performed, read here: https://productforums.google.com/forum/#!topic/webmasters/Lmmo2_skpcg (replies in link from Redleg - the man behind his wellknown fileviewer - he reports
Quote
The redirect to www6 . uiopqw . jkub . com   is typically done with a bit of obfuscated php code
)
-> http://wordpress.org/support/topic/clicking-the-link-leads-to-a-nonexistant-webpage (repair info thanks to esmi there)
and additionally scan report here: http://killmalware.com/infotik.eu/
Here the redirection is missed: http://www.toolshack.com/site?host=http://architectura-perspectiva.com/

polonus
« Last Edit: May 11, 2014, 12:24:59 AM by polonus »