Author Topic: SE visitor redirect detected?  (Read 16317 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #15 on: July 18, 2014, 09:36:07 PM »
Blacklisted by Yandex: https://www.virustotal.com/nl/url/a5b6f9763016a2f8cde7b573098f3f128da0df479543bc6cdf7c77fd5036e55f/analysis/1405711467/
Found to be suspicious: http://zulu.zscaler.com/submission/show/ad67cae331de03997f52a653dcaddca6-1405711429
Site likely compromised (hacked) and potentially harmful: http://sitecheck.sucuri.net/results/hpft.ru/
http://killmalware.com/hpft.ru/#
SE visitors redirects
Chain of redirects found:
to: htxp://avicennahealth.org/templates/beez/html/mod_poll/1/all.php
0 sites infected with redirects to this URL
to: htxp://www.caribsoft-online.biz/templates/rhuk_solarflare_ii/images/index.php
www.caribsoft-online.biz is reported by Google as suspicious
860 sites infected with redirects to this URL
external link to hxtp://inetlog.ru/ blocked
external link with bad web rep: https://www.mywot.com/en/scorecard/hpft.ru?utm_source=addon&utm_content=warn-viewsc

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Re: SE visitor redirect detected?
« Reply #16 on: July 18, 2014, 10:53:59 PM »
Not only that, FF 30.0 gets into the act, too re hxxp://www.caribsoft-online.biz/ when you click that too.

See attached below:
Windows 11 Home 23H2
Windows 11 Pro 23H2
Avast Premier Security version 24.8.6127 (build 24.8.9372.868)
UI version 1.0.814

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #18 on: July 19, 2014, 05:02:00 PM »
Flagged here: http://sitecheck.sucuri.net/results/palmgren.net
ISSUE DETECTED   DEFINITION   INFECTED URL
Website Malware   malware-entry-mwhta7?v3   htxp://palmgren.net/404testpage4525d2fdc ( View Payload )
Website Malware   malware-entry-mwhta7?v3   htxp://palmgren.net/404javascript.js ( View Payload )
Website Malware   malware-entry-mwhta7?v3   htxp://palmgren.net ( View Payload )
Website Malware   MW:HTA:7   htxp://palmgren.net ( View Payload )
Known javascript malware. Details: htxp://sucuri.net/malware/malware-entry-mwhta7?v3
Location: htxp://softwareid.ru/zisec/index.php
SE visitors redirects
Visitors from search engines are redirected
to: htxp://softwareid.ru/zisec/index.php
10 sites infected with redirects to this URL
Flagged: http://killmalware.com/palmgren.net/#

This should not be available: htxps://secure.servage.net/**/login/  ** broken by me, polonus
nor this wXw.servage.net/products_services/website_builder/ HTTP/1.1
"This Servage Hosting customer has not yet uploaded any index file."

Redirect host down: GET //softwareid dot ru/ HTTP/1.1
Host: softwareid dot ru --- > no response

polonus

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Re: SE visitor redirect detected?
« Reply #20 on: July 19, 2014, 10:37:09 PM »
Detected by Sucuri's http://sitecheck.sucuri.net/results/www.sacketsharborny.com
Infected with SEO Spam: SEO Spam   MW:SPAM:SEO   htxp://www.sacketsharborny.com
SEO Spam   MW:SPAM:SEO   htxp://www.sacketsharborny.com/404testpage4525d2fdc
SEO Spam   MW:SPAM:SEO   htxp://www.sacketsharborny.com/index.php/visit-and-stay-here/entertainment
Missed here: http://killmalware.com/www.sacketsharborny.com/
and here: http://zulu.zscaler.com/submission/show/036bdad4be0bae6b4312a11f0ef7a9a1-1405708939
Comodo detects: Trojans detected:
Object: hxxp://www.sacketsharborny.com/
SHA1: 67565f1579f03e2e26162038b3788ef02aeb4d75
Name: TrojWare.JS.Agent.caa
Flagged twice here: https://www.virustotal.com/nl/url/a9278f1241b22751e1c6ac0ec05ee21e8b0442b66b6c1d729790ff56e4c008f2/analysis/1405709366/
Also consider: http://sameid.net/ip/50.87.39.164/

polonus
Confirmed.

avast! now blocks JS:Clickjack-B (Trj).  See attached below:   (Link modified in quote to prevent malicious trojan download)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #21 on: July 20, 2014, 11:06:23 PM »
Not detected at ZuluZscaler and Sucuri's: http://killmalware.com/moreperfectunion.org/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php
4231 sites infected with redirects to this URL
Missed here: http://zulu.zscaler.com/submission/show/776a80cf110d0f40e77f4cc2b932397e-1405889973
Site probably vulnerable because of outdated CMS:
ISSUE DETECTED            DEFINITION                   VULNERABLE HEADER
Outdated Joomla Found   Security Announcements   Joomla under 2.5.20 or 3.3

pol

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #22 on: July 21, 2014, 08:22:22 PM »
Re: http://killmalware.com/shleiyan.com/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://vip886.woai778.com/register.aspx
35 sites infected with redirects to this URL
Website Malware   malware-entry-mwanomalysp8   htxp://shleiyan.com ( View Payload )
Website Malware   malware-entry-mwanomalysp8   htxp://shleiyan.com/index.php ( View Payload )
Website Malware   malware-entry-mwanomalysp8   htxp://shleiyan.com/page/html/company.php ( View Payload )
Website Malware   malware-entry-mwanomalysp8   htxp://shleiyan.com/product/class ( View Payload )
Website Malware   malware-entry-mwanomalysp8   htxp://shleiyan.com/news/class/ ( View Payload )
Website Malware   malware-entry-mwanomalysp8   htxp://shleiyan.com/page/html/cert.php ( View Payload )
Anomaly behavior detected (possible malware). Details: htxp://sucuri.net/malware/malware-entry-mwanomalysp8
Code:
<script type="text/javascript" src="htxp://www.passit.cn/js/passit_float_new.js?pub=0&img_src=btn18&move=0&simple=1" charset="UTF-8"></script>
Malicious external element:
htxp://s6.cnzz.com/stat.php?id=5251118&web_id=5251118&show=pic2   script   Malicious -> https://www.mywot.com/en/scorecard/s6.cnzz.com?utm_source=addon&utm_content=popup

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #23 on: July 22, 2014, 07:15:18 PM »
Here we have a site with a SE conditional redirect, with IP blacklist and VT detection condition and web rep issues.
See: http://killmalware.com/ccsiusainc.com/#
Missed completely here: https://www.virustotal.com/nl/url/20bcad1368404db0a753f2a3677e611b2bd43c6d2260fb9b1a0db3e54d02af68/analysis/1406048676/
and here: http://zulu.zscaler.com/submission/show/a8f00a6ec843f125a145279698821860-1406048782

Sucuri's as recommended scanner is quite certain about the site being infested:

ISSUE DETECTED   DEFINITION   INFECTED URL
Website Malware   MW:HTA:7   htxp://ccsiusainc.com/
Suspicious conditional redirect. Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:htxp://abe.muhay.eu/s.php 846 sites infected with redirects to this URL.

IP blacklisted with 9 instances: http://www.ip-finder.me/97.74.144.180/

IP badness and detection history: https://www.virustotal.com/nl/ip-address/97.74.144.180/information/

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #24 on: July 22, 2014, 07:48:34 PM »
Site infested via .htaccess and SEO conditional redirect to rogue browser hijacker:
See: http://killmalware.com/loaapa.com/
Conditional redirect goes to htxp://doctornger.com/rg-erdr.php?_rpo=t nfwzfze&_rdm=qwb4wb 
Bad web rep: https://www.mywot.com/en/scorecard/doctornger.com?utm_source=addon&utm_content=popup
Redirect to rogue browser hijacker.
WOT and avast block the access to an external link: htxp://searchremagnified.com/sk-domsale.php?dom=doctornger.c

polonus
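The .htaccess infection named in the reply above is something a site owner can audit directly: injected rule sets test HTTP_REFERER or HTTP_USER_AGENT for search-engine names and then rewrite to a script on another host, and the same file is often used to hijack the 404 page (the "404testpage" and "Suspicious 404 Page" entries elsewhere in this thread). The audit below is an added example written for this page, not code from the thread, from killmalware or from Sucuri; SAMPLE_HTACCESS is a constructed rule set and the hosts example.org and redirect.example are placeholders.

```python
"""Audit an Apache .htaccess for search-engine-conditional redirects.

Added example (editor's code, not from the thread or from any scanner).
SAMPLE_HTACCESS is constructed to look like an injected rule set; the
hosts example.org and redirect.example are placeholders."""
import re
from urllib.parse import urlsplit

SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn|ask|live)\\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule .* http://redirect.example/s.php [R=302,L]
ErrorDocument 404 http://redirect.example/404.php
"""

# Names that injected conditions test for in the Referer or User-Agent.
SEARCH_ENGINE_WORDS = re.compile(r"google|yahoo|bing|msn|aol|ask|yandex|baidu", re.I)
REDIRECTING = ("RewriteRule", "ErrorDocument", "Redirect", "RedirectMatch")


def audit_htaccess(text, site_host):
    """Return [(line_no, reason), ...] for the rules worth a closer look.

    Flags: a RewriteCond that tests HTTP_REFERER or HTTP_USER_AGENT for a
    search-engine name; any rule whose target is a URL on a host other than
    site_host; and, marked specially, a RewriteRule that redirects off-site
    while such a condition is pending (the "SE visitors redirect" pattern).
    """
    findings = []
    se_condition_pending = False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0]
        if directive == "RewriteCond" and len(parts) >= 3:
            var, pattern = parts[1], parts[2]
            if var in ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}") and SEARCH_ENGINE_WORDS.search(pattern):
                findings.append((no, f"search-engine condition on {var}"))
                se_condition_pending = True
            continue  # conditions chain until the next RewriteRule
        if directive in REDIRECTING:
            # First absolute URL in the directive is its target, if any.
            target = next((t for t in parts[1:]
                           if t.lower().startswith(("http://", "https://"))), None)
            host = urlsplit(target).hostname if target else None
            if host and host != site_host:
                reason = f"{directive} sends visitors off-site to {host}"
                if se_condition_pending and directive == "RewriteRule":
                    reason = "conditional SE redirect: " + reason
                findings.append((no, reason))
        if directive == "RewriteRule":
            se_condition_pending = False  # a rule consumes its preceding conditions
    return findings


if __name__ == "__main__":
    for line_no, reason in audit_htaccess(SAMPLE_HTACCESS, "example.org"):
        print(f"line {line_no}: {reason}")
```

Run it over every .htaccess in the web root (subdirectories included, since injected files are often dropped into template and cache folders) and treat any off-site target as something to explain, not just the conditional ones; a legitimate rewrite to your own CDN or a renamed domain will show up too, which is the point of reviewing by hand.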

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #25 on: July 22, 2014, 08:04:19 PM »
Blacklisted site with SE redirect: http://killmalware.com/dsfdelmec.co.uk/#
Server redirect: Code: 302,  http://candice-accola.org/mocf.html?h=1487472

Redirect to external server! Visitors from search engines are redirected
to: htxp://candice-accola.org/mocf.html?h=1487472
166 sites infected with redirects to this URL
Web application details:
Running cPanel 11.44.0.29: candice-accola.org:2082
The following cPanel & WHM versions address all known vulnerabilities:

* 11.44.1.5 & Greater
* 11.44.0.29 & Greater
* 11.42.1.23 & Greater
* 11.40.1.18 & Greater

pol


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #26 on: July 22, 2014, 10:07:02 PM »
Known spam detected: Known Spam detected. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    <title>Online Pharmacy - Genuine Medications, Fast Delivery, Lowest Prices In the Market</title>
for http://killmalware.com/mirotelei.ru/#
SE visitors redirects
Visitors from search engines are redirected
to: http://loopdown.lflinkup.com/
3424 sites infected with redirects to this URL  (quite some campaign).
Site vulnerable through outdated CMS: Web application version:
Joomla Version 1.0.12 to 1.0.15 for: htxp://mirotelei.ru//mambots/editors/tinymce/jscripts/tiny_mce/plugins/flash/editor_plugin.js
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.20 or 3.3
See suspicious external elements on scan here: http://zulu.zscaler.com/submission/show/093bebc5cf3a2b804bdcd3774fb4c059-1406059136

pol

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #27 on: July 23, 2014, 03:46:24 PM »
SE redirect SE visitors redirects
Visitors from search engines are redirected
to: http://security.0oq.ru/?ref=skarmanis.ru
60 sites infected with redirects to this URL
on http://killmalware.com/skarmanis.ru/
Server Redirect: Code: 500, 
Content cannot be read!
Javascript Check: Suspicious
onnection: close server: jino.ru/mod_pizza location: htxp://security.0oq.ru/?ref=skarmanis.ru expires: wed, 11 jan 1984 05:00:00 gmt last-modified: wed, 23 jul 2014 13:39:19 gm...
404 error Check:
Suspicious

Suspicious 404 Page:
   .ru/mod_pizza location: htxp://security.0oq.ru/?ref=skarmanis.ru expires: wed, 11 jan 1984 05:00:00 gmt last-modified

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #28 on: July 23, 2014, 05:47:13 PM »
SEO Spam detected:
SE visitors redirects
Visitors from search engines are redirected
to: htxp://www.femilypharma1.com/
101 sites infected with redirects to this URL from, see: http://killmalware.com/radioislam.tv/#
Known Spam detected. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
        <title>Order b*spirone no prescription - Official Drugstore</title>
Spam Check:
Suspicion of Spam

/bpm.unnes.ac.id/where-to-buy-vi*gr*-in-london/">buy generic v*ltrex online no prescription</a> <a href="http://rikyc.mo...
Side-wide check:
Suspicious

lrt0jg">buy coum*din tester - canadian pharmacy!</a></h3><div class="s"><div class="kv" style="margin-bottom:2px"><cite>

Google browser difference:
Not identical

Google: 23185 bytes       Firefox: 370 bytes
Diff:         22815 bytes

First difference:
ng="en"> <head profile="htxp://gmpg.org/xfn/11"> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>order b*spirone no prescription -...

Detection completely missed here: http://zulu.zscaler.com/submission/show/160eedfd85567745651e294a9ac8d5a7-1406130274

polonus
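The scanner output quoted in the last two replies boils down to two comparisons: request the page as a plain browser, as a visitor coming from a Google search, and as a crawler, then look for an off-site Location header (the 302/500 with "location: htxp://security.0oq.ru/..." in Reply #27) and for a large size difference between what Google and Firefox receive (23185 vs 370 bytes in Reply #28). The probe below reproduces those checks for use against one's own site. It is an added example written for this page, not killmalware's or Sucuri's code; fake_fetch is a constructed stand-in for a compromised server so the logic runs offline, and victim.example and redirect.example are placeholder hosts.

```python
"""Probe a URL for search-engine-conditional redirects and cloaking.

Added example (editor's code, not from the thread or any scanner).  The
live fetcher uses urllib without following redirects; fake_fetch is a
constructed test double, and the hosts used with it are placeholders."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"

# Request profiles; injected code usually keys on one of these headers.
PROFILES = {
    "browser": {"User-Agent": FIREFOX_UA},
    "from_google": {"User-Agent": FIREFOX_UA,
                    "Referer": "https://www.google.com/search?q=site"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, headers):
    """Live fetcher: (status, headers, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, dict(err.headers), err.read()


def fake_fetch(url, headers):
    """Constructed stand-in for a compromised site (offline test double)."""
    normal = b"<html><body>" + b"Welcome to our site. " * 60 + b"</body></html>"
    spam = b"<html><title>Online Pharmacy</title>" + b"buy cheap pills " * 1400 + b"</html>"
    if "google.com" in headers.get("Referer", ""):
        return 302, {"Location": "http://redirect.example/s.php"}, b""
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, {"Content-Type": "text/html"}, spam  # cloaked content
    return 200, {"Content-Type": "text/html"}, normal


def probe(url, fetch=urllib_fetch):
    """Return {profile: finding} for profiles that behave suspiciously.

    A finding is an off-site Location header under any profile, or (for the
    non-browser profiles) a different status or a body whose size differs
    from the browser's by more than half; the size rule is a heuristic.
    """
    site_host = urlsplit(url).hostname
    results = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    base_status, _, base_body = results["browser"]
    findings = {}
    for name, (status, hdrs, body) in results.items():
        location = next((v for k, v in hdrs.items() if k.lower() == "location"), None)
        loc_host = urlsplit(location).hostname if location else None
        if loc_host and loc_host != site_host:
            findings[name] = f"redirect ({status}) to external host {loc_host}"
        elif name != "browser" and (status != base_status or
                                    abs(len(body) - len(base_body)) > 0.5 * max(len(base_body), 1)):
            findings[name] = (f"content differs: {status} / {len(body)} bytes "
                              f"vs browser {base_status} / {len(base_body)} bytes")
    return findings


if __name__ == "__main__":
    for profile, finding in probe("http://victim.example/", fetch=fake_fetch).items():
        print(f"{profile}: {finding}")
```

Against a real host, call probe(url) with the default fetcher; also fetch a path that should 404 the same way, since the thread shows the 404 handler being hijacked as often as the front page. A clean site returns the same status and roughly the same size to all three profiles, and any Location header it sends stays on its own host.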

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: SE visitor redirect detected?
« Reply #29 on: July 24, 2014, 12:06:43 AM »
I received following very interesting observations from my good forum friend mchain:
Quote
Could it be that zulu detects nothing because site appears to be down (timed out)?  Showing no content:
(Results of urlquery scan)
http://urlquery.net/report.php?id=1406143819844
http://urlquery.net/report.php?id=1406146546913

http://www.downforeveryoneorjustme.com/radioislam.tv/

Just wondering.
I answered him:
Quote
-s
Strange as I get this now from http://www.downforeveryoneorjustme.com/radioislam.tv/  it is up.
Maybe it was down for cleansing. DrWeb's URL checker: Checking: htxp://radioislam.tv/
Engine version: 7.0.9.4080
Total virus-finding records: 5382155
File size: 201 bytes
File MD5: df36865edfc13b8c114e47214b94fc21

htxp://radioislam.tv/ - Ok
Was posted at wg/clean-mx/viruses.php, now no longer there, showing how short-lived online malcode can be.
Site IP also mentioned in PHiSHing.

polonus