Author Topic: SE visitor redirect detected?  (Read 16318 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
SE visitor redirect detected?
« on: July 06, 2014, 05:22:15 PM »
See: htxp://preferredhotelrates.com/
SE visitors redirects
Visitors from search engines are redirected
to: htxp://opec.lflink.com/
opec.lflink.com is reported by Google as suspicious
7166 sites infected with redirects to this URL
Detection missed here: http://www.websicherheit.at/web-security-test-scanner/
Confirmed here: http://sitecheck.sucuri.net/results/preferredhotelrates.com/
ISSUE DETECTED   DEFINITION   INFECTED URL
Website Malware   malware-entry-mwblacklisted35   htxp://preferredhotelrates.com/about-us
Web application version:
Joomla Version 1.5.18 - 1.5.26 for: http://preferredhotelrates.com//media/system/js/caption.js
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.20 or 3.3

Mentioned in this list: http://johnpc.home.xs4all.nl/vulnerable_sites-ips.txt
Potentially suspicious file:
plugins/content/plugin_jw_ts/tabs_slides_comp.js
Severity:    Potentially Suspicious
Reason:    Detected potentially suspicious content.
Details:   Detected potentially suspicious initialization of function pointer to JavaScript method write: __tmpvar652329893 = write;
Threat dump:   http://jsfiddle.net/pA3SS/
Threat dump MD5:    F04E022C0C9DA0CC04D2535F19F19EEC
File size[byte]:    5367
File type:    ASCII
MD5:    BE7C24CC472F71F680EC3371FEC7C320
Scan duration[sec]:    0.279000

polonus
« Last Edit: July 06, 2014, 05:43:38 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: SE visitor redirect detected?
« Reply #1 on: July 06, 2014, 05:34:05 PM »
probably not a malicious redirect......

preferredhotelrates.com
https://www.virustotal.com/en/file/b7c5c25306d140814fff2b0d287efd5c269a3ee315a8952c7a73ff00db23f4ca/analysis/1404660754/

the redirect site opec.lflink.com/ seems down

Offline polonus

Re: SE visitor redirect detected?
« Reply #2 on: July 06, 2014, 05:39:37 PM »
Hi Pondus,

That could be why scanners do not detect. -> http://wepawet.iseclab.org/view.php?hash=4b87b798f3a22ffd1fa2814bd2d26c9b&t=1362597312&type=js
However site stays vulnerable because of Joomla being out of date and exploitable.

Code is suspicious, see screenshot attached.

Either preferredhotelrates dot com is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY.
« Last Edit: July 06, 2014, 06:28:30 PM by polonus »

Offline polonus

Re: SE visitor redirect detected?
« Reply #3 on: July 06, 2014, 07:53:20 PM »
Here urlquery dot net is not detecting.
Killmalware has it: SE visitors redirects
Visitors from search engines are redirected
to: htxp://kasiacleaningservice.com/blog/?p=5510&comment=497630
120 sites infected with redirects to this URL
as does Sucuri's: http://sitecheck.sucuri.net/results/virgonova.com
Website Malware   malware-entry-mwblacklisted35   htxp://kasiacleaningservice.com/blog/?p=5510&comment=497630
Unable to properly scan your site. Site empty (no content): Content-Length: 0
Misused or defaced server.

pol

Offline polonus

Re: SE visitor redirect detected?
« Reply #4 on: July 06, 2014, 11:25:07 PM »
This site has a malware history in the past: https://www.virustotal.com/nl/file/4e32b9ce70e50bed88eac0a76b0a005dea7e7f88dcaba61968ef20a8c6d7bc15/analysis/
SE visitors redirects
Chain of redirects found:
to: htxp://tinyurl.com/d3z22b6
3890 sites infected with redirects to this URL
to: htxp://www.96khz-productions.com//administrator/components/com_config/views/application/tmpl/www/all.php
6799 sites infected with redirects to this URL
Site blacklisted and probably compromised.
Server redirect
Code: 404, 
Content cannot be read!

See code attached
« Last Edit: July 06, 2014, 11:27:26 PM by polonus »

Offline polonus

Re: SE visitor redirect detected?
« Reply #5 on: July 07, 2014, 11:10:40 AM »
Loads of scanners will miss this SE redirect: http://killmalware.com/nvshu.org/#
Sucuri misses, Web Security Test, zulu Zscaler etc.
Redleg's file viewer has it: The location line in the header above has redirected the request to: htxp://t.ypjd.net/t.php?jiechi-wen-nvshu.org

( If this redirect is not what you expected SEE: Redirects. for some tips on clearing redirects.)
Content displayed is from the redirect location, the URL htxp://t.ypjd.net/t.php?jiechi-wen-nvshu.org
Dynamic Content - policy ref: htxp://www.dsparking.com/w3c/p3p.xml
IP badness history: https://www.virustotal.com/nl/ip-address/208.73.211.191/information/

polonus
« Last Edit: July 07, 2014, 11:21:19 AM by polonus »

Offline polonus

Re: SE visitor redirect detected?
« Reply #6 on: July 09, 2014, 07:46:12 PM »
See: http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2Fwww.clicmotoshop.com
Object: htxp://www.clicmotoshop.com/
SHA1: 8f9e82fa15940564bd46e53c9ecb2add86b01180
Name: TrojWare.JS.Agent.caa
Confirmed as being SEO Spam here: http://sitecheck.sucuri.net/results/www.clicmotoshop.com
Vulnerable site because Web application version:
Joomla Version 1.5.8 to 1.5.14 for: htxp://www.clicmotoshop.com/media/system/js/caption.js
Joomla Version 1.5.14 for: htxp://www.clicmotoshop.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.20 or 3.3
Javascript check:
Suspicious

nguage="javascript"> function dnnviewstate() { var a=0,m,v,t,z,x=new array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','9499907

SEO Spam infection missed overall here: https://www.virustotal.com/nl/url/efc428d25c9322261a322b123aa3e434f3a08a8509f459d77fda3dc89264e675/analysis/1404927680/

But the avast! Web Shield detects this on that site as: JS:Clickjack-A[Trj].
We are being protected.

Damian

Offline polonus

Re: SE visitor redirect detected?
« Reply #7 on: July 09, 2014, 07:58:31 PM »
And another one: http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2Fvmsix.com
SEO Spam malware: http://sitecheck.sucuri.net/results/vmsix.com
Iframe check:
Suspicious
htxp://affl.sucuri.net/?affl=8fedd13cfe82ba6b5fd4a93876cc2065&noredir&trid=sitecheckwarnnew3'
Javascript check:
Suspicious

'+x[1]+'}</'+x[0]+'>');}dnnviewstate();
known javascript malware. details: h...
Included scripts checked:
Suspect - please check list for unknown includes


Suspicious Script:
   sucuri.net//js/bootstrap.min.js
   getmama-encoded-javascript.html'>new malware – eval + getmama + encoded javascript</a></li> <li><a href='htxps://sucuri.net/wordpress
Suspicious Script:
   sucuri.net//js/offcanvas.js
   getmama-encoded-javascript.html'>new malware – eval + getmama + encoded javascript</a></li> <li><a href='htxps://sucuri.net/wordpress

polonus

Offline polonus

Re: SE visitor redirect detected?
« Reply #8 on: July 12, 2014, 08:43:36 PM »
VirusTotal does not have it: https://www.virustotal.com/nl/url/9c623d1af66a3cc4f6ec981b3478c13479505a0a171e1a2b2bacc6a8e8a4ec46/analysis/
as does Quttera's: http://quttera.com/detailed_report/www.opf.pt
Sucuri gives it all: http://sitecheck.sucuri.net/results/www.opf.pt  Infested with SEO-Spam
and Javascript Check

Suspicious

guage="javascript">function dnnviewstate(){var a=0,m,v,t,z,x=new array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990

Read: http://vel.joomla.org/articles/844-spotting-spam-code-in-malicious-extensions.html  (link author = Vel)

Trojan detected:
Object: htxp://www.opf.pt/
SHA1: 5388db16362c6f84c0131cfaa2a236f45c767918
Name: TrojWare.JS.Agent.caa

Malcode on other domain with same IP: https://www.virustotal.com/nl/url/4abeed786ba49572fcfc80142193f23eef1c52c657ea6835b15a0418db5ec1b1/analysis/

polonus
« Last Edit: July 12, 2014, 08:48:16 PM by polonus »

Offline polonus

Re: SE visitor redirect detected?
« Reply #9 on: July 13, 2014, 03:02:56 PM »
iFrame malware on site missed by many scanners.
Detected here: http://killmalware.com/ffinlo.com/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://uk.cvrcc.com/?ffinlo.com
3 sites infected with redirects to this URL -> https://www.mywot.com/en/scorecard/cvrcc.com?utm_source=addon&utm_content=popup
Missed at recommended scanner: http://sitecheck.sucuri.net/results/ffinlo.com/
and here: http://zulu.zscaler.com/submission/show/f2a218aa5842b6bad801f378ea2b2f9f-1405256029
Google browser diff: Not identical

Google: 5683 bytes       Firefox: 0 bytes
Diff:         5683 bytes

First difference:
="eng"> <head> <title>discount authentic michael kors handbags uk outlet dot online < ffinlo dot com</title> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"...

Errors and warnings on site, see: https://asafaweb.com/Scan?Url=ffinlo.com

polonus
« Last Edit: July 13, 2014, 03:07:42 PM by polonus »

Offline polonus

Re: SE visitor redirect detected?
« Reply #10 on: July 14, 2014, 06:53:28 PM »
Site vulnerable because of outdated Drupal -> Drupal under 6.31 or 7.27
http://killmalware.com/chudovperjax.ru/#
Missed by most scanners:
http://www.urlvoid.com/scan/chudovperjax.ru/
Injection check:
Suspicious Text before HTML

<a href="htxp://cheapdrugswithoutrx.com/buy-generic-wellbutrin-sr-online/">order bupropion</a>
Javascript check:
Suspicious

><img src="htxp://chudovperjax.ru/sites/default/files/imagecache/small/_mg_9028_thumb_0.jpg" alt="" title="" class="imagecache imagecache-small" width="106" height="106" /><span c...

404-error check:
Suspicious

Suspicious 404 Page:
   .ru/click' "+ "target=_blank><img src='//counter.yadro dot ru/hit?t14.6;r"+ escape(document.referrer)+((typeof(screen)=="und

polonus


Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Re: SE visitor redirect detected?
« Reply #11 on: July 14, 2014, 09:54:44 PM »
Quote from: polonus on July 14, 2014, 06:53:28 PM
    Site vulnerable because of outdated Drupal -> Drupal under 6.31 or 7.27
    http://killmalware.com/chudovperjax.ru/#
    Missed by most scanners:
    http://www.urlvoid.com/scan/chudovperjax.ru/
    Injection check:
    Suspicious Text before HTML

    <a href="htxp://cheapdrugswithoutrx.com/buy-generic-wellbutrin-sr-online/">order bupropion</a>
    Javascript check:
    Suspicious

    ><img src="htxp://chudovperjax.ru/sites/default/files/imagecache/small/_mg_9028_thumb_0.jpg" alt="" title="" class="imagecache imagecache-small" width="106" height="106" /><span c...

    404-error check:
    Suspicious

    Suspicious 404 Page:
       .ru/click' "+ "target=_blank><img src='//counter.yadro dot ru/hit?t14.6;r"+ escape(document.referrer)+((typeof(screen)=="und

    polonus
Some scanners I use are showing some issues:
http://sitecheck.sucuri.net/results/chudovperjax.ru
http://zulu.zscaler.com/submission/show/842c036f7d61b89902ddeccd334af142-1405367207
Some not:
http://urlquery.net/report.php?id=1405367350576
https://www.virustotal.com/en/url/28969c8058f4a122061eae6959d58b8578d88a42874ed73615c6c8ceb865ea73/analysis/1405367300/
No a/v solution is detecting so far.

Seems work needs to be done here in protecting avast! users against these specific sorts of threats.
Windows 11 Home 23H2
Windows 11 Pro 23H2
Avast Premier Security version 24.8.6127 (build 24.8.9372.868)
UI version 1.0.814

Offline polonus

Re: SE visitor redirect detected?
« Reply #12 on: July 14, 2014, 10:10:37 PM »
Hi mchain,

Seems a pharmaco-spam site for a known anti-depressant (bupropion aka Wellbutrin).
see what quttera flags attached.
misc/jquery.js?9
Severity:    Potentially Suspicious
Reason:    Detected potentially suspicious content.
Details:   Detected potentially suspicious initialization of function pointer to JavaScript method eval: __tmpvar1141815228 = eval; That could be part of a dangerous website jQuery injection and theme hack attack and so it should be flagged!

That's why, mchain, we're both into this just to improve avast! detection rate, that is the only valid reason for us. ;D

polonus

« Last Edit: July 14, 2014, 10:17:51 PM by polonus »
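The Quttera findings quoted in the opening post ("__tmpvar652329893 = write;") and in Reply #12 ("__tmpvar1141815228 = eval;"), together with the "new array('9091968376', ...)" fragment in Replies #6 and #8, are the kind of pattern a static pre-filter can pick out of a site's scripts before anyone reads the file by hand. The Python below is an added example written for this thread; it is not Quttera's, Sucuri's or avast!'s code. The sink list, the regexes and the two sample scripts are constructed here (the infected sample reuses the fragments quoted above). It flags a variable that aliases a dangerous sink, notes whether that alias is later invoked, and flags an array of long all-digit strings of the sort used to carry an encoded payload.

```python
"""Heuristic static check for JavaScript that hides a dangerous sink behind an
alias ("__tmpvar = write;" / "__tmpvar = eval;") or carries its payload as an
array of long digit strings.  Added example for this thread; sink list and
patterns are this example's own choices, not a scanner vendor's."""
import re
from typing import List, Tuple

# Sinks whose aliasing is a common obfuscation step (assumed list, extend as needed).
SINKS = ("eval", "write", "writeln", "unescape", "Function", "setTimeout")

# "<alias> = write;"  or  "<alias> = document.write;"  or  "<alias> = window.eval;"
ALIAS_RE = re.compile(
    r"\b(?P<alias>[A-Za-z_$][\w$]*)\s*=\s*"
    r"(?:(?:window|document|self|this)\s*\.\s*)?"
    r"(?P<sink>" + "|".join(SINKS) + r")\s*;"
)

# new Array('9091968376', '8887...', ...): three or more quoted strings of 6+ digits.
# Case-insensitive because the scanner output in the thread lower-cased "array".
DIGIT_ARRAY_RE = re.compile(
    r"new\s+Array\s*\(\s*(?:['\"]\d{6,}['\"]\s*,\s*){2,}['\"]\d{6,}['\"]", re.I
)


def scan_js(src: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for one script body."""
    findings: List[Tuple[str, str]] = []
    for m in ALIAS_RE.finditer(src):
        alias, sink = m["alias"], m["sink"]
        # An alias that is actually called later is stronger evidence than a bare assignment.
        called = re.search(r"\b" + re.escape(alias) + r"\s*\(", src[m.end():]) is not None
        detail = f"{alias} = {sink}" + (" (alias is called)" if called else "")
        findings.append(("sink-alias", detail))
    m = DIGIT_ARRAY_RE.search(src)
    if m:
        findings.append(("encoded-payload-array", m.group(0)[:60] + "..."))
    return findings


# Constructed sample modelled on the fragments quoted in this thread.
SAMPLE_INFECTED = """
var __tmpvar652329893 = write;
function dnnviewstate(){var a=0,m,v,t,z,x=new array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990');
 __tmpvar652329893(t);}
"""

# Constructed benign sample: a variable whose name merely starts with "eval".
SAMPLE_CLEAN = """
var evalCount = 0; var rows = new Array('alpha', 'beta', 'gamma');
document.getElementById('out').textContent = String(evalCount);
"""

if __name__ == "__main__":
    for label, src in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, scan_js(src) or "no findings")
```

The check is a triage aid, not a verdict: minified libraries also alias globals, which is why a hit inside misc/jquery.js?9 as in Reply #12 deserves a diff against the pristine library release of the same version before it is called an injection.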

Offline polonus

Re: SE visitor redirect detected?
« Reply #13 on: July 16, 2014, 02:00:02 PM »
Here the network is spreading all sorts of live malware for various domains: http://www.worldguide.pt/clean-mx/viruses.php?inetnum=204.12.0.0%20-%20204.12.127.255&sort=id%20DESC&response=alive
Part of this: http://killmalware.com/jacksongray.com/#
SE visitors redirects
Chain of redirects found:
to: htxp://www.topmichaelkorsoutletsales.com/
0 sites infected with redirects to this URL
to: htxp://www.millionculturalrelicsin.info/
11 sites infected with redirects to this URL
Completely missed here: http://zulu.zscaler.com/submission/show/014919d31b53184977f1e6bff10d5e64-1405511544
Sucuri has it: ISSUE DETECTED   DEFINITION   INFECTED URL
Website Malware   MW:HTA:7   htxp://jacksongray.com/ ( View Payload )
Suspicious conditional redirect. Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:htxp://www.millionculturalrelicsin.info/

pol
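Every "SE visitors redirects" verdict in this thread (the opening post, the Google-versus-Firefox byte diff in Reply #9, Sucuri's MW:HTA:7 "suspicious conditional redirect" in Reply #13) rests on one observation: the server answers differently depending on who appears to be asking. The Python below is an added example written for this thread, not code from killmalware, Sucuri or any other tool named here. It fetches one URL under three client profiles (plain browser, browser arriving from a Google search, Googlebot) without following redirects, then reports every difference in status, Location header or body hash against the plain-browser baseline. The header values, the .invalid hostnames and the simulated responder used for offline testing are constructed; live_fetch is the real network path.

```python
"""Probe one URL under several client profiles and report when the answer depends
on the asker -- the signature of a search-engine-visitor redirect ("cloaking").
Added example for this thread; profiles and hostnames are constructed."""
import hashlib
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]            # status, headers, body
Fetcher = Callable[[str, Dict[str, str]], Response]

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"
PROFILES: Dict[str, Dict[str, str]] = {
    "direct":      {"User-Agent": BROWSER_UA},
    "from_google": {"User-Agent": BROWSER_UA,
                    "Referer": "https://www.google.com/search?q=hotel+rates"},
    "googlebot":   {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                  "+http://www.google.com/bot.html)"},
}


@dataclass
class Observation:
    status: int
    location: str
    body_len: int
    body_sha1: str


def observe(fetch: Fetcher, url: str, headers: Dict[str, str]) -> Observation:
    status, hdrs, body = fetch(url, headers)
    location = {k.lower(): v for k, v in hdrs.items()}.get("location", "")
    return Observation(status, location, len(body), hashlib.sha1(body).hexdigest())


def compare_profiles(url: str, fetch: Fetcher) -> dict:
    """Fetch once per profile; list every way a profile differs from 'direct'."""
    obs = {name: observe(fetch, url, hdrs) for name, hdrs in PROFILES.items()}
    base = obs["direct"]
    findings: List[str] = []
    for name, o in obs.items():
        if name == "direct":
            continue
        if (o.status, o.location) != (base.status, base.location):
            findings.append(f"{name}: {o.status} -> {o.location or '(no Location)'} "
                            f"vs direct {base.status} -> {base.location or '(no Location)'}")
        elif o.body_sha1 != base.body_sha1:
            findings.append(f"{name}: body differs ({o.body_len} vs {base.body_len} bytes)")
    return {"observations": obs, "findings": findings, "suspicious": bool(findings)}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as HTTPError instead of following it


def live_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Real fetcher (needs network): one request, redirects NOT followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx all land here
        return e.code, dict(e.headers), e.read()


def simulated_cloaking_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed offline stand-in for a compromised host: browsers get the real
    page, search-engine referrals get bounced, crawlers get a spam page (the
    'Google: 5683 bytes / Firefox: 0 bytes' shape seen in Reply #9)."""
    ua, ref = headers.get("User-Agent", ""), headers.get("Referer", "")
    if "Googlebot" in ua:
        return 200, {"Content-Type": "text/html"}, b"<title>cheap handbags outlet</title>" * 20
    if "google." in ref:
        return 302, {"Location": "http://redirect-target.invalid/"}, b""
    return 200, {"Content-Type": "text/html"}, b"<html><body>Welcome to our hotel</body></html>"


def simulated_clean_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed offline stand-in for a healthy host: same page for everyone."""
    return 200, {"Content-Type": "text/html"}, b"<html><body>Same page for everyone</body></html>"


if __name__ == "__main__":
    for label, fetcher in (("cloaking", simulated_cloaking_fetch), ("clean", simulated_clean_fetch)):
        result = compare_profiles(f"http://{label}.invalid/", fetcher)
        print(label, "SUSPICIOUS" if result["suspicious"] else "consistent", result["findings"])
```

Run compare_profiles with live_fetch against a site you administer to reproduce a killmalware-style check. A 302 that appears only for the from_google profile, or a body that only Googlebot receives, is exactly what the scanners above call an SE redirect, and the diff also tells you which condition (Referer or User-Agent) the injected code keys on, which is the first thing to look for in the site's PHP and .htaccess when cleaning up.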

Offline polonus

Re: SE visitor redirect detected?
« Reply #14 on: July 18, 2014, 08:51:15 PM »
Detected by Sucuri's http://sitecheck.sucuri.net/results/www.sacketsharborny.com
Infected with SEO Spam: SEO Spam   MW:SPAM:SEO   htxp://www.sacketsharborny.com
SEO Spam   MW:SPAM:SEO   htxp://www.sacketsharborny.com/404testpage4525d2fdc
SEO Spam   MW:SPAM:SEO   htxp://www.sacketsharborny.com/index.php/visit-and-stay-here/entertainment
Missed here: http://killmalware.com/www.sacketsharborny.com/
and here: http://zulu.zscaler.com/submission/show/036bdad4be0bae6b4312a11f0ef7a9a1-1405708939
Comodo detects: Trojans detected:
Object: http://www.sacketsharborny.com/
SHA1: 67565f1579f03e2e26162038b3788ef02aeb4d75
Name: TrojWare.JS.Agent.caa
Flagged twice here: https://www.virustotal.com/nl/url/a9278f1241b22751e1c6ac0ec05ee21e8b0442b66b6c1d729790ff56e4c008f2/analysis/1405709366/
Also consider: http://sameid.net/ip/50.87.39.164/
Site was vulnerable because of Web application details:
Running cPanel 11.42.1.21: radioislam.tv:2082
cPanel version 11.42.1.21 outdated: Upgrade required.
Outdated cPanel Found: cPanel 11.42.1.21

polonus
« Last Edit: July 23, 2014, 05:49:28 PM by polonus »