Author Topic: SE visitors redirect to spam and smut...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
SE visitors redirect to spam and smut...
« on: May 28, 2016, 06:21:43 PM »
See: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fradioactiveabsorbents.com&ref_sel=GSP2&ua_sel=ff&fs=1
In the browser we get "a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request".
Vulnerable nameserver (DROWN exploit): ns41.domaincontrol.com -> http://toolbar.netcraft.com/site_report?url=http://radioactiveabsorbents.com
Questionable web rep for reverse dns: https://www.mywot.com/en/scorecard/p3nlh137.shr.prod.phx3.secureserver.net?utm_source=addon&utm_content=rw-viewsc
This website is insecure.
50% of the trackers on this site could be protecting you from NSA snooping. Tell secureserver.net to fix it.
At least 2 third parties know you are on this webpage:
-shaaaaaaaaaaaaa.com
-p3nlh137.shr.prod.phx3.secureserver.net

and also DROWN vulnerable: https://test.drownattack.com/?site=P3NLH137.SHR.PROD.PHX3.SECURESERVER.NET

See: https://seomon.com/domain/radioactiveabsorbents.com/performance/

Spam via domain parking hack: https://seomon.com/domain/radioactiveabsorbents.com/dns/

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: SE visitors redirect to spam and smut...
« Reply #1 on: May 29, 2016, 01:16:09 AM »
Probably this website is a victim of the same SE redirection campaign, which has infested 162 sites so far.
This all according to this scan: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fcordycepssupplier.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1
PHP vulnerable: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcordycepssupplier.com%2Fcontact.php

Insecure IDs tracking: 66% of the trackers on this site could be protecting you from NSA snooping. Tell cordycepssupplier.com to fix it.
At least 3 third parties know you are on this webpage:
-Google
-shaaaaaaaaaaaaa.com
-cordycepssupplier.com

See: -http://cordycepssupplier.com/contact.php
Detected libraries:
jquery - 1.2.6 : (active1) -http://cordycepssupplier.com/smenu/jquery.min.js *
Info: Severity: medium
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

Checking for errors here:
Code:
script
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     error: line:3: SyntaxError: invalid flag after regular expression:
          error: line:3: s,"form")?jQuery.makeArray(this.elements):this;}).filter(function(){return this.name&&!this.disabled&&(this.checked||/select|textarea/i.test(this.nodeName)||/text|hidden|password/i.test(this.type));}).map(function(i,elem){var val=jQuery(this).val();re
          error: line:3: ^
Input field values, an invalid flag etc. could mean a missing "," following the last option, a forgotten quote (") etc. Get the value of the form elements.

Luckily these are all "same origin" scripts:
<script type="text/javascript" src="smenu/jquery.min.js"></script>    Same origin
<script type="text/javascript" src="smenu/ddsmoothmenu.js"></script>    Same origin

Read on cleansing redirects: -https://aw-snap.info/articles/redirects.php

Avast seems to detect this malcode as PHP:Redirector-Z [Trj].

Site has GoDaddy abuse; reverse DNS with questionable web rep: -sg2nlhg268c1268.shr.prod.sin2.secureserver.net

Vulnerable nameserver (DROWN exploit): https://test.drownattack.com/?site=ns31.domaincontrol.com

Also consider this and where it lands: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcordycepssupplier.com%2Fcordyceps_usage_instruction.php

polonus (volunteer website security analyst and website error-hunter)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: SE visitors redirect to spam and smut...
« Reply #3 on: May 30, 2016, 11:54:59 PM »
Another one that fits this SE redirect campaign: http://killmalware.com/ifcss.org/# 
GoDaddy abuse again!
The script that comes loaded: -http://ifcss.org/home/wp-content/themes/df_marine/accordian.js
Re: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fifcss.org%2Fhome%2Fwp-content%2Fthemes%2Fdf_marine%2Faccordian.js
and see where it lands - let us look at that code: nothing detected - but where it lands we have
Code:
     info: [decodingLevel=0] found JavaScript
     error: undefined variable r

The error is given and returned regardless of whether the variable was defined, or whether it should be searched for in attached packages. The referrer can be abused.

Questionable web rep for reversed DNS: http://toolbar.netcraft.com/site_report?url=http://ifcss.org

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: SE visitors redirect to spam and smut...
« Reply #4 on: June 05, 2016, 07:05:10 PM »
Another one that fits this campaign scheme: with an Apache web server the redirect is most likely in the .htaccess file: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.heree-g.com&ref_sel=GSP2&ua_sel=ff&fs=1 (info credits go out to analyst/specialist Redleg).
We find this:
Code:
<noscript>
 <meta http-equiv="refresh" content="0; url=htxp://www.clickpapa.com/d.php?&id=6980&client=pub-2766&trxid=16060518_12_97391_5754544cd0affc&subaffid=a97391s&bla=123123"/>
</noscript>
url broken by me, pol. This link is blocked by adblockers as it is in this list: ||wXw.clickpapa.com^
Found in: MVPS HOSTS
Reversed DNS is DROWN vulnerable: https://test.drownattack.com/?site=p3slh077.shr.phx3.secureserver.net
Questionable web rep: https://www.mywot.com/en/scorecard/p3slh077.shr.phx3.secureserver.net?utm_source=addon&utm_content=rw-viewsc

pol
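The noscript meta-refresh quoted in the last post, and the ||domain^ filter rule that blocks its target, are both things a site owner can check for offline. Below is an added example (not code from the post, from aw-snap.info or from the MVPS list) that pulls every meta-refresh target out of a page, records whether it was hidden inside <noscript>, and tests the target against an adblock-style ||domain^ rule; the sample HTML, the ads.example domain and the rule are constructed placeholders, not the real campaign URL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the <noscript> meta-refresh quoted in the thread
# (domain and parameters are placeholders, not the real campaign URL).
SAMPLE_HTML = """<html><head><title>shop</title>
<noscript>
 <meta http-equiv="refresh" content="0; url=http://www.ads.example/d.php?id=1"/>
</noscript></head><body>hello</body></html>"""
SAMPLE_RULES = ["||ads.example^"]  # constructed rule in the ||domain^ syntax


class MetaRefreshFinder(HTMLParser):
    """Collects every meta-refresh target and whether it sat inside <noscript>."""
    def __init__(self):
        super().__init__()
        self.in_noscript = 0
        self.redirects = []  # list of (target_url, inside_noscript)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "noscript":
            self.in_noscript += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=http://..." -- pull out the url= part
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            if m:
                self.redirects.append((m.group(1), self.in_noscript > 0))

    def handle_endtag(self, tag):
        if tag == "noscript" and self.in_noscript:
            self.in_noscript -= 1


def find_meta_refresh(html):
    """Return [(url, inside_noscript), ...] for every meta refresh in the page."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    return parser.redirects


def matches_rule(url, rule):
    """True if the url's host is the rule's domain or a subdomain of it (||domain^)."""
    if not (rule.startswith("||") and rule.endswith("^")):
        raise ValueError("only ||domain^ rules are handled here")
    dom = rule[2:-1].lower()
    host = (urlparse(url).hostname or "").lower()
    return host == dom or host.endswith("." + dom)


def blocked_redirects(html, rules):
    """Redirect targets that at least one filter rule would block."""
    return [u for u, _ in find_meta_refresh(html) if any(matches_rule(u, r) for r in rules)]
```

A redirect that only shows up inside <noscript> is worth a closer look, because a human visitor with scripts enabled never sees it while a crawler does.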