aw-snap.info with malware? Redirects to -https://aw-snap.info/403.htm

[polonus]

Nothing here: https://www.virustotal.com/gui/url/ac6c85beada1be72c78a21693c5a786896de443a05ca8205eaefe989b64a8ac0/detection

See: https://sitecheck.sucuri.net/results/https/aw-snap.info
8 malicious files : https://quttera.com/detailed_report/aw-snap.info
IP related malware: https://www.virustotal.com/gui/ip-address/107.180.40.144/relations
See also: https://toolbar.netcraft.com/site_report?url=https://aw-snap.info/file-viewer/
Re: https://retire.insecurity.today/#!/scan/fb9f5fe2c2bde4a2cd6183929c0e3ab1b09ecc25929f7f30636764e4ae4904a9

polonus

[DavidR]

I used to see this a long time ago but with the 404 error (missing file/page/image, etc.). 

The hack was to create a specific malicious 404 error page and edit the normal home page (or any other) inserting a link to a non existent page/image, etc. triggering the malicious 404 page. 

I just wonder if there isn't something similar going on here.

[Pondus]

Description: Malicious scripts injected to Magneto (and other e-commerce) site that try to steal pyament details and site credentials from website forms. Typically the hijack login and checkout forms and send entered data to a remote third-party site controled by the attackers. Sometime the script may redirect online shoppers to fake checkout pages.


https://www.virustotal.com/gui/file/b23b9fc160fada7c57050a59485fbdcf50f406c4ba89d8320fd8efeb842f689d/detection

[polonus]

Script injection malcode, thank you DavidR and Pondus for putting the detection-cherry on the cake.
The proof of the pudding is indeed in the eating, but we had to taste it first...

For the moment I get here with the 403 error

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
<link href='-http://aw-snap.info/wp-content/redleg_sm.ico' rel='icon' type='image/x-icon'/>
<link rel="shortcut icon" href="-http://aw-snap.info/wp-content/redleg_sm.ico" />
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<hr>
<address>Apache Server at -aw-snap.info Port 80</address>
</body></html>

VT gives as clean:  -http://aw-snap.info/wp-content/redleg_sm.ico,
somehow the connection is not encrypted and not secure.
So Redleg has some cleansing to do on his own website analysis website   

pol

[polonus]

aw-snap.info still won't open up in my browser: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/
see: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#links
response hrml: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#transactions
behavior: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#behaviour
Indicators of compromise (around an attack): https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#iocs
host details: https://www.shodan.io/host/107.180.40.144
Website test results: https://internet.nl/site/aw-snap.info/671442/
1 malicious file detected: https://quttera.com/detailed_report/www.aw-snap.info
File:

index.html
Severity:   Malicious
Reason:   Detected malicious PHP content
Details:   Detected PHP backdoor
Offset:   3162
Threat dump:   View code  index html - blocked
Threat dump MD5:   0DEAEF3CF103258A26211AB017E008E6
File size[byte]:   10618
File type:   HTML
Page/File MD5:   9818584FD5B51A3DEA390ACD83ADDFE0
Scan duration[sec]:   0.08

pol