avast! detects HTML:Iframe-BJR [Trj]

See: http://icreamservice.com/report/url-3505
Compare to: https://www.virustotal.com/en/url/8845d990647a0c1c2baf10a74da1a01e8275dd2d1819f727010c969cc2f42891/analysis/
Blacklisting status: http://quttera.com/detailed_report/comunidadpaisajismo.cl

polonus

is detected but there is no such character

http://my.jetscreenshot.com/18363/20131026-lr4p-45kb.jpg

Phishing (CAT021)

http://check.gred.jp/WebscanAction.action

Blacklists
http://sitecheck.sucuri.net/results/comunidadpaisajismo.cl

http://www.siteadvisor.com/sites/comunidadpaisajismo.cl

http://www.avgthreatlabs.com/website-safety-reports/domain/comunidadpaisajismo.cl/

http://www.unmaskparasites.com/security-report/?page=http%3A%2F%2Fcomunidadpaisajismo.cl%2F

Malicious =>http://zulu.zscaler.com/submission/show/6b34d18bad2de96f523f12f58ced4457-1382751593

http://app.webinspector.com/public/reports/18055790

Hi jefferson santiag,

Thanks for your investigation.
There is no such character actually, but that character may play a role in that specific kind of malcode.
Someone should add these to the regular expressions used in IDS sigs!
That is why I mentioned it.

Interesting also is the trojan landing IDS alert we get via this: http://urlquery.net/report.php?id=7136183
Emerging Threats IDS "ET CURRENT_EVENTS Possible BHEK Landing URI Format"
These were added in August-September last year: http://doc.emergingthreats.net/bin/view/Main/2017376

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible BHEK Landing URI Format"; flow:to_server,established; urilen:>41; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php/U"; classtype:trojan-activity; sid:2017376; rev:6;)
But we have to be cautious with this one, because it is FP prone, although there were many right hits as well (do a search on urlquery scans for that). Read on this sig here: http://t46633.security-ids-snort-emerging-sigs.securityupdate.info/false-positive-2015797-bhek-2-landing-3-t46633.html (info thanks to Will Metcalf * on a question from frank in a Security IDS Snort Emerging Sigs discussion; N.B. credits go to the aforementioned specialist *).

The redirect to qpnkczev.sytes.net does not resolve anymore. Well, sytes dot net is a known malware distributor (Dynamic DNS): http://www.mywot.com/en/scorecard/sytes.net?utm_source=addon&utm_content=popup-donuts
Read on this here: htx p://blog.sucuri.net/2013/10/malware-iframe-campaign-from-sytes-net.html (avast! Web Shield blocks something on this blog site as infested with HTML:Iframe-BJA[Trj])

polonus
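The URI-side conditions of the ET rule sid:2017376 quoted in the thread (urilen, the ".php" content match and the PCRE), reimplemented in Python as an added example that is not part of the thread and not the Snort/Suricata engine; it is run over constructed sample URIs, one of which shows the false-positive proneness polonus mentions. The flow and $HOME_NET/$EXTERNAL_NET checks are not reproduced, as they depend on connection state rather than on the URI.

```python
import re

# Added example: the URI conditions of ET sid:2017376 as quoted in the thread,
# approximated in Python (this is not the Snort/Suricata matching engine).
# Not reproduced: flow:to_server,established and $HOME_NET -> $EXTERNAL_NET.
BHEK_LANDING_PCRE = re.compile(r"/[a-f0-9]{32}/[a-z]+?\-[a-z]+?\.php")


def matches_et_2017376(uri: str) -> bool:
    """True when a request URI satisfies urilen:>41, content:".php" and the PCRE."""
    if len(uri) <= 41:                      # urilen:>41
        return False
    if ".php" not in uri:                   # content:".php"; http_uri
        return False
    # pcre:"/.../U": case sensitive, the rule carries no /i flag
    return BHEK_LANDING_PCRE.search(uri) is not None


def scan_uris(uris):
    """Return the subset of request URIs on which the rule would fire."""
    return [u for u in uris if matches_et_2017376(u)]


# Constructed sample URIs (not real observations); 32 hex chars in the path.
SAMPLE_URIS = [
    # landing-style path /<32 hex>/<word>-<word>.php -> fires
    "/0123456789abcdef0123456789abcdef/index-page.php",
    # same directory but no hyphenated script name -> PCRE does not match
    "/0123456789abcdef0123456789abcdef/index.php",
    # upper-case hex: no /i flag on the PCRE, so this does not fire
    "/0123456789ABCDEF0123456789ABCDEF/index-page.php",
    # right shape but too short for urilen:>41
    "/abc/x-y.php",
    # benign-looking CMS cache path with an MD5 directory and a hyphenated
    # script name: fires too, which is the FP proneness discussed above
    "/cache/0123456789abcdef0123456789abcdef/thumb-large.php?id=1",
]

if __name__ == "__main__":
    for hit in scan_uris(SAMPLE_URIS):
        print("ET 2017376 would fire on:", hit)
```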