aw-snap.info with malware? Redirects to -https://aw-snap.info/403.htm

Nothing here: https://www.virustotal.com/gui/url/ac6c85beada1be72c78a21693c5a786896de443a05ca8205eaefe989b64a8ac0/detection

See: https://sitecheck.sucuri.net/results/https/aw-snap.info
8 malicious files : https://quttera.com/detailed_report/aw-snap.info
IP related malware: https://www.virustotal.com/gui/ip-address/107.180.40.144/relations
See also: https://toolbar.netcraft.com/site_report?url=https://aw-snap.info/file-viewer/
Re: https://retire.insecurity.today/#!/scan/fb9f5fe2c2bde4a2cd6183929c0e3ab1b09ecc25929f7f30636764e4ae4904a9

polonus

I used to see this a long time ago but with the 404 error (missing file/page/image, etc.).

The hack was to create a specific malicious 404 error page and edit the normal home page (or any other), inserting a link to a non-existent page/image, etc., triggering the malicious 404 page.

I just wonder if there isn’t something similar going on here.
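The "malicious 404 page" trick described in the post above can be checked for from the defender's side: follow every same-site reference a page makes and look at what the site's own 404 response loads. The script below is an added example, not code from this thread or from aw-snap.info; the site URLs, the sample pages and the fetch() stub are all constructed for the demo.

```python
"""Added example: detect a custom 404 page that carries off-site script,
reached through a deliberately broken reference on a normal page.
All hosts and pages here are constructed; fetch() is a stand-in for HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every src/href the browser would request."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.refs.append((tag, name, value))


def collect_refs(html):
    parser = RefCollector()
    parser.feed(html)
    return parser.refs


def external_scripts(html, site_host):
    """Script URLs in the page that point to a host other than the site itself."""
    return [v for tag, _, v in collect_refs(html)
            if tag == "script" and urlparse(v).netloc and urlparse(v).netloc != site_host]


def check_broken_refs(page_url, fetch):
    """For each same-site reference that returns 404, report the error page's
    off-site scripts. fetch(url) must return (status_code, body_text)."""
    host = urlparse(page_url).netloc
    _, body = fetch(page_url)
    findings = []
    for _, _, value in collect_refs(body):
        target = urljoin(page_url, value)
        if urlparse(target).netloc != host:
            continue  # only same-site links can trigger the site's own 404 page
        status, err_body = fetch(target)
        if status == 404:
            ext = external_scripts(err_body, host)
            if ext:
                findings.append((target, ext))
    return findings


# Constructed sample site: the home page references a missing image, and the
# custom 404 page served for it loads a script from another host.
SAMPLE_SITE = {
    "http://shop.example/": (200, '<html><body><img src="/images/missing.gif">'
                                  '<a href="/about.html">About</a></body></html>'),
    "http://shop.example/about.html": (200, "<html><body>About us</body></html>"),
    "http://shop.example/images/missing.gif": (404, '<html><head><script src='
        '"http://cdn.evil-example.test/loader.js"></script></head><body>Not found</body></html>'),
}


def sample_fetch(url):
    return SAMPLE_SITE.get(url, (404, "<html><body>Not found</body></html>"))


if __name__ == "__main__":
    for target, scripts in check_broken_refs("http://shop.example/", sample_fetch):
        print(f"{target} -> 404 page loads off-site script(s): {scripts}")
```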

Description: Malicious scripts injected into Magento (and other e-commerce) sites that try to steal payment details and site credentials from website forms. Typically they hijack login and checkout forms and send entered data to a remote third-party site controlled by the attackers. Sometimes the script may redirect online shoppers to fake checkout pages.

https://www.virustotal.com/gui/file/b23b9fc160fada7c57050a59485fbdcf50f406c4ba89d8320fd8efeb842f689d/detection

Script injection malcode, thank you DavidR and Pondus for putting the detection-cherry on the cake.
The proof of the pudding is indeed in the eating, but we had to taste it first…

For the moment I get here with the 403 error

403 Forbidden

Forbidden

You don't have permission to access / on this server.


Apache Server at -aw-snap.info Port 80

VT gives as clean: -http://aw-snap.info/wp-content/redleg_sm.ico,
somehow the connection is not encrypted and not secure.
So Redleg has some cleansing to do on his own website analysis website ;D 🙁

pol

aw-snap.info still won’t open up in my browser: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/
see: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#links
response html: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#transactions
behavior: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#behaviour
Indicators of compromise (around an attack): https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#iocs
host details: https://www.shodan.io/host/107.180.40.144
Website test results: https://internet.nl/site/aw-snap.info/671442/
1 malicious file detected: https://quttera.com/detailed_report/www.aw-snap.info
File:

index.html
Severity: Malicious
Reason: Detected malicious PHP content
Details: Detected PHP backdoor
Offset: 3162
Threat dump: View code index html - blocked
Threat dump MD5: 0DEAEF3CF103258A26211AB017E008E6
File size[byte]: 10618
File type: HTML
Page/File MD5: 9818584FD5B51A3DEA390ACD83ADDFE0
Scan duration[sec]: 0.08

pol