CYSC.RED.CLICKFRAUD-1 on site...

IDS alert here: http://urlquery.net/report.php?id=440837
(domain not valid) tries to run on some browsers, but fails for others…
Message given “Please click the following link if you are not automatically redirected in 5 seconds: etc…”

Suspicious file found via Quttera:
?epl=0VCN_Fi_C4Z6XAhweHl7aUCVvjkKEgqnSO5iZy7d5h8yxcGw7CUiUSXpQZNUhNpsjirwI7CsxMWifkMIef8sd-7eQvam83TwOWAhODzhStpEoiZfqZCaVKQLQoVhQIG6NfeZuKekp3o0g9CGaqMJjCpBkwFl09A0mtokD0VoACDA3OevAADw_wMAAECA2wsAAKr0zVFZUyZZQTE2aFpChQAAAPA
File size [byte]: 2242
Severity: Potentially Suspicious
Details: Detected unconditional redirection to external web resource.
Reason:
MD5: 0CF451F07F9A20808DFFAD1ED98E314C

HTML.Redirector.WD found active for htxp://ww2.lsp-test-nax.ind.in/winlogon.htm - on same IP
See: https://www.virustotal.com/file/f84c5fb4dbb5009039d992f11e5ac00743b63ce1a7bbb99e33020ce79e7d24b3/analysis/
Not detected at avast? Reported to virus AT avast dot com

polonus

VirusTotal
https://www.virustotal.com/url/b79c061cced0fb6ba3799e60869db8c3cf8b3f42b5c4695b2437d805d653ad8a/analysis/1355866068/

sucuri
http://sitecheck.sucuri.net/results/ww2.lsp-test-nax.ind.in/

URLvoid
http://vscan.novirusthanks.org/analysis/9360d8abacee4ed0881e47cd9835b40d/bG9hZHMtcGhw/

Thanks Pondus for reporting these results.
Only flagged by specific scanners on VT.
The following CYSC.FRAUD.PHARMACY-4 and SPAM is only flagged on VT by ADMINUSLabs & C-SIRT…
Same ASN, other type of clickfraud: CYSC.FRAUD.PHARMACY-4
See: https://www.virustotal.com/url/506cd0261eedb7b1ec926dc37cc83a4dacb98f0e31769ee741ae87f70f5e8c35/analysis/
Quttera detects:
wXw.google.com/bookmarks/mark?op=edit&output=popup&bkmk=%site_url%&title=%site_title%
File size [byte]: 72575
Severity: Potentially Suspicious
Details: Detected hidden reference to external web resource.
Reason: Detected generation of hidden DOM element [iframe].
MD5: 7603DA1785C5A5B03AB21DF9EDB3C977

But there is no IDS alert for the clickfraud on the urlquery scan: http://urlquery.net/report.php?id=441194
But known spam detections by Sucuri's: http://sitecheck.sucuri.net/results/wcrzzev.mediclock.ru/

polonus

VirusTotal
https://www.virustotal.com/file/1d74f74550c05a3ddec21633330d4c7d1d42094ca90ce107ba60f28ce77013f8/analysis/1355875612/

Hi Pondus,

Thanks for scanning that. Has that been reported to avast?
This for instance is known load.php malware: http://www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml
General removal instructions from jimmy uptomark here: http://www.uptomark.com/how-to-remove-malware-and-virus-from-wordpress-blog/

pol