Hi

I am getting constant redirects from hxxp://www.flyertalk.com/forum (only this site)

The redirects are to Polish domains (changing each day - http://support.clean-mx.de/clean-mx/viruses.php?ip=31.210.109.37&sort=first%20desc) with a Turkish IP address (constantly - 31.210.109.37) - the latest http://urlquery.net/report.php?id=108921

Other forum users are getting the same redirect, however it is only happening IE (Firefox/Chrome seem unaffected).

I have scanned the forum with Sucuri SiteCheck/Virus Total/Zscaler, but it is coming up clean each time.

Any thoughts why the redirect is happening?

Thanks

Also to add:

This is not happening everytime. It is infrequent (say 1 in 10 times).

Hi AndyH,

Does the redirect happen immediately or on page-load?

Hi

It happens immediately, before the page has time to load.

It happens when you access the site from any way (manually inputting the address/Google search/clicking on a favourite/history).

Look at the code here, suspicious?

polonus

Hi Polonus,

Given here as a tracking cookie:
hXtp://www.flyertalk.com/forum/technical-issues/991476-waiting-pxl-ibpxl-com.html

@AndyH,
I am unable to replicate the problem.
http://urlquery.net/report.php?id=108970
http://urlquery.net/report.php?id=108993

Or Here:
http://www.unmaskparasites.com/security-report/?page=http%3A//www.flyertalk.com/forum/index.php

Or the return I get with IE:
https://www.virustotal.com/file/7835952352613aea6c69a8768a7567bbd13e16988f93783083419bff7a8c5f31/analysis/1343740830/
Always returns around 85-90,000 bytes.

Nothing Here:
http://zulu.zscaler.com/submission/show/71d7b2d74d2432f132c395aed8f8523d-1343740996

Thanks

Yes, none of the usual sites can find where the redirect is coming from as it’s not occuring everytime.

Other forums have also experienced the same redirect over the past few days to the same Turkish IP address - hxxp://www.quartertothree.com/game-talk/showthread.php?p=3182083

I guess it is a matter of trying to figure out what both sites have in common?

This time (using firefox), I get a somewhat different return. A popUp() function, however, using the general search, no reference to it.

To raise more suspicion, it uses eval to generate it. This could be the cause of redirect.

Hi AndyH and !Donovan,

Somehow the issue is related to an outdated os commerce installation (IP 31.210.109.37 has many domains, where this malware has now being closed).
See sitevet report for that AS: AS Name: RADORE Radore Hosting Telekomunikasyon Hizmetleri San. ve Tic. Ltd. Sti.
IPs allocated: 94464
Blacklisted URLs: 177

Hosts…
…malicious URLs? Yes
…badware? Yes
…Zeus botnet servers? Yes
…Current Events? Yes
Another related site: http://urlquery.net/report.php?id=107502

What is taking place there is a Fake AV attack via performancetesterfail-safety dot pl
This info was mentioned in Norton Safe Web comments, but later removed, but I found it via the Google cache data,
yes my good friends, sometimes Google is your best friend, like in this case, keeping this info for polonus online,
so WordPress users and users of outdated oscommerce software are under attack,

polonus

@!Donovan and @polonus

Thanks - I think we are getting there…

The same infected IP is picked up here - http://urlquery.net/report.php?id=106836

However, I am not so sure what it means exactly.

Hi AndyH,

This is being returned from there: hxtp://ispsystem.com/sites/all/modules/views/js/jquery.ui.dialog.patch.js?m80f8m
File size:1134 bytes File MD5:48e77be7c0c6ba44bdef8f3adc2774bb (a patch for jQuery) but that code is benign

Now the malware being served up from that site:
First there is a malcious request: /yd45hn/al/7deeae50b6b00140/0/download/ HTTP/1.1
Host: pctestersaver dot pl
And the response results in what I mentioned earlier: htxp://pctestersaver.pl/yd45hn/al/7deeae50b6b00140/0/release/new/setup.exe

And bingo 100/100% malicious, see: http://zulu.zscaler.com/submission/show/11168afb1422684c37990b09d8757c21-1343746829
Also detected here: http://www.avgthreatlabs.com/sitereports/domain/pctestersaver.pl

During the last 7 days potentially active threats were detected on the main site of this domain

Site blacklisted in multiple real-time domain blocklists, malware last detected 2012-07-28, site infected also this domain: monarchmoving dot com, 12 trojans found there, see: http://www.google.com/safebrowsing/diagnostic?site=monarchmoving.com/ infected through: http://www.google.com/safebrowsing/diagnostic?site=wojianfei.net/ and some 202 other sites were infested with this malcode.... This one was from 2 days ago: http://urlquery.net/report.php?id=106836

polonus

Hi again polonus/!Donovan

Ok, I have tested the site with HTTP Analyzer and avast! disabled to get the full picture when the redirect happens.

As you can see, the redirect is coming from hxxp://adbitserver.com - question is though, where is that in the original forum?

Here is a pic of the HTTP Analyzer http://img24.imageshack.us/img24/3795/httpanalyzer.png - ignore the live.com, that is my hotmail account. Your uploads weren’t working as I kept getting a 500 error.

Hi AndyH,

If you would, please navigate to the Header tab and post the contents of the Referer information in your next post.

(Request-Line):GET /in?q=LfCAhlbgw9cnPT8tAbM5uSk36uh4OyeQxol9XkHX HTTP/1.1
Accept:text/html, application/xhtml+xml, /
Referer:hxxp://www.flyertalk.com/forum/
Accept-Language:en-GB
User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding:gzip, deflate
Host:adbitserver.com
Connection:Keep-Alive

I’ve also attached a copy of the original source code for the site - interestingly the site loaded on my screen a fraction of a sec before the redirect.

Looking further at the HHTP Analysis, the redirect originates from #3 in the list (adliclick.com):

This is the content response:

document.write(‘’);document.write(‘’);

Hi AndyH,

This is a PHISH for yahoo as you can see from the external element in this scan: http://zulu.zscaler.com/submission/show/f552c70b095960fbb46e7f029360a2be-1343831094
100/100% malicious! I get
Content after the < /html> tag should be considered suspicious.

38: < !-- w234.fp.bf1.yahoo dot com uncompressed/chunked Wed Aug 1 07:37:16 PDT 2012 →

See IDS alert here: http://urlquery.net/report.php?id=110442

polonus