Site has a reputation of being malicious, sucuri blocks: http://labs.sucuri.net/?blacklist=isfart.fartit.com
Thanks, Pondus, for reporting!
polonus
See detection here: http://maldb.com/spusipa.com/#
Not blocked by avast! → Conditional redirects found. Visitors from search engines are redirected
to: htxp://lllelllrlllee.4pu.com/ IDS Detected a Dynamic DNS URL
→ http://dnscheck.pingdom.com/?domain=lllelllrlllee.4pu.com&timestamp=1394064330&view=1
Redirect to this URL found in 443 sites → http://labs.sucuri.net/?details=lllelllrlllee.4pu.com
See yellow here: http://urlquery.net/report.php?id=9789649
History of badness for IP: https://www.virustotal.com/nl/ip-address/184.168.208.181/information/
pol
Detected 8 hrs ago: http://killmalware.com/universalweb.dk/#
Nothing flagged here: http://urlquery.net/report.php?id=9809645
Redirect because of outdated software OSCM Joomla:
Web application version:
Joomla Version: 1.6.5
Joomla Version 1.6 or 1.7 for: htxp://universalweb.dk/media/system/js/caption.js
Joomla Version 1.6.x for: htxp://universalweb.dk/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Visitors from search engines are redirected
to: htxp://iopsiw.ignorelist.com/
1076 sites infected with redirects to this URL
Code hiccup: universalweb.dk/modules/artfeaturecarousel/js/jquery.featureCarousel.js benign
[nothing detected] (script) universalweb dot dk/modules/artfeaturecarousel/js/jquery.featureCarousel.js
status: (referer=universalweb.dk/)saved 32771 bytes e0f284bbfd3c6a9f5c0309f207ab507b774ac2c5
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable $.fn
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var $.fn = 1;
error: line:1: …^
suspicious:
polonus
SE visitors redirects
Chain of redirects found:
to: htxp://canadiangenericsstore.com/
13 sites infected with redirects to this URL
to: htxp://tdson.com/glav
273 sites infected with redirects to this URL found 59 minutes ago on: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fbasarinedir.com
See why? Web application version:
WordPress version: WordPress 3.8.1
Wordpress Version 3.8 based on: htxp://basarinedir.com/wp-includes/js/autosave.js
WordPress theme: htxp://basarinedir.com/wp-content/themes/daily/
Known spam detect: http://sucuri.net/malware/entry/MW:SPAM:SEO
Spam Check: Suspicion of Spam
mxtp://buy-pharm-online.com/buy-accutane/ title=“accutane buy”>accutane buy basarined…
Site-wide check: Suspicious
privacy. get free pills (vagra - cialis - levtra). worldwide …
External links check:
htxp://www.makromama.com.tr --> 'pet shop' benign
htxp://buy-pharm-online.com/buy-accutane/ --> 'accutane buy' => https://www.mywot.com/en/scorecard/buy-pharm-online.com?utm_source=addon&utm_content=popup-donuts
pol
Here we do not see the search engine redirect: http://fetch.scritch.org/%2Bfetch/?url=sanie.net&useragent=Fetch+useragent&accept_encoding=
But here it is being detected: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fsanie.net
http://sucuri.net/malware/malware-entry-mwblacklisted35
and also why: Joomla Version: 2.5.1
Joomla Version 2.5.x - 3.0.x for: htxp://sanie.net/media/system/js/caption.js
Joomla Version 2.5.x for: htxp://sanie.net/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Conditional redirects found. Visitors from search engines are redirected
to: htxp://korawi.4pu.com/
Redirect to this URL found in 934 sites
→ https://www.virustotal.com/nl/domain/korawi.4pu.com/information/
pol
The redirection mentioned here: http://killmalware.com/relaxbich.com/ is being performed using the wXw.changeip.com - service.
A DNS look-up gets 11004 [11004] Valid name, no data record (check DNS setup)
Unable to properly scan site. Unable to connect.
The redirect is being blacklisted: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.ertyuiop.itsaol.com
Unable to properly scan your site. Site returning error: HTTP/1.1 503 Service Unavailable
The redirect from there went here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.june9.com to
wXw.august13.com which is malicious according to Bitdefender’s TrafficLight and see for bad web rep here:
https://www.mywot.com/en/scorecard/august13.com?utm_source=addon&utm_content=popup-donuts
See: https://www.virustotal.com/nl/domain/august13.com/information/
They took a lot of trouble to appear with a clean bill: http://www.scamadviser.com/is-august13.com-a-fake-site.html
Enough alerts on same IP: http://urlquery.net/report.php?id=9857891 Detected a Dynamic DNS URL IDS alert.
polonus
A conditional redirect found here as header returned htxp: canadian-domain-hosting dot com/ → 209.15.208.77
The location line in the header above has redirected the request to see: http://jsunpack.jeek.org/?report=b42c50960b9a73b78ed1be559a864c0f3ecb7824
Is this as expected? Redirect to this URL found in 2411 sites → 404: Page not found – the page htxp goo.gl/ qSaO2ycanadian-domain-hosting dot com does not exist. If you typed in or copied/pasted this URL, make sure you included all the characters, with no extra punctuation.
Redleg’s file viewer has detected some potential problems in these files. First scroll down through the code listed out after the list of links, this is the code returned by the request for the URL you entered and check for any problems. Next, these link(s) will open the individual URL(s) in this tool, check through the code that is returned, compare the code being returned to a known clean copy, etc.
1 → /js/jquery/jquery.js
2 → /js/jquery/jquery.dropdown.js → http://jsunpack.jeek.org/?report=9418ab6495d5dcc855419dd2c48ee0b175a27cc5
jsunpack flags: wXw.ntchosting dot com/tld-search/api-search.js.php?lang=en benign
[nothing detected] (script) wXw.ntchosting dot com/tld-search/api-search.js.php?lang=en
status: (referer=canadian-domain-hosting dot com/js/DOMAssistantCompressed-2.8.1.js)saved 96584 bytes 747ff428cbb40bdeca38e778a0e1e53d91d88492
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [javascript variable] URL=wXw.ntchosting dot com/order/?
info: [img] wXw.ntchosting dot com/tld-search/
info: [iframe] wXw.ntchosting dot com/tld-search/blank.html
info: [decodingLevel=0] found JavaScript
error: line:3: SyntaxError: invalid flag after regular expression:
error: line:3: filter(function(){return this.name&&!this.disabled&&(this.checked||/select|textarea/i.test(this.nodeName)||/text|hidden|password|search/i.test(this.type))}).map(function(E,F){var G=o(this).val();return G==null?null:o.isArray(G)?o.map(G,function(I,H){retur
error: line:3: ^
error: undefined function T.insertBefore
error: undefined variable T
suspicious → http://dnscheck.pingdom.com/?domain=ntchosting.com
-< second nameserver (hosted.by.liquidnetlimited dot com) accredited registrar: http://www.webhosting.info/registrars/reports/total_domains/LIQUIDNETLIMITED.COM
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fcanadian-domain-hosting.com&useragent=Fetch+useragent&accept_encoding=
Infested site on same IP → https://www.virustotal.com/nl/url/submission/?force=1&url=http%3A%2F%2Fdtemplar.com%2F
see: https://www.virustotal.com/nl/url/4b9a8b7240451726e64906b75d5262a074c43b4b5bb24b5227e343e472dd7fe5/analysis/1394733400/
See: http://urlquery.net/report.php?id=9879871
Site seems clean → http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fcanadian-domain-hosting.com&useragent=Fetch+useragent&accept_encoding=
Quttera flags one file as suspicious:
index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to htxp://goo.gl/qSaO2ycanadian-domain-hosting dot com/ →
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fgoo.gl%2Fqsao2ycanadian-domain-hosting.com&useragent=Fetch+useragent&accept_encoding=
Threat dump MD5: 00000000000000000000000000000000
File size[byte]: 18446744073709551615
File type: Unknown
MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000
polonus
In the following example the site is blacklisted, probably compromised and blacklisted.
Re: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fiecpr.org
Web application version:
Joomla Version 1.5.18 - 1.5.26 for: htxp://iecpr dot org/media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: htxp://iecpr dot org/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
The chain of redirects given here: http://maldb.com/iecpr.org/#
4 detect here: http://www.urlvoid.com/scan/iecpr.org/
Malware initially was launched from here: https://www.mywot.com/en/scorecard/haphuongfoundation.net?utm_source=addon&utm_content=popup-donuts
and seems to still be there: http://www.avgthreatlabs.com/website-safety-reports/domain/iecpr.org/
Misused server for IP: http://support.clean-mx.de/clean-mx/phishing.php?id=4077385
Re: https://www.virustotal.com/nl/ip-address/204.93.163.15/information/
Quttera flags this:
/enlaces/2-enlaces-y-recursos/31-universidad-interamericana
Severity: Potentially Suspicious
Reason: Detected unconditional redirection to external web resource.
Details:
Threat dump: http://jsunpack.jeek.org/?report=577eff90cdc68456e73cbbf63be8a9064b7fdf93
Threat dump MD5: 41F21BD0CD7476C72ED33BED244A9033
File size[byte]: 468
File type: ASCII
MD5: 93FEFEC752276C2C1630B8CAAB47579A
Scan duration[sec]: 0.003000
Translating to this code issue:
inter dot edu/i/sites/all/modules/panels/js/panels.js?maeuox benign
[nothing detected] (script) inter dot edu/i/sites/all/modules/panels/js/panels.js?maeuox
status: (referer=inter dot edu/i/index.php)saved 746 bytes b269ff5761894d8e846827c2bf007ea2ca4eae30
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable Drupal
error: undefined variable Drupal.Panels
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var Drupal.Panels = 1;
error: line:1: …^
suspicious
polonus