Redirect site malicious?

See: http://killmalware.com/weddinganniversarygifts.biz/
See: http://urlquery.net/report.php?id=9766279 Detected a Dynamic DNS URL IDS alert
See: https://www.virustotal.com/nl/url/08b6357eeaa840e9db43fda027874a9acc1bc7953399dc44dca936a379560cd4/analysis/
Given clean here: http://quttera.com/detailed_report/www.isfart.fartit.com
100/100% malicious: http://zulu.zscaler.com/seen/1988bb17f6322cf4edd2dad294093182-1353006942
Why see vuln. here: https://asafaweb.com/Scan?Url=www.isfart.fartit.com e.g. custom errors: fail.

See why Bitdefender TrafficLight extension blocks: https://www.mywot.com/en/scorecard/isfart.fartit.com?utm_source=addon&utm_content=rw-viewsc
Avast does not block or flag site!

pol

Site has a reputation of being malicious, sucuri blocks: http://labs.sucuri.net/?blacklist=isfart.fartit.com
Thanks, Pondus, for reporting!

polonus

See detection here: http://maldb.com/spusipa.com/#
Not blocked by avast! → Conditional redirects found. Visitors from search engines are redirected to: htxp://lllelllrlllee.4pu.com/
IDS Detected a Dynamic DNS URL
http://dnscheck.pingdom.com/?domain=lllelllrlllee.4pu.com&timestamp=1394064330&view=1
Redirect to this URL found in 443 sites → http://labs.sucuri.net/?details=lllelllrlllee.4pu.com
See yellow here: http://urlquery.net/report.php?id=9789649
History of badness for IP: https://www.virustotal.com/nl/ip-address/184.168.208.181/information/

pol

Detected 8 hrs ago: http://killmalware.com/universalweb.dk/#
Nothing flagged here: http://urlquery.net/report.php?id=9809645
Redirect because of outdated software OSCM Joomla:
Web application version:
Joomla Version: 1.6.5
Joomla Version 1.6 or 1.7 for: htxp://universalweb.dk/media/system/js/caption.js
Joomla Version 1.6.x for: htxp://universalweb.dk/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Visitors from search engines are redirected to: htxp://iopsiw.ignorelist.com/
1076 sites infected with redirects to this URL
code hiccup: universalweb.dk/modules/artfeaturecarousel/js/jquery.featureCarousel.js benign
[nothing detected] (script) universalweb dot dk/modules/artfeaturecarousel/js/jquery.featureCarousel.js
status: (referer=universalweb.dk/)saved 32771 bytes e0f284bbfd3c6a9f5c0309f207ab507b774ac2c5
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable $.fn
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var $.fn = 1;
error: line:1: …^
suspicious:

polonus

SE visitor redirects
Chain of redirects found:
to: htxp://canadiangenericsstore.com/
13 sites infected with redirects to this URL
to: htxp://tdson.com/glav
273 sites infected with redirects to this URL found 59 minutes ago on: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fbasarinedir.com
See why? Web application version:
WordPress version: WordPress 3.8.1
Wordpress Version 3.8 based on: htxp://basarinedir.com/wp-includes/js/autosave.js
WordPress theme: htxp://basarinedir.com/wp-content/themes/daily/
Known spam detect: http://sucuri.net/malware/entry/MW:SPAM:SEO
Spam Check: Suspicion of Spam
mxtp://buy-pharm-online.com/buy-accutane/ title=“accutane buy”>accutane buy basarined…
Site-wide check: Suspicious

privacy. get free pills (vagra - cialis - levtra). worldwide 

External links check: htxp://www.makromama.com.tr --> 'pet shop' benign htxp://buy-pharm-online.com/buy-accutane/ --> 'accutane buy' => https://www.mywot.com/en/scorecard/buy-pharm-online.com?utm_source=addon&utm_content=popup-donuts

pol

Here we do not see the search engine redirect: http://fetch.scritch.org/%2Bfetch/?url=sanie.net&useragent=Fetch+useragent&accept_encoding=
But here it is being detected: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fsanie.net
http://sucuri.net/malware/malware-entry-mwblacklisted35
and also why: Joomla Version: 2.5.1
Joomla Version 2.5.x - 3.0.x for: htxp://sanie.net/media/system/js/caption.js
Joomla Version 2.5.x for: htxp://sanie.net/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Conditional redirects found. Visitors from search engines are redirected to: htxp://korawi.4pu.com/
Redirect to this URL found in 934 sites
https://www.virustotal.com/nl/domain/korawi.4pu.com/information/

pol
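The contrast in the post above (a plain fetch through fetch.scritch.org sees no redirect, while Sucuri's scanner does) comes down to the infected page checking who the visitor is. As an added example that is not part of the thread or of any tool mentioned in it, this Python checker fetches a constructed toy site twice, once plainly and once with a Google referer, follows each redirect chain and flags a destination on one of the dynamic-DNS suffixes named in the thread; every hostname is constructed.

```python
from urllib.parse import urlparse

# Dynamic-DNS suffixes named in the thread; a real checker would carry a fuller list.
DYNDNS_SUFFIXES = ("4pu.com", "ignorelist.com", "itsaol.com", "changeip.com")
SEARCH_ENGINES = ("google.com", "bing.com", "yahoo.com")
REDIRECT_CODES = (301, 302, 303, 307, 308)

def host_matches(url, suffixes):
    """True when the URL's host is one of the suffixes or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def is_search_engine_visitor(headers):
    """The compromised site's own test: did the visitor arrive from a search result?"""
    return host_matches(headers.get("Referer", ""), SEARCH_ENGINES)

# Constructed toy network: URL -> function(request headers) -> (status, Location).
# Models the pattern in the thread: the infected page answers 200 to a plain fetch
# but sends search-engine visitors down a chain ending at a dynamic-DNS host.
TOY_SITES = {
    "http://compromised.example/": lambda h: (302, "http://short.example/hop")
    if is_search_engine_visitor(h) else (200, None),
    "http://short.example/hop": lambda h: (301, "http://constructed-host.4pu.com/"),
    "http://constructed-host.4pu.com/": lambda h: (200, None),
}

def toy_fetch(url, headers):
    """Stand-in for an HTTP GET that does not follow redirects by itself."""
    return TOY_SITES.get(url, lambda h: (404, None))(headers)

def follow_chain(url, headers, fetch, max_hops=5):
    """Return every URL visited, following at most max_hops redirects."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url, headers)
        if status not in REDIRECT_CODES or not location:
            break
        url = location
        chain.append(url)
    return chain

def check_conditional_redirect(url, fetch=toy_fetch):
    """Fetch once like a plain tool and once like a Google visitor; compare the chains."""
    plain = follow_chain(url, {"User-Agent": "Fetch useragent"}, fetch)
    se_headers = {"User-Agent": "Mozilla/5.0", "Referer": "https://www.google.com/search?q=x"}
    search = follow_chain(url, se_headers, fetch)
    return {
        "conditional": plain != search,
        "plain_chain": plain,
        "search_engine_chain": search,
        "dyndns_destination": host_matches(search[-1], DYNDNS_SUFFIXES),
    }
```

Swapping `toy_fetch` for a real HTTP client that does not auto-follow redirects turns this into a check you can run against your own site.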

The redirection mentioned here: http://killmalware.com/relaxbich.com/ is being performed using the wXw.changeip.com - service.
A DNS look-up gets 11004 [11004] Valid name, no data record (check DNS setup)
Unable to properly scan site. Unable to connect.
The redirect is being blacklisted: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.ertyuiop.itsaol.com
Unable to properly scan your site. Site returning error: HTTP/1.1 503 Service Unavailable
The redirect from there went here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.june9.com to
wXw.august13.com which is malicious according to Bitdefender’s TrafficLight and see for bad web rep here:
https://www.mywot.com/en/scorecard/august13.com?utm_source=addon&utm_content=popup-donuts
See: https://www.virustotal.com/nl/domain/august13.com/information/
They took a lot of trouble to appear with a clean bill: http://www.scamadviser.com/is-august13.com-a-fake-site.html
Enough alerts on same IP: http://urlquery.net/report.php?id=9857891 Detected a Dynamic DNS URL IDS alert.

polonus

A conditional redirect found here as header returned htxp: canadian-domain-hosting dot com/ → 209.15.208.77
The location line in the header above has redirected the request to see: http://jsunpack.jeek.org/?report=b42c50960b9a73b78ed1be559a864c0f3ecb7824
Is this as expected? Redirect to this URL found in 2411 sites → 404: Page not found – the page htxp goo.gl/ qSaO2ycanadian-domain-hosting dot com does not exist. If you typed in or copied/pasted this URL, make sure you included all the characters, with no extra punctuation.
Redleg’s file viewer has detected some potential problems in these files. First scroll down through the code listed out after the list of links, this is the code returned by the request for the URL you entered and check for any problems. Next, these link(s) will open the individual URL(s) in this tool, check through the code that is returned, compare the code being returned to a known clean copy, etc.

1 → /js/jquery/jquery.js
2 → /js/jquery/jquery.dropdown.js → http://jsunpack.jeek.org/?report=9418ab6495d5dcc855419dd2c48ee0b175a27cc5

jsunpack flags: wXw.ntchosting dot com/tld-search/api-search.js.php?lang=en benign
[nothing detected] (script) wXw.ntchosting dot com/tld-search/api-search.js.php?lang=en
status: (referer=canadian-domain-hosting dot com/js/DOMAssistantCompressed-2.8.1.js)saved 96584 bytes 747ff428cbb40bdeca38e778a0e1e53d91d88492
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [javascript variable] URL=wXw.ntchosting dot com/order/?
info: [img] wXw.ntchosting dot com/tld-search/
info: [iframe] wXw.ntchosting dot com/tld-search/blank.html
info: [decodingLevel=0] found JavaScript
error: line:3: SyntaxError: invalid flag after regular expression:
error: line:3: filter(function(){return this.name&&!this.disabled&&(this.checked||/select|textarea/i.test(this.nodeName)||/text|hidden|password|search/i.test(this.type))}).map(function(E,F){var G=o(this).val();return G==null?null:o.isArray(G)?o.map(G,function(I,H){retur
error: line:3: ^
error: undefined function T.insertBefore
error: undefined variable T
suspicious
http://dnscheck.pingdom.com/?domain=ntchosting.com
Second nameserver (hosted.by.liquidnetlimited dot com) accredited registrar: http://www.webhosting.info/registrars/reports/total_domains/LIQUIDNETLIMITED.COM
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fcanadian-domain-hosting.com&useragent=Fetch+useragent&accept_encoding=

Infested site on same IP → https://www.virustotal.com/nl/url/submission/?force=1&url=http%3A%2F%2Fdtemplar.com%2F
see: https://www.virustotal.com/nl/url/4b9a8b7240451726e64906b75d5262a074c43b4b5bb24b5227e343e472dd7fe5/analysis/1394733400/
See: http://urlquery.net/report.php?id=9879871

Site seems clean → http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fcanadian-domain-hosting.com&useragent=Fetch+useragent&accept_encoding=
Quttera flags one file as suspicious:
index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to htxp://goo.gl/qSaO2ycanadian-domain-hosting dot com/ →
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fgoo.gl%2Fqsao2ycanadian-domain-hosting.com&useragent=Fetch+useragent&accept_encoding=
Threat dump MD5: 00000000000000000000000000000000
File size[byte]: 18446744073709551615
File type: Unknown
MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000

polonus

In the following example the site is blacklisted, probably compromised.
Re: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fiecpr.org
Web application version:
Joomla Version 1.5.18 - 1.5.26 for: htxp://iecpr dot org/media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: htxp://iecpr dot org/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
The chain of redirects given here: http://maldb.com/iecpr.org/#
4 detections here: http://www.urlvoid.com/scan/iecpr.org/
Malware initially was launched from here: https://www.mywot.com/en/scorecard/haphuongfoundation.net?utm_source=addon&utm_content=popup-donuts
and seems to still be there: http://www.avgthreatlabs.com/website-safety-reports/domain/iecpr.org/

Misused server for IP: http://support.clean-mx.de/clean-mx/phishing.php?id=4077385
Re: https://www.virustotal.com/nl/ip-address/204.93.163.15/information/

Quttera flags this:
/enlaces/2-enlaces-y-recursos/31-universidad-interamericana
Severity: Potentially Suspicious
Reason: Detected unconditional redirection to external web resource.
Details:
Threat dump: http://jsunpack.jeek.org/?report=577eff90cdc68456e73cbbf63be8a9064b7fdf93
Threat dump MD5: 41F21BD0CD7476C72ED33BED244A9033
File size[byte]: 468
File type: ASCII
MD5: 93FEFEC752276C2C1630B8CAAB47579A
Scan duration[sec]: 0.003000

Translating to this code issue:
inter dot edu/i/sites/all/modules/panels/js/panels.js?maeuox benign
[nothing detected] (script) inter dot edu/i/sites/all/modules/panels/js/panels.js?maeuox
status: (referer=inter dot edu/i/index.php)saved 746 bytes b269ff5761894d8e846827c2bf007ea2ca4eae30
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable Drupal
error: undefined variable Drupal.Panels
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var Drupal.Panels = 1;
error: line:1: …^
suspicious

polonus