SE redirect and more

See: http://killmalware.com/geobiota.org/# avast does not flag the redirect site,
but it flags the originating site as infested with JS;Includer-BCE[Trj]

Going to: http://urlquery.net/report.php?id=1406589893729

Site flagged by BitDefender’s TrafficLight as malicious and Sucuri’s: https://www.virustotal.com/nl/url/854d020c8f3af30d0958d9d86c7b1b70a03b2b0e39313635b6ff61e441ac35cf/analysis/1406590305/
Site potentially harmful: http://sitecheck.sucuri.net/results/avwarehouse.com.au
nginx
php/5.3.28
CMS: joomla! 1.5 - open source content management
Site vulnerable: Web application details:
Application: Joomla! 1.5 - Open Source Content Management - http://www.joomla.org
Running cPanel 11.44.0.30: avwarehouse.com dot au:2082

Web application version:
Joomla Version 1.5.18 - 1.5.26 for: htxp://avwarehouse.com.au/media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: htxp://avwarehouse.com.au/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.20 or 3.3

Web Security Austria did not find any issues with site :o
IP badness history given here: https://www.virustotal.com/nl/ip-address/103.250.214.34/information/

polonus

See: http://killmalware.com/firstgems.tk/#
Caused by
Issue detected: Outdated Web Server
Definition: Nginx Found Vulnerabilities on nginx
Vulnerable header: nginx/1.0.15

polonus

Found templates/joomlage0056-designcanvas/js/equalizer.js

The file index.php is the heart and soul of your template. It is the only file Joomla! will automatically load when it is asking your template to render (display) a page of your site. Since it is executable code it should contain a line similar to:

defined( '_JEXEC' ) or die( 'Restricted access' );
In fact, all of the PHP files in the template – unless they are supposed to be called directly from the web – must have this line. If they don’t, your template is potentially vulnerable to a number of attacks commonly used by hackers, so it’s a good idea not to use it.

quote taken from http://magazine.joomla.org/issues/issue-aug-2010/item/114-Joomla-Template-Tools-Part-Two

D
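One way to check a template for the guard described in that quote, as an added example (not code from the thread, from Joomla or from the magazine article): walk a template directory and list every PHP file that carries no `defined('_JEXEC') or die` line. The template tree is constructed inline so the script runs offline; the regex and the `find_unguarded_php` / `has_jexec_guard` names are this example's own.

```python
"""Added example: find Joomla template PHP files missing the _JEXEC guard."""
import os
import re
import tempfile
from typing import List

# Matches the guard line quoted above, tolerating spacing and quote style:
#   defined('_JEXEC') or die('Restricted access');
#   defined( "_JEXEC" ) or die;
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]_JEXEC['"]\s*\)\s*or\s*die\b""",
                      re.IGNORECASE)


def has_jexec_guard(source: str) -> bool:
    """True if the PHP source contains the _JEXEC guard anywhere."""
    return GUARD_RE.search(source) is not None


def find_unguarded_php(template_dir: str) -> List[str]:
    """Return template-relative paths of .php files that lack the guard.
    Non-PHP assets (CSS, JS, images) are ignored: only executable code needs it."""
    unguarded = []
    for root, _dirs, files in os.walk(template_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if not has_jexec_guard(fh.read()):
                    unguarded.append(os.path.relpath(path, template_dir))
    return sorted(unguarded)


def build_sample_template() -> str:
    """Constructed sample tree: one guarded index.php, one unguarded override file."""
    d = tempfile.mkdtemp(prefix="jtpl_")
    os.makedirs(os.path.join(d, "html"))
    with open(os.path.join(d, "index.php"), "w") as fh:
        fh.write("<?php\ndefined( '_JEXEC' ) or die( 'Restricted access' );\necho 'ok';\n")
    with open(os.path.join(d, "html", "pagination.php"), "w") as fh:
        fh.write("<?php\nfunction pagination_item_active($item) { return $item->text; }\n")
    with open(os.path.join(d, "template.css"), "w") as fh:
        fh.write("body { margin: 0 }\n")
    return d


if __name__ == "__main__":
    for rel in find_unguarded_php(build_sample_template()):
        print("missing _JEXEC guard:", rel)
```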

Site just recovered from a conditional redirect, but still vulnerable because of outdated software:
Outdated Web Server Apache Found Vulnerabilities on Apache 2.2 Apache/2.2.23
http://sitecheck.sucuri.net/results/lgsroeser.lu
Scan for: htxp://wp-mojo.com/blog/?p=5510&comment=899754
Hostname: wp-mojo.com
IP address: 195.26.5.2 (HostGator)

System Details:
Running on: Apache/2.2.23
System info: (Unix) mod_ssl/2.2.23 OpenSSL/0.9.8o PHP/5.3.20
Unable to properly scan site. Site empty (no content): Content-Length: 0

Web application details:
Running cPanel 11.42.1.23: wp-mojo.com:2082
Outdated Web Server Apache Found: Apache/2.2.23
Server redirect status: Code: 302, htxp://wp-mojo.com/blog/?p=5510&comment=899754
Redirect to external server!

Suspicious external link, see: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fwww.lgsroeser.lu%2Fxmlrpc.php%3Frsd&useragentheader=&acceptheader=
re on this: http://en.forums.wordpress.com/topic/a-strange-link-to-my-website link article author = meljvi
&
http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fwww.lgsroeser.lu%2Fxmlrpc.php&useragentheader=&acceptheader=

polonus

SE redirect to a dynamic dns url: http://killmalware.com/haohungwoodchip.com/
https://www.virustotal.com/nl/url/02fe31e25e2a4d7e90276eb4727fe54c1494c4e5a62f0f4735ce6730c824a8aa/analysis/
alerted here: http://urlquery.net/report.php?id=1406677180329
Test errors Delegation:
http://dnscheck.pingdom.com/?domain=0001.2waky.com%2F&timestamp=1406677315&view=1
Failed to find name servers for 2waky dot com (parent of 0001.2waky.com/IN).

Delegation not found at parent.

No delegation could be found at the parent, making your zone unreachable from the Internet.

Not enough nameserver information was found to test the zone 0001.2waky dot com,
but an IP address lookup succeeded in spite of that.
IP badness history: https://www.virustotal.com/nl/ip-address/209.208.4.53/information/
&
https://www.virustotal.com/nl/domain/0001.2waky.com/information/

polonus

Site vulnerable because of outdated CMS->: http://sitecheck.sucuri.net/results/ujikichi.com
Malware: http://labs.sucuri.net/db/malware/malware-entry-mwhta7
Web application version:
WordPress version: WordPress 2.5.1
Wordpress Version 2.5 for: htxp://ujikichi.com/wp-includes/js/scriptaculous/wp-scriptaculous.js
WordPress directory: htxp://ujikichi.com/wp-content
WordPress theme: htxp://ujikichi.com/wp-content/themes/default/
WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 3.9.1

Visitors from search engines are redirected
to: htxp://cabaniaseleden.com.ar/stats.php
1062 sites infected with redirects to this URL

Missed here: http://zulu.zscaler.com/submission/show/7d72b0bc5b9f100ab9059e131fe320ac-1406747444

Server redirect status: Code: 301, Code: 301, htxp://cabaniaseleden.com.ar/stats.php

Redirect to external server! http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fcabaniaseleden.com.ar%2Fstats.php++&useragentheader=&acceptheader=
http://labs.sucuri.net/?details=cabaniaseleden.com.ar
External link going to htxps://servicios1.afip.gov.ar/clavefiscal/qr/response.aspx?qr=p6MF7sVnU2kyy8IgBRvShg

IP badness history: https://www.virustotal.com/nl/ip-address/210.188.201.130/information/
and this is not helping either to further security: http://sameip.net/ip210.188.201.130
718 domains on one and the same IP :o

polonus
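The conditional "visitors from search engines are redirected" pattern reported in this thread can be spotted from a site's own access log, as an added example (not code from the thread or from any of the scanners it links): a path that answers 301/302 whenever the Referer is a search engine but serves a normal 200 to everyone else. The Apache combined-log lines below are constructed, and the `find_conditional_redirects` helper and search-engine list are this example's own assumptions.

```python
"""Added example: detect search-engine-only (conditional) redirects in Apache combined logs."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Referer substrings treated as "came from a search engine" (assumption, extend as needed).
SEARCH_ENGINES = ("google.", "bing.com", "yahoo.com", "yandex.")
REDIRECT_CODES = (301, 302, 303, 307)


def is_search_engine_referer(referer: str) -> bool:
    return any(s in referer.lower() for s in SEARCH_ENGINES)


def find_conditional_redirects(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """Map path -> (redirects seen with a search-engine referer, 200s seen without one).
    Only paths that show BOTH behaviours are returned: a redirect served to everyone
    is an ordinary redirect, and a 200 served to everyone is a normal page."""
    se_redirects: Dict[str, int] = defaultdict(int)
    direct_ok: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined-log format
        path, status, ref = m["path"], int(m["status"]), m["referer"]
        from_se = is_search_engine_referer(ref)
        if from_se and status in REDIRECT_CODES:
            se_redirects[path] += 1
        elif not from_se and status == 200:
            direct_ok[path] += 1
    return {p: (n, direct_ok[p]) for p, n in se_redirects.items() if direct_ok[p] > 0}


# Constructed sample log: /blog/?p=5510 redirects only for search-engine visitors.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Jul/2014:10:01:02 +0000] "GET /blog/?p=5510 HTTP/1.1" 302 0 '
    '"http://www.google.com/search?q=example" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jul/2014:10:01:05 +0000] "GET /blog/?p=5510 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [30/Jul/2014:10:02:11 +0000] "GET /blog/?p=5510 HTTP/1.1" 302 0 '
    '"http://www.bing.com/search?q=example" "Mozilla/5.0"',
    '203.0.113.10 - - [30/Jul/2014:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 2048 '
    '"http://www.google.com/" "Mozilla/5.0"',
    '203.0.113.11 - - [30/Jul/2014:10:03:30 +0000] "GET /old-page HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, (se, ok) in find_conditional_redirects(SAMPLE_LOG).items():
        print(f"{path}: {se} redirects for search-engine visitors, {ok} normal 200s for others")
```

The same logic works on a real combined log read line by line; a hit means the redirect logic in the site (often an injected .htaccess rule or PHP include, as in the cases above) should be inspected.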