SE Spam

In this thread we present a known SE Spam detection.

pol

See: This is a suspicious page
Result for 2014-09-03 18:30:00 UTC
Website: htxp://elkinhighschoolreunion.com
Start URL: htxp://elkinhighschoolreunion.com/2010/01/1967-holly-neaves
Start URL was redirected to another page: htxp://www.elkinhighschoolreunion.com/2010/01/1967-holly-neaves/
Checked URL: htxp://www.elkinhighschoolreunion.com/2010/01/1967-holly-neaves/
Trojans detected:
Object: htxp://www.elkinhighschoolreunion.com/2010/01/1967-holly-neaves/
SHA1: 3b2aca1992ff8bfc73f060dab3a64693087fb0fc
Name: TrojWare.JS.Agent.caa
https://www.virustotal.com/nl/url/ef22d65cd54bfcdb5267cdf1796b28abc43274568ecab7acaf91d51107d1e3a6/analysis/

Various incidents of known Spam SEO: http://sitecheck.sucuri.net/results/www.elkinhighschoolreunion.com

Web application version:
WordPress version: WordPress 2.9.2
All in One SEO Pack version: 1.6.10.2
WordPress theme: htxp://www.elkinhighschoolreunion.com/nc/wp-content/themes/mystique/
Wordpress internal path: /home/content/00/7403700/html/nc/wp-content/themes/mystique/index.php
WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 3.9.1

polonus
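The version strings above (WordPress 2.9.2, the SEO plugin, the theme path) are exactly the things a scanner pulls out of a front page before deciding "upgrade required". As an added example, not code from the post or from Sucuri, here is a small fingerprinter that extracts the generator meta tag, the theme slug and the ?ver= asset parameters and compares the core version against the 3.9.1 floor mentioned above. The HTML sample is constructed for the example and is not the real page.

```python
import re

# Constructed sample, modelled on what an old WordPress front page emits.
# Hypothetical markup: not fetched from the site discussed in the thread.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.9.2" />
<meta name="generator" content="All in One SEO Pack 1.6.10.2 - aioseop" />
<link rel="stylesheet" href="http://example.invalid/nc/wp-content/themes/mystique/style.css?ver=2.9.2" />
<script src="http://example.invalid/nc/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>
</head><body></body></html>"""

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
THEME_RE = re.compile(r'/wp-content/themes/([^/"\']+)/', re.I)
VER_RE = re.compile(r'[?&]ver=([\d.]+)')

# Floor used in the thread's scanner output ("WordPress Under 3.9.1").
MIN_SAFE_VERSION = "3.9.1"


def parse_version(s):
    """'2.9.2' -> (2, 9, 2) so that tuple comparison orders versions correctly
    (string comparison would put '10.0' before '3.9')."""
    return tuple(int(p) for p in s.split(".") if p.isdigit())


def fingerprint_wordpress(html, min_version=MIN_SAFE_VERSION):
    """Extract WordPress version, theme slug and asset ?ver= values from page HTML."""
    m = GENERATOR_RE.search(html)
    version = m.group(1) if m else None

    # Fall back to the ?ver= of core assets when the generator tag was removed;
    # the highest value seen is the best guess for the core version.
    asset_versions = sorted(set(VER_RE.findall(html)), key=parse_version)
    if version is None and asset_versions:
        version = asset_versions[-1]

    t = THEME_RE.search(html)
    theme = t.group(1) if t else None

    outdated = version is not None and parse_version(version) < parse_version(min_version)
    return {
        "version": version,
        "theme": theme,
        "asset_versions": asset_versions,
        "outdated": outdated,
    }


if __name__ == "__main__":
    print(fingerprint_wordpress(SAMPLE_HTML))
```

The generator tag is trivial for a site owner to remove, which is why the fallback to ?ver= on wp-includes assets is worth keeping; a cleaned-up site that still ships jquery.js?ver=1.3.2 is telling you something.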

Read about the malcode: http://stayaway2.blogspot.com/search/label/TrojWare.JS.Agent.caa

and an earlier post of mine: https://forum.avast.com/index.php?topic=152464.0

pol

Re: http://killmalware.com/sbc-pr.org/
Redirects: SE visitors redirects
Visitors from search engines are redirected
to: htxp://needabus.charterbusontario.com/ohwd.html?h=696727
see: https://www.virustotal.com/nl/url/8cfecc855383c0746c9d57ba0d2bbb4647a45bc5e889db6e6f9804eb0f6bb0a7/analysis/1409953544/ - I get a “There is nothing to see here”.
21 sites infected with redirects to this URL
Site blacklisted for being used to distribute malware.
backup exploit on cPanel 11.44.1.17

Also consider: http://www.urlvoid.com/ip/70.38.76.97/

polonus
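The "SE visitors redirects" finding above is exactly the case where a single-fetch scanner (and the "nothing to see here" from VirusTotal) comes up empty: the 302 only fires when the Referer says the visitor came from a search engine. As an added example, not code from this post or from any of the scanners named, here is a probe that fetches the same URL under several visitor profiles and flags a redirect that depends on who is asking. The fetch function is a constructed stand-in that mimics such a compromised site; swap in a real client that does not follow redirects.

```python
from urllib.parse import urlsplit

# Visitor profiles to compare. A conditional redirect shows up as a different
# status/Location for one profile than for the plain "direct" baseline.
PROBES = {
    "direct": {"User-Agent": "Mozilla/5.0", "Referer": ""},
    "from-google": {"User-Agent": "Mozilla/5.0",
                    "Referer": "https://www.google.com/search?q=charter+bus"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)",
                  "Referer": ""},
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_fetch(url, headers):
    """Constructed stand-in for an HTTP client (hypothetical site behaviour):
    only visitors arriving from a search engine get a 302 off-site, everyone
    else sees the normal page. A real client would be
    requests.get(url, headers=headers, allow_redirects=False)."""
    ref = headers.get("Referer", "")
    if any(se in ref for se in ("google.", "bing.", "yahoo.")):
        return 302, {"Location": "http://needabus.charterbusontario.com/ohwd.html?h=696727"}, b""
    return 200, {"Content-Type": "text/html"}, b"<html>normal page</html>"


def same_site(host_a, host_b):
    strip = lambda h: h.lower().removeprefix("www.")
    return strip(host_a) == strip(host_b)


def detect_conditional_redirect(url, fetch=fake_fetch):
    """Fetch url under every probe; report off-site redirects and whether
    the response differs between profiles."""
    host = urlsplit(url).netloc
    results = {}
    for name, hdrs in PROBES.items():
        status, resp_headers, _body = fetch(url, hdrs)
        results[name] = (status, resp_headers.get("Location"))

    offsite = [
        (name, loc)
        for name, (status, loc) in results.items()
        if status in REDIRECT_CODES and loc and not same_site(urlsplit(loc).netloc, host)
    ]
    baseline = results["direct"]
    conditional = any(r != baseline for r in results.values())
    return {"results": results, "offsite": offsite, "conditional": conditional}


if __name__ == "__main__":
    print(detect_conditional_redirect("http://sbc-pr.org/"))
```

The important design point is the comparison against a baseline rather than a fixed blocklist of destinations: the destination host will change from campaign to campaign, but "the page answers differently to Google traffic than to me" does not.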

This site was probably infested via a Plesk 11.0 vulnerability - Untrusted search path vulnerability.
For SEO spam see: http://sitecheck.sucuri.net/results/elektromontagen-ns.de
w.sharethis.com/button/buttons.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method eval = eval;
Threat dump: See attached
Threat dump MD5: 837547ABDE283EDCF7EE57C624A04B74
File size[byte]: 144141
File type: ASCII
MD5: 66CD2D4EC9CCEB39708E69C7A7A1C2F6
Scan duration[sec]: 5.670000 (Quttera scan data)

See also here: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Felektromontagen-ns.de%2F&useragent=Fetch+useragent&accept_encoding=

avast! Webshield detects and blocks site as infested with JS:Clickjack-A[Trj]

and indeed the site is vulnerable: websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An “X-Frame-Options” header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from trusted URIs. (info credits: Asafaweb)

polonus
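To turn the Asafaweb finding above into a repeatable check, here is an added example (not code from the post or from Asafaweb) that classifies a response's framing policy. It looks at X-Frame-Options as the post describes and also at the Content-Security-Policy frame-ancestors directive, which takes precedence when both are present. The header sets are constructed to show a frameable response next to a hardened one; nothing here was fetched from the site in question.

```python
FRAMEABLE, DENY, SAMEORIGIN, ALLOW_LIST = "frameable", "deny", "sameorigin", "allow-list"


def framing_policy(headers):
    """Return (verdict, reason) for a mapping of response headers.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options when both are sent.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [p.strip("'").lower() for p in parts[1:]]
        if sources == ["none"]:
            return DENY, "CSP frame-ancestors 'none'"
        if sources == ["self"]:
            return SAMEORIGIN, "CSP frame-ancestors 'self'"
        if "*" in sources or not sources:
            return FRAMEABLE, "CSP frame-ancestors permits any origin"
        return ALLOW_LIST, "CSP frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return DENY, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return SAMEORIGIN, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Legacy syntax, ignored by modern browsers; treat as allow-list but flag it.
        return ALLOW_LIST, "X-Frame-Options: " + xfo + " (legacy, not honoured by current browsers)"
    if xfo:
        return FRAMEABLE, "unrecognised X-Frame-Options value " + repr(xfo)
    return FRAMEABLE, "no X-Frame-Options or CSP frame-ancestors header"


# Constructed header sets (hypothetical, not captured from any real host).
VULNERABLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}


def is_clickjackable(headers):
    """True when a third-party page could frame this response."""
    return framing_policy(headers)[0] == FRAMEABLE


if __name__ == "__main__":
    for name, hdrs in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, framing_policy(hdrs))
```

Checking this against the live site is a matter of a HEAD request with any HTTP client; the function deliberately takes a plain header mapping so the same logic can run over scanner output or a saved HAR file.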

avast! Webshield particularly barks on: htxp://elektromontagen-ns.de/index.php/de/
Comodo flags:

This is a suspicious page
Result for 2014-09-10 19:59:45 UTC
Website: htxp://elektromontagen-ns.de
Checked URL: htxp://elektromontagen-ns.de/index.php/en/
Suspicious code detected:
Object: htxp://w.sharethis.com/button/buttons.js
SHA1: e5a119b6445e80d18391a21d15f4ac75831a376c
Name: Suspicious-WI.
Trojans detected:
Object: htxp://elektromontagen-ns.de/index.php/en/
SHA1: 6321b47e173c1db8354bec0808e7421ad7575deb
Name: TrojWare.JS.Agent.caa

pol

I have to report that DrWeb’s URL Checker misses these detections altogether:
htxp://elektromontagen-ns.de/ redirects to htxp://elektromontagen-ns.de/index.php/de/

Checking: htxps://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js
File size: 83.91 KB
File MD5: 4b347e8ecd50a18b0712f6082582b56d

htxps://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js - archive JS-HTML

htxps://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js/JSTag_1[100d6][4ece] - Ok
htxps://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js - Ok

Checking: htxp://w.sharethis.com/button/buttons.js
File size: 140.76 KB
File MD5: 66cd2d4ec9cceb39708e69c7a7a1c2f6

htxp://w.sharethis.com/button/buttons.js - archive JS-HTML

htxp://w.sharethis.com/button/buttons.js/JSTag_1[581d][1daf0] - Ok
htxp://w.sharethis.com/button/buttons.js - Ok

Checking: htxp://elektromontagen-ns.de/index.php/de/
Engine version: 7.0.10.8210
Total virus-finding records: 5447568
File size: 10.79 KB
File MD5: e8b8c5cd3b142d28decd5b8d47579d6e

htxp://elektromontagen-ns.de/index.php/de/ - archive JS-HTML

htxp://elektromontagen-ns.de/index.php/de//JSTAG_1[776][1eb] - Ok
htxp://elektromontagen-ns.de/index.php/de//JSTAG_2[a58][1ab] - Ok
htxp://elektromontagen-ns.de/index.php/de//JSTAG_3[dc0][1c9] - Ok
htxp://elektromontagen-ns.de/index.php/de//JSTAG_4[fce][2c3] - Ok
htxp://elektromontagen-ns.de/index.php/de//JSTAG_5[1bb0][19f] - Ok
htxp://elektromontagen-ns.de/index.php/de//JSTAG_6[2834][2c3] - Ok
htxp://elektromontagen-ns.de/index.php/de/ - Ok (actually not OK as we now know - pol)

polonus

The following site has probably been compromised via this URI:
htxp://ostbyitrysil.net/wp-admin/setup-config.php

Internal Server Error 500-error?v1 htxp://ostbyitrysil.net
Website Malware mw-redir-fakeav533 htxp://ostbyitrysil.net/404javascript.js
Internal Server Error 500-error?v1 htxp://ostbyitrysil.net/wp-admin/setup-config.php x
Website Malware mw-redir-fakeav533 htxp://ostbyitrysil.net
Website Malware MW:HTA:7 htxp://ostbyitrysil.net
Site error detected. Details: http://labs.sucuri.net/db/malware/500-error?v1
HTTP/1.1 500 Internal Server Error due to malicious injection gone wrong.

SE visitors redirects
Visitors from search engines are redirected
to: htxp://supasweb.ru/blackmuscats?5
supasweb.ru is reported by Google as suspicious
75 sites infected with redirects to this URL → http://labs.sucuri.net/?note=2012-08-02

PHP vulnerabilities: http://www.cvedetails.com/version/106044/PHP-PHP-5.2.17.html
Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4, a max upload vulnerability exists,
with users not aware of this. Also …/wp-includes/css/buttons.css?ver=3.9.2 vulnerable.
Website content is just the WordPress 3.9.2 Setup Configuration File, where probably the injection code that interfered caused the server error.
Website is blacklisted by http://whois.lookup.bz/ostbyitrysil.net
Site unreachable?
Google safebrowsing check: This site is currently listed as suspicious - visiting this web site may harm your computer.

Google works to provide the most accurate and up-to-date phishing and malware information. However, it cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be identified in error.

Code: 301, htxp://supasweb.ru/blackmuscats?5

Redirect to external server! FAKE AV redirect, see log: http://sakrare.ikyon.se/log.php?id=49208
& https://www.badwarebusters.org/main/itemview/30145

polonus

An extensive report on the above hack: http://www.joomlaspanish.org/foros/f135/web-hackeada-y-nueva-instalación-87872.html (in Spanish)

Damian

This one missed by VT: https://www.virustotal.com/nl/url/0953b74ad19ed4cdb02721d3d2b9fe7943a96893f9e0e904373d402b7b277eb6/analysis/1410536893/
Malware detected here: http://sitecheck.sucuri.net/results/ad-twice.com
index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to htxp://bizaz.bij.pl/pop/go.php?sid=1.
26 sites infected with redirects to this URL
Application: Mozilla/4.7 [nl] (WinNT; U) [Netscape]

redirTime = "1";                              // delay in ms (string, coerced by setTimeout)
redirURL = "htxp://wXw.ad-twice.nl/nl";       // destination of the client-side redirect
// arm a timer that navigates the window to redirURL; the string form is evaluated like eval()
function redirTimer() { self.setTimeout("self.location.href = redirURL;", redirTime); }

pol

URL is undetected by Avast.

Also not detected by Kaspersky Lab and Trend Micro.

Submitted via form.

Thank you, Steven Winderlich, for checking.
This is an interesting analysis, because the site did not follow the redirect to htxps://klant.bhosted.nl/login.php
Redirects to (location header) /login.php.
_http-generator: ERROR: Script execution failed (use -d to debug) :o
control panel log-in. TSLA status unknown. Comodo registered. Various security headers not according to best policy! Delegation errors for that sub domain. DNS check for main redirect domain: http://dnscheck.sidn.nl/?time=1410549401&id=1769470&view=basic&test=standard →
Name server ns1.bhosted.nl
Name server ns2.bhosted.eu
Name server ns3.bhosted.nl error!
Could not find reverse address for 2001:15c8:0:5:0:0:0:5 (5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.0.0.0.0.0.0.8.c.5.1.1.0.0.2.ip6.arpa.).
PTR record(s) for the address could not be found in the .arpa-zone. (ip6.arpa. for IPv6 addresses and in-addr.arpa. for IPv4).
Name server ns4.bhosted.nl

polonus
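The PTR error above is worth understanding in detail: the checker built the ip6.arpa owner name for 2001:15c8:0:5::5 and found no PTR record there. As an added example, not code from the post or from the SIDN checker, here is how that name is derived (expand the address to 32 nibbles, reverse them, dot-join, append ip6.arpa) together with the IPv4 in-addr.arpa equivalent, and a lookup that reports the name it queried so a missing record can be reproduced. The resolver used in the self-test is a constructed stand-in; the stdlib lookup is there for real use.

```python
import ipaddress
import socket


def ip6_arpa(addr):
    """Reverse-DNS owner name for an IPv6 address, built by hand."""
    ip = ipaddress.IPv6Address(addr)
    nibbles = ip.exploded.replace(":", "")      # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def in_addr_arpa(addr):
    """Reverse-DNS owner name for an IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."


def reverse_name(addr):
    ip = ipaddress.ip_address(addr)
    return ip6_arpa(addr) if ip.version == 6 else in_addr_arpa(addr)


def check_ptr(addr, resolve):
    """Return (owner_name, ptr_targets). resolve(name) -> list of PTR targets,
    empty when the name does not exist in the .arpa zone."""
    name = reverse_name(addr)
    return name, resolve(name)


def stdlib_resolve(name):
    """Real lookup via the system resolver; gethostbyaddr takes the address,
    so recover it from the owner name first. Returns [] on NXDOMAIN."""
    if name.endswith(".ip6.arpa."):
        nibbles = "".join(reversed(name[: -len(".ip6.arpa.")].split(".")))
        addr = str(ipaddress.IPv6Address(int(nibbles, 16)))
    else:
        addr = ".".join(reversed(name[: -len(".in-addr.arpa.")].split(".")))
    try:
        return [socket.gethostbyaddr(addr)[0] + "."]
    except (socket.herror, socket.gaierror):
        return []


# Constructed stand-in zone (hypothetical data): one IPv4 PTR present, no IPv6 PTR.
FAKE_PTR_ZONE = {
    in_addr_arpa("192.0.2.5"): ["mail.example.invalid."],
}


def fake_resolve(name):
    return FAKE_PTR_ZONE.get(name, [])


if __name__ == "__main__":
    for a in ("2001:15c8:0:5::5", "192.0.2.5"):
        name, targets = check_ptr(a, fake_resolve)
        print(a, "->", name, targets or "NO PTR")
```

Cross-check: Python's ipaddress.IPv6Address(...).reverse_pointer produces the same owner name without the trailing dot, which is handy when you want to confirm a checker's output before blaming the DNS operator.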

SEO Spam infected site generally detected as here: https://www.virustotal.com/nl/url/2bb5781b0cd9742bccc168286ab33bc29833e0f93b5ab1b79600ea3b43fab38f/analysis/1410699981/
avast! Webshield detects object on IP as infested with JS:Hide-Link-A[Trj].
Quttera misses it altogether: http://quttera.com/detailed_report/blog.bookrenter.com
Sucuri delivers an extended report here: http://sitecheck.sucuri.net/results/blog.bookrenter.com
backported vulnerable WP theme: Wordpress internal path: /home/content/14/6832014/html/wp-content/themes/bookrenter/index.php
IP badness history: https://www.virustotal.com/nl/ip-address/184.168.244.29/information/
Malware is sometimes long OVERDUE!: http://support.clean-mx.com/clean-mx/viruses.php?review=184.168.244.29&sort=id%20DESC

pol

Update: SE campaign still going on → htxp://needabus.charterbusontario.com/ohwd.html?h=696727
SE visitors redirects
Visitors from search engines are redirected
to: htxp://needabus.charterbusontario.com/ohwd.html?h=696727
21 sites infected with redirects to this URL
Missed: https://www.virustotal.com/en/url/b78d57d98d6f81714319905c74339279dd72819d1fe4e8319bd25b8b903b216b/analysis/1426773421/
Quttera detects: index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to htxp://needabus.charterbusontario.com/ohwd.html?h=696727 * Code 302
File size[byte]: 0
File type: Unknown
Page/File MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000

pol