SE visitor redirect detected?

See: htxp://preferredhotelrates.com/
SE visitors redirects
Visitors from search engines are redirected
to: htxp://opec.lflink.com/
opec.lflink.com is reported by Google as suspicious
7166 sites infected with redirects to this URL
Detection missed here: http://www.websicherheit.at/web-security-test-scanner/
Confirmed here: http://sitecheck.sucuri.net/results/preferredhotelrates.com/
ISSUE DETECTED DEFINITION INFECTED URL
Website Malware malware-entry-mwblacklisted35 htxp://preferredhotelrates.com/about-us
Web application version:
Joomla Version 1.5.18 - 1.5.26 for: http://preferredhotelrates.com//media/system/js/caption.js
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.20 or 3.3

Mentioned in this list: http://johnpc.home.xs4all.nl/vulnerable_sites-ips.txt
Potentially suspicious file:
plugins/content/plugin_jw_ts/tabs_slides_comp.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method write __tmpvar652329893 = write;
Threat dump: http://jsfiddle.net/pA3SS/
Threat dump MD5: F04E022C0C9DA0CC04D2535F19F19EEC
File size[byte]: 5367
File type: ASCII
MD5: BE7C24CC472F71F680EC3371FEC7C320
Scan duration[sec]: 0.279000

polonus

probably not a malicious redirect…

preferredhotelrates.com
https://www.virustotal.com/en/file/b7c5c25306d140814fff2b0d287efd5c269a3ee315a8952c7a73ff00db23f4ca/analysis/1404660754/

the redirect site opec.lflink.com/ seems down

Hi Pondus,

That could be why scanners do not detect. → http://wepawet.iseclab.org/view.php?hash=4b87b798f3a22ffd1fa2814bd2d26c9b&t=1362597312&type=js
However site stays vulnerable because of Joomla being out of date and exploitable.

Code is suspicious, see screenshot attached.

Either preferredhotelrates dot com is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY.

Here urlquery dot net is not detecting.
Killmalware has it: SE visitors redirects
Visitors from search engines are redirected
to: htxp://kasiacleaningservice.com/blog/?p=5510&comment=497630
120 sites infected with redirects to this URL
as does Sucuri’s: http://sitecheck.sucuri.net/results/virgonova.com
Website Malware malware-entry-mwblacklisted35 htxp://kasiacleaningservice.com/blog/?p=5510&comment=497630
Unable to properly scan your site. Site empty (no content): Content-Length: 0
Misused or defaced server.

pol

This site has a malware history in the past: https://www.virustotal.com/nl/file/4e32b9ce70e50bed88eac0a76b0a005dea7e7f88dcaba61968ef20a8c6d7bc15/analysis/
SE visitors redirects
Chain of redirects found:
to: htxp://tinyurl.com/d3z22b6
3890 sites infected with redirects to this URL
to: htxp://www.96khz-productions.com//administrator/components/com_config/views/application/tmpl/www/all.php
6799 sites infected with redirects to this URL
Site blacklisted and probably compromised.
Server redirect
Code: 404,
Content cannot be read!

See code attached

Loads of scanners will miss this SE redirect: http://killmalware.com/nvshu.org/#
Sucuri misses, Web Security Test, zulu Zscaler etc.
Redleg’s file viewer has it: The location line in the header above has redirected the request to: htxp://t.ypjd.net/t.php?jiechi-wen-nvshu.org

( If this redirect is not what you expected SEE: Redirects. for some tips on clearing redirects.)
Content displayed is from the redirect location, the URL htxp://t.ypjd.net/t.php?jiechi-wen-nvshu.org
Dynamic Content - policy ref: htxp://www.dsparking.com/w3c/p3p.xml
IP badness history: https://www.virustotal.com/nl/ip-address/208.73.211.191/information/

polonus

See: http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2Fwww.clicmotoshop.com
Object: htxp://www.clicmotoshop.com/
SHA1: 8f9e82fa15940564bd46e53c9ecb2add86b01180
Name: TrojWare.JS.Agent.caa
Confirmed as being SEO Spam here: http://sitecheck.sucuri.net/results/www.clicmotoshop.com
Vulnerable site because Web application version:
Joomla Version 1.5.8 to 1.5.14 for: htxp://www.clicmotoshop.com/media/system/js/caption.js
Joomla Version 1.5.14 for: htxp://www.clicmotoshop.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.20 or 3.3
Javascript check:
Suspicious

nguage=“javascript”> function dnnviewstate() { var a=0,m,v,t,z,x=new array(‘9091968376’,‘8887918192818786347374918784939277359287883421333333338896’,‘778787’,'9499907

SEO Spam infection missed overall here: https://www.virustotal.com/nl/url/efc428d25c9322261a322b123aa3e434f3a08a8509f459d77fda3dc89264e675/analysis/1404927680/

But the avast! Web Shield detects this on that site as: JS:Clickjack-A[Trj].
We are being protected.

Damian

And another one: http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2Fvmsix.com
SEO Spam malware: http://sitecheck.sucuri.net/results/vmsix.com
Iframe check:
Suspicious
htxp://affl.sucuri.net/?affl=8fedd13cfe82ba6b5fd4a93876cc2065&noredir&trid=sitecheckwarnnew3’
Javascript check:
Suspicious

‘+x[1]+’}</‘+x[0]+’>');}dnnviewstate();

known javascript malware. details: h…
Included scripts checked:
Suspect - please check list for unknown includes

Suspicious Script:
sucuri.net//js/bootstrap.min.js
Link: new malware – eval + getmama + encoded javascript (htxps://sucuri.net/wordpress … getmama-encoded-javascript.html)

polonus

VirusTotal does not have it: https://www.virustotal.com/nl/url/9c623d1af66a3cc4f6ec981b3478c13479505a0a171e1a2b2bacc6a8e8a4ec46/analysis/
as does Quttera’s: http://quttera.com/detailed_report/www.opf.pt
Sucuri gives it all: http://sitecheck.sucuri.net/results/www.opf.pt Infested with SEO-Spam
and Javascript Check

Suspicious

guage=“javascript”>function dnnviewstate(){var a=0,m,v,t,z,x=new array(‘9091968376’,‘8887918192818786347374918784939277359287883421333333338896’,‘778787’,'949990

Read: http://vel.joomla.org/articles/844-spotting-spam-code-in-malicious-extensions.html (link author = Vel)

Trojan detected:
Object: htxp://www.opf.pt/
SHA1: 5388db16362c6f84c0131cfaa2a236f45c767918
Name: TrojWare.JS.Agent.caa

Malcode on other domain with same IP: https://www.virustotal.com/nl/url/4abeed786ba49572fcfc80142193f23eef1c52c657ea6835b15a0418db5ec1b1/analysis/

polonus

iFrame malware on site missed by many scanners.
Detected here: http://killmalware.com/ffinlo.com/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://uk.cvrcc.com/?ffinlo.com
3 sites infected with redirects to this URL → https://www.mywot.com/en/scorecard/cvrcc.com?utm_source=addon&utm_content=popup
Missed at recommended scanner: http://sitecheck.sucuri.net/results/ffinlo.com/
and here: http://zulu.zscaler.com/submission/show/f2a218aa5842b6bad801f378ea2b2f9f-1405256029
Google browser diff: Not identical

Google: 5683 bytes Firefox: 0 bytes
Diff: 5683 bytes

First difference:
=“eng”> discount authentic michael kors handbags uk outlet dot online < ffinlo dot com <meta http-equiv=“content-type” content=“text/html; charset=iso-8859-1”…

Errors and warnings on site, see: https://asafaweb.com/Scan?Url=ffinlo.com

polonus
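The "Google browser diff" check quoted above (one fetch as Google, one as Firefox, then compare the sizes) is a general way to surface a search-engine-only redirect from the defender's side. The script below is an added example, not part of the thread or of any scanner named in it: it requests one URL under several client profiles without following redirects and reports a profile whose Location header, status or body size differs from the plain-visitor baseline. The profile names, the User-Agent strings, the `redirect.invalid` host and the sample responses are constructed for this example.

```python
"""Added example (not from the forum thread): reproduce the "Google browser diff"
idea by requesting one URL under several client profiles and comparing the
answers. A search-engine-only redirect shows up as a Location header or a
large body-size difference that the plain visitor never sees. Hostnames,
profiles and the sample responses below are constructed for this example."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional

# Client profiles to compare. Conditional redirects key on the User-Agent
# (a crawler) or on the Referer (a visitor arriving from a results page).
PROFILES = {
    "plain": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/30.0"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "from_google": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/30.0",
        "Referer": "https://www.google.com/search?q=example",
    },
}


@dataclass
class Response:
    status: int
    location: Optional[str]
    body: bytes


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx answers: the Location header itself is the evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, headers: Dict[str, str]) -> Response:
    """Fetch url once with the given headers, without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as r:
            return Response(r.status, r.headers.get("Location"), r.read())
    except urllib.error.HTTPError as e:
        # With NoRedirect installed, 3xx answers arrive here as HTTPError.
        return Response(e.code, e.headers.get("Location"), e.read())


def compare(responses: Dict[str, Response], baseline: str = "plain",
            min_body_diff: int = 1024) -> List[str]:
    """Report every profile whose answer differs from the baseline profile."""
    base = responses[baseline]
    findings = []
    for name, r in responses.items():
        if name == baseline:
            continue
        if r.location and r.location != base.location:
            findings.append(f"{name}: conditional redirect to {r.location}")
        elif r.status != base.status:
            findings.append(f"{name}: status {r.status} vs baseline {base.status}")
        elif abs(len(r.body) - len(base.body)) >= min_body_diff:
            # Same pattern as "Google: 5683 bytes, Firefox: 0 bytes" above.
            findings.append(f"{name}: body differs by {abs(len(r.body) - len(base.body))} bytes")
    return findings


def scan(url: str) -> List[str]:
    """Live check: fetch the URL once per profile and diff the answers."""
    return compare({name: fetch(url, hdrs) for name, hdrs in PROFILES.items()})


# Constructed sample: normal visitors and the crawler get the real page,
# a visitor coming from a search results page is bounced to another host.
SAMPLE = {
    "plain": Response(200, None, b"<html>real page</html>" * 200),
    "googlebot": Response(200, None, b"<html>real page</html>" * 200),
    "from_google": Response(302, "http://redirect.invalid/t.php?example", b""),
}

if __name__ == "__main__":
    for line in compare(SAMPLE):
        print(line)
```

Run `scan("http://site-under-review.invalid/")` against a host you are responsible for to do the live comparison; `compare(SAMPLE)` shows the offline logic. The `min_body_diff` threshold keeps ordinary dynamic content (counters, timestamps) from being reported; a page that returns 0 bytes to one profile and thousands to another, as in the diff above, is well above it.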

Site vulnerable because of outdated Drupal → Drupal under 6.31 or 7.27
http://killmalware.com/chudovperjax.ru/#
Missed by most scanners:
http://www.urlvoid.com/scan/chudovperjax.ru/
Injection check:
Suspicious Text before HTML

order bupropion
Javascript check:
Suspicious

<span c…

404-error check:
Suspicious

Suspicious 404 Page:
.ru/click’ "+ “target=_blank><img src='//counter.yadro dot ru/hit?t14.6;r”+ escape(document.referrer)+((typeof(screen)=="und

polonus

Some scanners I use are showing some issues:
http://sitecheck.sucuri.net/results/chudovperjax.ru
http://zulu.zscaler.com/submission/show/842c036f7d61b89902ddeccd334af142-1405367207
Some not:
http://urlquery.net/report.php?id=1405367350576
https://www.virustotal.com/en/url/28969c8058f4a122061eae6959d58b8578d88a42874ed73615c6c8ceb865ea73/analysis/1405367300/
No a/v solution is detecting so far.

Seems work needs to be done here in protecting avast! users against these specific sort of threats.

Hi mchain,

Seems a pharmaco-spam site for a known anti-depressant (bupropion aka Wellbutrin)
see what quttera flags attached.
misc/jquery.js?9
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method eval __tmpvar1141815228 = eval; That could be part of a dangerous website JQuery injection and theme hack attack and so it should be flagged!

That’s why, mchain, we’re both into this just to improve avast! detection rate, that is the only valid reason for us. ;D

polonus
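The quttera findings quoted in this post and in the first post of the thread ("initialization of function pointer to JavaScript method eval __tmpvar1141815228 = eval;" and "... write __tmpvar652329893 = write;") and the `dnnviewstate()` array of long digit strings quoted earlier are all things a static triage pass can flag without executing the script. The code below is an added example, not part of the thread or of quttera's or any other scanner's engine: it runs a handful of such heuristics over JavaScript text and labels the result in the style of the scanner output above. The heuristic names, the `redirect.invalid` host and the sample scripts are constructed for this example.

```python
"""Added example (not from the thread or from any scanner mentioned in it):
a small static triage pass over JavaScript that flags the kinds of indicators
the posts quote: a function pointer aliased to eval or write
("__tmpvar... = eval;"), arrays of long digit strings decoded at run time,
eval over a constructed string, and zero-size iframes. The heuristic names
and the sample scripts are constructed here."""
import re
from typing import List, Tuple

HEURISTICS = [
    # var __tmpvar1141815228 = eval;  /  __tmpvar652329893 = write;
    ("function pointer aliased to eval/write/unescape",
     re.compile(r"\b(?:var\s+)?\w+\s*=\s*(?:document\.)?(?:eval|write|unescape)\s*;")),
    # new Array('9091968376', ...) style numeric-string tables decoded later
    ("array of long numeric strings",
     re.compile(r"new\s+array\s*\(\s*['\"]\d{8,}['\"]", re.IGNORECASE)),
    # eval fed with a concatenated or character-code built string
    ("eval of a constructed string",
     re.compile(r"\beval\s*\(\s*(?:[\w.]+\s*\+|String\.fromCharCode|unescape)")),
    # <iframe ... width=0 height=0>
    ("zero-size iframe",
     re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?0\b", re.IGNORECASE)),
]


def scan_js(source: str) -> List[Tuple[str, str]]:
    """Return (heuristic, matched text) pairs, in heuristic order."""
    findings = []
    for name, rx in HEURISTICS:
        for m in rx.finditer(source):
            findings.append((name, m.group(0)))
    return findings


def triage(source: str) -> str:
    """Severity label in the style of the scanner output quoted above."""
    hits = {name for name, _ in scan_js(source)}
    if not hits:
        return "Clean"
    return "Potentially Suspicious" if len(hits) == 1 else "Suspicious"


# Constructed sample in the shape of the injected code discussed above:
# eval is aliased first, so a plain search for "eval(" would never see it.
SAMPLE_JS = """
var __tmpvar1141815228 = eval;
function dnnviewstate(){var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786','778787');
 z=''; for(v=0;v<x.length;v++){ z+=String.fromCharCode(parseInt(x[v].substr(0,2))+a); }
 __tmpvar1141815228(z); }
dnnviewstate();
document.write('<iframe src="http://redirect.invalid/" width=0 height=0></iframe>');
"""

# Constructed benign script: a direct document.write call and a plain loop.
BENIGN_JS = 'document.write("<p>hello</p>"); var total = 0; for (var i = 0; i < 3; i++) { total += i; }'

if __name__ == "__main__":
    for name, text in scan_js(SAMPLE_JS):
        print(f"{name}: {text}")
    print(triage(SAMPLE_JS), triage(BENIGN_JS))
```

Note what the alias heuristic buys: the sample never contains the literal `eval(`, because the injected code calls `eval` through the `__tmpvar` pointer, so the "eval of a constructed string" rule does not fire on it and only the alias rule catches the evaluation step. That is exactly why quttera reports the function-pointer initialization rather than the call, and why a scanner that only greps for `eval(` misses this family.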

Here the network is spreading all sorts of live malware for various domains: http://www.worldguide.pt/clean-mx/viruses.php?inetnum=204.12.0.0%20-%20204.12.127.255&sort=id%20DESC&response=alive
Part of this: http://killmalware.com/jacksongray.com/#
SE visitors redirects
Chain of redirects found:
to: htxp://www.topmichaelkorsoutletsales.com/
0 sites infected with redirects to this URL
to: htxp://www.millionculturalrelicsin.info/
11 sites infected with redirects to this URL
Completely missed here: http://zulu.zscaler.com/submission/show/014919d31b53184977f1e6bff10d5e64-1405511544
Sucuri has it: ISSUE DETECTED DEFINITION INFECTED URL
Website Malware MW:HTA:7 htxp://jacksongray.com/ ( View Payload )
Suspicious conditional redirect. Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to: htxp://www.millionculturalrelicsin.info/

pol

Detected by Sucuri’s http://sitecheck.sucuri.net/results/www.sacketsharborny.com
Infected with SEO Spam: SEO Spam MW:SPAM:SEO htxp://www.sacketsharborny.com
SEO Spam MW:SPAM:SEO htxp://www.sacketsharborny.com/404testpage4525d2fdc
SEO Spam MW:SPAM:SEO htxp://www.sacketsharborny.com/index.php/visit-and-stay-here/entertainment
Missed here: http://killmalware.com/www.sacketsharborny.com/
and here: http://zulu.zscaler.com/submission/show/036bdad4be0bae6b4312a11f0ef7a9a1-1405708939
Comodo detects: Trojans detected:
Object: http://www.sacketsharborny.com/
SHA1: 67565f1579f03e2e26162038b3788ef02aeb4d75
Name: TrojWare.JS.Agent.caa
Flagged twice here: https://www.virustotal.com/nl/url/a9278f1241b22751e1c6ac0ec05ee21e8b0442b66b6c1d729790ff56e4c008f2/analysis/1405709366/
Also consider: http://sameid.net/ip/50.87.39.164/
Site was vulnerable because of Web application details:
Running cPanel 11.42.1.21: radioislam.tv:2082
cPanel version 11.42.1.21 outdated: Upgrade required.
Outdated cPanel Found: cPanel 11.42.1.21

polonus

Blacklisted by Yandex: https://www.virustotal.com/nl/url/a5b6f9763016a2f8cde7b573098f3f128da0df479543bc6cdf7c77fd5036e55f/analysis/1405711467/
Found to be suspicious: http://zulu.zscaler.com/submission/show/ad67cae331de03997f52a653dcaddca6-1405711429
Site likely compromised (hacked) and potentially harmful: http://sitecheck.sucuri.net/results/hpft.ru/
http://killmalware.com/hpft.ru/#
SE visitors redirects
Chain of redirects found:
to: htxp://avicennahealth.org/templates/beez/html/mod_poll/1/all.php
0 sites infected with redirects to this URL
to: htxp://www.caribsoft-online.biz/templates/rhuk_solarflare_ii/images/index.php
www.caribsoft-online.biz is reported by Google as suspicious
860 sites infected with redirects to this URL
external link to hxtp://inetlog.ru/ blocked
external link with bad web rep: https://www.mywot.com/en/scorecard/hpft.ru?utm_source=addon&utm_content=warn-viewsc

polonus

Not only that, FF 30.0 gets into the act, too re hxxp://www.caribsoft-online.biz/ when you click that too.

See attached below:

Missed by a couple of scanners: http://www.urlvoid.com/scan/kopuzlartekstil.com/
and here: http://app.webinspector.com/public/reports/23182778
and here: http://zulu.zscaler.com/submission/show/ad7a82e36464664f7c34c557cb33aa1c-1405716708
and here: https://www.virustotal.com/nl/url/23c007d64fd172b5e45424285754f40b0f1b131e3ed4042738a30210a0e7e3ff/analysis/1405717202/
Blacklisted by Yandex: https://www.virustotal.com/nl/url/a5b6f9763016a2f8cde7b573098f3f128da0df479543bc6cdf7c77fd5036e55f/analysis/1405711467/
confirmed here: http://sitecheck.sucuri.net/results/kopuzlartekstil.com/
ISSUE DETECTED DEFINITION INFECTED URL
Website Malware MW:HTA:7 htxp://kopuzlartekstil.com/ ( View Payload )
Suspicious conditional redirect. Details: http://sucuri.net/malware/entry/MW:HTA:7

polonus
Redirects users to: htxp://bkamedic.com -
Phishing on same IP: http://support.clean-mx.de/clean-mx/phishing.php?review=5.250.244.27&sort=id%20DESC

Flagged here: http://sitecheck.sucuri.net/results/palmgren.net
ISSUE DETECTED DEFINITION INFECTED URL
Website Malware malware-entry-mwhta7?v3 htxp://palmgren.net/404testpage4525d2fdc ( View Payload )
Website Malware malware-entry-mwhta7?v3 htxp://palmgren.net/404javascript.js ( View Payload )
Website Malware malware-entry-mwhta7?v3 htxp://palmgren.net ( View Payload )
Website Malware MW:HTA:7 htxp://palmgren.net ( View Payload )
Known javascript malware. Details: htxp://sucuri.net/malware/malware-entry-mwhta7?v3
Location: htxp://softwareid.ru/zisec/index.php
SE visitors redirects
Visitors from search engines are redirected
to: htxp://softwareid.ru/zisec/index.php
10 sites infected with redirects to this URL
Flagged: http://killmalware.com/palmgren.net/#

This should not be available: htxps://secure.servage.net/**/login/ ** broken by me, polonus
nor this wXw.servage.net/products_services/website_builder/ HTTP/1.1
“This Servage Hosting customer has not yet uploaded any index file.”

Redirect host down: GET //softwareid dot ru/ HTTP/1.1
Host: softwareid dot ru -> no response

polonus

https://forum.avast.com/index.php?action=post;topic=151778.0;last_msg=1107250
Confirmed here: http://urlquery.net/report.php?id=1405782274390

website unknown in the system

D