SE visitors redirect flagged by avast?

See: http://killmalware.com/writemymortgage.com/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://redoperabwo dot ru
redoperabwo dot ru is reported by Google as suspicious
1243 sites infected with redirects to this URL

See: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwritemymortgage.com%2F
WordPress version outdated: Upgrade required.
Suspicious domain detected: http://sucuri.net/malware/malware-entry-mwblacklisted35

Javascript check: suspicious

rm" action="htxp://redoperabwo dot ru/parking.php" method="get" name="searchform"><input type="hidden" name="ses" value="y3jlptezotu0ndq5njgmdgnpzd1yzwrvcgvyywj3by5ydtuzmmnjy…

404-error check: Suspicious 404 Page:
.ru/parking.php" method="get" name="searchform"><input type="hidden" name="ses" value="y3jlptezotu0ndq5njkmdgn

External links to: htxp://www.sedo.com/services/parking.php3
because of virus tracker classification: writemymortgage dot com,192.254.234.8,ns6495.hostgator dot com,Parked/expired,

polonus

This one is not flagged: http://killmalware.com/schultzerbse.de/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://itsme.eu/
5 sites infected with redirects to this URL
Not flagged here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fschultzerbse.de
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fschultzerbse.de%2F&useragent=Fetch+useragent&accept_encoding=

polonus

Following site is not flagged by avast! SE redirect may not be actual!
http://killmalware.com/alagez.org/#
Sucuri flags known javascript malware and outdated Joomla CMS: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Falagez.org
See: http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.alagez.org/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO
No alerts: http://urlquery.net/report.php?id=1395585874110
Only embedded content now: htxp://alagez.org/images/joomla_logo_black.jpg
IP = PHISH up and alive: http://support.clean-mx.de/clean-mx/phishing.php?response=alive&email=abuse@ispsystem.net
The so-called redirection destination: https://www.google.com/safebrowsing/diagnostic?site=industry.bee.pl/
https://www.virustotal.com/nl/ip-address/46.21.144.53/information/

polonus

Here we can detect how that SE visitors redirect was wrought: via an uploaded Joomla backdoor; all PHP files were infested.
Visitors from search engines are redirected
to: hxtp://www.stlp.4pu.com/
7342 sites infected with redirects to this URL

Web Rep: http://www.webutations.org/go/review/stlp.4pu.com

Re: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fpavementrestore.org%2F
Site with malware: http://sucuri.net/malware/entry/MW:SPAM:SEO & http://sucuri.net/malware/malware-entry-mwspamseom/js/caption.js
Joomla Version 1.5.18 - 1.5.26 for: http://pavementrestore.org//media/syste
Joomla Version 1.5.18 to 1.5.26 for: http://pavementrestore.org//language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.

pol

See SE redirect here: http://killmalware.com/millennium-international.net/#
Is not SE friendly as checked against this: http://www.webconfs.com/redirect-check.php
Either hxtp://millennium-international.net/ is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY
and the destination: Either htxp://tonycar.com/css/4.php is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY

polonus

See how the use of this Backlink Checker can help your evaluation of a particular SE redirect.
See: http://killmalware.com/uscoptic.com/#
See: http://smallseotools.com/backlink-checker/
See how WOT, Quttera and McAfee’s Site Advisor treat the redirect site: Total backlinks: 178
Example: https://www.mywot.com/en/scorecard/medicsph.ru
Strongly advise using this for evaluation purposes (use inside a VM or sandbox please),
as we even learn that the site is down now: http://www.statscrop.com/www/medicsph.ru (backlink on page 2)

pol

See: http://maldb.com/northlinkva.com/#
Conditional redirects found. Visitors from search engines are redirected
to: htxp://canadianonlinedrugs dot com/
Redirect to this URL found in 9 sites

Via Backlink Checker found this report: http://scamfraudalert.org/2014/01/06/bestpricedrugs24-org/
WOT is somewhat milder in its web rep report: https://www.mywot.com/en/scorecard/bestpricedrugs24.org?utm_source=addon&utm_content=popup-donuts

See for this Russian based redirect: http://toolbar.netcraft.com/site_report?url=http://bestpricedrugs24.org
Site not malicious in itself. Most malware from IP being closed also from mentioned site:
http://support.clean-mx.de/clean-mx/viruses.php?email=noc@arpnetworks.com&response=

pol

This conditional SE redirect isn’t malicious, is it?
See: http://killmalware.com/toy4kid.ru/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://ifyoucan.ru/miss.php?r=toy4kid.ru/&p=
180 sites infected with redirects to this URL
For: htxp://toy4kid.ru/ Found redirect to htxp://grame.ru/honda.php. The Redirect is Search Engine Friendly.
Either htxp://ifyoucan.ru/miss.php?r=toy4kid.ru/&p= is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY
Bitdefender TrafficLight blocks: http://www.urlvoid.com/scan/ifyoucan.ru/
badness history on IP: https://www.virustotal.com/nl/ip-address/78.110.50.117/information/

polonus

See: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Frefuge7laux.fr
Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:htxp://miamiheattickets.com/http.php
Either hxtp://miamiheattickets.com/http.php is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY
Site has Namo WebEditor v5.0 Remote File Uploader, vulnerable to upload of PHP Shells via → inurl:/module/upload_image/
Also consider: http://evuln.com/tools/malware-scanner/miamiheattickets.com/

Content that was returned by your request for the URL: htxp://refuge7laux.fr/tarifs-refuge-7laux.php
Note: Content displayed is from the redirect location, the URL htxp://miamiheattickets.com/http.php
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Additional for the nameserver: http://knujon.com/nameservers/NS61.1AND1.FR.html (spam domain servers)

polonus

See: http://urlquery.net/report.php?id=1395932925136
See: http://killmalware.com/eplantern.com/# & http://evuln.com/labs/pityhandsdown.ru/

Nothing here: http://zulu.zscaler.com/submission/show/03ad865f2236a88bd04daf3856a52280-1395932833

Backlink info: http://www.runfo.ru/r/REGRU-REG-RIPN/286.html & http://labs.sucuri.net/?malware&entry=2012-09-16
http://www.domaintuno.com/d/eplantern.com
Either htxp://pityhandsdown.ru/pavilion?8 is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY
Either htxp://eplantern.com/ is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY

Why does the site need this affirmation of security? → http://www.scamadviser.com/is-eplantern.com-a-fake-site.html

pol

See: http://killmalware.com/almansoor.com/#
Cannot connect → http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Falmansoor.com
Source is clear here:

 <font style='position: absolute;overflow: hidden;height: 0;width: 0'><a href="htxp://canadian-**SPAM**-center dot com">canadian online **SPAM**</a></font>

htxp://canadian-SPAM-center.com/ not flagged
Redirection given was terminated because of violation of use by:
htxp://tinyurl.com/nospam.php?id=bp5bg4v

The TinyURL (bp5bg4v) you visited was used by its creator in violation of our terms of use. TinyURL has a strict no abuse policy and we apologize for the intrusion this user has caused you. Such violations of our terms of use include:

Spam - Unsolicited Bulk E-mail
Fraud or Money Making scams
Malware
or any other use that is illegal.
If you received spam, please note that TinyURL did not send this spam and we do not operate any email lists. We can not remove you from spammer’s database as we have no association with spammers, but instead we recommend you use spam filtering software.

*

SE visitors redirects
Visitors from search engines are redirected
to: hxtp://tinyurl.com/bp5bg4v *
1097 sites infected with redirects to this URL (now as we know terminated because of abuse).

On IP we also saw a dead PHISH flagged: http://support.clean-mx.de/clean-mx/phishing.php?id=3978548

pol
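The hidden-link fragment quoted in the post above (an absolutely positioned, zero-size container wrapping a spam anchor) is what a site owner should scan their own pages for. The following is an added example and not code from the forum post or from any scanner linked in this thread; the sample page and every hostname in it are constructed placeholders. It walks the HTML, tracks containers whose inline style would make them invisible, and reports every anchor inside one, marking whether it points off-site.

```python
"""Find links hidden from human visitors by an invisible container.

Added example, not code from the forum post or from any scanner linked in it.
The sample page below is constructed; its domains are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style declarations that keep a link in the DOM (so crawlers index it)
# while removing it from view. The quoted snippet used height/width 0 inside
# an absolutely positioned, overflow-hidden element.
HIDING_RULES = [
    re.compile(r"display\s*:\s*none"),
    re.compile(r"visibility\s*:\s*hidden"),
    re.compile(r"(?<![\w-])(?:height|width)\s*:\s*0(?:px)?\s*(?:;|$)"),
    re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}"),
]

# Tags that never take an end tag, so they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def is_hiding_style(style):
    """True if the inline style would make the element invisible."""
    value = style.lower()
    return any(rule.search(value) for rule in HIDING_RULES)


class HiddenLinkFinder(HTMLParser):
    """Collects <a href> elements that sit inside (or are) a hiding container."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []        # (tag, started_hiding_container) for open elements
        self.hidden_depth = 0  # how many hiding containers are currently open
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        hiding = is_hiding_style(attributes.get("style") or "")
        if tag == "a" and attributes.get("href") and (hiding or self.hidden_depth > 0):
            href = attributes["href"]
            host = (urlparse(href).hostname or "").lower()
            self.hits.append({
                "href": href,
                # A link without a host is relative, hence on the page's own site.
                "external": bool(host) and host != self.page_host,
            })
        if tag in VOID_TAGS:
            return
        self.stack.append((tag, hiding))
        if hiding:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating sloppy markup.
        if not any(open_tag == tag for open_tag, _ in self.stack):
            return
        while self.stack:
            open_tag, hiding = self.stack.pop()
            if hiding:
                self.hidden_depth -= 1
            if open_tag == tag:
                break


def find_hidden_links(html, page_host):
    """Return the hidden links found in `html`, in document order."""
    finder = HiddenLinkFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample modelled on the quoted snippet; all domains are placeholders.
SAMPLE_PAGE = """<html><body>
<p>Welcome to our site.</p>
<font style='position: absolute;overflow: hidden;height: 0;width: 0'><a href="http://pharma-spam.example/">cheap pills</a></font>
<div style="display:none"><a href="/hidden-local-page">local</a></div>
<a href="http://partner.example/">visible partner link</a>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_links(SAMPLE_PAGE, "victim.example"):
        print(("EXTERNAL " if hit["external"] else "internal ") + hit["href"])
```

An external hit inside a hiding container is the SEO-spam signature; an internal one is worth a look but is often just a template quirk. Run it over the HTML as served to a crawler user agent as well as to a browser, since injected link blocks are frequently cloaked.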

The following site with SE redirects has a vulnerable CMS. Web application version:
Joomla Version: 2.5.6
Joomla Version 2.5.x - 3.0.x for: htxp://www.uboncloud.com/media/system/js/caption.js
Joomla Version 2.5.x for: htxp://www.uboncloud.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
SE visitors redirects
Chain of redirects found:
to: htxp://thecialispill.com
6 sites infected with redirects to this URL
See: https://www.mywot.com/en/scorecard/thecialispill.com?utm_source=addon&utm_content=rw-viewsc
to: htxp://pickupdrugstore.com/
7 sites infected with redirects to this URL
Server redirect detected by Web Security Test: Code: 301, htxp://pickupdrugstore.com/
Redirect to external server! → https://www.mywot.com/en/scorecard/pickupdrugstore.com?utm_source=addon&utm_content=rw-viewsc
avast flags this redirect site as infested with URL:Mal

Security warnings, see: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.uboncloud.com

Known Spam:SEO → http://labs.sucuri.net/db/malware/malware-entry-mwspamseo

Missed completely here: http://zulu.zscaler.com/submission/show/9c9cf6e1356b6e57a586e1f66a4e0c9d-1396287019

So anyway from the redirect we are being protected by the avast! Webshield.

Read on that general brand of spam scam: http://spamtrackers.eu/wiki/index.php/Canadian_Family_Pharmacy

polonus

Zscaler misses the conditional redirect here: http://zulu.zscaler.com/submission/show/eca6f4a4e763c39f0a6c2db930b2d46b-1396387424
But sucuri gives the warning: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fxn--k5caa.com%2F
and http://sucuri.net/malware/entry/MW:HTA:7
See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fxn--k5caa.com%2F&useragent=Fetch+useragent&accept_encoding=
Quttera also flags the suspicious redirect: index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to htxp://dietprescriptioninc.net/. About that campaign: http://evuln.com/labs/dietprescriptioninc.net/
http://domain-kb.com/www/dietprescriptioninc.net
DNS check - errors and warnings: http://dnscheck.pingdom.com/?domain=dietprescriptioninc.net+&timestamp=1396388156&view=1
File size[byte]: 18446744073709551615
File type: Unknown

Malware history for IP: http://support.clean-mx.de/clean-mx/viruses.php?ip=46.235.44.82&sort=id%20desc
Nothing here: http://urlquery.net/report.php?id=1396388315497
MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000

kraken’s Virus Tracker comes up with the following status: xn--k5caa dot com,46.235.44.82,ns3.webreus dot nl,Criminals,
this means that site has active malware up.
Hoster webreus dot nl had malware infections recently and server abuse:
http://webwereld.nl/datacenter/54341-sidn-roept-hoster-webreus-op-het-matje (link article author - webwereld editors)

polonus

See: http://killmalware.com/ovmpcllc.org/#
Unable to properly scan your site. Site empty (no content).
SE visitors redirects
Visitors from search engines are redirected
to: htxp://pkjlapok.1dumb.com/
1227 sites infected with redirects to this URL
http://labs.sucuri.net/db/malware/malware-entry-mwblacklisted35
No IP address found for the domain ‘htxp://pkjlapok.1dumb.com’ (no DNS answer).
Very poor webrep: https://www.mywot.com/en/scorecard/pkjlapok.1dumb.com
Virus Tracker classifies as with live up active malware: ovmpcllc dot org,65.254.248.197,ns1.fatcow dot com,Criminals,

Not very reassuring result: http://sameid.net/ip/65.254.248.197/
http://urlquery.net/report.php?id=1396456207187

Badness history of IP: https://www.virustotal.com/nl/ip-address/65.254.248.197/information/

See reply by Jan Dembrowski here: http://wordpress.org/support/topic/google-doesnt-redirect-my-sites-error-message-server-not-found-pkjlapok1dumb

For malcode see: http://pastebin.com/hSWF0s1q

pol

This site with redirects is a vulnerable asp.net site: https://asafaweb.com/Scan?Url=truckinkrazy.com errors and warnings!
see: http://maldb.com/truckinkrazy.com/#
This time Zscaler scanner seems to be aware something is not right there: http://zulu.zscaler.com/submission/show/4d3d552ca090cb341c90bae2a9e5d7fc-1396469693
Conditional redirects found. Visitors from search engines are redirected
to: htxp://gqillqigqilqigqiqlqiigqilqiiiqgg.esmtp.biz/1.php
Redirect to this URL found in 90 sites
See web rep for redirect → https://www.mywot.com/en/scorecard/gqillqigqilqigqiqlqiigqilqiiiqgg.esmtp.biz?utm_source=addon&utm_content=popup
older exploit: http://malware-traffic-analysis.net/2013/12/27/index.html
Bitdefender TrafficLight blocks redirect. 6 flags: https://www.virustotal.com/nl/url/c02af33d959527e69385136871886bef5812aed9810c9b08976748553a5efbb7/analysis/1396470163/
dynamic dns → taken down

polonus

See: http://maldb.com/alcazone.com/# & http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Falcazone.com
http://sucuri.net/malware/entry/MW:HTA:7
http://urlquery.net/report.php?id=1396525671490
virus tracker info: alcazone dot com,195.110.124.188,ns1.register dot it,Parked/expired,
appl. Notepad di win98

pol

Here we see the results of a hack of an Apache file named .htaccess
(read redleg’s analysis here: https://www.badwarebusters.org/main/itemview/26675 )
on System Details:
Running on: Apache/2.2.26
System info: (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
as SE visitors redirects:
Visitors from search engines are redirected
to: htxp://flyghtairline.ru/access/index.php
11 sites infected with redirects to this URL
See: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fpantathailand.net%2F
For redirect see: http://labs.sucuri.net/?details=flyghtairline.ru

Blacklisting status: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=pantathailand.net
and http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=flyghtairline.ru/

There is also an iFrame (hidden frameset) going to

 <frame name="main" src="htxp://www.ethailandhost.com/panta/index.htm"> 

without additional malware: http://wepawet.iseclab.org/view.php?hash=5016999753c2685999697d65e36ea289&t=1355950873&type=js

pol
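The post above attributes the conditional redirect to a tampered .htaccess. The usual shape of such an injection is a RewriteRule whose RewriteCond lines test the referer (or the user agent) for search-engine names, so only visitors arriving from a search result are sent off-site, which is exactly why the site owner never sees it. The audit below is an added example, not code from the forum post, from redleg's analysis or from any scanner linked in the thread; it assumes that referer/user-agent gating, and the .htaccess text and hostnames in it are constructed placeholders. It groups each RewriteRule with its preceding conditions and flags rules that redirect to another host while being gated on visitor origin.

```python
"""Audit an Apache .htaccess for rewrite rules that send search-engine
visitors to another host (the conditional-redirect pattern discussed above).

Added example, not code from the forum post, from redleg's analysis or from
any scanner linked in the thread. The .htaccess text below is constructed
and its hostnames are placeholders.
"""
from urllib.parse import urlparse

# Request variables tested to single out visitors coming from a search engine
# (referer) or to cloak content from crawlers (user agent).
VISITOR_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT"}
SEARCH_ENGINE_WORDS = ("google", "bing", "yahoo", "yandex", "baidu", "aol", "msn")


def parse_rewrite_blocks(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    blocks, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        flags = parts[3] if len(parts) > 3 else ""
        if directive == "rewritecond" and len(parts) >= 3:
            # "%{HTTP_REFERER}" -> "HTTP_REFERER"
            pending.append({"line": lineno, "var": parts[1].strip("%{}"),
                            "pattern": parts[2], "flags": flags})
        elif directive == "rewriterule" and len(parts) >= 3:
            # Apache attaches all RewriteCond lines since the last rule to this one.
            blocks.append({"line": lineno, "pattern": parts[1],
                           "target": parts[2], "flags": flags, "conds": pending})
            pending = []
    return blocks


def find_conditional_redirects(text, site_host):
    """Return rules that redirect off-site and are gated on visitor origin."""
    findings = []
    for block in parse_rewrite_blocks(text):
        target_host = (urlparse(block["target"]).hostname or "").lower()
        off_site = bool(target_host) and target_host != site_host.lower()
        triggers = [c for c in block["conds"]
                    if c["var"] in VISITOR_VARS
                    and any(w in c["pattern"].lower() for w in SEARCH_ENGINE_WORDS)]
        if off_site and triggers:
            findings.append({
                "line": block["line"],
                "target": block["target"],
                "trigger_vars": sorted({c["var"] for c in triggers}),
                "trigger_patterns": [c["pattern"] for c in triggers],
            })
    return findings


# Constructed sample .htaccess; hostnames are placeholders.
SAMPLE_HTACCESS = """\
RewriteEngine On
# Injected block: only visitors arriving from a search engine are redirected.
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://redirect-target.example/access/index.php [R=301,L]

# Legitimate front-controller rule of the CMS.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]

# Unconditional redirect to a partner site: off-site, but not gated on origin.
RewriteRule ^partner$ http://partner.example/ [R=302,L]
"""

if __name__ == "__main__":
    for finding in find_conditional_redirects(SAMPLE_HTACCESS, "victim.example"):
        print(f"line {finding['line']}: redirect to {finding['target']} "
              f"gated on {', '.join(finding['trigger_vars'])}")
```

Only the injected block is reported: the CMS front-controller rule has no off-site target, and the partner redirect is off-site but unconditional. When cleaning up, also check every .htaccess in subdirectories and the Apache config includes, since the same block is commonly dropped into several places.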

Been with us quite some time, this attack and conditional redirect are still making victims: http://maldb.com/doungjaihouse.com/
Read on this malware injection: http://www.mintrix.net/blog/2012/04/04/damn-you-hackers-go-to-hell/
and https://www.badwarebusters.org/main/itemview/28544 (read Redleg’s comments in the thread).
How it was being performed: http://ninjafirewall.com/malware/index.php?threat=2012-05-03.01
Missed here altogether: http://quttera.com/detailed_report/doungjaihouse.com
avast! Webshield blocks the site |{gzip} as infested with HTML:Script-inf
We are being protected. Redirect to URL found in 1747 sites.

polonus

Still with malware and still flagged by AOS: http://urlquery.net/report.php?id=1480717200395
Known Spam SEO, another example from the past: https://forum.avast.com/index.php?topic=147881.10

Website seems now a domain for sale. Illegal Pharmacy Spam / Dating Scam.

polonus