See: http://killmalware.com/writemymortgage.com/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://redoperabwo dot ru
redoperabwo dot ru is reported by Google as suspicious
1243 sites infected with redirects to this URL
See: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwritemymortgage.com%2F
WordPress version outdated: Upgrade required.
Suspicious domain detected: http://sucuri.net/malware/malware-entry-mwblacklisted35
Javascript check: suspicious
rm" action=“htxp://redoperabwo dot ru/parking.php” method=“get” name=“searchform”><input type=“hidden” name=“ses” value="y3jlptezotu0ndq5njgmdgnpzd1yzwrvcgvyywj3by5ydtuzmmnjy…
404-error check: Suspicious 404 Page:
.ru/parking.php" method=“get” name=“searchform”><input type=“hidden” name=“ses” value="y3jlptezotu0ndq5njkmdgn
External links to: htxp://www.sedo.com/services/parking.php3
because virus tracker classification: writemymortgage dot com,192.254.234.8,ns6495.hostgator dot com,Parked/expired,
polonus
Here we can detect how that SE visitors redirect was wrought - via uploaded Joomla backdoor; all PHP files were infested.
Visitors from search engines are redirected
to: hxtp://www.stlp.4pu.com/
7342 sites infected with redirects to this URL
Web Rep: http://www.webutations.org/go/review/stlp.4pu.com
Re: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fpavementrestore.org%2F
Site with malware: http://sucuri.net/malware/entry/MW:SPAM:SEO & http://sucuri.net/malware/malware-entry-mwspamseo
Joomla Version 1.5.18 - 1.5.26 for: http://pavementrestore.org//media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: http://pavementrestore.org//language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
pol
See SE redirect here: http://killmalware.com/millennium-international.net/#
Is not SE friendly as checked against this : http://www.webconfs.com/redirect-check.php
Either hxtp://millennium-international.net/ is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY
and the destination: Either htxp://tonycar.com/css/4.php is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY
polonus
See how the use of this Backlink Checker can help your evaluation of a particular SE redirect.
See: http://killmalware.com/uscoptic.com/#
See: http://smallseotools.com/backlink-checker/
See how WOT, Quttera and McAfee’s Site Advisor treats the redirect site: Total backlinks: 178
Example: https://www.mywot.com/en/scorecard/medicsph.ru
Strongly advise to use this for evaluation purposes (use inside a VM or sandbox please),
as we even learn that site is down now: http://www.statscrop.com/www/medicsph.ru (backlink on page 2)
pol
See: http://maldb.com/northlinkva.com/#
Conditional redirects found. Visitors from search engines are redirected
to: htxp://canadianonlinedrugs dot com/
Redirect to this URL found in 9 sites
Via Backlink Checker found this report: http://scamfraudalert.org/2014/01/06/bestpricedrugs24-org/
WOT is somewhat milder in its web rep report: https://www.mywot.com/en/scorecard/bestpricedrugs24.org?utm_source=addon&utm_content=popup-donuts
See for this Russian based redirect: http://toolbar.netcraft.com/site_report?url=http://bestpricedrugs24.org
Site not malicious an sich. Most malware from IP being closed also from mentioned site:
http://support.clean-mx.de/clean-mx/viruses.php?email=noc@arpnetworks.com&response=
pol
This conditional SE redirect isn’t malicious, is it?
See: http://killmalware.com/toy4kid.ru/#
SE visitors redirects
Visitors from search engines are redirected
to: htxp://ifyoucan.ru/miss.php?r=toy4kid.ru/&p=
180 sites infected with redirects to this URL
For: htxp://toy4kid.ru/ Found redirect to htxp://grame.ru/honda.php. The Redirect is Search Engine Friendly.
Either htxp://ifyoucan.ru/miss.php?r=toy4kid.ru/&p= is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY
Bitdefender TrafficLight blocks: http://www.urlvoid.com/scan/ifyoucan.ru/
badness history on IP: https://www.virustotal.com/nl/ip-address/78.110.50.117/information/
polonus
See: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Frefuge7laux.fr
Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to: htxp://miamiheattickets.com/http.php
Either hxtp://miamiheattickets.com/http.php is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY
Site has Namo WebEditor v5.0 Remote File Uploader, vulnerable to upload of PHP shells via → inurl:/module/upload_image/
Also consider: http://evuln.com/tools/malware-scanner/miamiheattickets.com/
Content that was returned by your request for the URL: htxp://refuge7laux.fr/tarifs-refuge-7laux.php
Note: Content displayed is from the redirect location, the URL htxp://miamiheattickets.com/http.php
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Additional for the nameserver: http://knujon.com/nameservers/NS61.1AND1.FR.html (spam domain servers)
polonus
See: http://killmalware.com/almansoor.com/#
Cannot connect → http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Falmansoor.com
Source is clear here:
<font style='position: absolute;overflow: hidden;height: 0;width: 0'><a href="htxp://canadian-**SPAM**-center dot com">canadian online **SPAM**</a></font>
htxp://canadian-SPAM-center.com/ not flagged
Redirection given was terminated because of violation of use by:
htxp://tinyurl.com/nospam.php?id=bp5bg4v
The TinyURL (bp5bg4v) you visited was used by its creator in violation of our terms of use. TinyURL has a strict no abuse policy and we apologize for the intrusion this user has caused you. Such violations of our terms of use include:
Spam - Unsolicited Bulk E-mail
Fraud or Money Making scams
Malware
or any other use that is illegal.
If you received spam, please note that TinyURL did not send this spam and we do not operate any email lists. We can not remove you from spammer’s database as we have no association with spammers, but instead we recommend you use spam filtering software.
*
SE visitors redirects
Visitors from search engines are redirected
to: hxtp://tinyurl.com/bp5bg4v *
1097 sites infected with redirects to this URL (now as we know terminated because of abuse).
On IP we also saw a dead PHISH flagged: http://support.clean-mx.de/clean-mx/phishing.php?id=3978548
pol
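The page source quoted in the post above hides a spam link inside an element styled with zero height and width. As an added example (not part of the original post), a small Python check for external links sitting under such hiding styles; the sample markup and the `.example` host names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make content invisible to visitors but not to crawlers.
ZERO_BOX = re.compile(r"(?:^|;)\s*(?:height|width)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)
OTHER_HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"br", "img", "input", "hr", "meta", "link"}  # tags without an end tag

def is_hiding(style):
    return bool(ZERO_BOX.search(style) or OTHER_HIDING.search(style))

class HiddenLinkFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.stack = []     # one bool per open element: does its style hide content?
        self.findings = []  # external hrefs found under a hiding style

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = is_hiding(a.get("style") or "")
        if tag == "a" and (hides or any(self.stack)):
            host = urlparse(a.get("href") or "").hostname
            if host and host != self.own_host:
                self.findings.append(a["href"])
        if tag not in VOID:
            self.stack.append(hides)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def find_hidden_links(html, own_host):
    finder = HiddenLinkFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample modelled on the hidden <font> wrapper quoted in the post.
SAMPLE = ('<p>Welcome</p>'
          '<font style="position: absolute;overflow: hidden;height: 0;width: 0">'
          '<a href="http://pills.example/">cheap pills</a></font>'
          '<a href="http://partner.example/">partner</a>')

if __name__ == "__main__":
    print(find_hidden_links(SAMPLE, "www.example.org"))
```

The element stack is a simplification that assumes reasonably well-formed markup; hiding done through external stylesheets or script is not covered.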
Following site with SE redirects has vulnerable CMS: Web application version:
Joomla Version: 2.5.6
Joomla Version 2.5.x - 3.0.x for: htxp://www.uboncloud.com/media/system/js/caption.js
Joomla Version 2.5.x for: htxp://www.uboncloud.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
SE visitors redirects
Chain of redirects found:
to: htxp://thecialispill.com
6 sites infected with redirects to this URL
See: https://www.mywot.com/en/scorecard/thecialispill.com?utm_source=addon&utm_content=rw-viewsc
to: htxp://pickupdrugstore.com/
7 sites infected with redirects to this URL server redirect detected by Web Security Test: Code: 301, htxp://pickupdrugstore.com/
Redirect to external server! → https://www.mywot.com/en/scorecard/pickupdrugstore.com?utm_source=addon&utm_content=rw-viewsc
avast flags this redirect site as infested with IRL;Mal
Security warnings, see: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.uboncloud.com
Known Spam:SEO → http://labs.sucuri.net/db/malware/malware-entry-mwspamseo
Missed completely here: http://zulu.zscaler.com/submission/show/9c9cf6e1356b6e57a586e1f66a4e0c9d-1396287019
So anyway from the redirect we are being protected by the avast! Webshield.
Read on that general brand of spam scam: http://spamtrackers.eu/wiki/index.php/Canadian_Family_Pharmacy
polonus
Zscaler misses the conditional redirect here: http://zulu.zscaler.com/submission/show/eca6f4a4e763c39f0a6c2db930b2d46b-1396387424
But sucuri gives the warning: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fxn--k5caa.com%2F
and http://sucuri.net/malware/entry/MW:HTA:7
See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fxn--k5caa.com%2F&useragent=Fetch+useragent&accept_encoding=
Quttera also flags the suspicious redirect: index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to htxp://dietprescriptioninc.net/. About that campaign: http://evuln.com/labs/dietprescriptioninc.net/
→ http://domain-kb.com/www/dietprescriptioninc.net
DNS check - errors and warnings: http://dnscheck.pingdom.com/?domain=dietprescriptioninc.net+&timestamp=1396388156&view=1
File size[byte]: 18446744073709551615
File type: Unknown
Malware history for IP: http://support.clean-mx.de/clean-mx/viruses.php?ip=46.235.44.82&sort=id%20desc
Nothing here: http://urlquery.net/report.php?id=1396388315497
MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000
kraken’s Virus Tracker comes up with the following status: xn--k5caa dot com,46.235.44.82,ns3.webreus dot nl,Criminals,
this means that site has active malware up.
Hoster webreus dot nl had malware infections recently and server abuse:
http://webwereld.nl/datacenter/54341-sidn-roept-hoster-webreus-op-het-matje (link article author - webwereld editors)
polonus
See: http://killmalware.com/ovmpcllc.org/#
Unable to properly scan your site. Site empty (no content).
SE visitors redirects
Visitors from search engines are redirected
to: htxp://pkjlapok.1dumb.com/
1227 sites infected with redirects to this URL
→ http://labs.sucuri.net/db/malware/malware-entry-mwblacklisted35
No IP address found for the domain ‘htxp://pkjlapok.1dumb.com’ Very poor webrep: https://www.mywot.com/en/scorecard/pkjlapok.1dumb.com
(no DNS answer).
Virus Tracker classifies as with live up active malware: ovmpcllc dot org,65.254.248.197,ns1.fatcow dot com,Criminals,
Not very reassuring result: http://sameid.net/ip/65.254.248.197/ → http://urlquery.net/report.php?id=1396456207187
Badness history of IP: https://www.virustotal.com/nl/ip-address/65.254.248.197/information/
See reply by Jan Dembrowski here: http://wordpress.org/support/topic/google-doesnt-redirect-my-sites-error-message-server-not-found-pkjlapok1dumb
For malcode see: http://pastebin.com/hSWF0s1q
pol
Here we see the results of a hack of an Apache file named .htaccess
(read redleg’s analysis here: https://www.badwarebusters.org/main/itemview/26675 )
on System Details:
Running on: Apache/2.2.26
System info: (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
as a SE visitors redirects
Visitors from search engines are redirected
to: htxp://flyghtairline.ru/access/index.php
11 sites infected with redirects to this URL
See: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fpantathailand.net%2F
For redirect see: http://labs.sucuri.net/?details=flyghtairline.ru
Blacklisting status: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=pantathailand.net
and http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=flyghtairline.ru/
There is also an iFrame (hidden frameset) going to
<frame name="main" src="htxp://www.ethailandhost.com/panta/index.htm">
without additional malware: http://wepawet.iseclab.org/view.php?hash=5016999753c2685999697d65e36ea289&t=1355950873&type=js
pol
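The post above attributes the search-engine-only redirect to a hacked `.htaccess` file. As an added example (not from the original post or the linked analyses), a Python audit that flags `RewriteRule` lines pointing at a foreign host when they are guarded by a `RewriteCond` on the Referer or User-Agent that names search engines. The sample file, host names and token list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Referer/User-Agent tokens such injected conditions typically key on (assumed list).
SE_TOKENS = re.compile(r"google|bing|yahoo|yandex|baidu|aol|ask|msn", re.I)

def find_conditional_redirects(htaccess_text, own_host):
    """Return (line_no, target) for each RewriteRule that sends visitors to a
    foreign host and is guarded by a search-engine Referer/User-Agent condition."""
    findings = []
    guarded = False  # True while the pending RewriteCond chain names a search engine
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            var, pattern = parts[1], parts[2]
            if re.search(r"HTTP_REFERER|HTTP_USER_AGENT", var, re.I) and SE_TOKENS.search(pattern):
                guarded = True
        elif directive == "rewriterule":
            target = parts[2] if len(parts) >= 3 else ""
            host = urlparse(target).hostname
            if guarded and host and host != own_host and not host.endswith("." + own_host):
                findings.append((no, target))
            guarded = False  # conditions apply only to the next RewriteRule
    return findings

# Constructed sample: a legitimate canonical-host rule followed by an injected block.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\\.example\\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|bing|aol)\\.(.*) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (msnbot|slurp) [NC]
RewriteRule ^(.*)$ http://redirect-target.example/index.php [R=301,L]
"""

if __name__ == "__main__":
    for no, target in find_conditional_redirects(SAMPLE, "example.org"):
        print(f"line {no}: search-engine visitors sent to {target}")
```

Run it over every `.htaccess` in the web root, including subdirectories, since a clean top-level file does not rule out an injected one deeper in the tree.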
Been with us quite some time, this attack and conditional redirect still making victims: http://maldb.com/doungjaihouse.com/
Read on this malware injection: http://www.mintrix.net/blog/2012/04/04/damn-you-hackers-go-to-hell/
and https://www.badwarebusters.org/main/itemview/28544 read Redlegs comments in the thread.
How it was being performed: http://ninjafirewall.com/malware/index.php?threat=2012-05-03.01
Missed here altogether: http://quttera.com/detailed_report/doungjaihouse.com
avast! Webshield blocks the site | {gzip} as infested with HTML:Script-inf
We are being protected. Redirect to URL found in 1747 sites.
polonus
Still with malware and still flagged by AOS: http://urlquery.net/report.php?id=1480717200395
Known Spam SEO, another example from the past: https://forum.avast.com/index.php?topic=147881.10
Website seems now a domain for sale. Illegal Pharmacy Spam / Dating Scam.
polonus