Simply fraud - Detected SutraTDS HTTP GET request

There is an enormous amount of this SERP hijacking going on for various domains.
Here is an example.

See: htxp://urlquery.net/report.php?id=54525
Attack was logged here: http://sakrare.ikyon.se/log.php?id=38981
Serp hijacking - Visitors with referer are redirected to hxtp://adam-golf.ru/herz?8 (status finished - http://zulu.zscaler.com/submission/show/18d4ad5f4397cf244328c295dfecd67a-1336860733)
So this was short-lived, but it can happen again: htxp://sitecheck.sucuri.net/results/gestaltpartners.se/
various security warnings,

polonus
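The redirect described in this post only fires for visitors who arrive with a Referer, which is why a plain scan of the page looks clean. The check below is an added example written for this thread, not code from the original posts or from any of the scanners mentioned: it fetches a URL once without a Referer and once with a constructed search-engine Referer, then reports whether the redirect target differs and whether it points off-site. The HTTP layer is injected, so the block runs offline against a constructed fake site (`victim.invalid`, `tds.invalid` and the `fake_fetch`/`clean_fetch` helpers are all made up here); `urllib_fetch` is an optional stand-in for use against a site you administer.

```python
"""Detect Referer-conditional redirects (SERP hijack cloaking).

Added example for this forum thread; not code from the original posts or
from urlQuery, Zscaler Zulu or Sucuri. All hostnames below are constructed.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# A fetcher takes (url, extra request headers) and returns a Response
# WITHOUT following redirects, so the Location header stays visible.
Fetcher = Callable[[str, Dict[str, str]], Response]

# Constructed Referer imitating a search-engine click (hypothetical value).
SEARCH_REFERER = "https://www.google.com/search?q=example"


def _location(resp: Response) -> Optional[str]:
    """Return the Location header regardless of header-name casing."""
    for name, value in resp.headers.items():
        if name.lower() == "location":
            return value
    return None


def check_cloaking(url: str, fetch: Fetcher, referer: str = SEARCH_REFERER) -> dict:
    """Compare a plain visit with a Referer-carrying visit to the same URL."""
    plain = fetch(url, {})
    with_ref = fetch(url, {"Referer": referer})
    plain_loc, ref_loc = _location(plain), _location(with_ref)
    result = {
        "plain_status": plain.status,
        "referer_status": with_ref.status,
        "plain_location": plain_loc,
        "referer_location": ref_loc,
        "referer_conditional_redirect": False,
        "redirect_offsite": False,
    }
    # The hijack pattern: a redirect that only appears when a Referer is sent.
    if ref_loc and ref_loc != plain_loc:
        result["referer_conditional_redirect"] = True
        target_host = urlsplit(ref_loc).hostname
        result["redirect_offsite"] = target_host not in (None, urlsplit(url).hostname)
    return result


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of following the redirect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url: str, headers: Dict[str, str], timeout: int = 10) -> Response:
    """Real fetcher for a site you administer; not exercised offline."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Response(resp.status, dict(resp.headers.items()),
                            resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 3xx lands here because of _NoRedirect
        return Response(err.code, dict(err.headers.items()))


# Constructed fake site: behaves like the compromised sites in the thread.
def fake_fetch(url: str, headers: Dict[str, str]) -> Response:
    if headers.get("Referer"):
        return Response(302, {"Location": "http://tds.invalid/herz?8"})
    return Response(200, {"Content-Type": "text/html"}, "<html>normal page</html>")


# Constructed clean site: same answer with or without a Referer.
def clean_fetch(url: str, headers: Dict[str, str]) -> Response:
    return Response(200, {"Content-Type": "text/html"}, "<html>normal page</html>")


if __name__ == "__main__":
    print(check_cloaking("http://victim.invalid/", fake_fetch))
    print(check_cloaking("http://victim.invalid/", clean_fetch))
```

Because the fetchers never follow redirects, the off-site Location is recorded rather than visited; a real run should be done only against hosts you are responsible for, and the search Referer can be varied since some kits key on specific engines or query terms.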

Hi forum friends,

That these detections for “Detected SutraTDS HTTP GET request” (just google this search term given between " ") seriously involve grand sums of money is shown by the fact that it comes up in Daily Stock tips, where this flagged site was mentioned: http://urlquery.net/report.php?id=46380
Yes, folks, SERP hijacking is going on on an immense scale today.
Just for that reason, checking URLs at urlQuery.net may be well worth it for looking up this specific IDS alert. Of course other IDS alerts for RNN, Blackhole, etc. etc. are also important issues you would like to be alerted to, and other URL scanners may not present them that way. Suricata with Emerging Threats will add a complete new additional rule-based security layer to URL scanning,

polonus

Interesting screenshots here:
hXtp://xylibox.blogspot.com/2011/12/sutra-tds-v34.html

Hi !Donovan,

Thanks for that very informative link, bookmarked it :)
So this could lead to click fraud being performed and also ransomware.
Good you have posted this here, so that users that follow these postings are aware of these threats,
I mean webmasters included. As I notice how many webservers do not even have minimal security protection
and are vulnerable via holes in outdated, unpatched website software, plug-ins etc., this is alarming really,

polonus

Another with also additional malware involved, see: htxp://urlquery.net/report.php?id=54850
urlQuery IDS alert: Client Internal IP - ET MALWARE All Numerical .ru Domain Lookup Likely Malware Related
Not found with a static scanner: htxp://zulu.zscaler.com/submission/show/75fd5df2419190372c36e7bba699c5c9-1337007972
but again detected here at Sucuri’s: htxp://sitecheck.sucuri.net/results/bigtopfleamarket.com/

polonus

Indeed. urlQuery gives one of the exploits as a link by the css file:
GET /siga?7 HTTP/1.1
Host: herzplas.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: hXtp://bigtopfleamarket.com/bt.css

The number URL that Suricata detected is given in attached screenshot.
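The request quoted above shows the two things a reviewer of urlQuery output looks for: a TDS host being fetched with a stylesheet on the compromised site as the Referer (a CSS file has no business pulling a third-party URL), and, in the screenshot alert, an all-numeric .ru domain of the kind the ET "All Numerical .ru Domain Lookup" rule fires on. The parser below is an added example for this thread, not code from the original posts, urlQuery or Suricata; the rule names are paraphrased, the regex is my approximation of the numeric-.ru pattern rather than the ET rule's actual content, and the sample requests and DNS lookups are constructed with `.invalid` and made-up hostnames.

```python
"""Triage raw HTTP requests and DNS lookups for SutraTDS-style indicators.

Added example for this forum thread; not code from the original posts or from
urlQuery/Suricata/Emerging Threats. Sample data below is constructed.
"""
import re
from urllib.parse import urlsplit

# Approximation of the "all numerical .ru domain" pattern: every label digits-only.
NUMERIC_RU = re.compile(r"^(?:\d+\.)*\d+\.ru$", re.IGNORECASE)


def is_numeric_ru(host: str) -> bool:
    """True for hostnames like 8342190.ru (constructed), false for example.ru."""
    return bool(NUMERIC_RU.match(host.strip().rstrip(".")))


def parse_request(raw: str) -> dict:
    """Parse the request line and headers of one raw HTTP/1.x request."""
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # tolerate stray blank lines from copy/paste
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def triage(raw: str) -> dict:
    """Return the findings for one request: numeric .ru host, stylesheet referer."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    referer = req["headers"].get("referer", "")
    findings = []
    if is_numeric_ru(host):
        findings.append("numeric .ru host")
    if referer:
        ref = urlsplit(referer)
        # A .css on a *different* site referring a request mirrors the quoted
        # capture: the injected stylesheet on the victim pulls the TDS URL.
        if ref.path.lower().endswith(".css") and ref.hostname \
                and ref.hostname.lower() != host.lower():
            findings.append("cross-site request from stylesheet referer")
    return {"host": host, "referer": referer, "findings": findings}


def flag_dns_lookups(names):
    """Filter a list of queried names down to the all-numeric .ru ones."""
    return [n for n in names if is_numeric_ru(n)]


# Constructed sample: shaped like the request quoted in the thread, hosts made up.
SAMPLE_TDS_REQUEST = """GET /siga?7 HTTP/1.1
Host: tds.invalid
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://shop.invalid/bt.css
Connection: keep-alive
"""

# Constructed sample: numeric .ru host AND stylesheet referer.
SAMPLE_NUMERIC_REQUEST = """GET /in.cgi?3 HTTP/1.1
Host: 8342190.ru
Referer: http://shop.invalid/style.css
"""

# Constructed sample: ordinary same-site request, should produce no findings.
SAMPLE_CLEAN_REQUEST = """GET /images/logo.png HTTP/1.1
Host: shop.invalid
Referer: http://shop.invalid/index.html
"""

# Constructed DNS query names as a passive-DNS log might list them.
SAMPLE_DNS = ["shop.invalid", "8342190.ru", "example.ru", "12.34.ru", "cdn.example.com"]


def triage_samples() -> dict:
    """Run every constructed sample; handy for a quick look at the output."""
    return {
        "tds": triage(SAMPLE_TDS_REQUEST),
        "numeric": triage(SAMPLE_NUMERIC_REQUEST),
        "clean": triage(SAMPLE_CLEAN_REQUEST),
        "dns": flag_dns_lookups(SAMPLE_DNS),
    }


if __name__ == "__main__":
    for label, result in triage_samples().items():
        print(label, result)
```

The stylesheet-referer check is deliberately narrow (only `.css` on another host) to keep false positives down; widen it to `.js` if the injected loader on a site turns out to live in a script rather than a stylesheet, and feed `flag_dns_lookups` from the resolver log of the sandbox or proxy rather than from HTTP captures alone, since the ET alert is on the lookup itself.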