Hi Steven Winderlich,

Even in websniffer I get that message, but a tool like Intellitamper will allow to map all of the domain when I would launch that uri in it.
So from that uri in the Killmalware results we could conclude this could have been part of an earlier attack to work a PHP shell code injection.
Read: http://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/ link article author = Andrew Brandt.
Dom XSS Scanner could not have been worked there, because it also comes up with the "Disallowed Key Characters"message.
Assume they used wget.

Asafaweb Scan finally works, see: https://asafaweb.com/Scan?Url=www.ibibo.com%2F%3Fphp%252520echo%252520%24base_url%253b%253f%25253E
Although no asp site we detect excessive header info Server: Ibibo-WS & X-Powered-By: PHP/5.3.3
and site is vulnerable to Clickjacking, a warning for that also.

Site has a iFrame check issue:
Suspicious

htxp://www.ibibo.com/pages/hotelsearch’
And again we get An Error Was Encountered The URI you submitted has disallowed characters.

But going to htxp://www.ibibo.com/pages/hotelsearch creates no problems, → http://urlquery.net/report.php?id=1405269174833
so ’ at the end is creating that alert, it is diallowed.

Here we see part of a similar php request being performed: http://urlquery.net/report.php?id=1398430504560
which has led to no compromise apparently.

polonus

P.S. All external link should also be checked:
htxp://www.redbus.in → ‘buses’
htxp://www.redbus.in → ‘buses’
htxps://itunes.apple.com/in/app/goibibo-flight-bus-hotel-boo → ‘’
htxp://www.redbus.in/mobile.aspx → ‘’
htxps://itunes.apple.com/app/id733712604?mt=8&&referrer=clic → ‘’
htxp://www.windowsphone.com/en-in/store/app/redbus-in/b38038 → ‘’
htxp://www.redbus.in/ → ‘’
htxp://www.tradus.com → ’ ’
htxp://www.tradus.com/ → ‘’
htxp://www.gaadi.com → ’ ’
htxp://www.gaadi.com/ → ‘’
htxp://www.ibiboads.com → ‘’
httx://www.ibiboads.com/ → ‘’
htxp://techcircle.vccircle.com/2014/06/11/ibibogroup-appoint → ’ ibibogroup appoints prakash s’

D