Worked this URL decoder on SE visitor redirect

See: http://killmalware.com/van-benthem.eu/
See: http://www.netdemon.net/decode.cgi?url=http%3A%2F%2Fpuppa.freewww.biz%2Foplaxmrqwtfa.cgi%3F3
See: http://scanurl.net/?u=http%3A%2F%2Fwww.van-benthem.eu&uesb=Check+This+URL#results
Site with warnings and blacklisted: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.van-benthem.eu
Read for the file malware: http://labs.sucuri.net/?malware&entry=2012-12-16

polonus

Another one: http://killmalware.com/velangshagen.org/
See: http://scanurl.net/?u=http%3A%2F%2Fvelangshagen.org%2F&uesb=Check+This+URL#results
See: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fvelangshagen.org%2F
Log about such an attack: http://sakrare.ikyon.se/log.php?id=49208

polonus

See this one: http://maldb.com/nathanenglish.com/
And the malware report from Redleg here: https://www.badwarebusters.org/main/itemview/29514
WOT flags redirect, also see: http://labs.sucuri.net/?details=www.online-open.com

polonus

See: http://maldb.com/captoon.com/#
See: htxp://www.unphp.net/decode/5aed3426b8e42b8368019f623a9d2231/ / |{gzip} and
avast! Webshield alerts for PHP:Redirectot-AF[Trj] there.
Site with warnings not blacklisted: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fcaptoon.com
See: http://sucuri.net/malware/malware-entry-mwblacklisted35
redirect link blocked by Birdefender’s TrafficLight etc: https://www.virustotal.com/nl/url/d0fae3325b67c86dfb7f160080f90119b11553694b92847828158832c6658236/analysis/
See: http://urlquery.net/report.php?id=1396880899731 IDS alert for Detected a Dynamic DNS URL
http://dnscheck.pingdom.com/?domain=korawi.4pu.com&timestamp=1396880985&view=1
Missed here: http://quttera.com/detailed_report/korawi.4pu.com
kraken’s Virus Tracker classifies as: korawi.4pu.com,198.71.128.88,ns2.changeip.org,Criminals,
meaning there is active malware that is up there.

pol

See: http://maldb.com/technofarm.ru/
Conditional redirects found. Visitors from search engines are redirected
to: htxp://spywarepc.info/0/go.php?sid=2
Redirect to this URL found in 123 sites
Not detected or low risk given: http://www.brightcloud.com/tools/url-ip-lookup.php
Site with warnings: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Ftechnofarm.ru
Suspicious conditional redirect: http://sucuri.net/malware/entry/MW:HTA:7
Kraken’s Virus Tracker classification: technofarm dot ru,213.189.197.228,dns0.zenon dot net,Criminals,
meaning there is active malware up there.

pol

See: http://maldb.com/motabitz.net/
On the original hack: http://forum.directadmin.com/archive/index.php/t-29370.html (link reply = scsi)
Redirect site is a known infection source: https://www.virustotal.com/nl/url/820cdccaaa8472570b43dbe2fd55198408e06193b26d465d755997ea1198d0f8/analysis/
and is found here: htxp://gpt0.ru/in.cgi?3 is in Dr.Web malicious sites list!
https://urlquery.net/report.php?id=1396050571854
Flagged there is ET CURRENT_EVENTS TDS Sutra - request in.cgi an IDS alert for Detected SutraTDS URL pattern.
Also site alerted as belonging to ET RBN Known Russian Business Network IP group 323 (IDS alert)
GET /in.cgi?3 HTTP/1.1
Host: gpt0 dot ru is infested! → http://scanurl.net/?u=gpt0.ru%2Fin.cgi%3F3&uesb=Check+This+URL#results
Avast! Webshield detects an object |{gzip} infested with JS:ScriptPE-inf[Trj].
kraken’s Virus Tracker classification:
gpt0 dot ru,72.52.4.90,ns1.sedoparking dot com,Criminals, missed detection? http://zulu.zscaler.com/submission/show/c8e7c23d09232a9db523a81841de309b-1397064561

pol