Malicious Redirects
First query (normal visit):
GET / HTTP/1.1
Host: marketingjunioren.de
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 05 Jul 2014 09:24:19 GMT
Accept-Ranges: bytes
ETag: "10938b0-55c-4f32752025000"
Server: Apache/2.2.27
Content-Length: 1372
Content-Type: text/html
Last-Modified: Mon, 24 Feb 2014 13:55:12 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
...1372 bytes of data.
GET / HTTP/1.1
Host: marketingjunioren.de
Result:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 05 Jul 2014 09:24:19 GMT
Accept-Ranges: bytes
ETag: "10938b0-55c-4f32752025000"
Server: Apache/2.2.27
Content-Length: 1372
Content-Type: text/html
Last-Modified: Mon, 24 Feb 2014 13:55:12 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
...1372 bytes of data.
Second query (visit from search engine):
GET / HTTP/1.1
Host: marketingjunioren.de
Referer: http://www.google.com/search?q=marketingjunioren.de
Result:
The result is similar to the first query. There are no suspicious redirects found.
GET / HTTP/1.1
Host: marketingjunioren.de
Referer: http://www.google.com/search?q=marketingjunioren.de
Result:
The result is similar to the first query. There are no suspicious redirects found.
Scanned pages/files
Request | Server response | Status |
http://www.qqq258.com/ | 200 OK Content-Length: 959 Content-Type: text/html | suspicious |
Page code contains blacklisted domain: dy.99pipi.com ...[333 bytes skipped]... 22titi.com"); urltishi.push("3.22titi.com"); for(var i=0;i<urltishi.length;i++){ if (host.indexOf(urltishi[i])>=0){ istishi="1"; } } numb=url.length; urltemp = "http://www."+escape(url[Math.floor(Math.random()*numb)]); ttt="4"; //Ö¸¶¨Ìáʾ //istishi="1"; if (host.indexOf("dy.33sisi.com")>=0 || host.indexOf("zz.06xxx.com")>=0 || host.indexOf("dy.99pipi.com")>=0){ top.location.href="/zhuan/index2.htm?d="+urltemp.replace("http://www.","")+"&t="+ttt; }else if(istishi=="1"){ top.location.href="/zhuan/index3.htm?d="+urltemp.replace("http://www.","")+"&t="+ttt; }else{ top.location.href="/zhuan/?d="+urltemp.replace("http://www.","")+"&t="+ttt; } </script> | ||
http://www.qqq258.com/test404page.js | HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 11 May 2014 13:53:19 GMT Location: http://www.02ppp.com/ Server: nginx Content-Length: 154 Content-Type: text/html | malicious |
http://www.02ppp.com/ | 200 OK Content-Length: 959 Content-Type: text/html | suspicious |
Page code contains blacklisted domain: dy.99pipi.com ...[333 bytes skipped]... 22titi.com"); urltishi.push("3.22titi.com"); for(var i=0;i<urltishi.length;i++){ if (host.indexOf(urltishi[i])>=0){ istishi="1"; } } numb=url.length; urltemp = "http://www."+escape(url[Math.floor(Math.random()*numb)]); ttt="4"; //Ö¸¶¨Ìáʾ //istishi="1"; if (host.indexOf("dy.33sisi.com")>=0 || host.indexOf("zz.06xxx.com")>=0 || host.indexOf("dy.99pipi.com")>=0){ top.location.href="/zhuan/index2.htm?d="+urltemp.replace("http://www.","")+"&t="+ttt; }else if(istishi=="1"){ top.location.href="/zhuan/index3.htm?d="+urltemp.replace("http://www.","")+"&t="+ttt; }else{ top.location.href="/zhuan/?d="+urltemp.replace("http://www.","")+"&t="+ttt; } </script> | ||
http://www.02ppp.com/test404page.js | HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 11 May 2014 13:50:13 GMT Location: http://www.02ppp.com/ Server: nginx Content-Length: 154 Content-Type: text/html | clean |
Safe Browsing / Blacklists
Query: http://www.google.com/safebrowsing/diagnostic?site=qqq258.com
Result: This site is not currently listed as suspicious.
Result: This site is not currently listed as suspicious.
Query: http://yandex.com/infected?l10n=en&url=http://qqq258.com/
Result: qqq258.com is not infected or malware details are not published yet.
Result: qqq258.com is not infected or malware details are not published yet.