Malware Found

Jazspeak
Posts: 7295
Joined: Fri Oct 17, 2008 4:20 pm

Malware Found

Post by Jazspeak » Sun Nov 25, 2012 8:45 am

theobserver.com redirects to hxxp://ibontu.25u.com and causes an alert from my AV for URL:Mal.

Guest

RE: ibontu.25u.com

Post by Guest » Sun Nov 25, 2012 9:05 am

Kaspersky blocked this website as dangerous; if I ignore this warning and go to this website, it redirects to bing.com.

marco2981
Posts: 2500
Joined: Mon Feb 07, 2011 6:55 am

RE: Malware Found

Post by marco2981 » Sun Nov 25, 2012 10:24 am

ibontu.25u.com is blocked as a dangerous site, but unblocking it redirected me to it.bing.com.


theobserver.com didn't redirect me to that site

marco2981
Posts: 2500
Joined: Mon Feb 07, 2011 6:55 am

RE: Malware Found

Post by marco2981 » Sun Nov 25, 2012 10:26 am

The site doesn't work anymore

Jazspeak
Posts: 7295
Joined: Fri Oct 17, 2008 4:20 pm

RE: Malware Found

Post by Jazspeak » Sun Nov 25, 2012 11:17 am

[quote="marco2981"]
"theobserver.com didn't redirect me to that site"
[/quote]

Maybe the redirect is IP or country based.

Edit: I just tried again by clicking theobserver.com link in Google SSL search page and was again immediately redirected to hxxp://ibontu.25u.com with the resulting AV warning. Going directly to theobserver.com did not produce the redirect.

Jazspeak
Posts: 7295
Joined: Fri Oct 17, 2008 4:20 pm

RE: Malware Found

Post by Jazspeak » Sun Nov 25, 2012 11:18 am

[quote="marco2981"]
"The site doesn't work anymore"
[/quote]

I hope that means that another one bites the dust.

Guest

RE: Malware Found

Post by Guest » Sun Nov 25, 2012 11:25 am

Here is what I see when I open theobserver.com in my browser (Firefox); in my case it does not redirect to ibontu.25u.com for some reason.

Guest

RE: Malware Found

Post by Guest » Sun Nov 25, 2012 11:32 am

theobserver.com redirects to ibontu.25u.com only from search engines (Google, Yandex).

Examples:

From Yandex:


http://yandex.ru/yandsearch?text=theobserver.com

From Google:


http://www.google.ru/search?ie=UTF-8&hl=ru&q=theobserver.com

Jazspeak
Posts: 7295
Joined: Fri Oct 17, 2008 4:20 pm

RE: Malware Found

Post by Jazspeak » Sun Nov 25, 2012 11:41 am

[quote="инфинити"]
theobserver.com redirects to ibontu.25u.com only from search engines (Google, Yandex).
[/quote]

I wonder if that means that the infection is in the site's meta-data that is read by the search engines rather than in the main body of the site.

I have e-mailed the theobserver.com manager to alert him to the problem.

alphacentauri
Posts: 3291
Joined: Mon Nov 02, 2009 12:52 pm

RE: Malware Found

Post by alphacentauri » Sun Nov 25, 2012 2:33 pm

I run into a lot of malware-infected sites where you only get the malware if a search engine listing is the referrer, and only the first time you visit from your IP with a particular browser. It's very difficult to convince the site owners that they have a problem, because when they check the URL, there is no problem. When I have managed to get someone to take reports seriously, they reported that their .htaccess file had been hacked. Malzilla is invaluable in investigating these:
http://malzilla.sourceforge.net/
(The download link is in a small navigation bar at the top of the page.)

Add: This is what I get when I use Malzilla, using my Google search result URL as the referrer:


=========================
Server IP(s):
0.0.0.0

=========================
HTTP headers: 

HTTP/1.1 302 Moved Temporarily
Date: Sun, 25 Nov 2012 14:43:52 GMT
Server: Apache
Location: http://ibontu.25u.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

That is in the lower pane of the Malzilla window. The upper pane, that would have the html code, is blank. When I try a second time with the same referrer, same IP, same user agent, it goes to the Observer site normally.
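The referrer-conditional behaviour described in the two posts above (a 302 off-site only when a search-engine result is the referrer, and a normal page otherwise) can be checked without Malzilla by comparing two captures of the same URL. The script below is an added example written for this thread, not code from the thread or from the Malzilla project. It parses raw HTTP/1.x response headers in the shape Malzilla prints, flags 3xx responses whose Location leaves the site, and classifies a pair of captures. The first capture embedded in the script is the 302 quoted above; the second (a plain 200 for the direct visit) is constructed for illustration. The fetch_raw() helper is an assumption about how one would take a live capture with urllib; it is not exercised by the offline checks.

```python
"""
Added example (not from the thread): detect referrer-conditional redirects
by comparing a search-engine-referred capture with a direct capture.
"""
import urllib.request
import urllib.error
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Capture 1: the 302 quoted in the thread (Malzilla, Google result URL as referrer).
REFERRED_CAPTURE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Date: Sun, 25 Nov 2012 14:43:52 GMT\r\n"
    "Server: Apache\r\n"
    "Location: http://ibontu.25u.com/\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Capture 2: a constructed "normal" response for the direct visit (not from the thread).
DIRECT_CAPTURE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>front page</body></html>\r\n"
)


def parse_headers(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lower-cased header map).
    Anything after the first blank line (the body) is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.strip().splitlines()
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def _registrable(host: str) -> str:
    """Normalise a hostname so www.example.com and example.com compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def offsite_redirect(raw: str, site_host: str) -> Optional[str]:
    """Return the redirect target host if the response is a 3xx that leaves
    site_host, otherwise None (2xx and same-site redirects are not flagged)."""
    status, headers = parse_headers(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return None
    target = urlparse(headers["location"]).hostname or ""
    if not target or _registrable(target) == _registrable(site_host):
        return None
    return target


def classify(site_host: str, referred_raw: str, direct_raw: str) -> str:
    """'clean': neither fetch leaves the site.
    'unconditional': both leave the site (site-wide redirect, easy to reproduce).
    'referer-cloaked': only the search-engine-referred fetch leaves the site,
    which is the pattern the thread describes."""
    via_referer = offsite_redirect(referred_raw, site_host)
    direct = offsite_redirect(direct_raw, site_host)
    if via_referer and not direct:
        return "referer-cloaked"
    if via_referer and direct:
        return "unconditional"
    return "clean"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the first hop is what gets inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_raw(url: str, referer: Optional[str] = None, timeout: float = 10.0) -> str:
    """Live capture helper (network; assumed usage, not run by the offline checks).
    Rebuilds a status line plus header block in the same shape as the captures."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(req, timeout=timeout)
        code, reason, hdrs = resp.status, resp.reason, resp.headers
    except urllib.error.HTTPError as e:  # a refused 3xx surfaces here
        code, reason, hdrs = e.code, e.reason, e.headers
    return "HTTP/1.1 %d %s\r\n%s\r\n" % (
        code, reason, "".join("%s: %s\r\n" % kv for kv in hdrs.items()))


if __name__ == "__main__":
    print(classify("theobserver.com", REFERRED_CAPTURE, DIRECT_CAPTURE))
```

Because the thread reports that the cloaked response is served only on the first visit from a given IP and user agent, a live check gets one chance: take the referred capture first, from a fresh address, and treat a later "clean" result as inconclusive rather than as proof that the site is fixed.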
