You visit a site and it looks good and clean. However, if you keep the page open, after maybe 20-30 seconds, you get redirected to a casino or pharma affiliate page. What is going on?
HTTP/1.1 200 OK
Date: Tue, 29 Jan 2013 17:18:02 GMT
Refresh: 25; url="httx://www.dodonet.biz"
This tells the browser to redirect to a malicious domain after 25 seconds. Note that the domain and the refresh time varies per infection. These are some of the other domains we are seeing on this type of attack:
This infection seems to be mostly targeted at outdated Joomla sites (running < 1.5.25), but as it becomes more common the attackers will likely start to use it against all CMS applications. If you suspect your site may be compromised with this infection, you can verify it on our free scannerSiteCheck.
You can also search your PHP code for a similar entry adding the refresh header (be aware that it might be encoded using base64 or hex):
It also confuses many types of malware/security scanners because most of them will not wait 20+ seconds to see what happens. It’s probably why we’re seeing this big change in attacks.
If you have any question or comments, let us know.