
Recently I was visiting a web site that is hosted in China (I can tell by the IP; it's assigned to a university over there).

When I accessed their page today, it loaded, but after the initial content was loaded I was redirected to a weird Pokemon/Mario Bros page. Anyway, I was surprised. I used Wireshark and I could see that upon the GET request the server was sending an HTTP 302 "Moved Temporarily". I then connected through an Internet proxy to see whether it's linked in some way to my IP. And surprise, I was able to connect without any redirection. Now I'm wondering: did they discover that I was connecting from outside China (Central Europe) and do a redirect based on my IP in Apache? Or is the site infected by some malware? If the latter, how could I check the URL in, say, a sandbox for malicious code? Would a proxy prevent a redirect?

OscarAkaElvis
cyzczy

3 Answers


My impression is that there is either a 302 set up at the domain level itself (possibly due to malicious intent), or, as you mentioned, an Apache (or nginx or whatever) redirect somehow set up on the web server itself. Whether this was intended or a result of malware I have no way of knowing with the given information. However, an XSS attack usually requires the use of an external link with JavaScript written into the link itself. If you navigate directly to the website itself, XSS is most likely not the issue. As far as scanning for malware, you could use a remote scanner, but that will not provide results as accurate as scanning the filesystem itself, which I would imagine you don't have access to do.

SuperAdmin

Try to connect using different proxies to evaluate the behavior from each country. That way you'll see the true content of the page if you suspect it is related to the IP origin.

Anyway, it is a wild guess without knowing the page, the IP, etc., but it could also be some kind of XSS or hacking done to the page. I think somebody is redirecting all people to some "hook" page, or just earning money for each visit because of ads. If it is not always redirecting you... it could have some kind of "user selection", IDK... maybe by IP as you suspect, or whatever.

OscarAkaElvis
  • I used VirusTotal initially; the result was a detection ratio of 0 / 64, and all of the URL scanners returned the result "Clean site", so I was thinking that they might have configured a redirect on their server for my IP specifically. I'm not sure why they even bothered. I guess, I'm not entirely sure, but I have the impression that the content they provide is not shared legally? – cyzczy Mar 25 '17 at 19:11

I would suggest the following to further investigate. As you suspect it is a potentially compromised website, use a VM to perform these.

  1. Try with proxies from a couple of different locations and see if the redirection response is location-based.
  2. Use a web proxy like Burp, intercept each request and see at what stage the redirection is happening, i.e., is it happening when you submit a form? If yes, what are the parameters going through?
  3. Is the immediate response from the target domain a 302 redirect to that Pokemon site? If yes, the site may be compromised.
  4. Is the redirect happening after a delay? Then examine the HTML source of the immediate response and see what kind of active content is being served [JS, Flash...] and what it is doing.

There are endless possibilities. But these are the ones coming to my mind right now and I think worth looking into.

hax
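As an added example that is not part of any answer on this page, the following Python script turns the checks suggested above into code: SuperAdmin's question of whether the very first response is already an HTTP 302, and hax's steps 1 to 4 (compare vantage points, inspect the immediate response, and look at the active content if the redirect is delayed). It fetches the page without following redirects, directly and through one or more proxies, and reports whether a redirect would come from the HTTP Location header, a meta refresh, inline JavaScript, or could be hidden in an external script that still needs manual review. The target URL, the proxy address and the three sample responses are constructed placeholders, not the site from the question.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Placeholder target and vantage points (assumed, not the site from the question).
TARGET = "http://example.invalid/"
PROXIES = {"direct": None, "proxy-eu": "http://127.0.0.1:8080"}

# Constructed sample responses standing in for three kinds of first response.
SAMPLE_302 = (302, {"Location": "http://pokemon.example/"}, "")
SAMPLE_DELAYED = (200, {"Content-Type": "text/html"}, """<html><head>
<meta http-equiv="refresh" content="5; url=http://mario.example/">
<script src="/js/ads.js"></script>
<script>setTimeout(function(){ window.location.href = "http://mario.example/"; }, 3000);</script>
</head><body>real content</body></html>""")
SAMPLE_CLEAN = (200, {"Content-Type": "text/html"}, "<html><body>real content</body></html>")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the first response is the one we inspect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, proxy=None, user_agent="Mozilla/5.0"):
    """Return (status, headers, body) of the FIRST response, redirects not followed."""
    handlers = [NoRedirect()]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # a 3xx lands here because NoRedirect refused it
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")


class ActiveContent(HTMLParser):
    """Collect meta refresh targets, external script URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.meta_refresh, self.script_srcs, self.inline_js = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_js.append(data)


# Assignments or calls that navigate the browser: location.href = ..., location.replace(...)
JS_NAV = re.compile(r"\blocation\s*(?:\.\s*(?:href|replace|assign)\s*)?(?:=[^=]|\()", re.I)


def classify(status, headers, body):
    """List (mechanism, target) pairs explaining how this response could redirect."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and lower.get("location"):
        findings.append(("http", lower["location"]))  # immediate, decided server-side
    parser = ActiveContent()
    parser.feed(body)
    for content in parser.meta_refresh:
        m = re.search(r"url\s*=\s*(\S+)", content, re.I)
        findings.append(("meta-refresh", m.group(1) if m else content))
    for js in parser.inline_js:
        if JS_NAV.search(js):
            findings.append(("inline-js", " ".join(js.split())[:80]))
    for src in parser.script_srcs:
        findings.append(("external-js", src))  # not executed here; read it by hand
    return findings


def compare(results, baseline="direct"):
    """Return the vantage points whose findings differ from the baseline connection."""
    return {k: v for k, v in results.items() if v != results[baseline]}


if __name__ == "__main__":
    observed = {label: classify(*fetch(TARGET, proxy)) for label, proxy in PROXIES.items()}
    for label, findings in observed.items():
        print(label, findings or "no redirect mechanism seen")
    print("differs from direct:", compare(observed))
```

Run it from the VM the answer recommends, once per vantage point you have. A finding of kind "http" means the server itself answered with a redirect (the Wireshark observation in the question); "meta-refresh" or "inline-js" means the page loads and the browser is sent away afterwards, which is the delayed case in step 4. The script does not execute JavaScript, so any "external-js" entry is only a pointer to a file that has to be fetched and read separately.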