Malware Redirection with a Delay
You visit a site and it looks good and clean. However, if you keep the page open, after maybe 20-30 seconds you get redirected to an affiliate page for a casino or pharma site. What is going on?
HTTP/1.1 200 OK
Date: Tue, 29 Jan 2013 17:18:02 GMT
Refresh: 25; url="httx://www.dodonet.biz"
This header tells the browser to redirect to a malicious domain after 25 seconds. Note that the domain and the refresh time vary per infection. These are some of the other domains we are seeing in this type of attack:
This infection seems to be mostly targeted against outdated Joomla sites (running < 1.5.25), but as they become more common the attackers may start to use it against any type of CMS. If you suspect your site may be compromised with it, you can verify it on SiteCheck, since it is able to identify this type of issue.
You can also search your PHP code for a similar entry adding the refresh header (be aware that it might be encoded using base64 or hex):
It also confuses many types of malware/security scanners because most of them will not wait 20+ seconds to see what happens and whether the site gets redirected. And that's probably the reason why attackers are using it now.
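Neither check needs to wait out the delay: the Refresh header can be read straight from the response, and string literals in the PHP source can be decoded before searching them. The following Python sketch is an added example, not code from the original post; the function names and the hosts victim.example and redirect.example are assumptions, and the PHP sample is constructed.

```python
import base64, re
from urllib.parse import urlparse

REFRESH_RE = re.compile(r'^\s*(\d+)\s*[;,]\s*(?:url\s*=\s*)?["\']?([^"\']+)', re.I)
STRING_RE = re.compile(r'''(["'])((?:\\.|(?!\1).)*)\1''', re.S)

def offsite_refresh(raw_headers, site_host):
    """Return (delay, url) if a Refresh header points off site_host, else None."""
    for line in raw_headers.splitlines()[1:]:          # skip the status line
        name, _, value = line.partition(":")
        m = REFRESH_RE.match(value) if name.strip().lower() == "refresh" else None
        if m:
            host = (urlparse(m.group(2).strip()).hostname or "").lower()
            if host and host != site_host.lower():
                return int(m.group(1)), m.group(2).strip()
    return None

def decoded_forms(literal):
    """Yield a PHP string literal as written, with \\xNN escapes expanded,
    and base64- and hex-decoded when it decodes cleanly."""
    yield literal
    yield re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), literal)
    for decode in (lambda s: base64.b64decode(s, validate=True), bytes.fromhex):
        try:
            yield decode(literal).decode("latin-1")
        except ValueError:          # binascii.Error is a ValueError subclass
            pass

def refresh_literals(php_source):
    """Return string literals that contain 'refresh:' in any decoded form."""
    return [lit for _, lit in STRING_RE.findall(php_source)
            if any("refresh:" in f.lower() for f in decoded_forms(lit))]

# Constructed samples: the header block follows the page; the PHP is hypothetical.
SAMPLE_HEADERS = ('HTTP/1.1 200 OK\r\nDate: Tue, 29 Jan 2013 17:18:02 GMT\r\n'
                  'Refresh: 25; url="httx://www.dodonet.biz"\r\n')
ENCODED = base64.b64encode(b"Refresh: 25; url=http://redirect.example/").decode()
SAMPLE_PHP = '<?php header(base64_decode("%s")); echo "hello"; ?>' % ENCODED

if __name__ == "__main__":
    print(offsite_refresh(SAMPLE_HEADERS, "victim.example"))
    print(refresh_literals(SAMPLE_PHP))
```

A hit from refresh_literals is only a lead for manual review: legitimate code may also set a Refresh header, and payloads assembled from several concatenated fragments will not match a single literal.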
If you have any questions or comments, let us know.