Finding Malicious Redirectors

Below are some URI patterns to look for in proxy or web logs. They are commonly used by redirectors that lead to exploit kits.

*&ab_iframe=*
*&tds-sid=*
*/go.php?sid=*
*/got.php?sid=*
*/in.cgi?*
*/linko02.php*
*/in.php*
*/index.php?go=1
*.in/?site=*
*/i.php?go=1
*/r.php?l=http*
*/404.php?go=1
*/?go=1
*/?go=2
*/vc.php?go=2
*/ep/links/moving.php
*/track.php?c00*
*.cgi?8
*/sword/in.cgi?*

The following combination of fields is also useful:

HTTP Request Type = GET
HTTP Status Code = 302
HTTP URI = *.cgi?*

Combine this with a regex on the HTTP URI: "\.cgi\?\d+?$"
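
The patterns and the GET/302 rule above, applied to proxy log lines. This is an added example, not code from the original post; the log layout (method, status, URI separated by spaces), the sample lines and the function names are constructed for illustration.

```python
import re

# Wildcard patterns copied from the list above. '*' is the only wildcard;
# '?' is a literal query-string delimiter, which is why fnmatch is not used.
PATTERNS = [
    "*&ab_iframe=*", "*&tds-sid=*", "*/go.php?sid=*", "*/got.php?sid=*",
    "*/in.cgi?*", "*/linko02.php*", "*/in.php*", "*/index.php?go=1",
    "*.in/?site=*", "*/i.php?go=1", "*/r.php?l=http*", "*/404.php?go=1",
    "*/?go=1", "*/?go=2", "*/vc.php?go=2", "*/ep/links/moving.php",
    "*/track.php?c00*", "*.cgi?8", "*/sword/in.cgi?*",
]

def glob_to_regex(glob):
    """Escape everything except '*', which becomes '.*'."""
    return re.compile(".*".join(re.escape(part) for part in glob.split("*")))

COMPILED = [(g, glob_to_regex(g)) for g in PATTERNS]
CGI_DIGITS = re.compile(r"\.cgi\?\d+?$")  # regex from the post

def classify(method, status, uri):
    """Return the names of every pattern or rule the request matches."""
    # fullmatch: a pattern without a trailing '*' must match to the end of the URI
    hits = [g for g, rx in COMPILED if rx.fullmatch(uri)]
    # The regex already implies the '*.cgi?*' wildcard from the field rule.
    if method == "GET" and status == 302 and CGI_DIGITS.search(uri):
        hits.append("GET+302+cgi-digits")
    return hits

# Constructed sample log: method, status code, URI
SAMPLE_LOG = """\
GET 302 http://blog.example/wp/in.cgi?8
GET 200 http://shop.example/index.php?go=1
GET 200 http://shop.example/index.php?go=10
GET 302 http://site.example/cgi-bin/stats.cgi?17
GET 302 http://site.example/cgi-bin/stats.cgi?page=2
POST 302 http://site.example/cgi-bin/form.cgi?3
"""

def scan(log_text):
    """Map each flagged URI to the list of patterns/rules it matched."""
    results = {}
    for line in log_text.splitlines():
        method, status, uri = line.split(None, 2)
        hits = classify(method, int(status), uri)
        if hits:
            results[uri] = hits
    return results

if __name__ == "__main__":
    for uri, hits in scan(SAMPLE_LOG).items():
        print(uri, "->", ", ".join(hits))
```

The "?go=10" and "?page=2" lines stay unflagged, which shows how the end-anchored patterns and the digits-only regex keep the broad "*.cgi?*" and "go=1" matches from firing on ordinary traffic.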
