Tiltedkilt.com redirecting to Fiesta

*First thought neosploit…turns out fiesta.*

This compromise only redirects visitors coming from a search engine.

http://sitecheck.sucuri.net/results/tiltedkilt.com

http://www.tiltedkilt.com/menu/ (the redirect only fires when the referrer is a search engine such as Google or Bing)

Paste of redirecting JS

http://flownacme.info/showads.php?2&seoref=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3Dtilted%2520kilt%2520menu%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0CC8QFjAA%26url%3Dhttp%253A%252F%252Fwww.tiltedkilt.com%252Fmenu%252F%26ei%3DA3ARUdGgIem1ygGewoHoBw%26usg%3DAFQjCNE5woagSo26HJaev5A8eSwYUJWQ7w%26bvm%3Dbv.41934586%2Cd.aWM&HTTP_REFERER=http%3A%2F%2Fwww.tiltedkilt.com%2Fmenu%2F > Redirect

http://bitsawalli.www1.biz/w4bm607/counter.php?id=2
http://bitsawalli.www1.biz/w4bm607/?2
http://bitsawalli.www1.biz/w4bm607/?0ae2960a13391f965c0807090b0d015809525e065b060b55095700020d5252 > PDF
http://bitsawalli.www1.biz/w4bm607/?02c3ea533044d71d52511508575a040a0901580707510e0709040603510557 > JAR (application/x-java-archive)
http://bitsawalli.www1.biz/w4bm607/?40f2f7e2da7d541555420709540c540b0d035d0604075e060d060302525307 > JAR (application/x-java-archive)
http://bitsawalli.www1.biz/w4bm607/?05a155a358a6daa4554d040a070e500a09065a0557055a0709030401015107;1;3 > EXE from PDF (application/octet-stream)
http://bitsawalli.www1.biz/w4bm607/?4a53229d5fcb1ebd511950080009085d0d520e07500202500d57500306565b;1;1 > EXE from JAR (application/octet-stream)
http://bitsawalli.www1.biz/w4bm607/?4a53229d5fcb1ebd511950080009085d0d520e07500202500d57500306565b;1;1;1 > empty > DL confirm
http://bitsawalli.www1.biz/w4bm607/?5ff3f9fb5fcb1ebd501e03085402575b0c555d0704095d560c500303525d04;1;2 > EXE from JAR (application/octet-stream)
http://bitsawalli.www1.biz/w4bm607/?5ff3f9fb5fcb1ebd501e03085402575b0c555d0704095d560c500303525d04;1;2;1 > empty > DL confirm
http://bitsawalli.www1.biz/w4bm607/?05a155a358a6daa4554d040a070e500a09065a0557055a0709030401015107;1;3;1 > empty > DL confirm

Nothing new here: low AV detection, and the payload looks like a locker.
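As an added example (not from the original post), a small Python checker that maps proxy-log URLs onto the stages of the chain above (TDS hop, landing page, counter, exploit fetch, payload fetch, download confirm) and gives each client a verdict; the `client_ip url status` log format and the 32-hex-char minimum token length are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

HEX_TOKEN = re.compile(r"^[0-9a-f]{32,}$")  # assumption: 62 hex chars here, minimum kept loose
PAYLOAD = {"fiesta-payload-fetch", "fiesta-payload-confirm"}
KIT = {"fiesta-counter", "fiesta-landing", "fiesta-exploit-fetch"}

def classify(url):
    """Map one requested URL onto a stage of the redirect -> Fiesta chain, or None."""
    p = urlparse(url)
    if p.path.endswith("/showads.php"):
        qs = parse_qs(p.query)
        if "seoref" in qs or "HTTP_REFERER" in qs:
            return "tds-redirect"            # referrer-carrying hop through the TDS
    if p.path.endswith("/counter.php") and p.query.startswith("id="):
        return "fiesta-counter"              # landing-page hit counter
    if p.query.isdigit():
        return "fiesta-landing"              # e.g. /w4bm607/?2
    parts = p.query.split(";")
    if HEX_TOKEN.match(parts[0]):
        if len(parts) == 1:
            return "fiesta-exploit-fetch"    # PDF or JAR exploit file
        if len(parts) == 3:
            return "fiesta-payload-fetch"    # EXE served after a successful exploit
        if len(parts) == 4:
            return "fiesta-payload-confirm"  # empty reply that confirms the download
    return None

def scan(log_lines):
    """Parse 'client_ip url status' lines; return stages seen per client and a verdict per client."""
    seen = {}
    for line in log_lines:
        client, url = line.split()[:2]
        stage = classify(url)
        if stage:
            seen.setdefault(client, set()).add(stage)
    # Payload delivered -> treat the host as infected; kit contact without payload -> exposed
    # (patch level of browser, Java and PDF reader worth checking); TDS hop only -> redirected.
    verdicts = {c: "likely-infected" if s & PAYLOAD else "exposed" if s & KIT else "redirected"
                for c, s in seen.items()}
    return seen, verdicts

SAMPLE_LOG = [  # constructed proxy lines using the hosts and paths from the chain above
    "10.0.0.5 http://www.tiltedkilt.com/menu/ 200",
    "10.0.0.5 http://flownacme.info/showads.php?2&seoref=http%3A%2F%2Fwww.google.com%2F&HTTP_REFERER=http%3A%2F%2Fwww.tiltedkilt.com%2Fmenu%2F 302",
    "10.0.0.5 http://bitsawalli.www1.biz/w4bm607/?2 200",
    "10.0.0.5 http://bitsawalli.www1.biz/w4bm607/?0ae2960a13391f965c0807090b0d015809525e065b060b55095700020d5252 200",
    "10.0.0.5 http://bitsawalli.www1.biz/w4bm607/?05a155a358a6daa4554d040a070e500a09065a0557055a0709030401015107;1;3 200",
    "10.0.0.9 http://bitsawalli.www1.biz/w4bm607/?2 200",
]
```

Run `scan(SAMPLE_LOG)` to get the per-client stage sets and verdicts; a real deployment would feed it the proxy's own URL column instead of the constructed list.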

Updated the NeoSploit post with more indicators.
