SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. redirect.dec_ip.1

redirect.dec_ip.1

Description:
Detected suspicious redirect to a third-party site whose IP address specified in a non-dotted decimal notation. For example hxxp://1755118211 is a decimal representation of hxxt://104 .156 .250 .131

Redirects to "1755118211" and "1760468715" are associated with a Rig exploit kit campaing in 2016 and 2017.

Samples of HTTP headers of responses of infected sites
In 2016

HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Date: Sat, 13 Aug 2016 13:31:28 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: hxxp://​1755118211

in 2017

HTTP/1.1 302 Found
Server: nginx/1.10.1
Date: Mon, 27 Mar 2017 13:16:01 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
X-Powered-By: PHP/5.3.10-1ubuntu3.23
Access-Control-Allow-Origin: *
Location: hxxp://1760468715​/
e-hub[.]com
Vary: Accept-Encoding

Affecting: Mostly websites on nginx servers.

For more information check: Websites compromised in ‘Decimal IP’ campaign