Description:
Detected a suspicious redirect to a third-party site whose IP address is specified in non-dotted decimal notation. For example, hxxp://1755118211 is the decimal representation of hxxp://104 .156 .250 .131.
Redirects to "1755118211" and "1760468715" are associated with a Rig exploit kit campaign in 2016 and 2017.
Samples of HTTP response headers from infected sites:
In 2016:
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.10.1
    Date: Sat, 13 Aug 2016 13:31:28 GMT
    Content-Type: text/html
    Content-Length: 185
    Connection: keep-alive
    Location: hxxp://1755118211
In 2017:
    HTTP/1.1 302 Found
    Server: nginx/1.10.1
    Date: Mon, 27 Mar 2017 13:16:01 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    X-Powered-By: PHP/5.3.10-1ubuntu3.23
    Access-Control-Allow-Origin: *
    Location: hxxp://1760468715/ e-hub[.]com
    Vary: Accept-Encoding
Affecting: Mostly websites on nginx servers.
For more information check: Websites compromised in ‘Decimal IP’ campaign
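
The check described above can be reproduced with a short script. This is an added example, not part of the original signature: it flags Location headers whose host is a single decimal integer and converts it to dotted notation. The function names are hypothetical and the sample responses are constructed from the header samples on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed responses modelled on the header samples above (URLs stay defanged).
SAMPLE_RESPONSES = [
    "HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.10.1\r\n"
    "Location: hxxp://1755118211\r\n\r\n",
    "HTTP/1.1 302 Found\r\nServer: nginx/1.10.1\r\n"
    "Location: hxxp://1760468715/\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/login\r\n\r\n",
]


def location_of(raw_response):
    """Return the Location header value of a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def decimal_ip_host(url):
    """Return the dotted-quad form if the URL host is one decimal integer, else None."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)  # refang for parsing only
    host = urlsplit(url).hostname or ""
    # Plain decimal only; a leading 0 or 0x means octal/hex to a browser (not handled).
    if not re.fullmatch(r"[1-9][0-9]*", host):
        return None
    try:
        return str(ipaddress.IPv4Address(int(host)))
    except ipaddress.AddressValueError:  # larger than 32 bits
        return None


def scan(responses):
    """Return (location, dotted_ip) for every redirect to a decimal-IP host."""
    hits = []
    for raw in responses:
        location = location_of(raw)
        dotted = decimal_ip_host(location) if location else None
        if dotted:
            hits.append((location, dotted))
    return hits


if __name__ == "__main__":
    for location, dotted in scan(SAMPLE_RESPONSES):
        print(f"suspicious redirect: {location} -> {dotted}")
```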