Redirect mobile phone browsers to some undesired URL
Belongs in 91.223.167.0/24, AS197615, NASZASIEC-NET in Poland.
traceroute agrees, hopping through hosts named 'naszasiec.ip4.epix.net.pl' and ending at 'ip-91-223-167-117.naszasiec.net'.
Downloaded to my WordPress honey pot's fake WSO web shell, via FilesMan action, uploadFile sub-action. The downloader was hoping to put a file /var/www/html/.htaccess/.htaccessPNB1PN in place.
- Copy *file to dc1.php
- Run tidy on, and hand edit dc1.php to fix HTML problems, yielding f1.php
Seems to put in place a .htaccess file that selectively redirects (via Apache mod_rewrite) mobile phone browser accesses of document root (/var/www/html/) for the WordPress Apache server to http://googleads.g.doubleclick.cn.com/udoe19.html
I got ERROR 403: Forbidden when I tried to access that URL using wget.
The URL is clearly formed to trick the human eye.
The weird part is that it wants to leave in place the HTML generated by my fake WSO, to display if a non-mobile phone browser does the same access. I can't tell if the downloader is buggy, or it got confused by the fake WSO, or some other possibility.
Domain name googleads.g.doubleclick.cn.com resolves to 5.188.62.23, an IP address in 5.188.62.0/24, AS44050, assigned to some Ukrainian entity.
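
A way to spot this kind of .htaccess on a server, as an added example that is not part of the original notes or the captured sample: it flags any RewriteRule that is gated on a User-Agent RewriteCond and redirects to an off-site host. The sample .htaccess text, the host names ads.redirect.example and honeypot.example, and the function name find_ua_redirects are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample for illustration; NOT the file captured by the honey pot.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipod|blackberry) [NC]
RewriteRule ^$ http://ads.redirect.example/landing.html [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

# RewriteCond TestString CondPattern [flags]
COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(.+?)(?:\s+\[[^\]]*\])?\s*$", re.I)
# RewriteRule Pattern Substitution [flags]
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)


def find_ua_redirects(text, own_hosts=()):
    """Return (line_no, ua_pattern, target) for every RewriteRule that is
    gated on the User-Agent header and redirects to a host not in own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        cond = COND.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        target = rule.group(1)
        host = (urlparse(target).hostname or "").lower()
        ua_patterns = [pat for var, pat in pending if var == "%{HTTP_USER_AGENT}"]
        if ua_patterns and host and host not in own:
            findings.append((line_no, ua_patterns[0], target))
        pending = []  # conditions apply only to the RewriteRule that follows them
    return findings


if __name__ == "__main__":
    for hit in find_ua_redirects(SAMPLE_HTACCESS, own_hosts={"honeypot.example"}):
        print("line %d: User-Agent %s -> %s" % hit)
```

The ordinary WordPress front-controller rule in the sample is not reported, because its condition does not test the User-Agent and its target is a local path.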