WENSH Affairs - Viewing a topic

Hacker problem

Wen


These days Google flagged wensh.net as a malicious site. This is because the server was hacked, probably a few days ago. I've already submitted a ticket about this to the hosting company and am still waiting for a reply.

The hacker is pretty smart. The server now will redirect any HTTP request to a malicious site if the HTTP request is referred from a search engine (as far as I know, Google and Yahoo). If I type in the address bar of the browser http://www.wensh.net and hit enter, I have no problem visiting the site, and there's no malicious software/link at all. However, if I try to access the site by clicking the link in a search engine (e.g. search site:wensh.net in Yahoo and click a link in the result), the server will not show the site but instead return a 302 code and redirect to the following address:
http://89.28.13.202/in.html?s=ix
which is a malicious website. Warning: if you want to try this, it is strongly suggested that you use your firewall to block the IP 89.28.13.202 first.

The difference between the two ways of accessing the site is the "referrer" section in the HTTP request. In the 1st way, there's no "referrer" section or it would be empty. And here's a sample server log in this case:
"GET / HTTP/1.1" 200 5861 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111318 Ubuntu/8.10 (intrepid) Firefox/3.0.4"
In the 2nd way, the "referrer" section would indicate the address of the search engine. In this case, the log would be:
"GET / HTTP/1.1" 302 290 "http://siteexplorer.search.yahoo.com/search?p=http%3A%2F%2Fwensh.net&bwm=p&bwms=p&fr=sfp&fr2=seo-rd-se" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111318 Ubuntu/8.10 (intrepid) Firefox/3.0.4"


Posted at 2008-11-18 23:29:02
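
The log pattern described in the post can be checked for mechanically. The following is an added example, not part of the original post: it scans access-log lines and flags any path that returns 200 to direct visitors but a 3xx to visitors referred by a search engine. The engine list and the third sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Matches the request/status/size/referrer/user-agent tail of a combined-format log line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Assumption: the two engines named in the post; extend for your own traffic.
SEARCH_ENGINES = ("google", "yahoo")
UA = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) "
      "Gecko/2008111318 Ubuntu/8.10 (intrepid) Firefox/3.0.4")


def referrer_class(referrer):
    """Classify a logged referrer field as 'direct', 'search' or 'other'."""
    if referrer in ("", "-"):
        return "direct"
    host = (urlparse(referrer).hostname or "").lower()
    if any(label in SEARCH_ENGINES for label in host.split(".")):
        return "search"
    return "other"


def find_cloaked_redirects(lines):
    """Return paths served 200 to direct visitors but 3xx to search referrals."""
    seen = defaultdict(lambda: defaultdict(set))  # path -> class -> {statuses}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            seen[m["path"]][referrer_class(m["referrer"])].add(int(m["status"]))
    flagged = []
    for path, by_class in sorted(seen.items()):
        direct_ok = 200 in by_class["direct"]
        search_redirect = any(300 <= s < 400 for s in by_class["search"])
        if direct_ok and search_redirect:
            flagged.append(path)
    return flagged


# First two lines are the samples from the post; the third is constructed.
SAMPLE_LOG = [
    f'"GET / HTTP/1.1" 200 5861 "-" "{UA}"',
    '"GET / HTTP/1.1" 302 290 "http://siteexplorer.search.yahoo.com/search'
    f'?p=http%3A%2F%2Fwensh.net&bwm=p&bwms=p&fr=sfp&fr2=seo-rd-se" "{UA}"',
    f'"GET /about HTTP/1.1" 200 1200 "http://www.google.com/search?q=wensh" "{UA}"',
]

if __name__ == "__main__":
    print(find_cloaked_redirects(SAMPLE_LOG))
```

The combined log format does not record the Location header, so the log shows that a redirect happened but not where it pointed.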

Comment: Re: Hacker problem

Wen

This problem is fixed now.


Posted at 2008-11-20 17:39:19