WARNING: I don’t recommend interacting with any of the domains in this post.
Please use caution if you wish to investigate further.
The server at www[.]astrostyle.com appears to have been compromised.
The chain of events:
Followed by two 302 redirects to www3[.]yh1wrlj9w1uxd8.4pu.com and then www1[.]cwvsnwnq1fu-4.4pu.com
Binary load (scandsk.exe) comes from www2[.]dfhfyuiythfgyhtdfrrt.avli.biz
Checkin -> report[.]o793i7q31793iqg3.com
using forged User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Followed by requests to:
using forged User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre
Watching for the “pma_visited_theme2” cookie may help identify an encounter with the initial redirect.
The presence of the forged user agents may be seen after a successful compromise.
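As an added example (not part of the original post), the detection hints above turned into a small log scanner: it assumes a constructed pipe-delimited proxy log format and matches only the domains, the cookie name and the two forged User-Agent strings quoted in the post.

```python
"""Scan proxy log lines for the indicators in the post above.
Constructed example, not from the original post: the pipe-delimited log
format and sample lines are made up; domains, cookie name and the two
User-Agent strings are the ones quoted in the post."""
from typing import List, Optional, Tuple

# Indicators from the post, with the defanged "[.]" restored for matching.
SUSPECT_HOSTS = {
    "www3.yh1wrlj9w1uxd8.4pu.com",
    "www1.cwvsnwnq1fu-4.4pu.com",
    "www2.dfhfyuiythfgyhtdfrrt.avli.biz",
    "report.o793i7q31793iqg3.com",
}
SUSPECT_COOKIE = "pma_visited_theme2"
UA_MSIE = ("Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; "
           ".NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; "
           ".NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)")
UA_FIREFOX = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) "
              "Gecko/20101114 Firefox/4.0b8pre")
# Exact match on purpose: the forged strings are fixed, so substrings would only add noise.
FORGED_USER_AGENTS = {UA_MSIE, UA_FIREFOX}

Hit = Tuple[str, str, Tuple[str, ...]]  # (client, host, reasons)

def scan_line(line: str) -> Optional[Hit]:
    """Constructed field layout: client|host|path|user_agent|cookie_header."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None  # malformed line: skip it rather than abort the scan
    client, host, _path, ua, cookies = parts
    reasons = []
    if host.lower() in SUSPECT_HOSTS:
        reasons.append("host")
    if any(c.strip().split("=", 1)[0] == SUSPECT_COOKIE for c in cookies.split(";")):
        reasons.append("cookie")
    if ua in FORGED_USER_AGENTS:
        reasons.append("user-agent")
    return (client, host, tuple(reasons)) if reasons else None

def scan(lines) -> List[Hit]:
    return [h for h in (scan_line(l) for l in lines) if h is not None]

# Constructed sample traffic: one clean request followed by three that match.
SAMPLE_LOG = [
    "10.0.0.5|www.example.com|/index.html|Mozilla/5.0 (X11; Linux x86_64)|sessionid=abc",
    "10.0.0.5|www1.cwvsnwnq1fu-4.4pu.com|/|Mozilla/5.0 (X11; Linux x86_64)|pma_visited_theme2=1",
    "10.0.0.5|report.o793i7q31793iqg3.com|/|" + UA_MSIE + "|",
    "10.0.0.7|cdn.example.net|/x|" + UA_FIREFOX + "|",
]
```

A client seen with only the cookie hit reached the first redirect; a host or forged User-Agent hit on the same client afterwards is what the post describes as a completed compromise, so group results by client before triaging.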
The organization hosting www[.]astrostyle.com has been contacted.