e-cybercity.mu and the Chrome Option Survey

31 October 2016 by S. Moonesamy

e-cybercity.mu

According to LinkedIn, www.e-cybercity.mu is the web site of the Business Parks of Mauritius Ltd. When I visited the web site I was puzzled to see a redirect to a different web site.

Chrome Opinion Survey

The information displayed in the screenshot below immediately raised suspicion, as I was not expecting to see content unrelated to Business Parks of Mauritius Ltd. On seeing the "2016 Annual Visitor Survey" I wondered how I had got to that web page.

The initial HTTP request, to http://www.e-cybercity.mu/, returned the following response (captured with PhantomJS; note the WordPress wp-json Link header and the qtrans_front_language cookie):
page.onResourceReceived - {"body":"","bodySize":50088,"contentType":"text/html; charset=UTF-8","headers":[{"name":"Server","value":"nginx"},{"name":"Date","value":"Mon, 31 Oct 2016 16:19:00 GMT"},{"name":"Content-Type","value":"text/html; charset=UTF-8"},{"name":"Transfer-Encoding","value":"chunked"},{"name":"Connection","value":"keep-alive"},{"name":"Keep-Alive","value":"timeout=15"},{"name":"Vary","value":"Accept-Encoding"},{"name":"Expires","value":"Thu, 19 Nov 1981 08:52:00 GMT"},{"name":"Cache-Control","value":"no-store, no-cache, must-revalidate, post-check=0, pre-check=0"},{"name":"Pragma","value":"no-cache"},{"name":"Link","value":"<http://www.e-cybercity.mu/wp-json/>; rel=\"https://api.w.org/\", <http://www.e-cybercity.mu/>; rel=shortlink"},{"name":"Set-Cookie","value":"PHPSESSID=r9jqn6j87hb1u644u8nu2q8i36; path=/\nqtrans_front_language=en; expires=Tue, 31-Oct-2017 16:19:00 GMT; Max-Age=31536000; path=/"},{"name":"ngpass_ngall","value":"1"},{"name":"Content-Encoding","value":"gzip"}],"id":1,"redirectURL":null,"stage":"start","status":200,"statusText":"OK","time":"2016-10-31T16:19:01.626Z","url":"http://www.e-cybercity.mu/"}

This was followed by a request for the theme stylesheet (the wp-content path and the "ver=4.6.1" query string are the usual WordPress markers):
page.onResourceRequested - {"headers":[{"name":"Accept","value":"text/css,*/*;q=0.1"},{"name":"Referer","value":"http://www.e-cybercity.mu/"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1"}],"id":3,"method":"GET","time":"2016-10-31T16:19:01.636Z","url":"http://www.e-cybercity.mu/wp-content/themes/scroller/style.css?ver=4.6.1"}

The following HTTP exchange looked suspicious: the page fetched a text/plain resource from the "raw" endpoint of pastebin.com, a paste service that has no business being part of a company web site:
page.onResourceReceived - {"body":"","bodySize":1555,"contentType":"text/plain; charset=utf-8","headers":[{"name":"Date","value":"Mon, 31 Oct 2016 16:19:05 GMT"},{"name":"Content-Type","value":"text/plain; charset=utf-8"},{"name":"Transfer-Encoding","value":"chunked"},{"name":"Connection","value":"keep-alive"},{"name":"Set-Cookie","value":"__cfduid=d398a1ebba56a18de6b6a65a79435090e1477930745; expires=Tue, 31-Oct-17 16:19:05 GMT; path=/; domain=.pastebin.com; HttpOnly"},{"name":"X-Powered-By","value":"PHP/5.5.5"},{"name":"Cache-Control","value":"public, max-age=1801"},{"name":"Content-Encoding","value":"gzip"},{"name":"Vary","value":"Accept-Encoding"},{"name":"CF-Cache-Status","value":"HIT"},{"name":"Expires","value":"Mon, 31 Oct 2016 16:49:06 GMT"},{"name":"Server","value":"cloudflare-nginx"},{"name":"CF-RAY","value":"2fa86d3609f22c90-MBA"}],"id":51,"redirectURL":null,"stage":"start","status":200,"statusText":"OK","time":"2016-10-31T16:19:06.114Z","url":"https://pastebin.com/raw/P4k4pc9v"}

There was another HTTP request to https://go.padsdel.com/afu.php?id=473791, followed by this response from r7mediar.com (the query string carries the same id, 473791, as the padsdel request, and the "reverse" cookie it sets expires after one hour):
page.onResourceReceived - {"body":"","bodySize":1021,"contentType":"text/html; charset=UTF-8","headers":[{"name":"Server","value":"nginx"},{"name":"Date","value":"Mon, 31 Oct 2016 16:19:11 GMT"},{"name":"Content-Type","value":"text/html; charset=UTF-8"},{"name":"Transfer-Encoding","value":"chunked"},{"name":"Connection","value":"keep-alive"},{"name":"Vary","value":"Accept-Encoding"},{"name":"X-Powered-By","value":"PHP/5.6.23"},{"name":"Set-Cookie","value":"reverse=31VT43DSuA8NOnqXBfJipLprpeK4Bmvc-qaoxWpUEVM; expires=Mon, 31-Oct-2016 17:19:12 GMT; Max-Age=3600; path=/"},{"name":"Content-Encoding","value":"gzip"}],"id":85,"redirectURL":null,"stage":"start","status":200,"statusText":"OK","time":"2016-10-31T16:19:12.944Z","url":"http://r7mediar.com/?l=8xGxf2RJpeR6F1Z&s=219594586224&z=473791&g=MU&tr=15"}

The following HTTP response is for the Chrome logo shown on the survey page, served from yet another host:
page.onResourceReceived - {"contentType":"image/png","headers":[{"name":"Date","value":"Mon, 31 Oct 2016 16:18:59 GMT"},{"name":"Content-Type","value":"image/png"},{"name":"Content-Length","value":"5370"},{"name":"Last-Modified","value":"Fri, 13 Mar 2015 19:46:47 GMT"},{"name":"ETag","value":"\"55033ea7-14fa\""},{"name":"Expires","value":"Thu, 26 Oct 2017 16:18:59 GMT"},{"name":"Cache-Control","value":"max-age=31104000, public, must-revalidate, proxy-revalidate"},{"name":"Pragma","value":"public"},{"name":"Age","value":"16"},{"name":"X-Cache","value":"HIT"},{"name":"X-Cache-Hits","value":"341"},{"name":"Accept-Ranges","value":"bytes"}],"id":97,"redirectURL":null,"stage":"end","status":200,"statusText":"OK","time":"2016-10-31T16:19:16.572Z","url":"http://om7zz.allaff.0981.ws/templates/_common//browser_survey/logos/chrome58x58.png"}
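The log entries above were read by hand. The script below is an added example, not code from the original post: it parses PhantomJS resource-log lines of this shape, groups the records by resource id, orders them by time and lists every host other than www.e-cybercity.mu together with the content type and cookie it returned, so the chain pastebin.com, go.padsdel.com, r7mediar.com, om7zz.allaff.0981.ws stands out. The sample log embedded in it is constructed from abbreviated copies of the entries quoted above; the id and timestamp of the go.padsdel.com request are placeholders, since the post records only its URL.

```javascript
// Added example (not code from the original post): triage of PhantomJS
// resource-log lines of the shape quoted above. Entries are parsed, grouped
// by resource id, sorted by time, and every host other than the visited
// site is reported with its content type and any cookie it set.

const FIRST_PARTY_HOST = 'www.e-cybercity.mu';

// Constructed sample: abbreviated copies of the entries quoted in the post.
// The post gives only the URL of the go.padsdel.com request, so its id (60)
// and time are placeholders. The r7mediar.com line carries two entries and
// a "[DEBUG ...] Session [...]" prefix, exactly as in the PhantomJS output.
const SAMPLE_LOG = [
  'page.onResourceReceived - {"contentType":"text/html; charset=UTF-8","headers":[{"name":"Server","value":"nginx"},{"name":"Set-Cookie","value":"PHPSESSID=r9jqn6j87hb1u644u8nu2q8i36; path=/"}],"id":1,"stage":"start","status":200,"time":"2016-10-31T16:19:01.626Z","url":"http://www.e-cybercity.mu/"}',
  'page.onResourceRequested - {"headers":[{"name":"Referer","value":"http://www.e-cybercity.mu/"}],"id":3,"method":"GET","time":"2016-10-31T16:19:01.636Z","url":"http://www.e-cybercity.mu/wp-content/themes/scroller/style.css?ver=4.6.1"}',
  'page.onResourceReceived - {"contentType":"text/plain; charset=utf-8","headers":[{"name":"Set-Cookie","value":"__cfduid=d398a1ebba56a18de6b6a65a79435090e1477930745; path=/; domain=.pastebin.com; HttpOnly"},{"name":"Server","value":"cloudflare-nginx"}],"id":51,"stage":"start","status":200,"time":"2016-10-31T16:19:06.114Z","url":"https://pastebin.com/raw/P4k4pc9v"}',
  'page.onResourceRequested - {"headers":[],"id":60,"method":"GET","time":"2016-10-31T16:19:09.000Z","url":"https://go.padsdel.com/afu.php?id=473791"}',
  'page.onResourceReceived - {"contentType":"text/html; charset=UTF-8","headers":[{"name":"Set-Cookie","value":"reverse=31VT43DSuA8NOnqXBfJipLprpeK4Bmvc-qaoxWpUEVM; Max-Age=3600; path=/"}],"id":85,"stage":"start","status":200,"time":"2016-10-31T16:19:12.944Z","url":"http://r7mediar.com/?l=8xGxf2RJpeR6F1Z&s=219594586224&z=473791&g=MU&tr=15"} [DEBUG - 2016-10-31T16:19:12.948Z] Session [bb418980-9f85-11e6-b21d-5f1fe065c99e] - page.onResourceReceived - {"contentType":"text/html; charset=UTF-8","headers":[],"id":85,"stage":"end","status":200,"time":"2016-10-31T16:19:12.954Z","url":"http://r7mediar.com/?l=8xGxf2RJpeR6F1Z&s=219594586224&z=473791&g=MU&tr=15"}',
  'page.onResourceReceived - {"contentType":"image/png","headers":[{"name":"Content-Type","value":"image/png"}],"id":97,"stage":"end","status":200,"time":"2016-10-31T16:19:16.572Z","url":"http://om7zz.allaff.0981.ws/templates/_common//browser_survey/logos/chrome58x58.png"}',
];

// One line may carry several entries, or prose before the first one. Split
// on the event marker and take the JSON object between the first "{" and
// the last "}" of each piece; a "[DEBUG ...] Session [...] -" tail has no
// braces, so it is ignored. Malformed pieces are skipped, not fatal.
function parseEntries(line) {
  const entries = [];
  for (const part of line.split(/(?=page\.onResource(?:Requested|Received) - )/)) {
    const m = /^page\.(onResourceRequested|onResourceReceived) - /.exec(part);
    if (!m) continue;
    const start = part.indexOf('{');
    const end = part.lastIndexOf('}');
    if (start < 0 || end < start) continue;
    try {
      entries.push({ event: m[1], record: JSON.parse(part.slice(start, end + 1)) });
    } catch (e) {
      // truncated or hand-edited JSON: leave it out of the chain
    }
  }
  return entries;
}

// Case-insensitive header lookup on a received record.
function header(record, name) {
  const h = (record.headers || []).find((x) => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : null;
}

// One summary per resource id (the request and its response share the id),
// sorted by the earliest timestamp seen for that id.
function buildChain(logText) {
  const byId = new Map();
  for (const line of logText.split('\n')) {
    for (const { event, record } of parseEntries(line)) {
      let u;
      try { u = new URL(record.url); } catch (e) { continue; }
      const cur = byId.get(record.id) || {
        id: record.id, url: record.url, host: u.hostname, time: record.time,
        contentType: null, setCookie: null,
      };
      if (record.time < cur.time) cur.time = record.time;
      if (event === 'onResourceReceived') {
        cur.contentType = cur.contentType || record.contentType || null;
        cur.setCookie = cur.setCookie || header(record, 'set-cookie');
      }
      byId.set(record.id, cur);
    }
  }
  return [...byId.values()].sort((a, b) => (a.time < b.time ? -1 : a.time > b.time ? 1 : 0));
}

// Resources served by hosts other than the visited site, in chain order.
function thirdPartyResources(chain, firstPartyHost) {
  return chain.filter((r) => r.host !== firstPartyHost);
}

// Distinct third-party hosts in order of first appearance: the redirect chain.
function thirdPartyHosts(chain, firstPartyHost) {
  const seen = [];
  for (const r of thirdPartyResources(chain, firstPartyHost)) {
    if (!seen.includes(r.host)) seen.push(r.host);
  }
  return seen;
}

if (typeof require !== 'undefined' && require.main === module) {
  const chain = buildChain(SAMPLE_LOG.join('\n'));
  for (const r of thirdPartyResources(chain, FIRST_PARTY_HOST)) {
    const cookie = r.setCookie ? r.setCookie.split(';')[0] : '-';
    console.log(`${r.time} ${r.host} ${r.contentType || '-'} cookie=${cookie}`);
  }
}
```

Run against a full PhantomJS log (one entry per line, or the glued lines seen above) with the site under test as FIRST_PARTY_HOST; a text/plain fetch from a paste service, or a cookie set by a host the site has no relationship with, is the kind of line to pull out for the conclusion below.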

Conclusion

www.e-cybercity.mu is using WordPress as its Content Management System (the wp-content paths and the wp-json Link header identify it). It is unlikely that a legitimate "Chrome Opinion Survey" on a business web site would rely on a "paste tool" such as pastebin.com to deliver its content. Given that the visitor is driven, via go.padsdel.com and r7mediar.com, to another web site which is unrelated to any business in Mauritius, it is likely that the Content Management System, namely the WordPress software, was compromised.