Church site has rogue file?

The website of the Western Boulevard Presbyterian Church in Raleigh has what appears to be a rogue file on it.

A file that was uploaded September 4, 2006:

http://wbpresbyterian.org/contact/read.php

I’ve received several pieces of comment spam referencing that file and certain keywords. When those keywords are attached, the file serves as a spammy redirect.

There’s no e-mail address available to notify the church, so I called them. Twice. The office administrator hung up on me. Twice. I have no idea what to think, except at the very least, her handling of the situation was very rude. I managed to explain the situation roughly, but didn’t get far enough to tell her what the file was.

I wasn’t planning on making this public, but the behavior I encountered was bizarre enough, I just have to get some answers.

Did she think I was crank calling? Did she know about it already? If so, why’s the file still there?

And did the spammers hack their site?

Here’s what I know about the spammers:

The spammers are using proxies instead of spambots.

The JavaScript redirect goes through this site:

more777.info

And it redirects to bettingcasinosite.com. Both sites have basically the same whois:

Registrant:
N/A
Michael (info@asiawood.ru)
Lenina, 6
Kurgan
null,640000
RU
Tel. +7.9128351001

Creation Date: 12-Aug-2006
Expiration Date: 12-Aug-2007

Domain servers in listed order:
ns2.bettingcasinosite.com
ns1.bettingcasinosite.com

I found that e-mail address elsewhere on the net. Translated with Babelfish from http://wood.yondi.ru/inner_id_60400_c_firms_page_4.phtm:
Export of construction lumber into the countries of Asia. Form of the activity: Wholesale trade Price- sheet the address: 640022, Kurgan region, Kurgan, Polovinskaya ul, 10a bodies: (3522) 578302 fax: (3522) 578344 e-mail: info@asiawood.ru

The payoff links are go.php on 66.230.172.114.

——–

Update: I found several sites with read.php used for spammy redirects. And a mention of a version of Phorum being vulnerable to cross-site scripting. That might be what happened to that church - except what was that file doing there in the first place? It didn’t appear to be in use. So how was it found?

2 Responses to “Church site has rogue file?”

  1. Spamhuntress » Blog Archive » Vizaweb and Asianwood Says:

    […] I’ve so far found three sites hosted on Vizaweb that have files on them used by one particular spammer. One I’ve termed Asiawood, and described briefly before. […]

  2. Spamsucks Says:

    Wonderful find. Search Google with “read.php?q=” and you will see places like mtsa.edu and others hacked with the read.php redirect junk to a spammer’s search engine.
    Old west rules should apply. “Wanted dead or alive” for spammers.
