Beware of hacked sites

Someone e-mailed me an example of a hacked site (the hack is currently offline, with the hacked version set up on a hidden page for me to check).

Update: Lots of homepages are affected. Check this Google search.

It was the company's homepage that was hacked, with a few links added at the bottom. In addition to those two visible links, there are some hidden links that are identical to the links you'll find if you follow the .txt links. The links are only visible if you check the source code, so I believe the .txt files are meant as includes in the hacked PHP file.

The first link is: buybeer4me.info/scr/18.txt

It's got some obfuscated JavaScript that actually points to the second link:

bestrezult.com/scr/1.txt

The links in that document point to another hacked site:

dinuba.ca.gov/minutes/agendas/.~ss/

When I loaded one of the pages referenced in the spam, I got this. Keep in mind that I had images disabled, so the page might look somewhat… different in reality:

[Screenshot: nmextensions]

It's obviously malicious, and I found a post referring to the site it's loaded from:

mvsps
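
A defender-side check for the pattern described in this post: off-site links that only show up in the page source. This is an added example, not code from the original post; the inline-style heuristics, the `example.com` host and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles often used to hide links. Assumed list: the post does not
# say which hiding technique was used on the hacked homepage.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no end tag

class HiddenLinkFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.stack = []     # (tag, hidden) for each open element
        self.findings = []  # (line number, href)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inherited = bool(self.stack) and self.stack[-1][1]
        hidden = inherited or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        href = attrs.get("href") or ""
        host = (urlparse(href).hostname or "").lower()
        if tag == "a" and hidden and host and host != self.own_host \
                and not host.endswith("." + self.own_host):
            self.findings.append((self.getpos()[0], href))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed <p> and <li>.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_offsite_links(html, own_host):
    parser = HiddenLinkFinder(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not the hacked site from the post.
SAMPLE = """<html><body><h1>Acme</h1>
<p><a href="http://www.example.com/about">About</a>
<div id="footer"><a href="http://partner.example.net/">Partner</a></div>
<div style="position:absolute; left:-9999px">
<a href="http://spam-one.example.org/a.html">one</a>
<span><a href="http://spam-two.example.org/b.html">two</a></span></div>
<p style="DISPLAY: none"><a href="/sitemap.html">sitemap</a></p></body></html>"""
```

Run it against a saved copy of your own homepage and compare the findings with the links you expect to be there. Links written by script or hidden through an external stylesheet are outside what this check sees.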

2 Responses to “Beware of hacked sites”

  1. Jake Says:

    I sent you email concerning these guys…

  2. Brad Says:

    More info here:
    http://www.castlecops.com/t193669-New_codec_pusher_nmextensions_etc_fake_porn_malware.html
