Samuel Krieg wrote:
> Hi
>
> I'm receiving some spam with links like
> http://www.somewebsite.tld/image.htm ( filename may differ like
> join.htm or shop.htm ). The uri redirects to another viagra website.
>
> But the somewebsite.tld looks like a normal site (I'm pretty sure it is).
>
> Some examples :
> http://www.apnalounge.com/shop.htm
>
> http://www.tvoftheabsurd.com/join.htm
>
> I need to understand how it works.. Is the hosting server beeing
> abused ? Any ideas/solutions ?
Odds are good they are being abused. Looking at tvoftheabsurd's main page
they've got a PHP wordpress 2.2 login page. Wordpress has been known to have
exploits in the past.
Ahh, yes. here's one for WP 2.2:
http://www.securityfocus.com/bid/24344
Oh, and another that allows arbitrary file upload:
http://www.securityfocus.com/bid/24642
That latter one is probably how the redirect page got uploaded.
apnalounge.com also makes extensive use of PHP and seems to have a lot of
"cobbled together" code. Nothing jumps out at me, but I'd again not be
surprised to find out some part is exploitable.
>
> Thank you.
>
