beavis - 3:06 am on Feb 17, 2012 (gmt 0)
OK, this is getting even crazier. Here is an update:
1. There are no iframes on www.othersite.com. I checked the page source code, but also, the actual site content displayed in my browser is very subtly different between the malicious site and my site --- At the top of every page on my site is the text "My Domain", while at the top of every page on the malicious site is the text "His Domain".
2. All of the internal links on the malicious site are to pages on www.othersite.com. They are not pulling graphics, etc. from my server.
3. Here is where it gets crazier... When looking at the source code for the home page on the malicious site, I found some additional code in the footer area:
<img src="http://www.secondmaliciousdomain.com/images/1.gif" style="border-style:none; width:1px; height:1px;" /><img src="http://www.secondmaliciousdomain.com/images/2.gif" style="border-style:none; width:1px; height:1px;" /></div>
Then, I went back to the home page on my server AND THE SAME MALICIOUS CODE IS ON MY HOME PAGE!
Can anyone now tell me more on how this whole set up is working? Obviously, the first order of business is to very shortly replace my home page with a backup that doesn't have the above code!