Site Scanner
October, 2014: Our main parents, VariSearch LLC and VS-TrEx, are closed. We will continue to run for another 8-12 months.
Victim sites

I didn't do this last year, but I keep seeing the same sites over and over this year, so I figured I'd let you know about another issue with hacking: "Victim sites".

A "victim site" is a site that gets hacked and has malicious code placed on it. Then you are led to the site (usually by spam email links). If you get infected, you blame the site owner, who often doesn't know what's going on.

Here is a list of redirects I got this week (October, 2011). I checked several, and they appear to be mostly legitimate sites that have been defaced (injection script on home page) and given an extra folder with a wacky name, where the really nasty stuff is housed (both phishing stuff and drive-by stuff). Some of these sites have been listed as "reported attack sites" by Google and Firefox, but not all. Some sites are being taken down by hosts, which is a shame when, in many cases, the owner of the site had no clue.

I'll put the list of what I found, and add to it next week when I go through the spam folder again.  After the list, I'll put a few "tell-tale signs" for a risky URL.

Example email:
Subj: ACH Payment 0901816 Canceled

Payment Notification #68745890

The ACH transaction (ID:68745890 ), recently initiated from your checking account (by you or any other person), was canceled by the other financial institution

(the link is displayed as): http://nacha.org/report/48969656/detailis.php?n=2145

(but it actually goes to a 'victim site'):
Victim sites: (do NOT go to these pages unless you have massive anti-everything on your pc):
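The mismatch shown in the example email above (link text displaying one address while the underlying href points somewhere else) can be checked mechanically. The following is an added example, not part of the original page; the HTML sample and the `victim-site.example` and `example.org` hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a URL or a bare domain.
URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)

def norm(host):
    """Lower-case a host name and drop a leading 'www.' before comparing."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkAudit(HTMLParser):
    """Collect (shown_host, real_host) for anchors whose text names another host."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:          # only collect text inside an <a>
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = URLISH.match("".join(self.text).strip())
        real = norm(urlsplit(self.href).hostname)   # empty for mailto:, relative links
        if shown and real and norm(shown.group(1)) != real:
            self.mismatches.append((norm(shown.group(1)), real))
        self.href = None

def audit(html):
    """Return every link whose displayed host differs from its real target host."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.mismatches

# Constructed sample modelled on the email above; target hosts are placeholders.
SAMPLE_HTML = """
<p>The ACH transaction was canceled. Details:
<a href="http://victim-site.example/abc123/index.html">http://nacha.org/report/48969656/detailis.php?n=2145</a></p>
<p><a href="https://www.example.org/help">example.org/help</a> |
<a href="http://victim-site.example/abc123/index.html">click here</a></p>
"""

if __name__ == "__main__":
    for shown, real in audit(SAMPLE_HTML):
        print(f"link text shows {shown} but goes to {real}")
```

Links with generic text such as "click here" are not flagged by this check, because there is no displayed address to compare against.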

Hints about suspicious site links:
  • Any site that is addressed by a bare IP address instead of a domain name (so it's http://#.#.#.#) should NOT be advertised.
  • Sites that have a tilde (~) after the first slash (/), e.g. home.somesite.com/~someshortname. This is a common trick to use a different/untracked folder on a server.
  • Sites with directories with nonsense names. A directory of "programs" or "cgi-bin" might be okay, but "0vnsa3"? The only reason for directories like that is to get site owners to think it's something "for the server", so they ignore the folder, if they ever see it at all.
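The three hints above can be turned into a quick triage check for URLs pulled from a spam folder or a web server's access log. This is an added example, not code from this site; the sample URLs are constructed, and the "nonsense name" rule (a short lowercase token mixing letters and digits) is a crude assumption that will miss letters-only random names.

```python
import ipaddress
import re
from urllib.parse import urlsplit

RANDOM_DIR = re.compile(r"[a-z0-9]{5,8}")   # short lowercase alphanumeric token
VERSIONED = re.compile(r"[a-z]+\d")         # e.g. "html5": a word plus one digit

def looks_random(segment):
    """Assumed rule: a short token mixing letters and digits, like '0vnsa3'."""
    return bool(RANDOM_DIR.fullmatch(segment)
                and re.search(r"\d", segment)
                and re.search(r"[a-z]", segment)
                and not VERSIONED.fullmatch(segment))

def tell_tale_signs(url):
    """Return which of the three hints apply to `url` (scheme is optional)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    flags = []
    try:
        ipaddress.ip_address(parts.hostname or "")
        flags.append("ip-host")              # hint 1: no domain name, just an IP
    except ValueError:
        pass
    segments = [s for s in parts.path.split("/") if s]
    if segments and "." in segments[-1]:
        segments.pop()                       # drop the file name, keep directories
    if segments and segments[0].startswith("~"):
        flags.append("tilde-dir")            # hint 2: ~name right after the first slash
    if any(looks_random(s) for s in segments if not s.startswith("~")):
        flags.append("nonsense-dir")         # hint 3: machine-made directory name
    return flags

def triage(urls):
    """Map each URL to the list of hints it trips."""
    return {u: tell_tale_signs(u) for u in urls}

# Constructed samples (documentation address range and .example hosts).
SAMPLES = [
    "http://192.0.2.10/~shortname/k3x9pq7/index.html",
    "home.somesite.example/~someshortname/index.html",
    "shop.example/0vnsa3/index.html",
    "www.example.org/programs/cgi-bin/form.php",
]

if __name__ == "__main__":
    for url, flags in triage(SAMPLES).items():
        print(f"{url}: {', '.join(flags) or 'no hints matched'}")
```

A site owner can run the same check over the directory names in their own web root to spot a folder they did not create.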

So, I'll add to this list as time permits. If you know someone who owns one of these domains, let them know their sites are being hacked, and links to the hacked area are being spammed. I got about 75 notes using these sites in the last 24 hours or so.

For the most part, site-scanner can find most of this stuff, and cleanup can remove it.