We’re finding buckets of infected forums, blogs, wikis and tikis. A lot of them are “compromised” educational (.edu) sites, most likely through unpatched vulnerabilities.
Take a look at some of these examples (offensive screens are thumbnailed for the easily offended):
As you can see, there are a vast number of hits for sites on the University of Southern California system (usc.edu) that have been taken over by porn.
But it’s not only USC.
We have Virginia Tech:
On this one Virginia Tech page, we get some really nasty porn (which we’ve covered up), with an offer to view more porn after installation of a fake codec:
Here’s the University of Maryland:
Searching Google for this one term brings up some rather disturbing stuff:
Similarly, searching for “amatuer porn movies free” on Google brings up more nasty stuff, including this:
Now, in the case of the Callutheran site, it’s a wiki – there is a PHP script that loads HTML from a porn site (http://www(dot)bigvideosonline.com/lesbians/index(dot)php?id=1403&style=orange). How did the script get there? We don’t really know, but suspect it could be a MediaWiki vulnerability.
A search for “Cheating Wives movies frees inurl:edu” brings us this:
And here’s more, Indian River Community College and USC:
Sniffing around one place, we find wide open access:
So there’s an open directory listing with a keyword list and two PHP scripts that load the security scam hijacker porn pages or re-direct to rogue applications like Privacy Protector:
It literally goes on and on and on and on and on.
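For administrators checking their own servers for the pattern described above (a PHP script on a wiki that loads HTML from an outside site, and scripts in an open directory that redirect to rogue applications), here is an added example that is not from the original post: it walks a web root and flags PHP files that fetch from or redirect to hosts outside an allow-list. The regex heuristics, file names and hosts are assumptions constructed for illustration; the contents of the actual scripts are not shown on this page.

```python
import os
import re
import tempfile

# Heuristics (assumptions, not signatures taken from the compromised sites):
# PHP that pulls HTML from a remote host, or that redirects visitors off-site.
REMOTE_LOAD = re.compile(
    r"\b(?:file_get_contents|readfile|fopen|curl_init|include(?:_once)?|require(?:_once)?)"
    r"\s*\(?\s*['\"]https?://([^/'\"\s]+)", re.I)
REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:\s*https?://([^/'\"\s]+)", re.I)

def scan_webroot(root, allowed_hosts=()):
    """Return sorted (relative_path, reason, host) for PHP files under root
    that load from or redirect to a host not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for reason, rx in (("remote-load", REMOTE_LOAD), ("redirect", REDIRECT)):
                for host in rx.findall(text):
                    if host.lower() not in allowed:
                        findings.append((os.path.relpath(path, root), reason, host.lower()))
    return sorted(set(findings))

def build_sample_tree(root):
    """Write a constructed web root; the file names and hosts are made up."""
    os.makedirs(os.path.join(root, "wiki", "extensions"))
    samples = {
        "index.php": '<?php include("header.php"); echo "Home"; ?>',
        "wiki/extensions/show.php":
            '<?php echo file_get_contents("http://pages.example.net/index.php?id=1"); ?>',
        "wiki/extensions/go.php":
            '<?php header("Location: http://installer.example.org/setup"); ?>',
        "wiki/feed.php": '<?php readfile("https://www.example.edu/news.xml"); ?>',
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for finding in scan_webroot(root, allowed_hosts=["www.example.edu"]):
            print(*finding, sep="\t")
```

Any hit still needs manual review, since a legitimate page can fetch a remote feed; the allow-list is there to keep known-good hosts out of the report.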
Alex Eckelberry
(With copious credit to Sunbelt researcher Adam Thomas)