Samuel Krieg wrote:
> Hi
>
> I'm receiving some spam with links like
> http://www.somewebsite.tld/image.htm (filename may differ, like
> join.htm or shop.htm). The URI redirects to another viagra website.
>
> But the somewebsite.tld looks like a normal site (I'm pretty sure it is).
>
> Some examples:
> http://www.apnalounge.com/shop.htm
>
> http://www.tvoftheabsurd.com/join.htm
>
> I need to understand how it works. Is the hosting server being
> abused? Any ideas/solutions?


Odds are good they are being abused. Looking at tvoftheabsurd's main page, they've got a PHP WordPress 2.2 login page. WordPress has been known to have exploits in the past.

Ahh, yes. Here's one for WP 2.2:
http://www.securityfocus.com/bid/24344
Oh, and another that allows arbitrary file upload:
http://www.securityfocus.com/bid/24642

That latter one is probably how the redirect page got uploaded.



apnalounge.com also makes extensive use of PHP and seems to have a lot of "cobbled together" code. Nothing jumps out at me, but I'd again not be surprised to find out some part is exploitable.

>
> Thank you.
>
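
For a site owner checking whether a page like shop.htm or join.htm was planted, here is an added example (not part of the original thread) that flags small HTML files under a web root whose content sends the browser to a different host. The redirect styles it looks for (meta refresh, JavaScript location assignment), the 4 KB size limit, the function names and the sample pages are assumptions; the thread does not say how the redirect is implemented.

```python
import os
import re
from urllib.parse import urlparse

# Assumed redirect styles; the thread does not say which one the spam pages use.
META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
META_URL = re.compile(r"\burl\s*=\s*['\"]?([^'\"\s>]+)", re.I)
JS_REDIRECT = re.compile(
    r"location(?:\.href\s*=|\s*=|\.(?:replace|assign)\s*\()\s*['\"]([^'\"]+)['\"]", re.I)

# Constructed sample pages (not taken from the sites named in the thread).
SAMPLE_PLANTED = ('<html><head><meta http-equiv="refresh" '
                  'content="0; url=http://pills.example.invalid/"></head></html>')
SAMPLE_NORMAL = ('<html><body><a href="http://other.example.invalid/">link</a>'
                 '<script>location.href="/home.htm"</script></body></html>')


def _bare(host):
    """Lowercase a hostname and drop a leading 'www.' so both forms compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def offsite_redirects(html, site_host):
    """Return redirect targets in `html` whose host differs from `site_host`."""
    targets = []
    for tag in META_TAG.findall(html):
        if "refresh" in tag.lower():
            targets += META_URL.findall(tag)
    targets += JS_REDIRECT.findall(html)
    # Relative targets have no hostname and stay on the site, so they are skipped.
    return [t for t in targets
            if _bare(urlparse(t).hostname) not in ("", _bare(site_host))]


def scan_webroot(root, site_host, max_bytes=4096):
    """Map path -> off-site targets for small .htm/.html files under `root`."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith((".htm", ".html")):
                continue
            if os.path.getsize(path) > max_bytes:
                continue  # assumption: a redirect stub is far smaller than a content page
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = offsite_redirects(fh.read(), site_host)
            if found:
                hits[path] = found
    return hits
```

A hit is a lead for review: compare the file's modification time with upload activity in the web server logs before deciding how it got there.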