Hijacked 404

I’m minding my own business, reviewing my website logs when I notice that someone has checked to see if I’ve got formmail.pl. As you probably know, that file is included in some CMS packages thus spammers look for them. I can see that the attacker got a 404, but I wanted for verify for myself that it wasn’t there.
So I go do www.infosecblog.org/cgi-bin/formmail.pl. What happens? I see a 404 page, but the url at the top of the page is http://euscorp.net/error404.html rather than a error page from my web hosting company (powweb).
Checking with a text based browser I see that the powweb 404 has a 302 moved message forwarding me to the euscorp page.
I check into euscorp.net. They are hosted by my webhosting company. The site is very out of date and it belongs to Enterprise Utility Solutions.
Now before I go further, I should mention that other people have reported similar problems in my webhosts support forum. However they’ve been told its a problem with spyware on their machine. I’m reasonably sure I dont have local spyware.
By looking at the source of the 404 page from euscorp.net I see that there is an iframe to tgp.la/or.html. At first glance tgp.la appears to be a presecription drug spamvertized website and they are just trying to run up the counter. Again I look at the source and I see an IFrame tag which calls http://www.globolook.com/v058/wow.html.
At that globolook site they are attempting to run a chm type of exploit to download and run files on your system. I ran the files through virustotal and 6 antivirus scanners detected it. Kaspersky calls it Trojan-Downloader.Win32.WarSpy.d. Other antivirus calls it codebase. Another engine calls it adware.serch.a.
The case is not over. What is causing this? I’ve checked my machine. I am clean, and I only see this redirect on some powweb sites. I’ve put in a support ticket with powweb. We’ll see what happens. If they dont do something soon, I think I can use .htaccess to implement my own 404 pages and avoid this problem.
So bottom line is be patched, and dont go to any non-existant pages on my site. ๐Ÿ™‚