Website Hijinks Part 3

The site was offline last night. I assume that someone got to the bad guy's webhost and had him termed for abuse. By this morning the site was online and pointing to a new IP address. These bad guys are experienced at playing whack-a-mole. If you take out one site, he's ready to pop up in a new location.
I contacted the new webhost (still no word from them) as well as the bad guy's dynamic DNS provider, everyDNS. everyDNS responded before I returned from lunch. They have pulled the guy's DNS and redirected it to a "termed for abuse" webpage. So I've got one confirmed kill thus far. 🙂
The problem is that doesn't slow him down much. The guy just goes to his registrar and changes the authorized DNS servers. So I've contacted the guy's registrar to see if we can terminate the domain itself for abuse. That will prevent any further exploitation on these sites with the iframe pointing to that domain. Of course, the bad guy will then register a new domain, but he will have to start from scratch. Since no one has figured out how this was done in the first place, we'll probably find all the sites infected again with the new URL.