Hi, I was just checking my apache log for http://review.onyxbits.de when I noticed a visitor with a very strange referrer (DO NOT FOLLOW THIS LINK, YOUR SYSTEM SECURITY MIGHT BE AT RISK!): hxxp://akiiilma.mindnmagick.com/asian-ass-lesbian-licking.html (AGAIN: DO NOT FOLLOW WITHOUT TAKING PRECAUTIONS!) Ok, obviously a p0rn site and completely unrelated to my website. Out of curiosity, I copied and pasted the URL into my browser and found it to be some kind of search engine trap with lot's of keywords on it and an instant redirect to another p0rn site (maybe so the whole thing can be advertised via spam mail without directly compromising the main website?). Once there, a popup window pops up, urging me to install some video codec. Hitting the Cancel button opens another popup, informing me, that I really need this codec to view this website and opens the original popup again. In other words: You cannot cancel or close the thing and your browser is blocked until you accept the download, which is called "codec.v.1.0.exe". (don't worry, I am using Linux, so there is no risk for me here). Ok, the whole thing obviously is about getting some malware on your computer, but what bugs me is the question, why that doorway page redirected to my site. I checked the logs of my main website (http://www.onyxbits.de) and found a similar entry there as well. Anybody any idea, why they would send me visitors?
Happened to my site too, not by this website but others. I think it has to do with the site targetting the url of other sites as keywords. Not sure if that's possible but I can't explain why else they'd link to other sites they have nothing to do with.
Well, the log line looks like this: 92.48.107.121 - - [28/Aug/2008:09:42:24 +0200] "GET /content/privacy-policy HTTP/1.0" 404 3030 "http://akiiilma.mindnmagick.com/asian-ass-lesbian-licking.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; Deepnet Explorer)" Code (markup): Funnily, the IP address seems to be a server and no DSL or dialup line. Also the page in question does not really seem to contain a link. On second thought, the requested page does not exist and even it it ever did, it did so only very briefly. Hm, guess it's some kind of automated attack. Would fit the pattern.