Fnord

Random bits from a random nerd

Spammer Tricks and Exploits: A Modern Taxonomy

I get a fair bit of attempted comment spam here on Fnord; almost all of it is neatly caught by Akismet and no one sees it. Since I installed Akismet in May 2006, it’s caught 185,233 spam comments. And mine is a trivial site!

Anyway, one made it past Akismet this morning, at which point I get an email. Some of the URLs caught my eye, showing how spammers are using innocent sites to host their malware. This is new to me, or perhaps I just hadn’t seen it before. Here we go: the last bits of the URLs are replaced as noted, so they are broken. I assume they lead to spam/malware/bad things, so please don’t go to these locations! I’m leaving the domain names correct, though. Name and shame time, folks.

http://www.insfun.com/upfiles/.tmp/?[censored]

Looks like they’re taking advantage of someone’s upload area.

http://www.newtondancecompany.com/Calendars/.DAV/?[censored]

A bit different. Here, they’ve gotten in via WebDAV, looks like an incorrect Apache configuration. Whoops.

http://joenweb.co.kr/shop/koso/.tmp/?[censored]

Probably a shopping cart vulnerability. Note that the directory name starts with a dot, so it is less visible under Unix (a plain directory listing skips it). A basic way for the spammer to reduce the risk of being noticed by the sysadmin.

http://taxforum.or.kr/bbs/data/.tmp/?[censored]

BBS/forum weakness, same dot-named directory. Note also that they seem to be using the same uploaded software on each host, passing its arguments in via HTTP query parameters (the [censored] bits).

http://www.astropoetics.com/gallery/thumbnails/.tmp/?[censored]

This time, they managed to insert malware into a picture gallery. Yeesh.

http://www.steelelogic.com/2007/11/.cache/?[censored]

Cache weakness? Hard to tell on this one.

There’s lots more, though the rest are just the same upfiles/.tmp/BBS/shop hacks.
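A defender's triage for the hidden-directory pattern these URLs share, as an added example that is not part of the original post: it parses the URLs listed above (censored query strings dropped), flags any dot-prefixed path component, and reports which parent directory (upload folder, WebDAV share, cache) was abused. The `.well-known` allowlist and the two benign sample URLs are assumptions.

```python
"""Flag URLs whose path contains a hidden (dot-prefixed) directory, the
pattern seen in the spam links above.  Added example, not from the post."""
from collections import Counter
from urllib.parse import urlsplit

# Hidden directories that legitimately appear under a web root (assumption).
ALLOWED_HIDDEN = {".well-known"}

# The post's URLs with their censored query strings dropped (constructed sample),
# plus two benign URLs that must not be flagged.
SAMPLE_URLS = [
    "http://www.insfun.com/upfiles/.tmp/",
    "http://www.newtondancecompany.com/Calendars/.DAV/",
    "http://joenweb.co.kr/shop/koso/.tmp/",
    "http://taxforum.or.kr/bbs/data/.tmp/",
    "http://www.astropoetics.com/gallery/thumbnails/.tmp/",
    "http://www.steelelogic.com/2007/11/.cache/",
    "http://example.com/.well-known/acme-challenge/",   # benign hidden dir
    "http://example.com/blog/2007/11/post.html",        # no hidden dir
]

def hidden_dirs(url):
    """Return (parent, hidden) pairs for every dot-prefixed path component of
    `url` that is not allowlisted.  `parent` is the directory the spammer got
    write access to (an upload area, a WebDAV share, a cache directory)."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    found = []
    for i, part in enumerate(parts):
        if part.startswith(".") and part not in ALLOWED_HIDDEN:
            parent = parts[i - 1] if i > 0 else "/"
            found.append((parent, part))
    return found

def triage(urls):
    """Map each suspicious URL to its hidden directories; clean URLs are omitted."""
    return {u: hits for u in urls if (hits := hidden_dirs(u))}

def hidden_name_counts(urls):
    """Count how often each hidden directory name recurs across the URLs; a
    repeated name (here .tmp) suggests one kit being dropped on many hosts."""
    return dict(Counter(h for u in urls for _, h in hidden_dirs(u)))

if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS).items():
        print(url, "->", ", ".join(f"{p}/{h}" for p, h in hits))
    print(hidden_name_counts(SAMPLE_URLS))
```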