Okay so I took a second to try to compile where my own actions have led.
Bear with me, this is a little lengthier than usual.
I have been trying to report as many new hijacked IP addresses as I can each time I see new spam for these morons.
a) Report rogue redirections to website operators and hosting companies who have been exploited.
b) For each IP providing hosting and DNS services for any of the Eva Pharmacy brands to the hosting companies.
I have a very basic tool called the Phishing Reporterator™ which makes that task a little easier.
You can get it, for now, here:
http://ge.tt/8yd6FXS/v/0?cRed: that download section of spamtrackers refuses to accept any file type. I really don't like that interface. If you can make this live there it would be great.
That takes care of the easier stuff - alerting site owners and their hosting company that they've been compromised.
The bigger deal is: organizing so we can send a single, clear, easy to understand warning about the server compromise.
I have a boilerplate message I've been sending that's pretty detailed:
Quote:
to: [site owner], [hosting company abuse email]
Your web server has been hacked by EvaPharmacy [ip.add.re.ss]
Hello
The subject says it all.
I've been investigating a Russian rogue online pharmacy group known as EvaPharmacy since 2005.
EvaPharmacy host all of their illicit rogue pharmacy websites on other people's servers, like yours, by performing scans and attempting to find servers with very weak root passwords. A server you control - at IP address ip.add.re.ss - is now under their control. I know this because your IP address shows up when I perform a "dig" command on a recently spammed domain of theirs.
%dig roguedomain.com
; <<>> DiG 9.8.3-P1 <<>> roguedomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9530
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;roguedomain.com. IN A
;; ANSWER SECTION:
roguedomain.com. 600 IN A ip.add.re.ss
;; AUTHORITY SECTION:
roguedomain.com. 600 IN NS ns1.roguedomain.com.
roguedomain.com. 600 IN NS ns2.roguedomain.com.
;; ADDITIONAL SECTION:
ns1.roguedomain.com. 172800 IN A other.ip.add.ress
ns2.roguedomain.com. 172800 IN A other.ip.add.ress
How can you tell your server has been taken over?
Using SSH, run the following command:
ps w | grep tirqd
If infected, you will be shown at least one running instance of the binary program "tirqd", which is EvaPharmacy's web-mirroring and DNS software.
You may also notice that one or all of the following commands are now missing from your server, as they usually remove them when they take your server over:
passwd
restart
reboot
shutdown
Your server is now being used to host at least one domain for a rogue pharmacy website. The one I was sent (via spam) today was "roguedomain [dot] com".
This server needs to be taken offline and repaired, and obviously the root password needs to be changed, but as mentioned you may not be able to do that.
This is obviously a criminal act. I thought you should be aware.
Sincerely,
[Signature]
This has resulted in (often) no response at all from any of the contactees; however, I do see that action is usually taken within a day.
This is to get started.
SiL
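As an added example (not the Phishing Reporterator and not code from anyone in this thread), here is a small POSIX sh script that automates the two checks the boilerplate message asks server owners to run, plus a parser that pulls the hosting and name-server IPs out of saved dig output so they can be reported to the right abuse contacts. It assumes ps(1), awk(1) and command(1) are available; the process name "tirqd" and the list of commands come from the message above.

```shell
#!/bin/sh
# Added example: host-side check for the indicators named in the warning
# message, and a parser for dig output. Not a tool from the original post.
# Assumptions: POSIX sh; ps(1) supports -A -o pid= -o comm=.

SUSPECT_PROCESS="tirqd"                         # from the message above
EXPECTED_COMMANDS="passwd restart reboot shutdown"  # from the message above

# stdin: "PID COMMAND" lines (e.g. from `ps -A -o pid= -o comm=`).
# stdout: PIDs whose command name is exactly $1.
suspect_pids() {
    awk -v name="$1" '$2 == name { print $1 }'
}

# stdout: every name in $1 (space-separated) that cannot be found in PATH.
missing_commands() {
    for cmd in $1; do
        command -v "$cmd" >/dev/null 2>&1 || echo "$cmd"
    done
}

# stdin: dig output. stdout: "hosting IP" for A records in the ANSWER section
# and "dns IP" for A records in the ADDITIONAL section (the name servers).
ips_from_dig() {
    awk '
        /^;; ANSWER SECTION:/     { section = "hosting"; next }
        /^;; AUTHORITY SECTION:/  { section = ""; next }
        /^;; ADDITIONAL SECTION:/ { section = "dns"; next }
        /^;/ || NF < 5            { next }
        section != "" && $4 == "A" { print section, $5 }
    '
}

# Live check of this host: prints each finding, returns 1 if anything was found.
check_host() {
    found=0
    pids=$(ps -A -o pid= -o comm= 2>/dev/null | suspect_pids "$SUSPECT_PROCESS")
    if [ -n "$pids" ]; then
        echo "suspect process '$SUSPECT_PROCESS' running, PID(s): $pids"
        found=1
    fi
    for cmd in $(missing_commands "$EXPECTED_COMMANDS"); do
        echo "expected command missing from PATH: $cmd"
        found=1
    done
    return $found
}

# Only run the live check when invoked as `sh check.sh check`, so the file can
# also be sourced for its functions without side effects.
if [ "${1:-}" = "check" ]; then
    check_host
fi
```

Saved dig output can be piped through `ips_from_dig` to list the IPs to report; on a host, `sh check.sh check` exits non-zero if either indicator is present.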