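$ cat ponmocup-domains_2012-10-17.txt
www.meier-gemuese.ch
www.systemworx.ch
www.subash.ch
importas.ch
www.bth.ch
www.epigeos.ch
www.ambu-wiesendamm.ch
kantine-postzentrum.ch
www.smartek.ch
www.humitas.ch
www.hotel-hohentwiel.de
www.gran-canaria-insider.info
www.jordanbad.de
www.fachschaft.biz
maxifood-group.com
$ cat ponmocup-finder.sh
#!/bin/bash
#
# ponmocup-finder.sh -- fetch the front page of every host in a list and
# report the ones whose response redirects to a URL that carries the checked
# host name in its query string.
#
# Usage:   ./ponmocup-finder.sh DOMAIN_LIST
#          DOMAIN_LIST holds one host name per line; without an argument the
#          list is read from stdin.
# Output:  one "checking domain: ..." line per host on stdout; rejected list
#          entries are reported on stderr.
# Files:   <host>_out.txt       response body; deleted when nothing matched
#          <host>_wget_log.txt  wget -S log;   gzipped when nothing matched
#
# Everything read back from the wget log (the Location headers) and the saved
# body is controlled by the remote server. It is only compared and printed as
# text here; nothing in this script opens or executes the saved body.

readonly USER_AGENT="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 Ponmocup-Finder_v1"
readonly REFERER="http://www.google.com/search?q=ponmocup-finder+check"

echo "date started: $(date)"

while read -r domain || [[ -n "$domain" ]]; do
  domain=${domain%$'\r'}          # tolerate CRLF list files
  [[ -n "$domain" ]] || continue

  # The entry becomes part of a URL and of two file names. Accept plain host
  # names only, so a line cannot start with '-' (read by wget as an option)
  # or contain '/' (which would place the output files outside this directory).
  if [[ ! "$domain" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
    printf 'skipping invalid entry: %q\n' "$domain" >&2
    continue
  fi

  body_file="${domain}_out.txt"
  log_file="${domain}_wget_log.txt"

  printf 'checking domain: %s --> ' "$domain"

  wget -Sv --tries=1 --connect-timeout=3 --read-timeout=3 --dns-timeout=10 \
    --user-agent="$USER_AGENT" --referer="$REFERER" \
    -O "$body_file" "http://${domain}/" > "$log_file" 2>&1

  # Walk the Location headers in the order wget logged them and stop at the
  # first one whose query string contains the checked host name. A redirect
  # without a query string (a plain same-site redirect such as .../fr/) is
  # skipped and the next header is examined instead; an earlier form of this
  # check looked only at the first Location header and reported such a
  # redirect as the hit. The host name is compared as a fixed string, not as
  # a regular expression, so its dots match only dots.
  hit=""
  while read -r _label url _rest; do
    [[ "$url" == *\?* ]] || continue
    query=${url#*\?}
    if [[ "$query" == *"$domain"* ]]; then
      hit=${url%%\?*}
      break
    fi
  done < <(grep -E '^[[:space:]]*Location: ' -- "$log_file")

  if [[ -n "$hit" ]]; then
    # The URL is chosen by the remote server: drop non-printable bytes and
    # print it with a fixed format string, so that backslash sequences in it
    # are not expanded into terminal control codes (as "echo -e" would do).
    hit=${hit//[^[:print:]]/}
    printf 'seems to be INFECTED: %s' "$hit"
    # The second "Resolving" line in the log is the first host wget had to
    # look up after the checked one.
    grep -m 2 -- 'Resolving ' "$log_file" | tail -n 1 \
      | sed -e 's/Resolving/ --> DNS:/g'
  else
    echo "seems to be CLEAN"
    rm -f -- "$body_file"
    gzip -- "$log_file"
  fi
done < "${1:-/dev/stdin}"

echo "date finished: $(date)"
$ ./ponmocup-finder.sh ponmocup-domains_2012-10-17.txt | tee ponmocup-domains_2012-10-17_log.txt
date started: Wed Oct 17 10:32:21 CEST 2012
checking domain: www.meier-gemuese.ch --> seems to be INFECTED: http://cianchette.northarkboers.com/url --> DNS: cianchette.northarkboers.com... 178.211.33.205
checking domain: www.systemworx.ch --> seems to be CLEAN
checking domain: www.subash.ch --> seems to be INFECTED: http://53088.akitahusky.com/url --> DNS: 53088.akitahusky.com... 77.79.11.96
checking domain: importas.ch --> seems to be INFECTED: http://53090.akitahusky.com/url --> DNS: 53090.akitahusky.com...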
77.79.11.96 checking domain: www.bth.ch --> seems to be CLEAN checking domain: www.epigeos.ch --> seems to be CLEAN checking domain: www.ambu-wiesendamm.ch --> seems to be CLEAN checking domain: kantine-postzentrum.ch --> seems to be INFECTED: http://chanrat.heattreatalloy.com/w/1.0/arj --> DNS: chanrat.heattreatalloy.com... 31.210.96.155 checking domain: www.smartek.ch --> seems to be INFECTED: http://www.smartek.ch/fr/ --> DNS: qushawnda.thebabiesandbeyondpeds.com... 31.210.96.155 checking domain: www.humitas.ch --> seems to be CLEAN checking domain: www.hotel-hohentwiel.de --> seems to be INFECTED: http://larico.mellodj.com/t.gif --> DNS: larico.mellodj.com... 31.210.96.156 checking domain: www.gran-canaria-insider.info --> seems to be INFECTED: http://kandira.uksportbook.com/__utm.gif --> DNS: kandira.uksportbook.com... 31.210.96.157 checking domain: www.jordanbad.de --> seems to be INFECTED: http://facuri.chelseyfatula.com/__utm.gif --> DNS: facuri.chelseyfatula.com... 31.210.96.155 checking domain: www.fachschaft.biz --> seems to be INFECTED: http://zhukova.golfnewsnewmexico.com/delivery/lg.php --> DNS: zhukova.golfnewsnewmexico.com... 31.210.96.156 checking domain: maxifood-group.com --> seems to be INFECTED: http://okoegwale.telecomchicago.com/imghover --> DNS: okoegwale.telecomchicago.com... 
31.210.96.155 date finished: Wed Oct 17 10:32:37 CEST 2012 $ cat \ www.meier-gemuese.ch_wget_log.txt \ www.subash.ch_wget_log.txt \ importas.ch_wget_log.txt \ kantine-postzentrum.ch_wget_log.txt \ www.smartek.ch_wget_log.txt \ www.hotel-hohentwiel.de_wget_log.txt \ www.gran-canaria-insider.info_wget_log.txt \ www.jordanbad.de_wget_log.txt \ www.fachschaft.biz_wget_log.txt \ maxifood-group.com_wget_log.txt \ | egrep "(^Location: )" | egrep -v "/www.google.(com|ch)/" Location: http://cianchette.northarkboers.com/url?sa=t&source=web&cd=10&ved=03dgOdWAW&url=http://www.meier-gemuese.ch/&ei=25MheKvI56m0pY2MzFY08J+1pw==&usg=bJYPTKAC4w-y9By09frPZR&sig2=ZfvSB-WHUuHZOtRiXS7qrN [following] Location: http://53088.akitahusky.com/url?sa=N&source=web&cd=21&ved=07WaV9DfT&url=http://www.subash.ch/&ei=2ZUvfanJ4qi9qo2IzlI3+5i1oQ==&usg=OsRdZcw3ZbajFR5lMc4YdK&sig2=ZxU8gu9PjTbM6quQX2iVLn [following] Location: http://53090.akitahusky.com/url?sa=N&source=web&cd=21&ved=07WaV9DfT&url=http://importas.ch/&ei=2ZUvfanJ4qi9qo2IzlI3+5i1oQ==&usg=OsRdZcw3ZbajFR5lMc4YdK&sig2=ZxU8gu9PjTbM6quQX2iVLn [following] Location: http://chanrat.heattreatalloy.com/w/1.0/arj?auid=151893&o=2399749916&callback=MM_127454_1&url=http%3A%2F%2Fkantine-postzentrum.ch%2F&ref=http%3A%2F%2Fkantine-postzentrum.ch%2F&cb=2399749916 [following] Location: http://www.smartek.ch/fr/ [following] Location: http://qushawnda.thebabiesandbeyondpeds.com/t.gif?_=1341643996932&count=horizontal&counturl=http%3A%2F%2Fwww.smartek.ch%2F&id=twitter_tweet_button_2&lang=id&original_referer=http%3A%2F%2Fwww.smartek.ch%2F&text=Penelitian%20Hubungkan%20Kotoran%20Kucing%20dengan%20Bunuh%20Diri%20Perempuan%20-%20Yahoo!%20News%20Indonesia&url=http%3A%2F%2Fwww.smartek.ch%2F&via=yahoo_id&type=share&size=m&twttr_referrer=http%3A%2F%2Fwww.smartek.ch%2F&twttr_widget=1&twttr_hask=0&twttr_li=0&twttr_pid=v3:1341640385427767411434927 [following] Location: 
http://larico.mellodj.com/t.gif?_=1342138846960&count=horizontal&id=twitter-widget-0&lang=it&original_referer=http%3A%2F%2Fwww.hotel-hohentwiel.de%2F&size=m&text=Parma%2C%20the%20point%20on%20the%20market:%2012-07%20-%20Parma%20-%20ALL%20WEB%20MARKET&url=http%3A%2F%2Fwww.hotel-hohentwiel.de%2F&type=share&twttr_referrer=http%3A%2F%2Fwww.hotel-hohentwiel.de%2F&twttr_widget=1&twttr_hask=0&twttr_li=0&twttr_pid=v3:1337053439869214318659107 [following] Location: http://kandira.uksportbook.com/__utm.gif?utmwv=5.3.2&utms=19&utmn=2063651777&utmhn=feedjit.com&utmcs=UTF-8&utmsr=1280x768&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=10.3%20r181&utmdt=TF&utmhid=817479706&utmr=http%3A%2F%2Fwww.gran-canaria-insider.info%2F&utmp=/wa/tf.html%3Fr%3D315328872&utmac=UA-248353-18&utmcc=__utma%3D96727048.1823635908.1321258533.1340083563.1340087476.21%3B%2B__utmz%3D96727048.1340087476.21.21.utmcsr%3Dpalingseru.com%7Cutmccn%3D(referral)%7Cutmcmd%3Dreferral%7Cutmcct%3D/5682/10-penampakan-hantu-paling-terkenal-di-dunia%3B&utmu=D~ [following] Location: http://facuri.chelseyfatula.com/__utm.gif?utmwv=5.3.3&utms=1&utmn=1283213372&utmhn=travel.detik.com&utmcs=UTF-8&utmsr=1024x768&utmvp=1007x635&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=8.0%20%20r22&utmdt=detikTravel%20-%20Home&utmhid=1389669032&utmr=http%3A%2F%2Fwww.jordanbad.de%2F&utmp=/&utmac=UA-891770-53&utmcc=__utma%3D1.407439852.1342085232.1342085232.1342085232.1%3B%2B__utmz%3D1.1342085232.1.1.utmcsr%3Dgoogle%7Cutmccn%3D(organic)%7Cutmcmd%3Dorganic%7Cutmctr%3Dtravel%2520detik%3B&utmu=qhAAAAAg~ [following] Location: http://zhukova.golfnewsnewmexico.com/delivery/lg.php?bannerid=22469&campaignid=4402&zoneid=1636&channel_ids=,&loc=http%3A%2F%2Fwww.fachschaft.biz%2F&cb=bb76661ec9 [following] Location: 
http://okoegwale.telecomchicago.com/imghover?iact=hm&ei=DWHtT5bOA8WHrAe26tm9DQ&q=tempat+rak+kertas&tbs=&page=1&tbnh=117&tbnw=117&start=0&ndsp=18&dur=846&tbnid=ocMcioxgunWKXM:&hovh=225&hovw=225&vpx=758&vpy=238&imgurl=http%3A%2F%2Fmaxifood-group.com%2F&imgrefurl=http%3A%2F%2Fmaxifood-group.com%2F&ved=1t:1527,r:11,s:0,i:103&vetl=ms [following] $ cat ponmocup-domains_2012-10-17_a.txt www.patisserielaperle.ch www.jordanbad.de www.ccbk.de www.quolibet.ch scc.ticino.com www.cepsuisse.com anatoliytymchuk.ru $ ./ponmocup-finder.sh ponmocup-domains_2012-10-17_a.txt | tee ponmocup-domains_2012-10-23_log.txt date started: Tue Oct 23 09:54:05 CEST 2012 checking domain: www.patisserielaperle.ch --> seems to be INFECTED: http://formedtouch.com/cgi-bin/r.cgi --> DNS: formedtouch.com... 69.43.161.177 checking domain: www.jordanbad.de --> seems to be INFECTED: http://facuri.chelseyfatula.com/pview --> DNS: facuri.chelseyfatula.com... 31.210.96.155 checking domain: www.ccbk.de --> seems to be INFECTED: http://48732.akitahusky.org/url --> DNS: 48732.akitahusky.org... 77.79.11.96 checking domain: www.quolibet.ch --> seems to be INFECTED: http://zhiyrahz.gillspools.com/b --> DNS: zhiyrahz.gillspools.com... 31.210.96.155 checking domain: scc.ticino.com --> seems to be INFECTED: http://zykkiah.genjac.com/url --> DNS: zykkiah.genjac.com... 178.211.33.203 checking domain: www.cepsuisse.com --> seems to be INFECTED: http://trialworld.net/cgi-bin/r.cgi --> DNS: trialworld.net... 69.43.161.177 checking domain: anatoliytymchuk.ru --> seems to be INFECTED: http://caritay.anydevil.com/url --> DNS: caritay.anydevil.com... 178.211.33.202 date finished: Tue Oct 23 09:54:18 CEST 2012