Well, the bad guys tried fooling everyone by changing the filename yet again (sorry Mr Bad Guy - we're not that stupid).
You'll remember that they were using HostNOC as of the latest incarnations, and I both e-mailed and phoned HostNOC on the 20th, the day the move was made, and the person I spoke to advised me they were giving the customer a 24 hour warning. 3 days later, it was still online, still serving malicious content.
I've just phoned HostNOC yet again, and they're finally taking it offline, advising me the entire account would be suspended within the next 5 mins (and yes HostNOC, I'll be verifying that).
Sadly, it seems Interserver STILL haven't taken action, as .38 is STILL spewing the malicious file (again, with the new filename).
Seems it's polymorphic too, as I've recorded 2 pull downs of the file, with 2 different MD5s.
So Interserver, what's your excuse?
Part 2: Interserver, malware, and the Scottish weather
Interserver, malware, and the Scottish weather