# Safe to say it's compromised.



## OnePostWonder (Nov 13, 2013)

Happened upon this while I was reading about a certain drug.  I think the site is legitimate, but is the modus operandi here that the malicious party leaves the site looking normal so it takes longer for the webmaster to be alerted to it?

*International Academy of Law and Mental Health*
http://www.ialmh.org/template.cgi - *LINKS ON THIS SITE MAY BE COMPROMISED*

Internet Officer Redirect Checker:

Checked link: http://www.ialmh.org/otc

Type of redirect: 301 Moved Permanently

Redirected to: http://www.ialmh.org/otc/

---------------------------------------

Checked link: http://www.ialmh.org/otc/

Type of redirect: 302 Found

Redirected to: http://www.ialmh.org/temp/r.php 

--------------------------------------

Checked link: http://www.ialmh.org/temp/r.php

Type of redirect: “meta refresh” redirect after 2 seconds

Redirected to: http://otc-med-pharm.com/

--------------------------------------

*Source of r.php*


```
<script src="//mc.yandex.ru/metrika/watch.js" type="text/javascript"></script>
<script type="text/javascript">
try { var yaCounter20997100 = new Ya.Metrika({id:20997100});
} catch(e) { }
</script>
<b>One moment...</b>
<meta http-equiv='refresh' content='2; url=http://otc-med-pharm.com/'>
```

So is it "r" for "refresh", "redirect", or "Russian"?  

Also, I know Yandex is a widely-used search engine in Russia and is safe, and the script is kind of like Google Metrics (correct me if I'm wrong), but I don't think what's going on here is exactly correct.

*Edit:* I didn't exactly make my purpose for posting this clear.  Should the webmaster be contacted about this?  There is a link to contact them, but I'm a bit reluctant because I'm unsure of where my email might actually be going.  Could that be compromised as well?


----------

