The hack that I found using www.canadian-pharmacy-24.com is identical to the one that uses www.awc-drugstore.com except for the image.
You will have to click on the image to make it large enough to read.
purplewingsorg.php?q=via is the URL that is detected by the redirect code.
viapurplewingsorgjpg is the name of the image file the hack uses on this site.
Again we find hacks naming the image file by using the domain named with via added to the front and the PHP file is always the domain name. They all contain the string “?=via” as shown above.
I think it is safe to assume via is short for Viagra.
Also notice that they are following the same pattern of not using “.jpg”.
Pharma Hack 