SICK PIECE OF SHIT KEEPS HACKING MY SITE!!! - WickedFire - Affiliate Marketing Forum

crossfittn · 03-25-2007, 12:06 AM

OK guys I'm really trying hard to figure this one out but if you go to google and type Phentermine, then click on the listing for PhenForum.com, he's got it so my site redirects to like... e-topps.info with a pharmacy PPC page.

phentermine - Google Search

BUT if I type my URL in directly it doesn't do it. So, he's only stealing my Google traffic.

I've tried uploading my backup .htaccess, backup index.php, etc, but it doesn't work. I tried uploading a plain index.html with some text on it, and that DID stop the redirection. So it seems he's hacked my CMS somehow.

I'm really freaking out right now. Can someone help me? Thank you so much!!!!!!

CreationNation · 03-25-2007, 12:16 AM

EDIT: Skip to #4 first.

#1 - immediately add an htaccess user/pass to protect your CMS login area.

#2 - log in and change your passwords, make sure you are the only admin set up.

#3 - make sure you don't have an injected javascript bit punched into your index.php (look at the source, near the bottom)

#4 - I found your problem. Someone has posted a javascript link, do you have HTML enabled for posts (a BIG no no)?Tthey are redirecting your traffic via a comment/post:
<.script src="http://e-topps.info/j_pharma.js".>

delete that post from the database and it will fix, and TURN OFF html commenting/posting.

crossfittn · 03-25-2007, 12:22 AM

WOW Thank you ! Where did you find that injected post? I thought i had HTML disabled for posts but I may have missed one usergroup. I just deleted that post in my forum from "Barbarastrac" that said "hi i started today"

It seems to be ok now so that must be the one.

You're great for finding that man. Thank you for putting in the effort to solve the case!!!!!!!!!!!!!!! How the heck can I give you some good rep?

CreationNation · 03-25-2007, 12:25 AM

I found it by using CTRL+U really quick to look at the source code before it redirected (I just searched the code for "topps"). Definitely go through and make sure HTML posting is turned off for all user groups/commenting, I even turn it off for admin on my forums.

Good luck!

crossfittn · 03-25-2007, 12:28 AM

Thank you! How do i give you good rep?

CreationNation · 03-25-2007, 12:30 AM

Middle button on the left under my IM icons, with the "+" on it - thanks!

crossfittn · 03-25-2007, 12:36 AM

Done, thank you for your fast help!

photoads · 03-25-2007, 06:32 AM

Was this in your database or was it on a page? Only I have had some tosser giving me the same sort of trouble. Checking the permissions of your pages can help prevent further, I also changed passwords for the account.

I hope this is the last you see of this parasite ...

CreationNation · 03-25-2007, 10:43 PM

His was someone making a html post - and they embedded a javascript redirect.

photoads · 03-25-2007, 10:55 PM

I still got hassle with this shit. I thought I had gotten rid of the parasite but today I had 6 index pages with

Quote:

put onto it. It seems to have only targetted index.php pages so I am guessing something is planted on my server.

I have looked over my server but see nothing I am going to call someone in as the server management I have I think will brush it aside. On webhostingtalk.com if you search in this forum for iframe you'll see we are not alone Technical & Security Issues - WebHostingTalk Forums
Take a look @ this one
Strange code inserted into HTML Pages by WebServer - WebHostingTalk Forums

quicktoshoot · 03-26-2007, 01:41 AM

it has nothing to do with your server and everything to do with you not filtering user input securely.

CreationNation · 03-26-2007, 09:45 AM

Quote:

Originally Posted by photoads

I still got hassle with this shit. I thought I had gotten rid of the parasite but today I had 6 index pages with put onto it. It seems to have only targetted index.php pages so I am guessing something is planted on my server.

I have looked over my server but see nothing I am going to call someone in as the server management I have I think will brush it aside. On webhostingtalk.com if you search in this forum for iframe you'll see we are not alone Technical & Security Issues - WebHostingTalk Forums
Take a look @ this one
Strange code inserted into HTML Pages by WebServer - WebHostingTalk Forums

There are various ways for hack/script kiddies to do this. Check my #2 post in this thread to start.

Also, if you are running "stock" scripts like PHPNews, Cutenews or any one of thousands of scripts out there that are open source, make sure they are 100% up to date (even though sometimes that doesn't even help). If you have a combo of an unprotected admin login area, with an outdated News script, etc. then you're ripe for hacking.

Also another culprit could be outdated/unsecured mailing list signup areas/login areas. I personally was a dork and had this happen to me. A punk was accessing through one of those and injecting a javascript bit into the footer of my index page.

What I have started doing recently is not using those open source news scripts etc. as the more something like that is used, the more of a target hackers/script kiddies will consider it. There are even sites out there that, once they hack your page, they post and brag about it.

Revist my #2 post in this thread, and make sure to do those things. Also, make sure all your scripts are up to date, including any forum installs, etc.

03-25-2007, 12:06 AM	#1 (permalink)
crossfittn Senior Member Join Date: Feb 2007 Posts: 537	SICK PIECE OF SHIT KEEPS HACKING MY SITE!!! OK guys I'm really trying hard to figure this one out but if you go to google and type Phentermine, then click on the listing for PhenForum.com, he's got it so my site redirects to like... e-topps.info with a pharmacy PPC page. phentermine - Google Search BUT if I type my URL in directly it doesn't do it. So, he's only stealing my Google traffic. I've tried uploading my backup .htaccess, backup index.php, etc, but it doesn't work. I tried uploading a plain index.html with some text on it, and that DID stop the redirection. So it seems he's hacked my CMS somehow. I'm really freaking out right now. Can someone help me? Thank you so much!!!!!! __________________ Toasted Jacket Lentils - biased

03-25-2007, 12:16 AM	#2 (permalink)
CreationNation Senior Member Join Date: Jun 2006 Location: Manassas, VA USA Posts: 306	EDIT: Skip to #4 first. #1 - immediately add an htaccess user/pass to protect your CMS login area. #2 - log in and change your passwords, make sure you are the only admin set up. #3 - make sure you don't have an injected javascript bit punched into your index.php (look at the source, near the bottom) #4 - I found your problem. Someone has posted a javascript link, do you have HTML enabled for posts (a BIG no no)?Tthey are redirecting your traffic via a comment/post: <.script src="http://e-topps.info/j_pharma.js".> delete that post from the database and it will fix, and TURN OFF html commenting/posting. __________________ Deron www.creationnation.com www.ultimatemetal.com www.metalages.com

03-25-2007, 12:22 AM	#3 (permalink)
crossfittn Senior Member Join Date: Feb 2007 Posts: 537	WOW Thank you ! Where did you find that injected post? I thought i had HTML disabled for posts but I may have missed one usergroup. I just deleted that post in my forum from "Barbarastrac" that said "hi i started today" It seems to be ok now so that must be the one. You're great for finding that man. Thank you for putting in the effort to solve the case!!!!!!!!!!!!!!! How the heck can I give you some good rep? __________________ Toasted Jacket Lentils - biased

03-25-2007, 12:25 AM	#4 (permalink)
CreationNation Senior Member Join Date: Jun 2006 Location: Manassas, VA USA Posts: 306	I found it by using CTRL+U really quick to look at the source code before it redirected (I just searched the code for "topps"). Definitely go through and make sure HTML posting is turned off for all user groups/commenting, I even turn it off for admin on my forums. Good luck! __________________ Deron www.creationnation.com www.ultimatemetal.com www.metalages.com

03-25-2007, 12:28 AM	#5 (permalink)
crossfittn Senior Member Join Date: Feb 2007 Posts: 537	Thank you! How do i give you good rep? __________________ Toasted Jacket Lentils - biased

03-25-2007, 12:30 AM	#6 (permalink)
CreationNation Senior Member Join Date: Jun 2006 Location: Manassas, VA USA Posts: 306	Middle button on the left under my IM icons, with the "+" on it - thanks! __________________ Deron www.creationnation.com www.ultimatemetal.com www.metalages.com

03-25-2007, 12:36 AM	#7 (permalink)
crossfittn Senior Member Join Date: Feb 2007 Posts: 537	Done, thank you for your fast help! __________________ Toasted Jacket Lentils - biased

03-25-2007, 06:32 AM	#8 (permalink)
photoads I like big jugs Join Date: Nov 2006 Location: Toronto ... Posts: 364	Was this in your database or was it on a page? Only I have had some tosser giving me the same sort of trouble. Checking the permissions of your pages can help prevent further, I also changed passwords for the account. I hope this is the last you see of this parasite ... __________________ -------------------------------------------- I intend to live forever .... So far so good

03-25-2007, 10:43 PM	#9 (permalink)
CreationNation Senior Member Join Date: Jun 2006 Location: Manassas, VA USA Posts: 306	His was someone making a html post - and they embedded a javascript redirect. __________________ Deron www.creationnation.com www.ultimatemetal.com www.metalages.com

03-26-2007, 01:41 AM	#11 (permalink)
quicktoshoot Junior Member Join Date: Mar 2007 Posts: 8	it has nothing to do with your server and everything to do with you not filtering user input securely.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode