Fuck - Server corrupted - Search Results from Google redirects... - GoFuckYourself.com

MaDalton · 03-29-2011, 10:57 AM

question: how often do you click on the google search results for your own sites?

was made aware of this today and would have never noticed this myself:

if i go to www.fourstrokeentertainment.com directly nothing bad happens

but if i click on the search result in google i got redirected to some nasty polish URL which i won't post here for your security

any way i can automatically check my sites regularly?

fuckers.

Agent 488 · 03-29-2011, 11:00 AM

happened to me back in the day with my wordpress sites. interesting to check the url of that polish site in alexa.

MaDalton · 03-29-2011, 11:03 AM

http://www.alexa.com/siteinfo/osa.pl#

k0nr4d · 03-29-2011, 11:20 AM

you sure its not on your end? I just googled you and went in and its fine..

SZNY · 03-29-2011, 11:37 AM

Same here it works perfect, just land on your domain. Maybe its something with the computer you working with (virus)

Si · 03-29-2011, 11:41 AM

Quote:

Originally Posted by SZNY

Same here it works perfect, just land on your domain. Maybe its something with the computer you working with (virus)

There is a malware going round that fucks google searches up and redirects them to some random shit.

Could be that.

SZNY · 03-29-2011, 11:49 AM

Quote:

Originally Posted by Si

There is a malware going round that fucks google searches up and redirects them to some random shit.

Could be that.

server or client sided?

directfiesta · 03-29-2011, 12:01 PM

Quote:

Originally Posted by Si

There is a malware going round that fucks google searches up and redirects them to some random shit.

Could be that.

Exactly, I have that on my netbook ... Goes to other search results/pages, sometimes something like Zagonga ( or similar ) .
Reformat was to be done anyway ....

pristine · 03-29-2011, 12:08 PM

if you get malware then you're retarded and shouldn't be using a computer to begin with

DangerX !!! · 03-29-2011, 12:32 PM

Perhaps htaccess settings?

nation-x · 03-29-2011, 12:45 PM

Your machine has been infected with a rootkit like TDSS.

http://threatinfo.trendmicro.com/vin...11209-TDSS.xml

Klen · 03-29-2011, 12:51 PM

Use http://www.stopthehacker.com/ .I was one of the contributors

DangerX !!! · 03-29-2011, 12:55 PM

Quote:

Originally Posted by MaDalton

question: how often do you click on the google search results for your own sites?

was made aware of this today and would have never noticed this myself:

if i go to www.fourstrokeentertainment.com directly nothing bad happens

but if i click on the search result in google i got redirected to some nasty polish URL which i won't post here for your security

any way i can automatically check my sites regularly?

fuckers.

From curiosity, which OS do you use and which anti-virus?

MaDalton · 03-29-2011, 01:18 PM

Quote:

Originally Posted by k0nr4d

you sure its not on your end? I just googled you and went in and its fine..

Quote:

Originally Posted by SZNY

Same here it works perfect, just land on your domain. Maybe its something with the computer you working with (virus)

hosting company had already fixed it before i posted here - seems related to phpmyadmin

Quote:

Originally Posted by pristine

if you get malware then you're retarded and shouldn't be using a computer to begin with

read above, then go fuck yourself, asshat

rogueteens · 03-29-2011, 01:24 PM

Quote:

Originally Posted by MaDalton

hosting company had already fixed it before i posted here - seems related to phpmyadmin

So, was it a hack?

MaDalton · 03-29-2011, 01:36 PM

Quote:

Originally Posted by KlenTelaris

Use http://www.stopthehacker.com/ .I was one of the contributors

interesting, gonna check this out

Quote:

Originally Posted by rogueteens

So, was it a hack?

yes, gotta find out what exactly - they just said it's fixed - which it is

directfiesta · 03-29-2011, 01:53 PM

Quote:

Originally Posted by MaDalton

interesting, gonna check this out

yes, gotta find out what exactly - they just said it's fixed - which it is

probably a mysql injection ...

SmokeyTheBear · 03-29-2011, 01:54 PM

i cleaned someones server recently that had this sort of hack. not only was it redirecting google searchers but it setup a whole series of doorway pages that would surely get your domain banned in google

seeandsee · 03-29-2011, 01:59 PM

can be malware on your pc redirecting your SE traffic

MaDalton · 03-29-2011, 02:02 PM

Quote:

Originally Posted by seeandsee

can be malware on your pc redirecting your SE traffic

you need to read before you post

AdultKing · 03-29-2011, 02:03 PM

We have been testing for several common compromises on actual sites during our web crawling efforts for our search engine. A staggering 5% of all sites we crawl have had problems with injections, redirects, poorly constructed permissions leaving directories open and most commonly fully search-able directory structures.

The number of insecure sites is staggering.

MaDalton · 03-29-2011, 02:26 PM

Quote:

Originally Posted by AdultKing

We have been testing for several common compromises on actual sites during our web crawling efforts for our search engine. A staggering 5% of all sites we crawl have had problems with injections, redirects, poorly constructed permissions leaving directories open and most commonly fully search-able directory structures.

The number of insecure sites is staggering.

actually i would think 5% is a very low number - lol

but it's almost a full time job if you have more than one website

MaDalton · 03-29-2011, 02:34 PM

ok, it was wordpress, nothing serious was harmed, just my traffic :-/

you better check your sites too from time to time

pimpware · 03-29-2011, 02:56 PM

I got something like that yesterday.

crazy queries from google linking to folders that didn't exist on my website(redirecting). Nonsense text and pics.

It was a php and htaccess injection attack.

Removed all php files and disabled htaccess and even today I'm getting traffic from that crazy queries coming from google. I wonder how this will screw my indexed files and rankings, hope google "think" and "be smart" enough to not fuck my stuff.

MaDalton · 03-29-2011, 02:59 PM

Quote:

Originally Posted by pimpware

I got something like that yesterday.

crazy queries from google linking to folders that didn't exist on my website(redirecting). Nonsense text and pics.

It was a php and htaccess injection attack.

Removed all php files and disabled htaccess and even today I'm getting traffic from that crazy queries coming from google. I wonder how this will screw my indexed files and rankings, hope google "think" and "be smart" enough to not fuck my stuff.

all my model blogs link to that site and i lost 90% of my traffic since last weekend. if this was the cause it seriously blows

pimpware · 03-29-2011, 03:06 PM

Quote:

Originally Posted by MaDalton

all my model blogs link to that site and i lost 90% of my traffic since last weekend. if this was the cause it seriously blows

From all my blogs and adult websites the one hacked was one from mainstream

and in portuguese language, all those queries are in english so if I'm lucky google will "understand" that was not my fault ... fuck i'm pissed with this

pimpware · 03-29-2011, 03:18 PM

Oh crap, can be a coincidence but some specific keywords that were giving me the first places on google (those with a map) I had almost always the letter A B or C, now it's almost gone

alias · 03-29-2011, 03:34 PM

Google webmaster tools is pretty good at finding those problems and emailing you, just verify the site in question and adjust settings.

MaDalton · 03-29-2011, 03:54 PM

Quote:

Originally Posted by alias

Google webmaster tools is pretty good at finding those problems and emailing you, just verify the site in question and adjust settings.

yeah, working on that

rogueteens · 03-29-2011, 04:14 PM

What should i check for to see if i'm infected or not?

pimpware · 03-29-2011, 04:20 PM

Quote:

Originally Posted by rogueteens

What should i check for to see if i'm infected or not?

htaccess file or your stats, look for nonsense queries coming from google

and check some new folder you didn't create ... full of crap

MaDalton · 03-29-2011, 04:35 PM

Quote:

Originally Posted by rogueteens

What should i check for to see if i'm infected or not?

just search for your generic URL on Google and then click on the search result. if it doesnt go to your site you have a problem. typing the url in the browser won't do it - thats the tricky thing here

edit: you can also look at your stats, you would see a massive drop in search engine traffic

now that i checked i would say i have that problem since last year october

429mg · 03-29-2011, 04:41 PM

@MaDalton: are you using the I Love Social Bookmarks plugin for WP?

Supz · 03-29-2011, 04:46 PM

Could be something on your computer.

MaDalton · 03-29-2011, 04:48 PM

Quote:

Originally Posted by 429mg

@MaDalton: are you using the I Love Social Bookmarks plugin for WP?

no, i dont

Pushcube · 03-29-2011, 05:12 PM

It's a XSS exploit. It's simple to fix so don't panic

If you have access to your .htaccess file add the following to prevent it happening:

Code:

RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR]
RewriteRule ^(.*)$ ? [F,L]

If you have SSH you can hunt down modified files by:

Code:

grep -r "eval(base64_decode" *

I don't think I should post the infection PHP code here(obviously), but it will appear at the top of all the modified files, you will know it when you see it. Something like this:

PHP Code:


			
eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQblahblahblahblahblahblah etc et etc etc"));

I'd also update to the latest version of PHP on your server(s) if you haven't already. Hope this helps

MaDalton · 03-29-2011, 05:24 PM

Quote:

Originally Posted by Pushcube

It's a XSS exploit. It's simple to fix so don't panic

If you have access to your .htaccess file add the following to prevent it happening:

Code:

RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR]
RewriteRule ^(.*)$ ? [F,L]

If you have SSH you can hunt down modified files by:

Code:

grep -r "eval(base64_decode" *

I don't think I should post the infection PHP code here(obviously), but it will appear at the top of all the modified files, you will know it when you see it. Something like this:

PHP Code:


			
eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQblahblahblahblahblahblah etc et etc etc"));

I'd also update to the latest version of PHP on your server(s) if you haven't already. Hope this helps

thanks a lot

valuable info instead of insults or ignorance, who would have thought

AdultKing · 03-29-2011, 08:20 PM

Quote:

Originally Posted by MaDalton

actually i would think 5% is a very low number - lol

but it's almost a full time job if you have more than one website

5% of the number of websites we have fully crawled is a very very very big number lol, they say space is really really big (according to Douglas Adams), well so is the web!

I have no idea what the standard ratio of infected sites is on the web, however we are learning alot from our crawling efforts and it's interesting to see the stats and patterns that emerge when undertaking such a project.

I hope you get your problems sorted out quickly, just take comfort in that most of these attacks are completely automated by the attackers and if anything it helps you make your sites even more secure than before.

03-29-2011, 10:57 AM	#1
MaDalton I am Amazing Content! Industry Role: Join Date: Feb 2004 Posts: 39,822	Fuck - Server corrupted - Search Results from Google redirects... question: how often do you click on the google search results for your own sites? was made aware of this today and would have never noticed this myself: if i go to www.fourstrokeentertainment.com directly nothing bad happens but if i click on the search result in google i got redirected to some nasty polish URL which i won't post here for your security any way i can automatically check my sites regularly? fuckers. __________________ AmazingContent.com - providing only the best content and service since 2003 Monetize your content on Veegaz.com - one of Germanies largest VOD sites Got German traffic? We convert it into money for you! Skype: madalton02826 - Email: oltecconsult [at] gmail [dot] com

03-29-2011, 11:03 AM	#3
MaDalton I am Amazing Content! Industry Role: Join Date: Feb 2004 Posts: 39,822	http://www.alexa.com/siteinfo/osa.pl# __________________ AmazingContent.com - providing only the best content and service since 2003 Monetize your content on Veegaz.com - one of Germanies largest VOD sites Got German traffic? We convert it into money for you! Skype: madalton02826 - Email: oltecconsult [at] gmail [dot] com

03-29-2011, 11:20 AM	#4
k0nr4d Confirmed User Industry Role: Join Date: Aug 2006 Location: Poland Posts: 9,228	you sure its not on your end? I just googled you and went in and its fine.. __________________ Mechanical Bunny Media Mechbunny Tube Script \| Mechbunny Webcam Aggregator Script \| Custom Web Development

03-29-2011, 11:37 AM	#5
SZNY SZNY Industry Role: Join Date: May 2004 Location: Sexy Republic Posts: 2,800	Same here it works perfect, just land on your domain. Maybe its something with the computer you working with (virus) __________________ Telegram: sandroanthonio

03-29-2011, 12:32 PM	#10
DangerX !!! Confirmed User Industry Role: Join Date: Feb 2011 Location: La Isla Bonita Power Level: ❤❤❤❤❤❤❤❤❤❤ Posts: 886	Perhaps htaccess settings? __________________ This is sig area!

03-29-2011, 11:00 AM	#2
Agent 488 Registered User Industry Role: Join Date: Feb 2006 Posts: 22,511	happened to me back in the day with my wordpress sites. interesting to check the url of that polish site in alexa.

03-29-2011, 12:08 PM	#9
pristine So Fucking Banned Industry Role: Join Date: Dec 2010 Posts: 1,176	if you get malware then you're retarded and shouldn't be using a computer to begin with

03-29-2011, 12:45 PM	#11
nation-x Confirmed User Industry Role: Join Date: Mar 2004 Location: Rock Hill, SC Posts: 5,370	Your machine has been infected with a rootkit like TDSS. http://threatinfo.trendmicro.com/vin...11209-TDSS.xml

03-29-2011, 12:51 PM	#12
Klen Industry Role: Join Date: Aug 2006 Location: Little Vienna Posts: 32,235	Use http://www.stopthehacker.com/ .I was one of the contributors

03-29-2011, 01:54 PM	#18
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	i cleaned someones server recently that had this sort of hack. not only was it redirecting google searchers but it setup a whole series of doorway pages that would surely get your domain banned in google __________________ hatisblack at yahoo.com

03-29-2011, 01:59 PM	#19
seeandsee Check SIG! Industry Role: Join Date: Mar 2006 Location: Europe (Skype: gojkoas) Posts: 50,945	can be malware on your pc redirecting your SE traffic __________________ BUY MY SIG - 50$/Year Contact here

03-29-2011, 02:03 PM	#21
AdultKing Raise Your Weapon Industry Role: Join Date: Jun 2003 Location: Outback Australia Posts: 15,601	We have been testing for several common compromises on actual sites during our web crawling efforts for our search engine. A staggering 5% of all sites we crawl have had problems with injections, redirects, poorly constructed permissions leaving directories open and most commonly fully search-able directory structures. The number of insecure sites is staggering.

03-29-2011, 02:34 PM	#23
MaDalton I am Amazing Content! Industry Role: Join Date: Feb 2004 Posts: 39,822	ok, it was wordpress, nothing serious was harmed, just my traffic :-/ you better check your sites too from time to time __________________ AmazingContent.com - providing only the best content and service since 2003 Monetize your content on Veegaz.com - one of Germanies largest VOD sites Got German traffic? We convert it into money for you! Skype: madalton02826 - Email: oltecconsult [at] gmail [dot] com

03-29-2011, 02:56 PM	#24
pimpware Confirmed User Join Date: Jan 2006 Location: Pt Posts: 1,673	I got something like that yesterday. crazy queries from google linking to folders that didn't exist on my website(redirecting). Nonsense text and pics. It was a php and htaccess injection attack. Removed all php files and disabled htaccess and even today I'm getting traffic from that crazy queries coming from google. I wonder how this will screw my indexed files and rankings, hope google "think" and "be smart" enough to not fuck my stuff. __________________ icq: 284494832 realsexforyou.com

03-29-2011, 03:18 PM	#27
pimpware Confirmed User Join Date: Jan 2006 Location: Pt Posts: 1,673	Oh crap, can be a coincidence but some specific keywords that were giving me the first places on google (those with a map) I had almost always the letter A B or C, now it's almost gone __________________ icq: 284494832 realsexforyou.com

03-29-2011, 03:34 PM	#28
alias aliasx Join Date: Apr 2001 Posts: 19,010	Google webmaster tools is pretty good at finding those problems and emailing you, just verify the site in question and adjust settings. __________________ https://porncorporation.com

03-29-2011, 04:14 PM	#30
rogueteens So fucking bland Industry Role: Join Date: Jul 2006 Location: England Posts: 8,005	What should i check for to see if i'm infected or not? __________________ Free traffic and backlinks from one of the fastest growing adult pinsites on the net - SAUCY PICTURES! Easily my best performing webcam sponsor - CLICK HERE!!

03-29-2011, 04:41 PM	#33
429mg Confirmed User Industry Role: Join Date: Jul 2010 Location: Rotterdam Posts: 151	@MaDalton: are you using the I Love Social Bookmarks plugin for WP? __________________ Got a gay blog? Submit your posts to Male Sharing

03-29-2011, 04:46 PM	#34
Supz Arthur Flegenheimer Industry Role: Join Date: Jul 2006 Location: New York City Posts: 11,056	Could be something on your computer.

03-29-2011, 05:12 PM	#36
Pushcube Registered User Industry Role: Join Date: Dec 2007 Location: Ireland Posts: 54	It's a XSS exploit. It's simple to fix so don't panic If you have access to your .htaccess file add the following to prevent it happening: Code: RewriteCond %{QUERY_STRING} base64_encode.(.) [NC,OR] RewriteRule ^(.)$ ? [F,L] If you have SSH you can hunt down modified files by: Code: grep -r "eval(base64_decode" I don't think I should post the infection PHP code here(obviously), but it will appear at the top of all the modified files, you will know it when you see it. Something like this: PHP Code: `eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQblahblahblahblahblahblah etc et etc etc"));` I'd also update to the latest version of PHP on your server(s) if you haven't already. Hope this helps __________________ Server Optimisation - Pentesting - Secure WP Installs.