Old 05-15-2013, 09:25 PM   #1
tonyparra
Wtf Is this shit? Strange redirects on one of my sites

Have I been hacked? Or just some wayward script/image? I saw it in Pingdom. It's a WordPress site, I'm using the theme on several sites, and none have these redirects. I don't have any social plugins or use AddThis, and the links don't lead to AddThis anyway:

Remove the following redirect chain if possible:

http://addthis.mathtag.com/red/pixel?pid=11112
http://sync.mathtag.com/sync/img?mt_...1112%26ssrc%3?
http://sync.mathtag.com/sync/img?mt_...1112%26ssrc%3?
http://su.addthis.com/red/usync?pid=...3-27b656e74328
Remove the following redirect chain if possible:

http://cm.g.doubleclick.net/pixel?go...gle_gid&ssrc=1
http://cm.g.doubleclick.net/pixel?go...c=1&google_tc=
http://su.addthis.com/red/usync?pid=...&google_cver=1
Remove the following redirect chain if possible:

http://dpm.demdex.net/ibs:dpid=420&d...nc%3Fpid%3D16?
http://dpm.demdex.net/demconf.jpg?et...ddthis.com%2F?
http://su.addthis.com/red/usync?pid=... 656811&ssrc=3
Remove the following redirect chain if possible:

http://ib.adnxs.com/getuid?http%3A%2...UID%26ssrc%3D1
http://ib.adnxs.com/bounce?%2Fgetuid...%2526puid%253?
http://su.addthis.com/red/usync?pid=...0963602&ssrc=1
Remove the following redirect chain if possible:

http://segment-pixel.invitemedia.com...&sscs_active=1
http://cm.g.doubleclick.net/pixel?go...OBUB4tNORjCQ==
http://g-pixel.invitemedia.com/gmatc...o ogle_cver=1
Remove the following redirect chain if possible:

http://adadvisor.net/adscores/g.pixel?sid=9201991568
http://su.addthis.com/red/usync?pid=11121&puid=&ssrc=3
Remove the following redirect chain if possible:

http://ds.reson8.com/vendor.gif?v=CS&c=51945a355739fb23
http://ds.reson8.com/pop.gif?RCOUNT=1
Remove the following redirect chain if possible:

http://i.w55c.net/ping_match.gif?st=...uid%3D_wfivef?
http://su.addthis.com/red/usync?pid=...5793d2f&ssrc=1
Remove the following redirect chain if possible:

http://tacoda.at.atwola.com/atx/sync...default?ssrc=3
http://su.addthis.com/red/usync?pid=...158svpj&ssrc=3
Remove the following redirect chain if possible:

http://tags.bluekai.com/site/13961?i...Fusync%3Fpid%?
http://su.addthis.com/red/usync?pid=...H%2Cdal&ssrc=1
Old 05-15-2013, 09:30 PM   #2
bean-aid
Do you have backups? Looks like you have an injection. I didn't click any of your links btw, just my experience to wipe it out and replace with a backup.
Old 05-15-2013, 09:34 PM   #3
EnterpriseVpsSolutions
There are site testing tools to see if it's infected. sitecheck.sucuri.net is one such site. Also try running maldet on the system or some anti-virus tool. It sucks losing data, but the last recourse would be a full system restore.
Old 05-15-2013, 09:39 PM   #4
Colmike9
See if your host knows how to remove it without losing your stuff (Backup first ;) )
Old 05-15-2013, 09:42 PM   #5
Dankasaur
Quote:
Originally Posted by beaner View Post
Do you have backups? Looks like you have an injection. I didn't click any of your links btw, just my experience to wipe it out and replace with a backup.
That's not very productive... They'll just inject the stuff again... Best to remove the injections and pinpoint where they are doing it and have it patched... Reverting to a backup is only a temporary solution and not even a good one.
Old 05-15-2013, 09:47 PM   #6
tonyparra
Quote:
Originally Posted by beaner View Post
Do you have backups? Looks like you have an injection. I didn't click any of your links btw, just my experience to wipe it out and replace with a backup.
The links don't lead anywhere, I tried them. I can't find a reference to this stuff in any of the source code.
Old 05-15-2013, 09:47 PM   #7
brassmonkey
thanx for posting it here
Old 05-15-2013, 09:51 PM   #8
tonyparra
Quote:
Originally Posted by EnterpriseVpsSolutions View Post
There are site testing tools to see if it's infected. sitecheck.sucuri.net is one such site. Also try running maldet on the system or some anti-virus tool. It sucks losing data, but the last recourse would be a full system restore.
Full system restore not an option. I checked it on Google's VirusTotal:

https://www.virustotal.com/en/file/0...ec33/analysis/

Doesn't seem to carry a virus but is used to capture traffic? So it's redirecting some traffic?
Old 05-15-2013, 10:02 PM   #9
2013
your links gave me herpes
Old 05-15-2013, 10:03 PM   #10
bean-aid
Quote:
Originally Posted by Dankasaur View Post
That's not very productive... They'll just inject the stuff again... Best to remove the injections and pinpoint where they are doing it and have it patched... Reverting to a backup is only a temporary solution and not even a good one.
Restore site, get rid of virus and/or malware, pinpoint the hole. I highly doubt his site is being attacked by a watchful eye and needs immediate attention regarding security breach.

Which is very likely to be a wordpress hole. But it would suck without the backup. Host may be able to help. They should be able to run a scan of the entire server.
Old 05-15-2013, 10:12 PM   #11
tonyparra
Quote:
Originally Posted by beaner View Post
Host may be able to help. They should be able to run a scan of the entire server.
They ran a malware scan and didn't find anything.
Old 05-15-2013, 10:17 PM   #12
Colmike9
Quote:
Originally Posted by tonyparra View Post
They ran a malware scan and didn't find anything.
Do you have it on G Webmaster Tools? If so, does that detect anything?
Last edited by Colmike9; 05-15-2013 at 10:21 PM.
Old 05-15-2013, 10:55 PM   #13
harvey
say hi to your Ukraine friends!

and yes, that's an injection known as CAP of type network or traffic capture. Tell your host to look for something like the info below

Quote:
SHA256: 087b5875e50f96f1c60b993342ab814346f13ecdbb50a1652788b873745fec33
SHA1: ea934a5b9510fe54f939579dcbc2e15c0303d64a
MD5: 43811ffb30ce880d19aa20c693a138e0
File size: 35.1 MB ( 36819703 bytes )
File name: pcaptest1.pcap
File type: Network capture
Old 05-16-2013, 09:37 AM   #14
tonyparra
Quote:
Originally Posted by harvey View Post
say hi to your Ukraine friends!

and yes, that's an injection known as CAP of type network or traffic capture. Tell your host to look for something like the info below
Host still can't find this. Would it be in certain areas?
Old 05-16-2013, 09:52 AM   #15
_Richard_
Quote:
Originally Posted by harvey View Post
say hi to your Ukraine friends!

and yes, that's an injection known as CAP of type network or traffic capture. Tell your host to look for something like the info below
Old 05-16-2013, 10:50 AM   #16
Antonio
1 check your htaccess
2 if wordpress, check the theme php files

look for: nVRNj9owEL33Z1gqShqj+iMOdr3e....
#c3284d#

and all other stuff the it crowd guy posted
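Added example, not part of the original thread or any poster's code: a small scanner for the two checks listed in the post above (.htaccess and theme PHP files), matching the #c3284d# marker and the base64 prefix quoted there. The eval() and referrer-condition patterns, the function names, the sample tree and the redirect.invalid host are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# "#c3284d#" and the base64 prefix come from the post above; the eval() and
# .htaccess referrer patterns are generic assumptions added for this example.
INDICATORS = {
    "marker-c3284d": re.compile(rb"#c3284d#"),
    "blob-prefix": re.compile(rb"nVRNj9owEL33Z1gqShqj\+iMOdr3e"),
    "eval-decode": re.compile(
        rb"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I),
    "htaccess-referer-cond": re.compile(
        rb"RewriteCond\s+%\{HTTP_REFERER\}.*(?:google|bing|yahoo)", re.I),
}
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

def scan_tree(root):
    """Return sorted (relative_path, line_no, indicator) hits under root."""
    root, hits = Path(root), []
    for path in root.rglob("*"):
        is_htaccess = path.name == ".htaccess"
        if not path.is_file() or not (is_htaccess or path.suffix.lower() in SCAN_SUFFIXES):
            continue
        lines = path.read_bytes().splitlines()
        for line_no, line in enumerate(lines, 1):
            for name, pattern in INDICATORS.items():
                # The referrer rule only makes sense inside .htaccess files.
                if pattern.search(line) and (is_htaccess or not name.startswith("htaccess")):
                    hits.append((path.relative_to(root).as_posix(), line_no, name))
    return sorted(hits)

def build_constructed_site(root):
    """Constructed sample tree: a clean theme file, a tampered one, an .htaccess."""
    theme = Path(root) / "wp-content" / "themes" / "example"
    theme.mkdir(parents=True)
    (theme / "index.php").write_text("<?php get_header(); ?>\n")
    (theme / "footer.php").write_text(
        "<?php wp_footer(); ?>\n#c3284d#\n"
        "<?php eval(gzinflate(base64_decode('nVRNj9owEL33Z1gqShqj+iMOdr3e'))); ?>\n")
    (Path(root) / ".htaccess").write_text(
        "RewriteEngine On\nRewriteCond %{HTTP_REFERER} .*google.* [NC]\n"
        "RewriteRule ^ http://redirect.invalid/ [R,L]\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_site(tmp)
        for hit in scan_tree(tmp):
            print(*hit, sep="\t")
```

Pointing scan_tree() at a copy of the real document root lists file, line and indicator for each match; a clean result only means these particular strings are absent.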
Old 05-16-2013, 12:39 PM   #17
Diomed
Christ you guys know too much.
Old 05-16-2013, 01:11 PM   #18
grzepa
is it safe to use addthis widget ?
Old 05-16-2013, 02:30 PM   #19
tonyparra
Quote:
Originally Posted by grzepa View Post
is it safe to use addthis widget ?
I'm not using or want to use the widget. I have this theme on several other sites, on several other hosts, none of the same redirects.
Old 05-16-2013, 02:41 PM   #20
harvey
so, did you fix it?
Old 05-16-2013, 04:40 PM   #21
tonyparra
Quote:
Originally Posted by harvey View Post
so, did you fix it?
no have headache now need beer try later
Old 05-16-2013, 04:49 PM   #22
signupdamnit
I've read about some apache hacks lately where instead of merely messing with the configuration or site files they have been replacing the actual binary. See http://www.webhostingtalk.com/showthread.php?t=1260736