GoFuckYourself.com - Adult Webmaster Forum

tonyparra 05-15-2013 09:25 PM

Wtf is this shit? Strange redirects on one of my sites

Have I been hacked? Or is it just some wayward script/image? I saw it in Pingdom. It's a WordPress site, I'm using the theme on several sites, and none have these redirects. I don't have any social plugins or use AddThis, and the links don't lead to AddThis anyways:

Remove the following redirect chain if possible:

http://addthis.mathtag.com/red/pixel?pid=11112
http://sync.mathtag.com/sync/img?mt_...1112%26ssrc%3?
http://sync.mathtag.com/sync/img?mt_...1112%26ssrc%3?
http://su.addthis.com/red/usync?pid=...3-27b656e74328

Remove the following redirect chain if possible:

http://cm.g.doubleclick.net/pixel?go...gle_gid&ssrc=1
http://cm.g.doubleclick.net/pixel?go...c=1&google_tc=
http://su.addthis.com/red/usync?pid=...&google_cver=1

Remove the following redirect chain if possible:

http://dpm.demdex.net/ibs:dpid=420&d...nc%3Fpid%3D16?
http://dpm.demdex.net/demconf.jpg?et...ddthis.com%2F?
http://su.addthis.com/red/usync?pid=... 656811&ssrc=3

Remove the following redirect chain if possible:

http://ib.adnxs.com/getuid?http%3A%2...UID%26ssrc%3D1
http://ib.adnxs.com/bounce?%2Fgetuid...%2526puid%253?
http://su.addthis.com/red/usync?pid=...0963602&ssrc=1

Remove the following redirect chain if possible:

http://segment-pixel.invitemedia.com...&sscs_active=1
http://cm.g.doubleclick.net/pixel?go...OBUB4tNORjCQ==
http://g-pixel.invitemedia.com/gmatc...o ogle_cver=1

Remove the following redirect chain if possible:

http://adadvisor.net/adscores/g.pixel?sid=9201991568
http://su.addthis.com/red/usync?pid=11121&puid=&ssrc=3

Remove the following redirect chain if possible:

http://ds.reson8.com/vendor.gif?v=CS&c=51945a355739fb23
http://ds.reson8.com/pop.gif?RCOUNT=1

Remove the following redirect chain if possible:

http://i.w55c.net/ping_match.gif?st=...uid%3D_wfivef?
http://su.addthis.com/red/usync?pid=...5793d2f&ssrc=1

Remove the following redirect chain if possible:

http://tacoda.at.atwola.com/atx/sync...default?ssrc=3
http://su.addthis.com/red/usync?pid=...158svpj&ssrc=3

Remove the following redirect chain if possible:

http://tags.bluekai.com/site/13961?i...Fusync%3Fpid%?
http://su.addthis.com/red/usync?pid=...H%2Cdal&ssrc=1

bean-aid 05-15-2013 09:30 PM

Do you have backups? Looks like you have an injection. I didn't click any of your links btw, just my experience to wipe it out and replace with a backup.

EnterpriseVpsSolutions 05-15-2013 09:34 PM

There are site testing tools to see if it's infected. sitecheck.sucuri.net is one such site. Also try running maldet on the system or some anti-virus tool. It sucks losing data, but the last recourse would be a full system restore.

Colmike9 05-15-2013 09:39 PM

See if your host knows how to remove it without losing your stuff (Backup first ;) )

Dankasaur 05-15-2013 09:42 PM

Quote:

Originally Posted by beaner (Post 19626986)
Do you have backups? Looks like you have an injection. I didn't click any of your links btw, just my experience to wipe it out and replace with a backup.

That's not very productive... They'll just inject the stuff again... Best to remove the injections and pinpoint where they are doing it and have it patched... Reverting to a backup is only a temporary solution and not even a good one.

tonyparra 05-15-2013 09:47 PM

Quote:

Originally Posted by beaner (Post 19626986)
Do you have backups? Looks like you have an injection. I didn't click any of your links btw, just my experience to wipe it out and replace with a backup.

The links don't lead anywhere, I tried them. I can't find a reference to this stuff in any of the source code.

brassmonkey 05-15-2013 09:47 PM

thanx for posting it here :1orglaugh

tonyparra 05-15-2013 09:51 PM

Quote:

Originally Posted by EnterpriseVpsSolutions (Post 19626989)
There are site testing tools to see if it's infected. sitecheck.sucuri.net is one such site. Also try running maldet on the system or some anti-virus tool. It sucks losing data, but the last recourse would be a full system restore.

Full system restore is not an option. I checked it on Google's VirusTotal:

https://www.virustotal.com/en/file/0...ec33/analysis/

Doesn't seem to carry a virus but is used to capture traffic? So it's redirecting some traffic? :helpme

2013 05-15-2013 10:02 PM

your links gave me herpes

bean-aid 05-15-2013 10:03 PM

Quote:

Originally Posted by Dankasaur (Post 19626995)
That's not very productive... They'll just inject the stuff again... Best to remove the injections and pinpoint where they are doing it and have it patched... Reverting to a backup is only a temporary solution and not even a good one.

Restore site, get rid of virus and/or malware, pinpoint the hole. I highly doubt his site is being attacked by a watchful eye and needs immediate attention regarding security breach.

Which is very likely to be a wordpress hole. But it would suck without the backup. Host may be able to help. They should be able to run a scan of the entire server.

tonyparra 05-15-2013 10:12 PM

Quote:

Originally Posted by beaner (Post 19627008)
Host may be able to help. They should be able to run a scan of the entire server.

They ran a malware scan and didn't find anything :(

Colmike9 05-15-2013 10:17 PM

Quote:

Originally Posted by tonyparra (Post 19627024)
They ran a malware scan and didn't find anything :(

Do you have it on G Webmaster Tools? If so, does that detect anything?

harvey 05-15-2013 10:55 PM

say hi to your Ukraine friends!

and yes, that's an injection known as CAP of type network or traffic capture. Tell your host to look for something like the info below

Quote:

SHA256: 087b5875e50f96f1c60b993342ab814346f13ecdbb50a1652788b873745fec33
SHA1: ea934a5b9510fe54f939579dcbc2e15c0303d64a
MD5: 43811ffb30ce880d19aa20c693a138e0
File size: 35.1 MB ( 36819703 bytes )
File name: pcaptest1.pcap
File type: Network capture

tonyparra 05-16-2013 09:37 AM

Quote:

Originally Posted by harvey (Post 19627066)
say hi to your Ukraine friends!

and yes, that's an injection known as CAP of type network or traffic capture. Tell your host to look for something like the info below

Host still can't find this. Would it be in certain areas?

_Richard_ 05-16-2013 09:52 AM

Quote:

Originally Posted by harvey (Post 19627066)
say hi to your Ukraine friends!

and yes, that's an injection known as CAP of type network or traffic capture. Tell your host to look for something like the info below

:thumbsup:thumbsup:thumbsup

Antonio 05-16-2013 10:50 AM

1 check your .htaccess
2 if WordPress, check the theme php files

look for: nVRNj9owEL33Z1gqShqj+iMOdr3e....
#c3284d#

and all the other stuff the IT Crowd guy posted
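
The check described in the post above, as an added example that is not part of the thread: a scanner that walks a site root and reports `.htaccess` and `*.php` lines containing the two indicators quoted there. The function names, the `eval()` heuristic and the sample docroot are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Indicators quoted in the post above; the base64 string is truncated on the page.
MARKER = "#c3284d#"
B64_PREFIX = "nVRNj9owEL33Z1gqShqj+iMOdr3e"
# Assumption (not from the thread): heuristic for eval() on a decode/inflate call.
PACKED_PHP = re.compile(r"eval\s*\(\s*(gzinflate|gzuncompress|base64_decode)\s*\(", re.I)
CHECKS = [
    ("marker " + MARKER, lambda line: MARKER in line),
    ("known base64 prefix", lambda line: B64_PREFIX in line),
    ("eval() of decoded data", lambda line: bool(PACKED_PHP.search(line))),
]

def scan_file(path):
    """Return [(line_number, reason), ...] for one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            hits += [(lineno, why) for why, test in CHECKS if test(line)]
    return hits

def scan_tree(root):
    """Scan every .htaccess and *.php under root; return {relative_path: hits}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == ".htaccess" or name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[os.path.relpath(full, root)] = hits
    return findings

def build_sample_tree(root):  # constructed docroot: one clean file, two flagged
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    samples = [
        (os.path.join(root, ".htaccess"), "#c3284d#\nRewriteEngine On\n"),
        (os.path.join(theme, "footer.php"), "<?php eval(gzinflate(base64_decode('" + B64_PREFIX + "')));\n"),
        (os.path.join(theme, "index.php"), "<?php get_header(); ?>\n"),
    ]
    for path, text in samples:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(sorted(scan_tree(tmp).items()))
```

To check a real site, call `scan_tree()` on the document root; a clean result only means these specific strings are absent.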

Diomed 05-16-2013 12:39 PM

Christ you guys know too much.

grzepa 05-16-2013 01:11 PM

Is it safe to use the AddThis widget?

tonyparra 05-16-2013 02:30 PM

Quote:

Originally Posted by grzepa (Post 19627952)
Is it safe to use the AddThis widget?

I'm not using or wanting to use the widget. I have this theme on several other sites, on several other hosts, none of the same redirects.

harvey 05-16-2013 02:41 PM

so, did you fix it?

tonyparra 05-16-2013 04:40 PM

Quote:

Originally Posted by harvey (Post 19628088)
so, did you fix it?

:mad: no have headache now need beer try later

signupdamnit 05-16-2013 04:49 PM

I've read about some apache hacks lately where instead of merely messing with the configuration or site files they have been replacing the actual binary. See http://www.webhostingtalk.com/showthread.php?t=1260736


All times are GMT -7.