Traffic leak - AFF hack?

[CrazyWhiteMan]

Hi,

So about a month ago traffic to my website decreased by around 20%. Initially I though it was google panda update and I was out of luck. The website is hornygamer.com

However, I noticed something weird - traffic has decreased by a similar percentages from all sources - organic, direct, and referral.

I am using trade expert paid version, as well as google analytics they both show a decrease in traffic from all sources, which made be alarmed, especially since I know for a fact that the traffic from certain referrals did not change.

So, I made the following test:

I purchased a monthly advert on juicyads and sent the traffic to hornygamer.com for about a week. Juicyads said the incoming traffic was about 400/day. Google analytics said it's about 200/day.

Then after a week, I modified the juicyads advert only by changing the URL, leaving the banner the same, and I directed the traffic to a different website. Juicyads reported roughly similar daily traffic sent. However, the google analytics on my other website reported stats a lot more closer to juicyads figures.

So, this led me to believe something is not right.

Then right now I went on a bunch of proxy servers, and tried to access hornygamer.com First few times everything loaded normally, but then some proxy servers redirected to adultfriendfinder!

So, I am suspecting that somewhere on my server there's some sneaky code that is hijacking a percentage of my traffic to AFF.

Did this happen to anyone here before? Can you guys check if you get anything from adultfriendfinder when going to hornygamer.com? I got no pop-ups, sliders, or pop-unders, or redirects.

[newB]

Google link to your site directed me to AFF landing page (pid=p1011105)

[hausarzt]

Wanted hornygamer, got hornygamer. No redirect.
Checked on my android using Chrome.

[pornmasta]

hello i visit you website about 2 time per day and i've never seen this.

btw you were used to list shark's games and now i see that there is games from them listed on gamcore that aren't listed on your website. (it is the first time that you ar not the first to list them)

[Meloman]

1. Typing in hornygamer.com brought me to hornygamer.com

2. Searching hornygamer on google and clicking the link brought me to:

Adult Dating and One Night Stands - AdultFriendFinder

[pornmasta]

Quote:

Originally Posted by Meloman

1. Typing in hornygamer.com brought me to hornygamer.com

2. Searching hornygamer on google and clicking the link brought me to:

Adult Dating and One Night Stands - AdultFriendFinder

yes me too.

check your htaccess file

[takethebluepill]

Same....when going from the google result, I can see a total of three hops until it lands on an AFF page. On the second attempt it then goes to your regular front page. I will try to recreate and provide you with the identity of the hops so that you can get rid of the scum.

[xXXtesy10]

all newbies eat ass

[ctggls]

Super strange, i've nerver seen something similar ... Better do something fast you're losing a lot of traffic...

[freecartoonporn]

its redirecting to adultfriendfinder pid=p1011105

someone got your website good.,

look htaccess

[takethebluepill]

Also, appears to be IP based. It only redirects on the first visit to your site, but not on subsequent visits...even after removing cookies.

[disinfected]

I've had similar issues in past. It is not just the obvious code that creates the problem, it is the sleeper files that put so far into your file structures.

What does host say?

If you want another server manager to eradicate all the shit hit up Chris from admin at way3 dut com and tell him the guy who owns videostripgames.com said you may be able to help.

How many sites do you have on the server, because it will likely effect them all. My breaches always stemmed from wordpress vulnerability.

[CourtneyR_FFN]

CrazyWhiteMan just send you a Private message.

[takethebluepill]

Here's your redirect sequence:

Google - Search for horny gamer
First Hop: axuv.com
Second Hop: escort-ankara.pro
Final: AFF

[Oracle Porn]

most likely one of your scripts got hacked

[WDF]

Talk to Courtney FFN about the aff link if it is not yours.

[CrazyWhiteMan]

Everyone - thank you for all your help, I appreciate it.

I'm trying to find the source of the leak now, and hopefully get this fixed ASAP. Will let you know how it goes.

[Seth Manson]

someone snuck in a 301 or 302 redirect

[TimS]

Searched on Yahoo and was sent to AFF from the search result.

2nd time it goes to your site.

3 hops as outlined above.

[tigermtb]

Sounds like a traffic hijack... either in htaccess or some other code on your website.

You may also sometimes see this with shady advertisers who will redirect a portion of your traffic.

Contact me on an unrelated matter, would like to discuss with you.

[CrazyWhiteMan]

OK, I think I found what it is. I did a quick google search for "pid=p1011105" and seems other websites got infected with exactly the same thing. Which lead me to this:
Apache Binary Backdoors on Cpanel-based servers | Sucuri Blog

Working with my host to fix this now...

[CrazyWhiteMan]

Some more info on this exploit for those interested: Stealthy, malware-spewing server attack not limited to Apache ? The Register

[disinfected]

Interesting. My host never would install C-Panel on my servers even after asking for it. Was what I used with previous hosts. He has his own server admin software that I can add sites and all of that.

Anyway, good luck. If the issue keeps coming back and becomes "one of those things", give my previous post a read.

[takethebluepill]

In the meantime you can go to /usr/local/apache via ssh and do a string search in all files in the directory for axuv (which is first redirect) and you should be able to find the infected file and entry.

[takethebluepill]

Nevermind

[Jel]

should those of us with cpanel hosting be worried? Any easy way to check all sites within a host?

[takethebluepill]

Check out his last link above about the exploit. That article provides a script to check your files.

[Jel]

I'm a tech dumbass, so guess I'll be using the wing and a prayer method

[Seth Manson]

Sure hope AFF bans the webmaster with pid=p1011105.

[Useless Warrior]

Quote:

Originally Posted by Jel

I'm a tech dumbass, so guess I'll be using the wing and a prayer method

I never thought of you as the praying type.

Anyway, it's really something you should leave for your host to patch.

[Captain Kawaii]

Quote:

Originally Posted by Seth Manson

Sure hope AFF bans the webmaster with pid=p1011105.

It's great read when you copy/paste and right click that pid into Google search.

[takethebluepill]

Quote:

Originally Posted by Seth Manson

Sure hope AFF bans the webmaster with pid=p1011105.

Unfortunately if Aff does ban him, the culprit will simply change the redirect destination to another program. As noted above, the page does not redirect directly to AFF, but instead hops through 2 sites first, allowing the final address to be altered without having to change the entries on the hijacked servers.
Best bet might be to send a complaint to the first hops, axuv.com, provider. That address is likely hardcoded into the exploit. If that site goes down, then at least no one will profit from stealing your traffic.

[Jel]

Quote:

Originally Posted by Useless Warrior

I never thought of you as the praying type.

Anyway, it's really something you should leave for your host to patch.

Aw c'mon... my persona screams the praying type

yeah, I'll do my usual extremely undetailed request and let them take it from there

[takethebluepill]

You probably already know this....hornygamer.com is offline.

[CrazyWhiteMan]

OK, I finally got this fixed.

We found the surest way to get rid of this malware was to reset the server, so I had the OS reinstalled, and all is good now. Thank you all for your help.

[pornmasta]

bump....