Gals4free

Hey guys,

Allright, i posted my problem a few days ago without to much usefull feedback to get the problem solved. So since i need this solved, im offering $100 to anyone who can permanently solve my problem.

I run www.gals4free.net, and since about a week, when i click to see galleries i sometimes get www.mea-movies.com (NOTE: not the original mia-movies.com, but someone who is ripping that site). This is very odd, as:

1. I dont trade with that site
2. Its not gallery specific, as i checked this and got it even on my own galleries
3. its not some other trade trying to fuck me
4. its no spy/adware as i checked this from many different pc's by now.

I had the more common stuff ruled out, ATX got checked twice and its for sure not that. My bet is on comus, but with Tony in hospital and someone else checking, who said its not comus, i cant be 100%. Apache got checked, and so did htaccess.

So basicly, anyone who knows the permanent solution to this and it actually works, ill be more then happy to send $100.

ICQ me if you think you know : 59661018

Regards

Steve

Link to old topic incase you can pick up usefull info there : http://www.gofuckyourself.com/showthread.php?p=7518727

__________________
At Kodify we have in excess of 5M visitors a day through our network that consists of www.PornTube.com www.4Tube.com www.PornerBros.com and www.Fux.com. We operate a very successful Content Publishing Platform at http://content.porntube.com where you can expose your content to our audience!

FunForOne

Only help I can give you is a bump

DamageX

I second that, for now.

__________________

xXxtreme2005

strange but ill bump it for ya

__________________


GOT TRAFFIC?.......I BUY TRAFFIC ICQ 318-368-640

ssp

Are you using a free tradescript? Could it be that the 1% of your traffic is sent to a website of the tradescript owner? Perhaps you clicked too much and excessive clicks get sent to that site. Hope this helps you.

Gals4free

nope... clearly states in my first post i use ATX

__________________
At Kodify we have in excess of 5M visitors a day through our network that consists of www.PornTube.com www.4Tube.com www.PornerBros.com and www.Fux.com. We operate a very successful Content Publishing Platform at http://content.porntube.com where you can expose your content to our audience!

klinton

are you 100 % sure that none of your trades doesn't redirect to mia-movies in any way ?

anyway, bump for you.

brilsmurf

bump for you!

__________________
The Best Adult Web Hosting of 2008 - http://www.adulthosting.com
Affiliate Program – http://www.sxcash.com

nosey

add mea-movies.com to your trade script & disable it

__________________

| Domain whois privacy Free || GFY favored Hosting |
$Chaturbate || FpcTraffic FPCPlugs || PlugRush Traffic

boner 2.0

Another bump... Very strange

__________________

Gals4free

Wont stop it.. i was checking the ATX logs with ATX scripter today, and the hits that go to mea-movies are not going through ATX.. so im pretty sure its something on comus site, before they send the url to atx.

__________________
At Kodify we have in excess of 5M visitors a day through our network that consists of www.PornTube.com www.4Tube.com www.PornerBros.com and www.Fux.com. We operate a very successful Content Publishing Platform at http://content.porntube.com where you can expose your content to our audience!

nosey

yeah its not atx...

clear cache & cookies,
click here > http://www.gals4free.net/ct/cx.php?i=000&s=100&t=1
second click redirects to mea-movies.com

re-install comus, script is corrupt

__________________

| Domain whois privacy Free || GFY favored Hosting |
$Chaturbate || FpcTraffic FPCPlugs || PlugRush Traffic

wdsguy

bump for ya

tranza

Damn, that's a tough one... I have no idea...

__________________
I'm just a newbie.

taibo

bump.. somebody in here should know

sixzeros

Just took a look at Comus for you.

It looks like someone has stolen your FTP account and has placed their own code on the system, and have removed comus.

They've renamed the main cx.php to ctx.php and they are using zend encoded PHP scripts, so it is hard to see exactly what they have dumped on there, but we know at least it is a simple script of less than 1000 bytes long.

It would appear that they have also dumped a trojan on the machine, because they appear to be able to change files that neither comus nor your FTP account would naturally have the ability/permissions to change.

One way someone can test if they might be infected is to check the file size of /ct/cx.php if it less than 10k then you have a very suspect situation.

I suggest you move everything to a new server, and be very selective about what PHP files you copy over, best bet is to reinstall comus and your trade scripts clean, and then import the data and templates only.

I thought I posted earlier but it didnt seem to take, I suggested using commview, its a packet sniffer that lets you see what headers are being generated, so you can see exactly what is happening in your browser.. You would have been able to see that clicks were bouncing from index page -> cx.php -> ctx.php -> ATX .. and by comparing the path to a non-hacked site you'd see the different path and the culprit files. ctx.php should not be there.

I've never actually seen anyone do this before, its a first, but now that it has happened, I'll make something in Comus that will run an auto integrity check of the main files, it should make it impossible for anyone to do this again.

I feel for ya bro, F@$@#$'n hackers suck

-----------------
sixzeros - Comus Thumbs Author

Dirty F

Well at least you know where to find the asswiper. Contact his host and shit.

brilsmurf

franck, you still need a transfer? i can do it now

__________________
The Best Adult Web Hosting of 2008 - http://www.adulthosting.com
Affiliate Program – http://www.sxcash.com