hacker alert - GoFuckYourself.com

jpoker · 10-07-2005, 11:36 AM

one of our MGPs just got hacked and was dishing out a trojan. I discovered an iframe in the HTML code that had this as the src:

"hahaha104;hahaha116;hahaha116;hahaha112;hahaha58; hahaha47;hahaha47;hahaha116;hahaha114;hahaha97;hah aha102;hahaha102;hahaha115;hahaha97;hahaha108;haha ha101;hahaha46;hahaha98;\
hahaha105;hahaha122;hahaha47;hahaha100;hahaha108;h ahaha47;hahaha97;hahaha100;hahaha118;hahaha52;haha ha52;hahaha49;hahaha46;hahaha112;hahaha104;hahaha1 12;"

I've just heard of this happening to a couple of other people as well so I suggest you check your sites to see if it has occured to you as well.

So far I have no idea how the code was actually inserted. We run autogallery sql 3.03 and tm3. The server otherwise looks clean from what the security guys can tell.

- jpoker

diggz · 10-07-2005, 12:18 PM

You are using a version of AGSQL with a security hole. I suggest you visit jmbsoft.com and PATCH!

jpoker · 10-07-2005, 02:20 PM

Thanks, I will look into that.

KyleHoppes · 10-07-2005, 02:22 PM

Quote:

Originally Posted by jpoker

one of our MGPs just got hacked and was dishing out a trojan. I discovered an iframe in the HTML code that had this as the src:

"hahaha104;hahaha116;hahaha116;hahaha112;hahaha58; hahaha47;hahaha47;hahaha116;hahaha114;hahaha97;hah aha102;hahaha102;hahaha115;hahaha97;hahaha108;haha ha101;hahaha46;hahaha98;\
hahaha105;hahaha122;hahaha47;hahaha100;hahaha108;h ahaha47;hahaha97;hahaha100;hahaha118;hahaha52;haha ha52;hahaha49;hahaha46;hahaha112;hahaha104;hahaha1 12;"

I've just heard of this happening to a couple of other people as well so I suggest you check your sites to see if it has occured to you as well.

So far I have no idea how the code was actually inserted. We run autogallery sql 3.03 and tm3. The server otherwise looks clean from what the security guys can tell.

- jpoker

Is your autogallery username and password "admin" ?

Makingcoin · 10-07-2005, 02:42 PM

Sorry to hear that bro, I will check out my sites now.

jpoker · 10-07-2005, 11:12 PM

Quote:

Originally Posted by KyleHoppes

Is your autogallery username and password "admin" ?

I've been known to do silly things, but I didn't leave the default password
as admin, though i did leave the username as 'admin' and that opens me up to brute force attacks i guess.

Fucksakes · 10-07-2005, 11:17 PM

my server been pretty fucking slow too

Fucksakes · 10-07-2005, 11:19 PM

may I ask where you are hosted?

High Quality · 10-07-2005, 11:22 PM

Ouch, that sounds no fun.

Ace_luffy · 10-07-2005, 11:22 PM

that's scares me

phonesex · 10-07-2005, 11:24 PM

Id call the hosting company fast

darksoul · 10-07-2005, 11:27 PM

do you have any php scripts ?
those are usually the culprit.

SmokeyTheBear · 10-07-2005, 11:33 PM

that doesnt look like the full code..

traffsale.biz ?

SmokeyTheBear · 10-07-2005, 11:38 PM

looks like thats the domain registered a few days ago..

oh its that idiot..

http://traffsale.biz/dl/adv435.php

SmokeyTheBear · 10-07-2005, 11:38 PM

same guy that got sleazy and thehun

SmokeyTheBear · 10-07-2005, 11:40 PM

pretty sure this site has something to do with it

( affiliate / trade partner)

http://marta.sexmadams.net/?rev=variusmanx

SmokeyTheBear · 10-07-2005, 11:42 PM

http://traffsale.biz/dl/

theres the directory of the crapola

SmokeyTheBear · 10-07-2005, 11:45 PM

looks like a directory of ip's of infected users..

http://traffsale.biz/dl/ips/

SmokeyTheBear · 10-08-2005, 01:32 PM

looks like he changed a few things

ServerGenius · 10-08-2005, 01:49 PM

chkrootkit

pornguy · 10-08-2005, 01:54 PM

The good thing is, that this guy will continue to get away with this, because itis far more important to arrest pornographers than hackers.

10-07-2005, 11:36 AM	#1
jpoker Confirmed User Join Date: Feb 2003 Location: Vancouver Posts: 362	hacker alert one of our MGPs just got hacked and was dishing out a trojan. I discovered an iframe in the HTML code that had this as the src: "hahaha104;hahaha116;hahaha116;hahaha112;hahaha58; hahaha47;hahaha47;hahaha116;hahaha114;hahaha97;hah aha102;hahaha102;hahaha115;hahaha97;hahaha108;haha ha101;hahaha46;hahaha98;\ hahaha105;hahaha122;hahaha47;hahaha100;hahaha108;h ahaha47;hahaha97;hahaha100;hahaha118;hahaha52;haha ha52;hahaha49;hahaha46;hahaha112;hahaha104;hahaha1 12;" I've just heard of this happening to a couple of other people as well so I suggest you check your sites to see if it has occured to you as well. So far I have no idea how the code was actually inserted. We run autogallery sql 3.03 and tm3. The server otherwise looks clean from what the security guys can tell. - jpoker

10-07-2005, 02:42 PM	#5
Makingcoin Confirmed User Join Date: Aug 2002 Location: The Ditch Posts: 8,919	Sorry to hear that bro, I will check out my sites now. __________________ www.MAKINGCOIN.com icq. 166-662-831 "Start making large coin!" Daddy I Get Paid To Be A Whore - Coming Soon

10-07-2005, 11:22 PM	#9
High Quality Confirmed User Join Date: Feb 2002 Location: Vegas Posts: 5,741	Ouch, that sounds no fun. __________________ RecurCash.com - Averaging $38/sale with 60% revshare in the first 4 months alone! Convert your TEEN traffic today @ better than 1:500 guaranteed. ICQ me: 18287590!

10-07-2005, 11:22 PM	#10
Ace_luffy www.creationcrew.com Industry Role: Join Date: Feb 2005 Location: CREATIONCREW.COM CREATIONCREW.COM CREATIONCREW.COM CREATIONCREW.COM CREATIONCREW.COM CREATIONCREW.COM Posts: 12,110	that's scares me __________________ ++ Adult and Mainstream Websites Designs \| 10 banners for only $50 \| html5 Banners ++ email : [email protected] Telegram : https://t.me/creationcrew \| HTML5/Responsive Site - Div/CSS - ElevatedX - NATs - Wordpress

10-07-2005, 11:24 PM	#11
phonesex Confirmed User Join Date: Mar 2005 Location: Phone Sex Pays! Believe it! Posts: 3,437	Id call the hosting company fast __________________ Phone Sex Pays Make $1.50 a minute! CLICK HERE TO SIGN UP NOW

10-07-2005, 12:18 PM	#2
diggz Registered User Join Date: Apr 2005 Location: Sig Spot. Check. Posts: 302	You are using a version of AGSQL with a security hole. I suggest you visit jmbsoft.com and PATCH!

10-07-2005, 02:20 PM	#3
jpoker Confirmed User Join Date: Feb 2003 Location: Vancouver Posts: 362	Thanks, I will look into that.

10-07-2005, 11:17 PM	#7
Fucksakes Shit... Fuck! What the Hell? Industry Role: Join Date: Dec 2003 Posts: 7,567	my server been pretty fucking slow too

10-07-2005, 11:19 PM	#8
Fucksakes Shit... Fuck! What the Hell? Industry Role: Join Date: Dec 2003 Posts: 7,567	may I ask where you are hosted?

10-07-2005, 11:27 PM	#12
darksoul Confirmed User Join Date: Apr 2002 Location: /root/ Posts: 4,997	do you have any php scripts ? those are usually the culprit. __________________ 1337 5y54\|)m1n: 157717888 BM-2cUBw4B2fgiYAfjkE7JvWaJMiUXD96n9tN Cambooth

10-07-2005, 11:33 PM	#13
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	that doesnt look like the full code.. traffsale.biz ? __________________ hatisblack at yahoo.com

10-07-2005, 11:38 PM	#14
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	looks like thats the domain registered a few days ago.. oh its that idiot.. http://traffsale.biz/dl/adv435.php __________________ hatisblack at yahoo.com

10-07-2005, 11:38 PM	#15
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	same guy that got sleazy and thehun __________________ hatisblack at yahoo.com

10-07-2005, 11:40 PM	#16
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	pretty sure this site has something to do with it ( affiliate / trade partner) http://marta.sexmadams.net/?rev=variusmanx __________________ hatisblack at yahoo.com

10-07-2005, 11:42 PM	#17
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	http://traffsale.biz/dl/ theres the directory of the crapola __________________ hatisblack at yahoo.com

10-07-2005, 11:45 PM	#18
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	looks like a directory of ip's of infected users.. http://traffsale.biz/dl/ips/ __________________ hatisblack at yahoo.com

10-08-2005, 01:32 PM	#19
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	looks like he changed a few things __________________ hatisblack at yahoo.com

10-08-2005, 01:49 PM	#20
ServerGenius Confirmed User Join Date: Feb 2002 Location: Amsterdam Posts: 9,377	chkrootkit __________________ \| http://www.sinnerscash.com/ \| ICQ: 370820 \| Skype: SinnersCash \| AdultWhosWho \|

10-08-2005, 01:54 PM	#21
pornguy Too lazy to set a custom title Industry Role: Join Date: Mar 2003 Location: Homeless Posts: 62,911	The good thing is, that this guy will continue to get away with this, because itis far more important to arrest pornographers than hackers. __________________ PornGuy skype me pornguy_epic AmateurDough The Hottes Shemales online! TChicks.com \| Angeles Cid \| Mariana Cordoba \| MAILERS WELCOME!