Greenguy's Board - View Single Post - Link Fabulous

cd34 · 2008-07-29, 06:22 PM

Having looked at his pages expecting to see something that two clients were recently nailed with, there are two possibilities.

1) he already found it, removed it, submitted his request in webmaster-tools for reinclusion and it hasn't been processed yet (takes about 24-48 hours)

or

2) a particular counter on there loading through javascript has been compromised or is sending out exploits. The only code on each of the pages that I see that appears consistent is the sextracker counter.

However, on the page you showed, I see nothing suspicious -- almost pointing at case #1 since there is no counter code.

He is using adcycle, which could have rotated in a bad banner, but, based on the number of links in google that are flagged, I'm still leaning towards #1.

I don't know the guy, but, figured the data point might at least help someone out that may have been hit and is trying to clean the mess up. Or, maybe noticed the problem, but, not the google issue.

I had a client that had over 19000 files modified through a compromised FTP account over a period of 45 days. We changed the password, cleaned things up, he changed the password back to what it was (doh!), and in the middle of the night, another 9400 pages were modified.

Might give the benefit of the doubt, perhaps someone can contact him, but, this type of attack appears to be more common and much more noticeable as people move to Firefox 3 which complains quite loudly when visiting exploited sites.

2008-07-29, 06:22 PM	#3
cd34 a.k.a. Sparky Join Date: Sep 2004 Location: West Palm Beach, FL, USA Posts: 2,396	Having looked at his pages expecting to see something that two clients were recently nailed with, there are two possibilities. 1) he already found it, removed it, submitted his request in webmaster-tools for reinclusion and it hasn't been processed yet (takes about 24-48 hours) or 2) a particular counter on there loading through javascript has been compromised or is sending out exploits. The only code on each of the pages that I see that appears consistent is the sextracker counter. However, on the page you showed, I see nothing suspicious -- almost pointing at case #1 since there is no counter code. He is using adcycle, which could have rotated in a bad banner, but, based on the number of links in google that are flagged, I'm still leaning towards #1. I don't know the guy, but, figured the data point might at least help someone out that may have been hit and is trying to clean the mess up. Or, maybe noticed the problem, but, not the google issue. I had a client that had over 19000 files modified through a compromised FTP account over a period of 45 days. We changed the password, cleaned things up, he changed the password back to what it was (doh!), and in the middle of the night, another 9400 pages were modified. Might give the benefit of the doubt, perhaps someone can contact him, but, this type of attack appears to be more common and much more noticeable as people move to Firefox 3 which complains quite loudly when visiting exploited sites. __________________ SnapReplay.com a different way to share photos - iPhone & Android