Link Fabulous - I Have To Pull Our Trade

cd34 · 2008-07-29, 06:22 PM

Having looked at his pages expecting to see something that two clients were recently nailed with, there are two possibilities.

1) he already found it, removed it, submitted his request in webmaster-tools for reinclusion and it hasn't been processed yet (takes about 24-48 hours)

or

2) a particular counter on there loading through javascript has been compromised or is sending out exploits. The only code on each of the pages that I see that appears consistent is the sextracker counter.

However, on the page you showed, I see nothing suspicious -- almost pointing at case #1 since there is no counter code.

He is using adcycle, which could have rotated in a bad banner, but, based on the number of links in google that are flagged, I'm still leaning towards #1.

I don't know the guy, but, figured the data point might at least help someone out that may have been hit and is trying to clean the mess up. Or, maybe noticed the problem, but, not the google issue.

I had a client that had over 19000 files modified through a compromised FTP account over a period of 45 days. We changed the password, cleaned things up, he changed the password back to what it was (doh!), and in the middle of the night, another 9400 pages were modified.

Might give the benefit of the doubt, perhaps someone can contact him, but, this type of attack appears to be more common and much more noticeable as people move to Firefox 3 which complains quite loudly when visiting exploited sites.

SheepGuy · 2008-07-29, 07:06 PM

The same thing happened to me a few months back.
What caused it was a weak FTP password on my end that allowed some scumbag to access my sever and insert a string of malicious java-script. Google noticed it before I did unfortunately.
Luckily I noticed it shortly after and though it took almost 2 weeks to fix it with the google gang and get the warning removed, the only other people who noticed are buddies and they let me know.
It shouldn't have taken that long to get google fixed up, but like an idiot I just removed the malicious code, didn't change my password, and asked google to take another look.
They did, and the code was back.
I removed the code again and since I've changed all of my passwords to alphanumeric strings of gibberish I haven't had any problems.
I would cut this guy some slack, it's very likely not something he did on purpose.

plateman · 2008-07-29, 07:11 PM

yeah I'll hold off, I just can't take any chances with my site getting a pen.

2008-07-29, 07:06 PM	#2
SheepGuy It's the end of the world as we know it, and I feel fine Join Date: Jul 2006 Location: Canada Posts: 2,527	The same thing happened to me a few months back. What caused it was a weak FTP password on my end that allowed some scumbag to access my sever and insert a string of malicious java-script. Google noticed it before I did unfortunately. Luckily I noticed it shortly after and though it took almost 2 weeks to fix it with the google gang and get the warning removed, the only other people who noticed are buddies and they let me know. It shouldn't have taken that long to get google fixed up, but like an idiot I just removed the malicious code, didn't change my password, and asked google to take another look. They did, and the code was back. I removed the code again and since I've changed all of my passwords to alphanumeric strings of gibberish I haven't had any problems. I would cut this guy some slack, it's very likely not something he did on purpose. __________________ If the Environment was a bank, they would have saved it by now. Last edited by SheepGuy; 2008-07-29 at 07:11 PM..

2008-07-29, 07:11 PM	#3
plateman What can I do - I was born this way LOL Join Date: Oct 2003 Location: ohio Posts: 3,086	yeah I'll hold off, I just can't take any chances with my site getting a pen. __________________ Submit to: Porn O Plenty XXX Links Reality Here

2008-07-29, 06:22 PM	#1
cd34 a.k.a. Sparky Join Date: Sep 2004 Location: West Palm Beach, FL, USA Posts: 2,396	Having looked at his pages expecting to see something that two clients were recently nailed with, there are two possibilities. 1) he already found it, removed it, submitted his request in webmaster-tools for reinclusion and it hasn't been processed yet (takes about 24-48 hours) or 2) a particular counter on there loading through javascript has been compromised or is sending out exploits. The only code on each of the pages that I see that appears consistent is the sextracker counter. However, on the page you showed, I see nothing suspicious -- almost pointing at case #1 since there is no counter code. He is using adcycle, which could have rotated in a bad banner, but, based on the number of links in google that are flagged, I'm still leaning towards #1. I don't know the guy, but, figured the data point might at least help someone out that may have been hit and is trying to clean the mess up. Or, maybe noticed the problem, but, not the google issue. I had a client that had over 19000 files modified through a compromised FTP account over a period of 45 days. We changed the password, cleaned things up, he changed the password back to what it was (doh!), and in the middle of the night, another 9400 pages were modified. Might give the benefit of the doubt, perhaps someone can contact him, but, this type of attack appears to be more common and much more noticeable as people move to Firefox 3 which complains quite loudly when visiting exploited sites. __________________ SnapReplay.com a different way to share photos - iPhone & Android