Messages - Shoplifter

1
Trade Pulse Support / Re: A new hack? User agent hack?
« on: May 23, 2014, 12:31:37 AM »
I got the same problem on my sites. Cleaned. But how to fix this vulnerability?

That is a good question. I feel the attacker is getting in through some sort of back door. I can't believe he managed to get the admin passes for my sites as well as for other TP users.

3
Trade Pulse Support / Re: A new hack? User agent hack?
« on: April 27, 2014, 11:12:56 AM »
Hi Shoplifter,
please send me your TP info to kildoozer@scriptpulse.com, I'll check this asap.

Sending now.

I cleaned it out by going into the admin and disabling the redirects. So far so good. I double checked the lock and ran lock.php again but the files in /data/settings are all 777




4
Trade Pulse Support / A new hack? User agent hack?
« on: April 25, 2014, 08:58:23 PM »
Nearly every one of my TP sites now seems to have files in /tp/data/settings/ modified to add a virus site.

For example:

/tp/data/settings/out_redir.set:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/in_redir.set:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/outconf.php:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/in_redir.set.adm:
a:2:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}s:10:"url_mobile";s:0:"";}
/tp/data/settings/in_conf.php:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/out_redir.set.adm:
a:2:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}s:10:"url_mobile";s:0:"";}

I gather that this may redirect that particular user agent to the attack site. In fact the user agent redirect settings in both the in and out areas of the TP control panel are selected.
It seems that the attacker has added a record to the data files in /tp/data/settings to do this. These files are all chmod 777 even if the TP install is locked. Classy stuff, whoever did this knows the software well.
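A defender-side check for the tampering described in this post, added here as an example and not part of the original post or of the Trade Pulse code: it parses the serialized settings files, lists every redirect URL whose host is not on an allow-list, and flags world-writable files. The function names and the allow-list parameter are assumptions; the sample is the in_redir.set.adm record quoted above.

```python
import stat
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample: the in_redir.set.adm contents quoted in the post.
SAMPLE = b'a:2:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}s:10:"url_mobile";s:0:"";}'

def php_unserialize(data, pos=0):
    """Parse the PHP serialize() subset seen here (a, s, i, b); return (value, next_pos)."""
    t = data[pos:pos + 1]
    if t in (b"i", b"b"):
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1         # booleans come back as 0/1
    if t in (b"s", b"a"):
        colon = data.index(b":", pos + 2)
        n, pos = int(data[pos + 2:colon]), colon + 2   # skip ':"' or ':{'
        if t == b"s":                                  # n is a byte length
            return data[pos:pos + n].decode("utf-8", "replace"), pos + n + 2
        out = {}
        for _ in range(n):                             # n key/value pairs
            key, pos = php_unserialize(data, pos)
            out[key], pos = php_unserialize(data, pos)
        return out, pos + 1                            # skip '}'
    raise ValueError("unsupported token at offset %d" % pos)

def find_redirects(value, allowed_hosts, path=()):
    """Yield (key path, url) for each URL value whose host is not allow-listed."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from find_redirects(v, allowed_hosts, path + (str(k),))
    elif isinstance(value, str) and value.lower().startswith(("http://", "https://")):
        if urlparse(value).hostname not in allowed_hosts:
            yield "/".join(path), value

def scan_settings(directory, allowed_hosts=frozenset()):
    """Report world-writable files and off-list redirect URLs in a settings directory."""
    report = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        if path.stat().st_mode & stat.S_IWOTH:
            report.append((path.name, "mode", "world-writable"))
        try:
            parsed, _ = php_unserialize(path.read_bytes())
        except ValueError as exc:                      # not this subset: review by hand
            report.append((path.name, "unparsed", str(exc)))
            continue
        report.extend((path.name, k, u) for k, u in find_redirects(parsed, allowed_hosts))
    return report
```

Run `scan_settings()` against a copy of the settings directory with the hosts you configured yourself as `allowed_hosts`; anything left in the report is a redirect target or permission you did not set.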

5
Trade Pulse Support / Re: Sites skimming from TP
« on: April 25, 2014, 01:35:56 PM »
This has really gone on for far too long. Every day it's a new illegal browser locking site like http://gbhpolices.biz/parabola.html

I have about 50 sites still running TP and the only reasons I haven't changed them is that I didn't have the time. But seeing as this is costing any chance of sales or SEO I will have to start moving them over the weekend.

6
Trade Pulse Support / Re: Sites skimming from TP
« on: January 14, 2014, 09:42:55 PM »
I was just testing a few of my sites out and the free version skim is being sent to some outrageous sites.

If the first click on any thumb is literally disabling the client's browser or infecting his machine then I would say it is a very serious issue.

7
Trade Pulse Support / Compatible with PHP 5.3 now?
« on: May 13, 2013, 06:21:16 PM »
Is it working with 5.3 nowadays?

Moving to a new server setup and it seems unlikely we can get 5.2

Thanks!

8
Trade Pulse Support / Re: How to deal with TP hack
« on: June 13, 2012, 06:05:24 PM »
What does the include say...? Is it reading from a folder on your server? Is it calling up an iframe?

It's encoded and I don't know what it says. It seems to cause TP to send about every 4th click to some tube site.

9
Trade Pulse Support / Re: How to deal with TP hack
« on: June 12, 2012, 07:35:09 PM »
So I am finding that the geoip.inc in most of my installs has an include in it again.

Was this found to be dangerous or not ?

 :(

10
Trade Pulse Support / Re: New update available everyday!
« on: March 14, 2012, 11:41:36 AM »
This has happened on my cleaned and locked sites as geoip.inc is not locked.

The good news is that you can update the file without unlocking the whole site from the CLI again lol.

 :'(

11
Trade Pulse Support / Re: How to deal with TP hack
« on: March 14, 2012, 11:27:48 AM »
geoip.inc is now being hacked on my servers. I see that this one is not locked down.

I wonder if they can modify this to send certain coded traffic somewhere else. 

This is just silly now. 

12
Trade Pulse Change Log / Re: TP Version 1.0.9 build 44
« on: March 06, 2012, 01:39:08 PM »
This has been a real eye opener for me, I just did updates to all sites and checked tpupdater.php in each and found 22 hacked sites.

This explains a lot, as even after Killdozer helped me out I could not figure out why I would see a 20% or so skim if I did manual clicks to thumbs on my sites. In a lot of cases I thought the sites had already been cleaned and updated as the scanner was showing ok etc.

In my case it was already showing version 44 on many of the sites so whoever is doing this is very much paying attention to what is going on and is being more than clever about it.

The next big step is finding the shell exec door scripts (if there are any) that this guy is using, or it is only a short matter of time before the next exploit even with the file lock.


13
Trade Pulse Support / Re: build 43 / hacked again
« on: February 28, 2012, 11:58:24 AM »
Kildoozer sent U email/icq message anyway we need tp/ftp access - email to info@scriptpulse.com AND kildoozer@scriptpulse.com

Message sent to Killdozer. Thanks for the help!


14
Trade Pulse Support / Re: build 43 / hacked again
« on: February 23, 2012, 12:32:22 PM »
Four of my sites were hacked again, the scanner shows the wrong date and checksum for tp_in.php. Doing an upgrade seems to clear the tp_in.php scan error.

One of the sites is now blocked by Google safe browsing with the following message:

What happened when Google visited this site?
Of the 16 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-23, and the last time suspicious content was found on this site was on 2012-02-23.
Malicious software includes 5 scripting exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 3 domain(s), including simplenssentinel.de.gg/, smartjcchecker.de.gg/, simple-dtnetwork.it.cx/.

4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including ringostart.osa.pl/, safesoftcy.com/, simplenssentinel.de.gg/.

This site was hosted on 1 network(s) including AS30266 (A1COLO).

Arrrrgggghhhh....


15
Trade Pulse Support / Re: build 43 / hacked again
« on: January 31, 2012, 12:30:09 PM »
2 Shoplifter: what updater said? I mean all files were updated successfully?

After an update the scan is clear, but I have others saying they are getting safe browsing warnings on my sites. I can't see the warning with Chrome so I am not sure what is up.

Traffic is way down tho so something is wrong that I cannot see.
