Plished? Hijacked? Bad Bad Bad

Random stuff about serendipity. Discussion, Questions, Paraphernalia.
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Plished? Hijacked? Bad Bad Bad

Post by Timbalu »

rj wrote:I deleted one of the articles that was corrupted by this and it made no difference, crap still in the article when I refresh.
What does that tell you????
For me it seems obvious you have it cached somewhere, else you could not refresh. :)
And these are cached in your db ... maybe in entryproperties or somewhere else, or even in templates_c.

Ian
rj
Regular
Posts: 477
Joined: Sun Sep 10, 2006 2:53 pm

Re: Plished? Hijacked? Bad Bad Bad

Post by rj »

Well the upgrade went well. Finished, and the blog loads faster!
But the hijack or whatever it is can still be found at

http://angelicreikiamerica.com/question ... o-hombres/

I deleted a few more articles that had stuff in them there, and took out all the offending nuggets full of crap inactive to see if anything changed on this hijack page or whatever it is.

Nope, nothing changes.

I just don't understand what this is or what purpose it serves anyone, or why Google holds me liable for a URL that is not mine. What is this thing? I can't even find anyone who has a name for it, so I don't know how to ask for help. Hand loading and reading over 6000 big articles in the DB seems beyond a reasonable solution. I doubt I could even accomplish that in the now 40 hours I have left even if I went without sleep.

Has anyone actually LOOKED at that url and maybe a PAGE VIEW to maybe find what is going on?

I think that is the issue. I have no idea what is going on. It makes no sense to me. What is this? :)

Thanx, RJ
One other question. The ftp program I use with FIREFOX has everything now at 777.
What should the serendipity folders and files be? And the Public_HTML everything is in?
rj
Regular
Posts: 477
Joined: Sun Sep 10, 2006 2:53 pm

Re: Plished? Hijacked? Bad Bad Bad

Post by rj »

At the AdSense forum they told me to AD BLOCK the URL.
The function does not accept more than 64 characters and the offending url is 80.
So I added just the top of the domain which took me to an ftp page.

http://angelicreikiamerica.com

Only four folders. The one called elsinore/ is a long long list of links, every one of them using my page.
All seem to be from the same copy of my page from Dec 31/Jan 1.

And does this tag in the parent directory mean anything?

Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at angelicreikiamerica.com Port 80
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Plished? Hijacked? Bad Bad Bad

Post by Timbalu »

rj wrote:I deleted a few more articles that had stuff in them there, and took out all the offending nuggets full of crap inactive to see if anything changed on this hijack page or whatever it is.
How exactly did you do it? Inside Serendipity with edit entry and save? Or outside via SQL dump or phpMyAdmin?
rj wrote:Nope, nothing changes.
As I said there is still some sort of cache active.
  • Download the database as a dump.
  • Open it in a good editor (not Windows Notepad) like...
  • Search for phrases like "hombres desnudos cojiendo" that you can find as crap.
  • Erase that entry,
  • and so on.
  • Upload the database again.
rj wrote:I just don't understand what this is or what purpose it serves anyone, or why Google holds me liable for a URL that is not mine.
You are the owner and you have the responsibility to keep your server clean :!:

I think you don't like reading. You get answers, but you do not follow them consequently enough.
Hopefully this is just a flash, otherwise I could not help further.
About the perms, read Don's link and FAQ, and make yourself familiar with permissions. You can't manage a server without knowing these basics. This is what 'kleiner chemiker' told you some time ago, remember?

Ian
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Plished? Hijacked? Bad Bad Bad

Post by Timbalu »

In addition:
If you look at your source code you see:

Code:

<div class="plugin_comment_wrap"><div class="plugin_comment_subject"><p>fotos de hombres peludos en tangas</p>===skipped===</div>

<div class="plugin_comment_date">Sat, 01.01.2011 23:34</div>
<div class="plugin_comment_body"><p>hombres follando a las mujeres dormidas</p>===skipped===<p>hombres viejos desnudos</p>Ha...Now you know why I didn't
 post any [...]</div>
which means this is some sort of comment spam on the one hand :!:

Since you only allow comments to registered users, you should check which user did this to you.
This points to a totally new direction.
  • The registration of users is potentially vulnerable and open
or
  • some of your registered users got hijacked and their login is open to the hacker.
That is why there are also entries with spam in the keywords and the description meta tag, which should have got infected by editing entries via the metadesc plugin.

I think now you know what to do.

Good luck.

Ian

Edit:
I never really understood that http://angelicreikiamerica.com isn't yours and it just takes your content.
If this isn't some sort of DNS hijacking, it must be inside your htaccess or your web server's config pointing your site to the mentioned one.
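
An added example, not part of any post in this thread: the dump check Timbalu describes (search the SQL dump for the spam phrases) done with a script that also reports which table each hit sits in, so spam stored as comments can be told apart from spam in entry properties or entry text. The function names are hypothetical, the table names assume the default "serendipity_" prefix, and the sample rows and phrases are constructed placeholders.

```python
import re
import sys
from collections import Counter

# Constructed sample dump (not from the thread). Table names assume the
# default "serendipity_" prefix; the phrases are placeholders for the spam
# strings you actually see in your own page source.
SAMPLE_DUMP = """\
INSERT INTO `serendipity_entries` VALUES (1,'New Year','<p>Happy new year.</p>');
INSERT INTO `serendipity_comments` VALUES (7,1,'SPAMPHRASE-ONE','<p>spamphrase-two</p>');
INSERT INTO `serendipity_entryproperties` VALUES
(1,'meta_description','SpamPhrase-One and more'),
(2,'meta_keywords','reiki, healing');
"""

INSERT_RE = re.compile(r'^INSERT INTO [`"]?(\w+)', re.IGNORECASE)

def scan_dump(lines, phrases, context=30):
    """Return (line_no, table, phrase, snippet), one hit per phrase per line."""
    needles = [p.lower() for p in phrases]
    hits, table = [], None
    for line_no, line in enumerate(lines, start=1):
        match = INSERT_RE.match(line)
        if match:                      # remember which table the rows belong to
            table = match.group(1)
        lowered = line.lower()
        for needle in needles:
            pos = lowered.find(needle)
            if pos != -1:              # keep a short snippet; dump lines can be huge
                end = pos + len(needle) + context
                hits.append((line_no, table, needle,
                             line[max(0, pos - context):end].strip()))
    return hits

def hits_per_table(hits):
    """Count hits per table, showing where the spam is actually stored."""
    return Counter(table for _, table, _, _ in hits)

if __name__ == "__main__":
    # Usage: python scan_dump.py dump.sql phrase1 phrase2 ...
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = scan_dump(fh, sys.argv[2:])
    else:
        found = scan_dump(SAMPLE_DUMP.splitlines(), ["spamphrase-one", "spamphrase-two"])
    for line_no, table, phrase, snippet in found:
        print(f"line {line_no} [{table}] {phrase!r}: ...{snippet}...")
    print(dict(hits_per_table(found)))
```

Hits only in the comments table point at comment spam; hits in entry properties or entry text point at someone editing entries, which is the case to follow up on the user accounts.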
rj
Regular
Posts: 477
Joined: Sun Sep 10, 2006 2:53 pm

Re: Plished? Hijacked? Bad Bad Bad

Post by rj »

Boy, thankx!!! That is the kind of info I need to get on to this!
I'll check out a dump first and
rj
Regular
Posts: 477
Joined: Sun Sep 10, 2006 2:53 pm

Re: Plished? Hijacked? Bad Bad Bad

Post by rj »

HAPPILY RESOLVED!
Did a WHO IS, found the register and server - JUSTHOST.COM and after a bit of explaining, JUSTHOST suspended the nasty account. So it seems it was just someone taking the PAGE SOURCE and messing with it.
Thanx one and all! I suppose I should still do a db dump and check though hey?
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Plished? Hijacked? Bad Bad Bad

Post by Timbalu »

But this does not really tell why Google came up and held you responsible for this.
I would definitely check through the dump.

Ian
rj
Regular
Posts: 477
Joined: Sun Sep 10, 2006 2:53 pm

Re: Plished? Hijacked? Bad Bad Bad

Post by rj »

I think it does. It is the same reason it showed up in statcounter. They copied the AdSense and counter code. Statcounter explained a little to me saying this is not a professional job, because they left those codes in which meant they would be found out. A pro hacker would have removed them. And no one so far has been able to explain how this benefits them. But I will take your advice. There are 3 other similar URLs doing this. One went dead, and the other two go to websites that have been inactive for 5 years. I don't know much about these kinds of things, but I think it is THOSE websites which have been hacked.
rj
Regular
Posts: 477
Joined: Sun Sep 10, 2006 2:53 pm

Re: Plished? Hijacked? Bad Bad Bad

Post by rj »

I searched my SQL dump and it seems fine. Thanx for all your help. I found a guy to help me with server security in this process no matter that was not the issue. And the Serendipity upgrade sped up the load time of the blog a lot. And thank YOU for all your help.

Thanx again
RJ
Don Chambers
Regular
Posts: 3652
Joined: Mon Feb 13, 2006 2:40 am
Location: Chicago, IL, USA
Contact:

Re: Plished? Hijacked? Bad Bad Bad

Post by Don Chambers »

Always great to hear about a happy ending! Keep up the great work with Serendipity!! :wink:
=Don=