Hacker stealing revenue?

20 replies
(Long post follows, but I want to give as much info as possible because I really need help here)

I've been fighting off a hacker for a week now. The person seems to have gained access to my hosting account or at least my ftp login. It's annoying, but I've held my own by changing passwords, scanning my computer, etc.

Now it seems like they might have been hijacking my clicks and revenue for quite some time. Of four sites, one gets almost no traffic, and that's fine because it supports a brick-and-mortar business and the main goal of the site is to get the phone ringing. If I get 10 visits a day on that site and one phone call, it's doing its job. I barely even look at that site.

Of the other three sites, two get solid traffic (hundreds of visits a day, tens of thousands of page views a month) and one gets a steady flow (30-50 visits a day).

Here's the thing: Over time, the AdSense clicks and revenue on the low-traffic, ignored site are what I expected when I signed up. CTR is x percent. On the other three sites, including one with a pretty loyal following, the CTR has been miserably low. Placement on one site is totally in-your-face. On the others it's more subtle because I thought CPA and affiliate things would be more profitable.

So I looked at all four sites, trying to find the difference between the three that perform so poorly and the one that performs to expectations. Lo and behold, what I found in the source code was that the three non-performers are pulling some weird (and huge) javascript files in their heads, and the one that performs as expected does not.

Try as I might, I have not been able to get the sites to function properly without pulling these files. They run on totally unrelated themes so it seems odd that they would all need to pull these strange files.

Oh, and I'm not getting results from my CPA campaigns either. One (Indeed job search) actually produced revenue within its first hour of being up, but died shortly thereafter -- very suspicious.

I have these javascript files but can't make heads or tails of them, and I do know a little bit about programming Jscript. Any javascript experts want to take a look? Any advice on how to proceed?

Sorry for the long post, and thanks in advance for any help.
  • TheRichJerksNet
    No idea what you are running for your site as the one in your signature is "BLANK" as in no sites pulls up but I can view the html.

    Looks like you have a hacker problem and whatever system you are running you need to get it secured. If code is showing up here and there then you may have SQL Injection problems or there may be a keylogger on your computer.

    Oh by the way - I would remove the affiliate SEO link from my signature, we are not allowed to post affiliate links.

    James
    • Originally Posted by TheRichJerksNet View Post

      No idea what you are running for your site as the one in your signature is "BLANK" as in no sites pulls up but I can view the html.

      Looks like you have a hacker problem and whatever system you are running you need to get it secured. If code is showing up here and there then you may have SQL Injection problems or there may be a keylogger on your computer.

      Oh by the way - I would remove the affiliate SEO link from my signature, we are not allowed to post affiliate links.

      James
      So you can't see the site at all? You get a white screen?
      • TheRichJerksNet
        Originally Posted by SurviveUnemployment View Post

        So you can't see the site at all? You get a white screen?
        That is correct ...

        James
  • Mary Green
    I have to agree that it sounds like something is going on with the database. Have you tried to get support from your host company? Chances are whatever changes you are making, the hacker can still get in somehow (maybe through the database problem).

    I noticed you are using Drupal. Have you done any searches to try and find out what kind of hackers people with Drupal are getting and how you can get rid of them? I'm sure someone else has had the same problem.
    • TheRichJerksNet
      Originally Posted by Mary Green View Post

      I have to agree that it sounds like something is going on with the database. Have you tried to get support from your host company? Chances are whatever changes you are making, the hacker can still get in somehow (maybe through the database problem).

      I noticed you are using Drupal. Have you done any searches to try and find out what kind of hackers people with Drupal are getting and how you can get rid of them? I'm sure someone else has had the same problem.
      Hi Mary,
      Yes that is correct Drupal has had hacking as well as Joomla, it's just not as much as wordpress because they are not as popular.

      OP - Maybe check this - drupal hacked - Google Search

      James
  • 1Probiz
    I have dealt with exactly the same thing this week. All my sites were hacked. I have no idea when. After 8 months of learning and implementing IM, I have made not one sale.

    My hosting company told me to change the public_html folder name to public_html-hacked, then create a new public_html folder in ftp and reload everything into the new folder. So far it works, the extensive javascript code is gone. I also changed my password.
    • TheRichJerksNet
      Originally Posted by 1Probiz View Post

      I have dealt with exactly the same thing this week. All my sites were hacked. I have no idea when. After 8 months of learning and implementing IM, I have made not one sale.

      My hosting company told me to change the public_html folder name to public_html-hacked, then create a new public_html folder in ftp and reload everything into the new folder. So far it works, the extensive javascript code is gone. I also changed my password.
      Your hosting company told you this bad advice ?? Hostmonster, correct ??

      I would be moving personally myself because just renaming the folder and slipping in a new folder will not correct the problem. The hackers got in the first time and unless security measures have been put in place they will just do the same thing again.

      Look into Web Hosting, Reseller Hosting, and Dedicated Website Hosting w/ cPanel - HostGator - Their servers do not allow SQL Injection as they run PhpSuExec which runs the files under the hostname and not the root like many servers do.

      James
      • 1Probiz
        Thanks James. I assume you mean security measures that hostmonster should put in place. I could not wrap my nontechnical brain around how they got in, and why it wouldn't happen again.

        Will go over to HostGator.

        Yhvonne
        • TheRichJerksNet
          Originally Posted by 1Probiz View Post

          Thanks James. I assume you mean security measures that hostmonster should put in place. I could not wrap my nontechnical brain around how they got in, and why it wouldn't happen again.

          Will go over to HostGator.

          Yhvonne
          Yhvonne,
          Yes, your host has certain responsibilities, you are paying them to host your site and it is in their best interest to run a business effectively and that means taking care of the customer on their end. This means they should have secured servers, at least as secure as they can.

          We all know nothing is 100% secure but they still should take the measures needed to make sure their customers are safe as possible when it comes to the server.

          It is more important now than ever, especially with SpyBots getting more and more advanced to the point of possible internet warfare.

          James
  • GeorgR.
    his site works here, at least in my FireFox.
    • TheRichJerksNet
      Originally Posted by GeorgR. View Post

      his site works here, at least in my FireFox.
      Hi GeorgR
      Works under Safari for me also but Netscape 7.2 for Mac nothing but blank which probably could be due to some js code.

      Edit - well site is pulling now so the OP must have changed something....

      James
  • Great. Now all four sites are down completely. *******s.
  • HeySal
    You have a javascript redirect virus planted courtesy of your pals in Russia.

    These are lethal - you might have to have your host actually pull some of their files, too.
    In fact, if your website is a small one (even if it's not) you might have to shut it down and rebuild it.

    These hackers build holes all over the place so they can get back in once they are shut out. HTML pages stop them - but anything else will be loaded with false Java codes - you need someone who KNOWS that code inside and out to look at it all.

    These hackers aren't quick fix little issues - they are site destroyers. My website is half HTML and half interactive - mysql, php, java -- all the stuff that these creeps prey on.
    The hacker got in by having an actual human register for membership and within a half a year they completely destroyed the interactive parts of my site. The only thing standing right now is the static HTML pages. 3 years to build and it's devastated. My tech is extreme high level and he had trouble just shutting the ^&$#@S out - they had built holes all over before planting codes and were coming back in faster than we could shut them out for awhile before he could stop them. It's been unreal - he has to go over EVERY page and change the codes back.

    These hackers are on a campaign and are infecting websites like locusts infect crop fields. Nobody is safe from them.
    • Originally Posted by HeySal View Post

      You have a javascript redirect virus planted courtesy of your pals in Russia.
      How did you know they were in Russia? I didn't say anything about it. I will defeat these *******s, but I'm pretty sure they've stolen thousands of dollars from me, and it pisses me off mightily.
      • Digital Storm
        Originally Posted by SurviveUnemployment View Post

        How did you know they were in Russia? I didn't say anything about it. I will defeat these *******s, but I'm pretty sure they've stolen thousands of dollars from me, and it pisses me off mightily.
        Just switch hosting providers and reupload the files... You are wasting your time with these scumbags - they are not worth it.

        I know - I have been hacked more times than I care to recall since 1994 (or was it 1995?) when I first started marketing on the internet. A problem like this can consume you and you want to defeat the pieces of shit. But in the long run you can't do anything to them so why bother trying to defeat them on the same server where they have an advantage it appears.

        Get a new hosting company or a new account with the same company and only upload files from your hard drive and not files from the existing website account since they may have done something to your files.

        This will get rid of your problem presuming your local hard drive files are not tainted you should be fine.

        Take care and good luck,

        Robert
  • Anomaly1974
    I had this happen to me on a site I thought was waaaaaaaaaaaaaaaay too small to be messed with. Still, all of my email from that account now goes to spam, do not pass go, do not collect two hundred dollars. I had to completely rebuild the site and while they were still on the servers, they at least quit destroying my site. I now have a new host so I am hoping it will no longer be a problem but good luck dealing with it. While it is not any consolation, I do know how you feel.
  • UPDATE:

    After a long afternoon of Googling and sifting through code, I found the culprit and (fingers crossed) removed it. There was some malicious javascript code in two files that are called on every page. The code is complex and I don't know exactly what it is doing.

    When I googled the code itself, guess what I found: a script called -- get this! -- "market fixer" that was developed by an Israeli calling himself Ikariam. (Don't visit the site with java or javascript turned on because gosh only knows what kind of malware they have embedded, but it's at Ikariam Market Fix - Israel )

    They actually had two scripts, one for Firefox and one for IE, I think.

    I don't blame my host for this. They're knowledgeable and helpful and did everything they could to help resolve this. What happened, I think was a cross-site scripting attack. I visited a website that ran a script that gave up all my passwords. They're all changed now, and I put a master password on my browser, so (fingers crossed) maybe that will keep them away for a while.
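An added example, not part of any post in this thread: one way to run the check implied by the advice above (re-upload only from a local copy) and by the update (injected code in two files loaded on every page). It hashes a known-good local copy against a copy downloaded from the server, lists modified, added and missing files, and reports script sources that appear only in the live version of a file. The directory layout and file names are constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare(clean_dir, live_dir):
    """Classify files in the live copy against the known-good local copy."""
    clean, live = manifest(clean_dir), manifest(live_dir)
    return {
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }

def new_script_sources(clean_dir, live_dir, rel_path):
    """<script src> values present in the live file but not in the clean one."""
    def srcs(base):
        p = Path(base) / rel_path
        if not p.is_file():
            return set()
        return set(SCRIPT_SRC.findall(p.read_text(errors="replace")))
    return sorted(srcs(live_dir) - srcs(clean_dir))

def build_sample(base):
    """Constructed sample trees: a clean copy and a tampered 'live' copy."""
    clean, live = Path(base) / "clean", Path(base) / "live"
    head = '<head><script src="/misc/site.js"></script>{extra}</head>'
    for root, extra in ((clean, ""), (live, '<script src="/misc/stats.js"></script>')):
        (root / "misc").mkdir(parents=True)
        (root / "page.tpl.php").write_text(head.format(extra=extra))
        (root / "misc" / "site.js").write_text("// site code\n")
    (live / "misc" / "stats.js").write_text("// constructed stand-in for an injected file\n")
    return clean, live

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = build_sample(tmp)
        print(compare(clean, live))
        for f in compare(clean, live)["modified"]:
            print(f, new_script_sources(clean, live, f))
```

Any file reported as added or modified that you did not change yourself should be replaced from the clean copy after the account passwords have been changed.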
  • Ugh. I don't think this is resolved yet. My CTRs are still waaaay below expectations (far less than one percent) on the three hacked sites and within expectations (between 1-5 percent) on the clean one.

    I'm almost 100 percent sure that they're somehow re-directing the clicks. How else could I be showing tens of thousands of impressions and clicks that I can count on my fingers?

    This really stinks.

    Has anyone else had your revenue stolen? How did you resolve it?
    • kentaiwan98
      It could be that your site has been vetted by Adsense team. Have you any site related data that you can compare? Is performance deteriorating, have your sites been smartpriced (I think that's the term), try removing the ads on some of the sites and replace with Adbrite or similar to get an idea of CTR.

      You can also find ways to measure your own CTR rates and cf. to Google's. Google throws away lots of clicks, I found out by accident.

      Kenneth
  • esh
    I would recommend you to go to DreamHost, their Customer support is OUTSTANDING!
    Don't use any of their promo codes, since it doesn't allow you to add an existing site to dreamhost. Also install any software such as drupal with their 1-click-install, similar to fantastico, so you can prevent XSS or SQL injection attack. Why not use wordpress and phpbb together?
    (it's well secured).

    And if you have a local copy of the sites use that. Zip the site and use putty, a program that allows shell access to your hosting account, and unzip the whole site in a matter of minutes! DNS propagation takes at least 5 hours; you need to wait before doing everything. In the meanwhile take a note of all the sites you use and from ANOTHER computer send a bulk email to them to change the password for you.

    Next you can do is download Hijack This software, scan the affected computer and send the report it sends to the popular internet forums such as techsupportforum.com or daniweb.com, someone will find what affected your computer.

    Also consider applying to Lifelock.com so that if your credit card is also stolen, you can prevent it.

    Hope I covered everything and this helps!

    Best,
    Esh