Not a good day…weekend…or even near future…

…not to be a worry wart…the problems are mine. I have been dealing with hackers a LOT the past couple of months. Most of the problems have been due to a server level hack on my hosting company’s servers, affecting not just my site, but THOUSANDS of web sites on the company’s dozens of servers.

I’ve seen spam appended to hundreds of files, using css code to hide the spam links (the worst hack adding 2508 spam links to nearly every index, login, home, default, auth, and admin file in hundreds of my directories), and I had to edit them by hand.

I’ve just found tonight, in a script I’ve been using for over a year, a URL shortener found here…

http://developers.jccorp.net/

that a subfolder of this short URL script had been hacked (I had NO CHMOD 777 folders ANYWHERE on my site), and that the same spam I had been removing from my pages, that were pointing to OTHER hacked sites on mostly .edu college and university websites, was now SOURCING and FORWARDING from my site.

I cannot tell you how bloody angry I became at finding this.

The appended spam code was and is looking like this…

< u style=display:none >< a href="http://survivalring.org/url/ 1/2/30/840505780197.html">cheap cialis < a href="http://survivalring.org/url/ 1/2/30/8411792520159.html">order cialis < a href="http://survivalring.org/url/ 1/2/30/8421918768617.html">hydrocodone withdrawal < a href="http://survivalring.org/url/ 1/2/30/potentiate-hydrocodone/">potentiate hydrocodone < a href="http://survivalring.org/url/ 1/2/30/8502024412430.html">cialis compare levitra viagra < a href="http://survivalring.org/url/ 1/2/30/8441589492944.html">levitra vs cialis < a href="http://survivalring.org/url/ 1/2/30/phentermine-without-prescription/">phentermine without prescription < a href="http://survivalring.org/url/ 1/2/30/8471141010198.html">phentermine side effects … and on and on…

It took a good 20 minutes for my FTP program to delete thousands of spam files from that subfolder above at /url/1/2/.
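Added example, not part of the original post: a Python scanner for the pattern shown above, where anchors sit inside an element hidden with an inline style and the hidden tag may never be closed because the block was appended to the file. The sample string, the `spam.example` host, the function names and the `min_links` threshold are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TARGET_STEMS = {"index", "login", "home", "default", "auth", "admin"}
# Constructed sample: a clean page with a hidden, unclosed link block appended.
SAMPLE = (
    '<html><body><a href="/about.html">About</a></body></html>\n'
    '<u style=display:none><a href="http://spam.example/url/1/2/30/a.html">pills '
    '<a href="http://spam.example/url/1/2/30/b.html">more pills\n'
)

class HiddenLinkFinder(HTMLParser):
    """Collect (line, href) for <a> tags inside an inline-hidden element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        # open: [tag, depth] of hidden elements; hits: (line, href) pairs
        self.open, self.hits = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if HIDDEN.search(attrs.get("style") or ""):
            self.open.append([tag, 1])
        elif self.open and tag == self.open[-1][0]:
            self.open[-1][1] += 1      # same-name child, e.g. a nested <div>
        if tag == "a" and self.open and attrs.get("href"):
            self.hits.append((self.getpos()[0], attrs["href"]))

    def handle_endtag(self, tag):
        # A hidden tag that is never closed stays open until end of file.
        if self.open and tag == self.open[-1][0]:
            self.open[-1][1] -= 1
            if not self.open[-1][1]:
                self.open.pop()

def hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

def scan_tree(root, min_links=3):
    """Map each index/login/home/... file with >= min_links hidden links to them."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stem.lower() in TARGET_STEMS:
            hits = hidden_links(path.read_text(errors="replace"))
            if len(hits) >= min_links:
                report[str(path)] = hits
    return report
```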

The latest hack that affected me BEFORE this hack was one that hit, again, the index/admin/default/etc php and htm files, and REPLACED all of my code with the following code.

< script language="javascript" >

myreg=new RegExp(”lycos\.co.uk”,”i”);
if ( ! myreg.test(”‘”+top.location+”‘”) ) {
nwreg=new RegExp (”http://([^/]+)?(/([a-z0-9A-Z\-\_]+)?[^']+)”,”i”);
rn=nwreg.exec(”‘”+self.location+”‘”);
if ( parent.frames.length==2) { top.location=”http://” + rn[1] + rn[2]; }
else { top.location=”http://” + rn[1] + “/” + rn[3]; }
}

i f(window == window.top) {
var address=window.location;
var s=’< html>< head>< title>‘+’< /title>< /head>‘+
‘< frameset cols="*,140" frameborder="0" border="0" framespacing="0" onload="return true;" onunload="return true;">‘+
‘< frame src="'+address+'?" name="memberPage" marginwidth="0" marginheight="0" scrolling="auto" noresize>‘+
‘< frame src="http://ads.tripod.lycos.co.uk/ad/google/frame.php?_url='
+escape(address)+'&gg_bg=&gg_template=&mkw=&cat=noref" name="LycosAdFrame"
marginwidth="0" marginheight="0" scrolling="auto" noresize>‘+
‘< /frameset>‘+
‘< /html>‘;

document.write(s);
}
< /script>
< html>
< bgsound src="http://www.freewebtown.com/dahaya/music.mid" loop="-1">
< title>
=-=-=-=v4 Team=-=-=-=
< /title>
< BODY BGCOLOR="000000.">
< p align="center">< span style="height: 30px">< b>
< font color="#ffffff" face="Comic Sans MS" size="7"><<–==HaCkeD By V4 Team==–>>< /font>
< strong>< span style lang="ar-sa">< font color="#000000" face="Fixedsys" size="7">
< /font>< /span>< /p>
< p align="center">< font color="#ff0000" face="Comic Sans MS" size="7">V.4
CrackerS< /font>

< p align="center">< font color="#ff0000" face="Comic Sans MS" size="7">ProAmk< /font>< span style>< font color="#ff0000" face="Comic Sans MS" size="7">  
&    JaDi< /font>< /span>< /p>
< p align="center">< font color="#ff0000" face="Comic Sans MS" size="7">ProHaCKErZ< /font>< /p>
< p align="center">< img border="0" src="http://members.lycos.co.uk/moadis/maroc-flag.jpg" width="284" height="272">< /p>
< span style="font-weight: 400; height: 30px">< center>
< p dir="ltr" align="center">
< font style="font-size: 60pt" face="Wingdings" size="5" color="#ffffff">N< /font>< font style="font-style: italic" color="#ffffff" face="Times New Roman" size="7">DucK
AdmiN< /font>< font style="font-size: 60pt" color="#ffffff" face="Wingdings" size="7">N< /font>< /p>
< span style>< strong style="font-weight: 400">
< p>< font color="#ffffff" face="Haettenschweiler">
< font color="#ff0000" face="Courier New" size="7">Dj-MoaD[< /font>< font face="Courier New" size="7">AT< /font>< font color="#ff0000" face="Courier New" size="7">]HotmaiL[< /font>< font face="Courier New" size="7">DOT< /font>< font color="#ff0000" face="Courier New" size="7">]Fr< /font>< /font>< / p>
< p>< font color="#ff0000" face="Courier New" size="7">ProamK< /font>< font color="#ffffff" face="Haettenschweiler">< font color="#ff0000" face="Courier New" size="7">[< /font>< font face="Courier New" size="7">AT< / font>< font color="#ff0000" face="Courier New" size="7">]< /font>< /font>< font color="#ff0000" face="Courier New" size="7">Hotmail< /font>< font color="#ffffff" face="Haettenschweiler">< font color="#ff0000" face="Courier New" size="7">[< /font>< font face="Courier New" size="7">DOT< /font>< font color="#ff0000" face="Courier New" size="7">]< /font>< /font>< font color="#ff0000" face="Courier New" size="7">Fr< /font>< /p>
< p>< font color="#ff0000" face="Courier New" size="7">Pentium-m< /font>< font color="#ffffff" face="Haettenschweiler">< font color="#ff0000" face="Courier New" size="7">[< /font>< font face="Courier New" size="7">AT< /font>< font color="#ff0000" face="Courier New" size="7">]< /font>< /font>< font color="#ff0000" face="Courier New" size="7">Hotmail< /font> < font color="#ffffff" face="Haettenschweiler">< font color="#ff0000" face="Courier New" size="7">[< /font>< font face="Courier New" size="7">DOT< font color="#ff0000" face="Courier New" size="7">]Com< /font>< /font>< /p>
< p>< font color="#ff0000" face="Courier New" size="7">An_asp< /font>< font color="#ffffff" face="Haettenschweiler">< font color="#ff0000" face="Courier New" size="7">[< /font>< font face="Courier New" size="7">AT< /font>< font color="#ff0000" face="Courier New" size="7">]< /font>< /font>< font color="#ff0000" face="Courier New" size="7">Htomail< /font>< font color="#ffffff" face="Haettenschweiler">< font color="#ff0000" face="Courier New" size="7">[< /font>< font face="Courier New" size="7">DOT< /font>< font color="#ff0000" face="Courier New" size="7">]COM< /font>< / font>< / p>
< /strong>< / span>< /center>< /span>
< /strong>< /b>< /span>

< script
language="JavaScript">
// –>< /script>< !-- http://kok.8k.COM-->< body id="CBody"
onbeforeprint="onbeforeprint()" onafterprint="onafterprint()"
onselectstart="return false" oncontextmenu="return false;">
< /BODY>< /HTML>
< /pre>< /xmp>< /noscript>

< script language="javascript" src="http://ads.tripod.lycos.co.uk/ad/test_frame_size.js">< /script>

< script language="javascript">
if (!AD_clientWindowSize()) {
document.write(”“);
}
< /script>

< script type="text/javascript">
function setCookie(name, value, expires, path, domain, secure) {
var curCookie = name + “=” + escape(value) +
(( expires) ? “; expires=” + expires.toGMTString() : “”) +
(( path) ? “; path=” + path : “”) +
(( domain) ? “; domain=” + domain : “”) +
(( secure) ? “; secure” : “”);
document.cookie = curCookie;
}

var ad_url = ” http://ads.tripod.lycos.co.uk/ad/google/frame.php?_url=”+
escape(self.location)+”&gg_bg=&gg_template=&mkw=&cat=noref”;
var ref=window.document.referrer;

if (parent.LycosAdFrame) {
if (parent.memberPage && parent.memberPage.document.title ) {
parent.document.title=parent.memberPage.document.title;
}

if(parent.LycosAdFrame && parent.LycosAdFrame.location && (ref != “” && (ref+”?” != window.location) && (ref.substr(ref.length-1,1) != “/”)) ) {
parent.LycosAdFrame.location.replace(ad_url);
}
set Cookie(”adFrameForcePHP”,0,0,” “);
parent.document.body.cols = “*,140″;
}
else if(top.LycosAdFrame && top.LycosAdFrame.location) {
if ((ref != “” && (ref+”?” != top.window.location) && (ref.substr(ref.length-1,1) != “?”))) {
top.LycosAdFrame.location.replace(ad_url);
}
setCookie(”adFrameForcePHP”,0,0,” “);
top.document.body.cols = “*,140″;
}
else {
if (!window.opener) {
setCookie(”adFrameForcePHP”,1,0,” “);
}
else {
setCookie(”adFrameForcePHP”,0,0,” “);
}
}
if (window.top.location.href.indexOf(”http://members.lycos.co.uk”)!=-1) {
ad_frame = 1 ;
window.top.document.body.cols=”*,140″ ;
}

function resizeGoogleAdFrame() {
window.top.document.body.cols = “*,140″;
}

if (ad_frame == 1 && AD_clientWindowSize()) {
setInterval(”resizeGoogleAdFrame()”, 30);
}

< /script>

< script language="javascript" src="http://ads.tripod.lycos.co.uk/ad/popunder_lycos_ update.php?cat=noref&CC=uk">< /script>

< script type="text/javascript" src="http://ads.tripod.lycos.co.uk/ad/ad.php?cat= noref&mkw=&CC=uk&ord=45b702e8&adpref=">< /script>

< !-- START RedSheriff Measurement V5.01 -->
< !-- COPYRIGHT 2002 RedSheriff Limited -->
< script language="JavaScript" type="text/javascript">< !--
var _rsCI='lycos-uk';
var _rsCG='noref';
var _rsDT=1;
var _rsSI=escape(window.location);
var _rsLP=location.protocol.indexOf('https')>-1?’https:’:'http:’;
var _rsRP=escape(document.referrer);
var _rsND=_rsLP+’//secure-uk.imrworldwide.com/’;

if (parseInt(navigator.appVersion)>=4) {
var _rsRD=(new Date()).getTime();
var _rsSE=0;
var _rsSV=”;
var _rsSM=0;
_rsCL=’<\/scr'+'ipt>‘;
} else {
_rsCL=’‘;
}
document.write(_rsCL);
//–>< /script>
< noscript>
< img src="//secure-uk.imrworldwide.com/cgi-bin/m?ci=lycos-uk&cg=noref" alt="">
< /noscript>
< !-- END RedSheriff Measurement V5 -->

I’m showing you the EXACT code, because after I found it, I could NOT find reference to it on any other websites via google. I did find other sites that had had the same hack. I’m hoping someone will come looking for answers, bring me more info, and we can have these bastards removed from the Gene Pool by Special Forces.

And, this REDSHERIFF crap looks to be VERY evil, from the searches I’ve found referencing it…

Needless to say, if I EVER find out who is doing this crap, I will sic the FBI, CIA, and any other alphabet agency on their worthless asses. I do not have the time to waste on these assholes that are continuously wreaking havoc, not just on my website, but on so many others on my servers and others.
