Website hacked?

General area for talk about ZSNES. The best place to ask for related questions as well as troubleshooting.

Moderator: ZSNES Mods

BFeely
Rookie
Posts: 32
Joined: Mon Nov 22, 2004 8:14 pm

Website hacked?

Post by BFeely »

Is your website hacked? The zsnes.com homepage is advertising illegal casinos. Better clear that up before the Nintendo lawyers shut you down.
BFeely
Rookie
Posts: 32
Joined: Mon Nov 22, 2004 8:14 pm

Re: Website hacked?

Post by BFeely »

In addition, the WHOIS e-mail addresses are bouncing. Please fix that ASAP too before zsnes.com gets shut down by ICANN.
badinsults
"Your thread will be crushed."
Posts: 1236
Joined: Wed Jul 28, 2004 1:49 am
Location: Not in Winnipeg

Re: Website hacked?

Post by badinsults »

As far as I can tell, the only ad script being run on the front page is from Google. But yes, this does look like it was manually added somehow.
<pagefault> i'd break up with my wife if she said FF8 was awesome
kode54
Zealot
Posts: 1140
Joined: Wed Jul 28, 2004 3:31 am

Re: Website hacked?

Post by kode54 »

There are three ads running on the main site.

This is one that pops up a new tab the first time you click within the page, including clicking to dismiss any of the other ads:

Code:

<!-- BEGIN S0005157 POP -->

<script>
var _gunggo={settings:{siteID:"S0005157",pop:{type:"tab"}}};
_gunggo.settings.pop.freqcap={frequency:2,duration:1};
</script>
<script src="//cdn.directrev.com/js/gp.min.js?s=S0005157"></script>

<!-- END S0005157 POP -->
The second:

Code:

<td class='PHeader'>

<script type="text/javascript"><!--
google_ad_client = "pub-7645045873107134";
google_ad_width = 300;
google_ad_height = 250;
google_ad_format = "300x250_as";
google_ad_type = "text_image";
google_ad_channel ="2957165506";
google_color_border = "C8CFD8";
google_color_bg = "C8CFD8";
google_color_link = "000000";
google_color_url = "203040";
google_color_text = "000000";
//--></script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>

</td>
And the third:

Code:

<td colspan='3' class='PSubHeader'>
<script type="text/javascript"><!--
google_ad_client = "pub-7645045873107134";
google_ad_width = 468;
google_ad_height = 15;
google_ad_format = "468x15_0ads_al";
google_ad_channel ="0528548908";
google_color_border = "A4A9B0";
google_color_bg = "A4A9B0";
google_color_link = "000000";
google_color_url = "203040";
google_color_text = "000000";
//--></script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
<br />
</td>
In the middle of the main page body is a plain text ad that doesn't appear to include any trackers:

Code:

<p>If you are interested in online casinos, but don't know which one is good - 
<a href="hxtxtxpx://oxnxlxixnxexcxaxsxixnxox-xxx.xcxoxmx/">Best 
online casino</a> review site can help you with decision. 
And if you 
just want 
to try free slots you also can visit this <a 
href="hxtxtxpx://sxlxoxtxsx-xzx.cxoxmx/">online slots</a> website, there you 
will find a lot of different slots games without fees.

								</p>
And finally, at the footer of the page:

Code:

					<div style="text-align:center">
						<script type="text/javascript">
							if (typeof topbar_banner_0_ad == "function") { topbar_banner_0_ad(); }
						</script>
					</div>
E: Looks like xehas.org, the site of Radio, who the main site claims is the current maintainer, is some Japanese portal for loan information that hasn't been updated since 2013.
paulguy
Zealot
Posts: 1076
Joined: Sat Jul 02, 2005 2:01 am

Re: Website hacked?

Post by paulguy »

Clickjack ads are obnoxious. Shame.
Maybe these people were born without that part of their brain that lets you try different things to see if they work better. --Retsupurae
BFeely
Rookie
Posts: 32
Joined: Mon Nov 22, 2004 8:14 pm

Re: Website hacked?

Post by BFeely »

That middle online casino one has to go; this website is hosted in the US and online casinos are illegal in the US.
Because it is entered inline and not in an ad frame, that is what suggests that the site may have been hijacked.

I traced the IP of that online casino to a foreign VPS provider called FastVPS/bill2fast . com despite them using CloudFlare, and I reported them to abuse.
BFeely
Rookie
Posts: 32
Joined: Mon Nov 22, 2004 8:14 pm

Re: Website hacked?

Post by BFeely »

Maybe we have a rogue webmaster or the owner of that illegal casino site is lying. This is from the abuse reply I got:

"Dear ______!

Our customer reply is:

"Hello, our links do have to zsnes.com site. The administrator of the site contacted us and asked for permission to publish those links. I see no reason that the site zsnes.com hacked. If the one who complained, said that zsnes.com hacked the site, he can write zsnes.com administrator of the site and resolve the problem with him. We do not influence the arbitration zsnes.com site."

Respectfully, Dmitry Skalenko
FASTVPS customer care"
Nach
ZSNES Developer
Posts: 3904
Joined: Tue Jul 27, 2004 10:54 pm
Location: Solar powered park bench

Re: Website hacked?

Post by Nach »

Can someone post a screenshot of what they're seeing?

I'm looking at the homepage, I don't see anything obviously wrong. I turned off my ad-blockers and still don't see anything too obnoxious.
May 9 2007 - NSRT 3.4, now with lots of hashing and even more accurate information! Go download it.
_____________
Insane Coding
BFeely
Rookie
Posts: 32
Joined: Mon Nov 22, 2004 8:14 pm

Re: Website hacked?

Post by BFeely »

It appears the text itself in the homepage has been manipulated - see the circled part in https://imgur.com/nFP2p4f
To ensure it isn't a virus on my own computer I tried it on my phone too, and on my phone using Orweb (Tor browser for mobile) and it is still there.
Here is the offending portion of the source code:

Code:

								<p>
									ZSNES is a Super Nintendo emulator programmed by zsKnight and _Demo_. 
									On April 2, 2001 the ZSNES project was GPL'ed and its source released 
									to the public. It currently runs on Windows, Linux, FreeBSD, and DOS.
									Remember that this is a public beta so don't expect this to run on your
									machine.
								</p>

								<p>If you are interested in online casinos, but don't know which one is good - 
<a href="http://onlinecasino-x.com/">Best 
online casino</a> review site can help you with decision. 
And if you 
just want 
to try free slots you also can visit this <a 
href="http://slots-z.com/">online slots</a> website, there you 
will find a lot of different slots games without fees.

								</p>
Note that the injected content isn't even tabbed like the rest of the page.
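
The script inventory and the inline casino paragraph quoted in the posts above both come down to one check: which external hosts does the live homepage reference that a known-good copy does not? The Python below is an added example, not part of the thread or of the site's own code; the baseline page, the `.example` host and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ATTR = {"a": "href", "script": "src", "iframe": "src"}

class ExternalRefs(HTMLParser):
    """Collect (host, tag, line) for every link/script/iframe leaving the site."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.refs = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(URL_ATTR.get(tag, ""))
        if not url:
            return
        host = urlparse(url).hostname  # also parses scheme-relative //host/path
        if host and host != self.site_host:
            self.refs.append((host, tag, self.getpos()[0]))

def external_refs(html, site_host):
    parser = ExternalRefs(site_host)
    parser.feed(html)
    parser.close()
    return parser.refs

def new_external_refs(baseline_html, live_html, site_host):
    """References in the live page whose host is absent from the known-good copy."""
    known = {host for host, _, _ in external_refs(baseline_html, site_host)}
    return [r for r in external_refs(live_html, site_host) if r[0] not in known]

# Constructed sample pages modelled on the snippets quoted in the thread.
# The *.example host is a placeholder, not a domain from the posts.
BASELINE = """<td class='PHeader'>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
</td>
<p>ZSNES is a Super Nintendo emulator. See the <a href="/docs.html">docs</a>.</p>
"""
LIVE = BASELINE + """<script src="//cdn.directrev.com/js/gp.min.js?s=S0005157"></script>
<p>If you are interested in online casinos - <a
href="http://casino-review.example/">Best online casino</a> review site.</p>
"""

if __name__ == "__main__":
    for host, tag, line in new_external_refs(BASELINE, LIVE, "zsnes.com"):
        print(f"line {line}: <{tag}> points at unreviewed host {host}")
```

Run against a copy of the page kept in version control, this reports new ad scripts and inline links regardless of whether they render visibly for a given visitor.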
BFeely
Rookie
Posts: 32
Joined: Mon Nov 22, 2004 8:14 pm

Re: Website hacked?

Post by BFeely »

That Directrev ad causes popups on mobile; the ad just above the introduction appeared to offer illegal ROMs so the webmaster should investigate ASAP before Nintendo does.
Nach
ZSNES Developer
Posts: 3904
Joined: Tue Jul 27, 2004 10:54 pm
Location: Solar powered park bench

Re: Website hacked?

Post by Nach »

Thanks for the information. I e-mailed _Demo_, hopefully he can clarify what's going on.
Nach
ZSNES Developer
Posts: 3904
Joined: Tue Jul 27, 2004 10:54 pm
Location: Solar powered park bench

Re: Website hacked?

Post by Nach »

I just noticed someone manipulated the contributors list to add some evil links.

franpa
Gecko snack
Posts: 2374
Joined: Sun Aug 21, 2005 11:06 am
Location: Australia, QLD

Re: Website hacked?

Post by franpa »

Everything seems to look good now, went through all the pages and checked any URLs I came across. The popup advert is also gone which is good.
Core i7 920 @ 2.66GHZ | ASUS P6T Motherboard | 8GB DDR3 1600 RAM | Gigabyte Geforce 760 4GB | Windows 10 Pro x64
BFeely
Rookie
Posts: 32
Joined: Mon Nov 22, 2004 8:14 pm

Re: Website hacked?

Post by BFeely »

I can confirm it is fixed too.
BFeely
Rookie
Posts: 32
Joined: Mon Nov 22, 2004 8:14 pm

Re: Website hacked?

Post by BFeely »

Just one more thing: Since you use Google Adsense, you need to comply with certain privacy policy requirements. These requirements are described at https://support.google.com/adsense/answer/1348695?hl=en