
Warning imobitrax exploit (41)


12-03-2013 12:01 PM #1 tap1on (Member)
Warning imobitrax exploit

Hi all,
Over the weekend I had someone exploiting my imobitrax and stealing my traffic worth $x,xxx before I noticed it. I'm creating this thread in order to warn everybody and how to avoid it happening to you.

The Story
Basically what happened is that I noticed the traffic I was running had dropped massively in EPC. For me it raised a big warning flag and I went to the network that I was running with to find out wtf happened.
My rep said everything looked normal and the EPCs on his side were the same as always. I got confused and checked my own offer URL I was using and I found something weird.

Some fucker had changed my offer URL, but this time I just thought I accidentally ctrl+c and ctrl+v'd some random shit so I changed it back and didn't bother.
The next day the same thing happened and now I knew someone had been messing with my URL, so I immediately changed the password to imobitrax and my other server related stuff and hoped it would put an end to this madness.
This day everything seemed to be working and I went to bed. When I woke up the morning after I saw it had been changed again. This was very alarming for me so I paused all the traffic and did some serious stalking on the url that the guy replaced mine with.
The full url they were using is this:
http://www.sendglobalnews.com/chedit...=xxx&data2=xxx

When I checked it from a UK IP (the campaign was in the UK) I got redirected to 3 different offers: Upforit, Fling and BeNaughty. I asked them all which person has this affiliate ID and on all 3 networks it was the same person: the owner of just-fuck.com, Mr Mantas Lisauskas. If you aren't doing adult, this is one of the top adult dating affiliates. Quite sad that someone that big has to steal money from other affiliates. If it's someone else running under him and using him as a front I don't know, but his account has been stealing a good amount of my traffic.

Solution
I sent a ticket to imobitrax about my problem and Bill answered very fast and told me that I forgot to remove the install.php file after installing imobitrax. As I understood it you can create new admin accounts using the install.php file if the owner hasn't removed it. So he used that file and created an admin account on my imobitrax and was able to change my campaigns and everything.
Bill removed the user and the file from my server right away which I'm very grateful for.
So to everybody using imobitrax, make sure you removed your install.php file and check your database that there isn't any other user account than your own. I highly doubt I'm the only person that has been fucked over.

TL/DR
If you installed imobitrax, you need to remove the install.php file from the server. Otherwise someone can create an admin account and fuck your stuff up like MANTAS LISAUSKAS aka just-fuck.com did to me.

If Mantas is on this forum I'd be happy to hear an explanation.


12-03-2013 12:13 PM #2 1eliotpapageorgio ()

Yup this imobitrax exploit seems to have been getting around. I know a few affs that said their server was hacked recently through this.

Are you going to contact that mantas hacker guy?


12-03-2013 12:14 PM #3 tap1on (Member)

Quote Originally Posted by 1eliotpapageorgio
Yup this imobitrax exploit seems to have been getting around. I know a few affs that said their server was hacked recently through this.

Are you going to contact that mantas hacker guy?
Right now the networks are trying to find out what happened and stuff. If they won't do anything I'll talk with him.


12-03-2013 12:40 PM #4 gooddrewman (Member)

Thanks for posting this. I just checked some of my campaigns and found the below link. That same dude got me. At least you got his name. I hope I can run into him one day

http://www.sendglobalnews.com/chedit...etd.php?subid=


12-03-2013 01:09 PM #5 paulis1 (Member)

Is cpv lab the same way? I had it installed by beyond hosting. But will go through my folder again.


12-03-2013 01:16 PM #6 1eliotpapageorgio ()

I think imobitrax made their tracker based around cpvlab, if someone has both the install files maybe we could compare them to see.


12-03-2013 01:39 PM #7 tap1on (Member)

If someone else finds their links changed please post it also so we can see how many people actually got fucked.


12-03-2013 02:10 PM #8 dragoshsd (Member)

Need to pay attention to the instructions - they tell you to remove install.php for security reasons. Imagine how simple it is to have a VA scan top adult placements, collect all domains that use imobitrax and then bulk check which of them have install.php still on the server. Makes me sick that someone would stoop so low, I'm curious what the networks' stance is on this.


12-03-2013 03:46 PM #9 kyleirwin (Member)

Quote Originally Posted by paulis1
Is cpv lab the same way? I had it installed by beyond hosting. But will go through my folder again.
No.

Quote Originally Posted by 1eliotpapageorgio
I think imobitrax made their tracker based around cpvlab, if someone has both the install files maybe we could compare them to see.
This is not true.


12-03-2013 03:50 PM #10 1eliotpapageorgio ()

Quote Originally Posted by kyleirwin
No.

This is not true.
It can't just be me that sees the glaring similarities between the two. Maybe it's just the UI.


12-03-2013 04:13 PM #11 keepitsimple (Member)

Wow, I am 99% sure I deleted my install.php and yet I decided to double check after seeing this post and it was there. Thanks for the warning


12-03-2013 04:40 PM #12 kokofai ()

Wow this is interesting. A big guy like him is stealing traffic? Cool story...


12-03-2013 06:12 PM #13 dwel999 (Member)

Okay this might explain a lot lol. I didn't put 2 and 2 together though, too blinded trying to make money I guess. The following has been going on for last month or so.

Daily I would test new offers and do good and then everything would go to shit. I would add offers from different networks, constantly trading them out. I was thinking they were using some PPV trick to steal the cookie or something. Every day I start with new offers and would get leads, then nothing the next day. Changing networks and offers constantly (seriously like 40 offers in one survey campaign). I started changing domains daily thinking they were popping over me. I would bid highest direct linking for any offer I was using on my LPs so they couldn't steal my cookie lol. I even tried framing the offers with fresh domains hoping that would help keep them from hijacking them.

I do recall one day looking over the db and in the user table I saw 2 logins. I don't recall the other user name but I remember thinking ahh maybe it's the default one and I just removed it. Feel pretty stupid knowing I checked the db for extra logins but still didn't use the info when I found it. I knew something was up but was overthinking it.

I've had better luck since then now that I think about it. I actually ordered a new server and cpvlab, last night to start fresh and see if that helped. I bought a random ass domain for tracking thinking they couldn't pop on the short word without it costing them too much. CPVLab knew I was dumb though and kept reminding me to remove the file so I did already though.

The thanks button can't thank you for me on this one.

Thanks a ton man, you wouldn't believe how much time and aggravation I have put in trying to figure out how people were stealing my leads. Thought it was just shady PPV tactics lol. Now I can stop spending so much time on this and concentrate on actual work.


12-03-2013 06:33 PM #14 godspeed (Member)

I wish I had the same problem. Then I would have someone to blame for my bad stats.


12-03-2013 07:58 PM #15 craigm (Veteran Member)

wow he doesn't even use whois block on just-fuck


12-03-2013 08:00 PM #16 vidivo (Member)

You're lucky they told you who did the hacking... I had something similar happen to me and it was from an affiliate from F5 Media... and they didn't even want to tell me who it was without me first bringing a lawyer in.. shady eh?


12-03-2013 08:00 PM #17 bbrock32 (Administrator)

This is so weird. Why would he do all this if he's a big affiliate?

I will hit up Cupid and see what they say.


12-03-2013 08:09 PM #18 tap1on (Member)

Quote Originally Posted by dragoshsd
Need to pay attention to the instructions - they tell you to remove install.php for security reasons. Imagine how simple it is to have a VA scan top adult placements, collect all domains that use imobitrax and then bulk check which of them have install.php still on the server. Makes me sick that someone would stoop so low, I'm curious what the networks' stance is on this.
Yeah, Imobitrax didn't do anything wrong as they write that you need to remove it. But I know I'm not the only one skipping that step.



Quote Originally Posted by vidivo
You're lucky they told you who did the hacking... I had something similar happen to me and it was from an affiliate from F5 Media... and they didn't even want to tell me who it was without me first bringing a lawyer in.. shady eh?
They didn't tell me who it was, they just confirmed that it was the same person on each network. With a bit of internet stalking it's not hard to find out who's the owner behind the domains.

Quote Originally Posted by bbrock32
This is so weird. Why would he do all this if he's a big affiliate?

I will hit up Cupid and see what they say.
I also think it's very weird. Sure it's easy money doing it but why ruin your reputation for it.
It could also be someone running under his account because if it would be a new account it would probably get banned right away.


12-03-2013 08:13 PM #19 vidivo (Member)

Would you still be able to do it if he had whois protected? I think you just got lucky if he didn't have it protected... most hackers are going to be extra careful...

Also if he really is a big affiliate what if someone hacked you and placed his link in there on purpose in order for cupid to kick him out of their program? Would seem like a way to get rid of your competitors...


12-03-2013 08:39 PM #20 tap1on (Member)

Quote Originally Posted by vidivo
Would you still be able to do it if he had whois protected? I think you just got lucky if he didn't have it protected... most hackers are going to be extra careful...

Also if he really is a big affiliate what if someone hacked you and placed his link in there on purpose in order for cupid to kick him out of their program? Would seem like a way to get rid of your competitors...
Was hoping he is on STM so he could explain if he wasn't the one doing it.


12-03-2013 08:47 PM #21 pokersensei (Member)

tap1on, do you work with Cupid? If so you probably have more leverage to have them investigate how this happened and get back to you.

I would think if he has done this to others Cupid would have had more complaints about his affiliate id. It does seem very odd that someone would do this and be so careless in covering his tracks.


12-03-2013 11:12 PM #22 keepitsimple (Member)

ya it might be someone trying to frame him also, I had someone buy a ton of traffic via stolen credit cards on a traffic source and then at the end they swapped out their aff links / lander to mine to try to frame me. Fortunately I had a history with the traffic source so everything was cleared up, but people do some seriously shady shit in this industry. If there is money involved, don't ever underestimate what people will do, rich or poor


12-03-2013 11:32 PM #23 pokersensei (Member)

I definitely don't underestimate the shadiness of people in this industry. Just surprised it was so easy to find the person. Someone who does this kind of f-ed up shit would normally be better about staying anonymous so makes you wonder who is behind it.


12-04-2013 01:07 AM #24 Eli ()

The network he runs the stolen traffic through absolutely can do something about it, and should. We had almost the same scenario happen 3 weeks ago and it resolved smoothly. We looked at the conversion data and the referrers from the thief's account and saw the same tracking domains as the original affiliate. So we just had the original affiliate submit the proper proof of ownership for those tracking domains the traffic was coming from and proof of the hack. We were able to move all the earned funds over to the legit affiliate and chargeback 100% on the thief. After receiving a letter from our legal with the explanation and options the thief returned a signed letter of acceptance, and we closed his account.


12-04-2013 04:29 AM #25 polarbacon (Moderator)

Quote Originally Posted by Eli
The network he runs the stolen traffic through absolutely can do something about it, and should. We had almost the same scenario happen 3 weeks ago and it resolved smoothly. We looked at the conversion data and the referrers from the thief's account and saw the same tracking domains as the original affiliate. So we just had the original affiliate submit the proper proof of ownership for those tracking domains the traffic was coming from and proof of the hack. We were able to move all the earned funds over to the legit affiliate and chargeback 100% on the thief. After receiving a letter from our legal with the explanation and options the thief returned a signed letter of acceptance, and we closed his account.
This is why Oregon is so cool


12-04-2013 12:52 PM #26 tap1on (Member)

Good tip to know if someone has exploited your imobitrax is to check if you have more than one of the default traffic sources, admoda, admob etc.


12-04-2013 01:34 PM #27 dario (Member)

Guys as soon as you find a precise carrier / OS combo that converts just bypass your tracker, and send your traffic directly to the offer.


12-04-2013 02:11 PM #28 dynamicsoul (Member)

Best advice there. Not only stopping this issue.. but speeding up the process taking another redirect out the chain.


12-04-2013 04:41 PM #29 dwel999 (Member)

Quote Originally Posted by tap1on
Good tip to know if someone has exploited your imobitrax is to check if you have more than one of the default traffic sources, admoda, admob etc.
Yeah that makes sense too, I had double of each default traffic source too. Thought it was some weird bug and removed the extras. I'll def pay more attention when little things happen in the future that's for sure. That guy taught me an expensive lesson, won't slip like that again.


12-04-2013 09:07 PM #30 nefig (Member)

Damn, we had the same issue and just noticed it yesterday.
We worked with hosting to try to find what happened and changed passwords etc., but today on some of the
campaigns I found the same shit, going to http://www.metrohk.com.hk/cache/trk/us.php

If you trace it, it goes to
http://www.ictrax.com/go.php?c=27&l=28&subid=289899399
http://i.imgur.com/bdHaPyX.png

It was the same one for http://www.sendglobalnews.com but now it seems all the redirects have been removed.

Thanks for the heads up, we removed the install.php in the /account/ folder and will work with Bill on how to protect it even further.
I am scared to even think about how long this shit has been going on :/


12-04-2013 10:07 PM #31 BenPOF ()

https://www.facebook.com/mantas.lisauskas.5


Don't mess


12-05-2013 03:49 AM #32 lavish (Member)

Quote Originally Posted by tap1on
Good tip to know if someone has exploited your imobitrax is to check if you have more than one of the default traffic sources, admoda, admob etc.
This.

I thought I just screwed my imobi with an update somehow, but I've had multiple instances of traffic sources for a while now. Double checked the mt_account database and there were 2 new user accounts there.

Also, it's either Mantas, or some guy Jason Li from China, or both who are doing this.


12-05-2013 05:13 AM #33 itsjustbrian (Member)

Yo, how do I check the mt_account database and delete this cunt?


12-05-2013 05:37 AM #34 lavish (Member)

Open phpMyAdmin then click on the imobi database (servername_imobi), then click mt_account, it'll pull up. You'll see your account and any others, delete from there.
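The checks the thread converges on (extra rows in mt_account, each default traffic source appearing twice, and a leftover install.php under /account/) can be run as one audit instead of eyeballing phpMyAdmin. The script below is an added example, not imobitrax's own code: the column names (id, username, role) and the sample rows are constructed for illustration, since the thread only names the table and database.

```python
"""Post-incident audit for a self-hosted tracker install (added example, not
imobitrax code). Checks the three signs raised in the thread: extra rows in the
mt_account table, duplicated default traffic sources, and a leftover
install.php under /account/. Column names are assumptions, not the product's."""
import os
import tempfile
from collections import Counter

# Constructed sample rows standing in for SELECT * FROM mt_account.
# Column names (id, username, role) are assumed for illustration.
SAMPLE_ACCOUNTS = [
    {"id": 1, "username": "owner", "role": "admin"},
    {"id": 2, "username": "admin2", "role": "admin"},   # not created by the operator
]

# Constructed sample traffic-source names; the thread notes that a
# compromised install showed each default source twice.
SAMPLE_SOURCES = ["admoda", "admob", "admoda", "admob", "mytraffic"]


def unexpected_accounts(rows, known_usernames):
    """Return usernames in the account table that the operator did not create."""
    known = {u.lower() for u in known_usernames}
    return sorted(r["username"] for r in rows if r["username"].lower() not in known)


def duplicated_sources(sources):
    """Return traffic-source names that appear more than once (a sign of a second installer run)."""
    counts = Counter(s.lower() for s in sources)
    return sorted(name for name, n in counts.items() if n > 1)


def leftover_installer(webroot):
    """Return the path of install.php if it still exists under <webroot>/account/, else None."""
    path = os.path.join(webroot, "account", "install.php")
    return path if os.path.isfile(path) else None


def audit(rows, sources, webroot, known_usernames):
    """Collect all findings into one dict; an empty dict means nothing suspicious was found."""
    findings = {}
    extra = unexpected_accounts(rows, known_usernames)
    if extra:
        findings["unexpected_accounts"] = extra
    dupes = duplicated_sources(sources)
    if dupes:
        findings["duplicated_sources"] = dupes
    installer = leftover_installer(webroot)
    if installer:
        findings["installer_present"] = installer
    return findings


def demo():
    """Build a throwaway webroot with a leftover installer and audit the sample data."""
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "account"))
        with open(os.path.join(webroot, "account", "install.php"), "w") as fh:
            fh.write("<?php // constructed stand-in for the real installer\n")
        return audit(SAMPLE_ACCOUNTS, SAMPLE_SOURCES, webroot, ["owner"])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real server you would feed `audit()` the rows exported from mt_account, the names from the traffic-source table, and the document root, with your own login as the only known username; any non-empty result is worth treating the way the thread treats it, as a sign the installer was run again.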


12-05-2013 09:10 AM #35 tap1on (Member)

Quote Originally Posted by nefig
Damn, we had the same issue and just noticed it yesterday.
We worked with hosting to try to find what happened and changed passwords etc., but today on some of the
campaigns I found the same shit, going to http://www.metrohk.com.hk/cache/trk/us.php

If you trace it, it goes to
http://www.ictrax.com/go.php?c=27&l=28&subid=289899399
http://i.imgur.com/bdHaPyX.png

It was the same one for http://www.sendglobalnews.com but now it seems all the redirects have been removed.

Thanks for the heads up, we removed the install.php in the /account/ folder and will work with Bill on how to protect it even further.
I am scared to even think about how long this shit has been going on :/
ictrax.com belongs to Mantas but I don't know if it's actually him doing it or someone is trying to frame him..


12-05-2013 12:07 PM #36 casual_dating_offers (Member)

Hi guys,

On behalf of BeNaughty's new owner - Together Network - I want to contribute to the ongoing discussion.

First and foremost, we regret to hear, tap1on, that you ended up in a situation like this where they were stealing traffic from you causing a financial loss to your side as well as the fact that our site was involved in this scheme. Hope this can be sorted out to your benefit soon.

We'd like to highlight that we don't want to take sides in this situation since it's very unclear and has a lot of unanswered questions at the moment. tap1on did reach out to us with a request. However, it should be mentioned that what was presented to us were a link and a screen shot and we were asked whether it was the same affiliate account or not. The answer was positive. We didn't confirm whether or not it was Mantas Lisauskas though since we're bound by the Privacy Policy and can't reveal affiliates' names and contacts. Later, when the allegations regarding stolen traffic were made public and tap1on pointed at Mr. Lisauskas as a possible perpetrator we had a conversation with the latter and he refuted all the accusations. So at this point we don't have sufficient facts that prove 100% whether or not it was Mantas Lisauskas' intentional misdeed or something else has happened here.

Developing some thoughts already expressed above regarding someone trying to frame Mantas Lisauskas we do agree that a lot of facts seem odd in this case. Specifically, it's confusing why a really big affiliate would go after $x,xxx not even trying to mask his activity and openly sending the allegedly stolen traffic to his own links. Also, we can mention that for the period of time that is being considered here we haven't noticed significant changes in Mr. Lisauskas' traffic volumes or their consistency. If traffic was massively stolen from many accounts most likely we would have noticed a substantial increase in volumes. Another thing was that the stolen traffic was redirected through an unknown server in South Korea which could lead to an alternative version of what happened here.

A really good point here though is that affiliates should definitely work on securing their accounts and prevent unauthorized access to their campaigns. As we can see from this situation that, unfortunately, happened to tap1on there are guys out there eager to engage in all sorts of illegal activities to get your earned money. And one of the best ways to prevent this from happening is to take precautionary measures and make sure that such things won't happen in the future.

Thanks,
Alex


12-05-2013 03:09 PM #37 keepitsimple (Member)

My campaign links went dead last night (been running for weeks fine without changing anything), just checked my imobi account db and there's 3 account names... I feel like such an idiot


12-05-2013 03:26 PM #38 dario (Member)

BTW.. what a silly bug is this?
Any setup should remove/rename an install.php file right after it has successfully completed all the required steps.
perhaps a wanted mistake ?


12-05-2013 04:14 PM #39 kyleirwin (Member)

Quote Originally Posted by dario
BTW.. what a silly bug is this?
Any setup should remove/rename an install.php file right after it has successfully completed all the required steps.
perhaps a wanted mistake ?
Being that the installer is generally uploaded over FTP, the web server will often not have the permissions to rename or delete the install file.

The installer could have some security built in though... like requiring that you provide your license key, or just not run if there is an existing install... def not just add more users to the existing admin table, lol. The admin UI could also check for the installer and give a notice in the interface to delete the file manually.

I think it's a bit out there to suggest it's a "wanted mistake"... just an amateur mistake... like the old cpvlab exploit.


12-05-2013 04:33 PM #40 getzlaf15 (Member)

Pretty stupid for the install file to work that way with an existing install in place.

They can easily fix this by making the install file not function if it's been installed (forcing you to delete/rename the database to set up) or
just check to see if an admin user exists and don't create one.

It could also not allow you to login to the script if the install file exists.
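The guards kyleirwin and getzlaf15 describe (refuse to run when an install already exists, require the license key, and refuse admin login while install.php is still on disk) amount to a few decision functions. The code below is an added example written for this thread, not imobitrax's or CPV Lab's code; the function names, the license-key comparison and the /account/install.php location are assumptions, and the inputs are constructed.

```python
"""Installer and login guards of the kind suggested in the thread (added example,
not the product's code). The installer refuses to run when the tracker is already
installed or the license key does not match, and the admin login refuses while
install.php is still on disk. Function names and the license check are assumed."""
import hmac
import os
import tempfile


class InstallRefused(Exception):
    """Raised when a guard decides the installer must not run."""


def installer_guard(existing_admin_count, provided_key, expected_key):
    """Decide whether install.php may proceed.

    existing_admin_count: number of rows already in the admin/account table.
    provided_key / expected_key: license key typed into the installer and the
    one on file for this customer (assumed; the thread only suggests such a check).
    """
    if existing_admin_count > 0:
        # With an install already present, the only thing a second run could do
        # is add accounts to a live admin table, which is the abuse the thread describes.
        raise InstallRefused("already installed: remove the database to reinstall")
    # Constant-time comparison so the key check does not leak by timing.
    if not hmac.compare_digest(provided_key.encode(), expected_key.encode()):
        raise InstallRefused("license key does not match")
    return True


def login_guard(webroot):
    """Return an error message if install.php is still present, else None.

    Blocking login (rather than only showing a notice) forces the operator to
    delete the file, which the web server often cannot do itself after an FTP upload.
    """
    installer = os.path.join(webroot, "account", "install.php")
    if os.path.isfile(installer):
        return f"delete {installer} before logging in"
    return None


def demo():
    """Exercise both guards against constructed inputs and return the outcomes."""
    outcomes = {}
    try:
        installer_guard(1, "ABC-123", "ABC-123")       # second run on a live install
    except InstallRefused as exc:
        outcomes["second_run"] = str(exc)
    try:
        installer_guard(0, "WRONG", "ABC-123")         # fresh database, wrong key
    except InstallRefused as exc:
        outcomes["bad_key"] = str(exc)
    outcomes["fresh_install"] = installer_guard(0, "ABC-123", "ABC-123")
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "account"))
        open(os.path.join(webroot, "account", "install.php"), "w").close()
        outcomes["login_with_installer"] = login_guard(webroot)
        os.remove(os.path.join(webroot, "account", "install.php"))
        outcomes["login_after_cleanup"] = login_guard(webroot)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first guard is the one that would have stopped the abuse in this thread outright: with any row already in the account table, the installer does nothing, regardless of who requests it.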


12-05-2013 05:37 PM #41 paulis1 (Member)

Quote Originally Posted by casual_dating_offers
Specifically, it's confusing why a really big affiliate would go after $x,xxx not even trying to mask his activity and openly sending the allegedly stolen traffic to his own links.
Here I thought mid $x,xxx profit/day I was doing well but now hearing Mr. Lisauskas won't even touch these numbers, I'm fucking depressed as hell. Time to get drunk, feel sad and then go back to the drawing board to raise the bar even higher.

