Home > Paid Traffic Sources > Facebook & Instagram

[HELP] Are my servers compromised? Might be getting hacked. (6)

09-21-2017 03:07 AM #1 mrfacebook (Member)
[HELP] Are my servers compromised? Might be getting hacked.

Hey guys,

I recently launched several BH campaigns on Facebook across several ad accounts, domains and individual servers associated with each domain.

My Problem
I'm showing thousands of clicks on my Facebook accounts, but only ~1/5 of those in Voluum.

What i've tried
I reduced my cloaking restrictions to the barebones and still no change - thinking they were being filtered out.

I test clicked all of my ads on each account and found that one of them sent me to a survey LP that most certainly wasn't mine. The domain is no longer active, but here it is for reference:
http://app1359.cdn4-network14-server...flxP0d0AJGo%3D

Checked my server files but couldn't find anything obvious (i'm not the best at reading hardcore code, though).

I've since just moved all the traffic over to a separate server provider all together, can't tell if it solved anything yet though.

Has anyone ever experienced anything like this? I haven't been able to duplicate the survey LP to pop, but I think they're just blocking multiple hits from the same IP.

09-21-2017 03:11 AM #2 mrfacebook (Member)

Update: just tested from the new IP - having the same problem. Someone is 100% stealing my traffic and I can't seem to find out at what stage it's happening.

New survey LP that they're sending users to (turn volume down, there's a beep at the start): http://game6414.cdn6-network16-serve...Go%3d&t=pcdesk

09-21-2017 07:18 AM #3 colesy ()

Which cloaker? Have you tried turning it off altogether?

Check network activity in Chrome and see at exactly which stage you are redirected to that url.

09-21-2017 10:06 AM #4 mrfacebook (Member)

I'm using JCI and have tried turning it off.

It looks like this hacker found its way into all of my safe sites.

Found these nasty php files installed at the same time/date on all of my safe pages...
Click image for larger version.  Name: RJzhU_boQPWrxKv75t6GLg.png  Views: 84  Size: 23.2 KB  ID: 16959

Installed some security plugins to each page and manually had to track down and delete the php files from each.

Turns out the scumbag is from Russia and has never heard of who.is protection.
Click image for larger version.  Name: 9HKpDhcfRESc3S0yMWPflg.png  Views: 75  Size: 18.4 KB  ID: 16960

Homegirl Anna Pogoda from Russia runs an entire ring of these sites.
http://website.informer.com/email/pogoda.anna@mail.ru

Well this was a costly learning lesson that you should always triple-check if you're even remotely suspicious of malicious activity on your campaigns. The things people will do to make a few bucks...

09-21-2017 10:58 AM #5 caurmen (Administrator)

Glad you got it sorted - that must have been a rough couple of days.

Any idea what the vulnerability was they used to get in? Always good to keep on top of these things...

09-23-2017 10:43 PM #6 danielt (Member)

this is why using WP sucks. most likely via e plugin that sends out silent usage data ( like referrals )
then there should be a backdoor in the code to let the violator ( yes, that's a term ) in

Home > Paid Traffic Sources > Facebook & Instagram