Dedirock's website seemingly got hacked and is showing a phishing page

Comments

  • I mean there clearly wasn't any violence either, but ok.

  • vsys_host Member, Patron Provider

    @oloke said:

    @vsys_host said:

    @oloke said:
    both domains:

    point to servers at @vsys_host , we should probably report them

    @wadhah said:

    @oloke said:
    both domains:

    point to servers at @vsys_host , we should probably report them

    We have to stop this LET host on LET host violence

    On what grounds are you blaming a provider without an abuse report?
    Did anyone even try to report this to the official email first?

    Such activity is strictly prohibited, and we have already handled the issue. We take down malicious content fast — but only when we actually get a report.

    And frankly, posting a public accusation like this — especially coming from another hosting provider — is downright unprofessional.

    Hi!

    On what grounds are you blaming a provider without an abuse report?

    Sorry, if I didn't make it clear :#

    I'm not blaming you (vsys.host) for anything here. Bad actors could've bought servers from anyone.
    I meant we should report those ip addresses to you via abuse report and proper procedure.

    Such activity is strictly prohibited, and we have already handled the issue.

    Thank you for handling that so quickly <3

    You are welcome <3

    Thanked by 2 oloke cainyxues
  • vsys_host Member, Patron Provider

    @wadhah said:

    @vsys_host said:

    @oloke said:
    both domains:

    point to servers at @vsys_host , we should probably report them

    @wadhah said:

    @oloke said:
    both domains:

    point to servers at @vsys_host , we should probably report them

    We have to stop this LET host on LET host violence

    On what grounds are you blaming a provider without an abuse report?
    Did anyone even try to report this to the official email first?

    Such activity is strictly prohibited, and we have already handled the issue. We take down malicious content fast — but only when we actually get a report.

    And frankly, posting a public accusation like this — especially coming from another hosting provider — is downright unprofessional.

    so you read that and your understanding is that I think you (the company) personally hacked the website?

    Come on mate, you may need to relax a bit

    Relaxing is easy. Cleaning up ghosts nobody reports — that’s the hard part 😉

    @wadhah said:

    @vsys_host said:

    @oloke said:
    both domains:

    point to servers at @vsys_host , we should probably report them

    @wadhah said:

    @oloke said:
    both domains:

    point to servers at @vsys_host , we should probably report them

    We have to stop this LET host on LET host violence

    On what grounds are you blaming a provider without an abuse report?
    Did anyone even try to report this to the official email first?

    Such activity is strictly prohibited, and we have already handled the issue. We take down malicious content fast — but only when we actually get a report.

    And frankly, posting a public accusation like this — especially coming from another hosting provider — is downright unprofessional.

    so you read that and your understanding is that I think you (the company) personally hacked the website?

    Come on mate, you may need to relax a bit

    Host-on-host violence? 😄
    Nah, just self-defense: we prefer proper abuse tickets over public crossfire.

    Relaxing is easy. Cleaning up ghosts nobody reports - that’s the hard part 😉

  • tpoll Member, Patron Provider

    a quick patch is needed

    Thanked by 1 DediRock
  • Wow...... every hour is amateur hour.

  • xvps Member
    edited September 2025

    @TandM said:

    @Hotmarer said:
    Wordpress ...

    Yeah, probably a leaky plugin or something like that.
    There's some code in the homepage HTML with regards to a "Header Fix Tester", which contains Ukrainian comments, and references to statswpmy.com and trackingmyadsas.com, both registered to a Ukrainian registrar, which is probably the culprit.

    Don’t be this naïve.

    The comments are in Russian, and a hacker would never register a domain name in his own name, where everyone could look it up with WHOIS.

    // from: https://pastecode.dev/s/7eq9ah8h
    // fetch("https://trackingmyadsas.com/api/track/017f8daeb2d7faa85b5afb7b145cc0d9"
    
    // WHOIS:
    Domain Name: TRACKINGMYADSAS.COM
    Name Server: NS1.THE.HOSTING
    Name Server: NS2.THE.HOSTING
    
    nslookup
    > server ns1.the.hosting
    Default server: ns1.the.hosting
    Address: 2a0b:cf45::666#53
    Default server: ns1.the.hosting
    Address: 45.120.177.139#53
    > trackingmyadsas.com
    Server:     ns1.the.hosting
    Address:    2a0b:cf45::666#53
    
    Name:   trackingmyadsas.com
    Address: 5.180.30.232
    > exit
    
    dig @ns1.the.hosting trackingmyadsas.com NS +norec
    
    ; <<>> DiG 9.20.11-4+b1-Debian <<>> @ns1.the.hosting trackingmyadsas.com NS +norec
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52287
    ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;trackingmyadsas.com.       IN  NS
    
    ;; ANSWER SECTION:
    trackingmyadsas.com.    3600    IN  NS  ns1.the.hosting.
    trackingmyadsas.com.    3600    IN  NS  ns2.the.hosting.
    
    ;; Query time: 8 msec
    ;; SERVER: 2a0b:cf45::666#53(ns1.the.hosting) (UDP)
    ;; WHEN: Tue Sep 16 17:53:59 CEST 2025
    ;; MSG SIZE  rcvd: 95
    

    The above pretty much confirms that ns1.the.hosting is the authoritative nameserver for the domain used in the script. (aa flags)

    I didn’t know that the.hosting (aka pq.hosting) was selling domains or shared hosting, so you can use their nameservers as authoritative nameservers. After all, a trustworthy provider like the.hosting would never be involved in something like this, right?

    Provider of year: https://lowendtalk.com/profile/thehosting

    @DediRock / @angstrom
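
The check in the post above, as an added example that is not part of the original thread: it parses the dig output quoted there and calls the queried server authoritative only when the `aa` flag is set, the answered NS set matches the WHOIS delegation, and the server is itself in that set. The function names, the verdict strings and the `resolver.example` contrast case are assumptions made for the illustration.

```python
import re

# dig output from the post above, trimmed to the lines the check reads.
DIG_AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52287
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
trackingmyadsas.com.    3600    IN  NS  ns1.the.hosting.
trackingmyadsas.com.    3600    IN  NS  ns2.the.hosting.
;; SERVER: 2a0b:cf45::666#53(ns1.the.hosting) (UDP)
"""
# Constructed contrast case: the same records relayed by a recursive resolver
# (hypothetical name, documentation IP), so the aa bit is absent.
DIG_CACHED = DIG_AUTH.replace("qr aa;", "qr rd ra;").replace(
    "2a0b:cf45::666#53(ns1.the.hosting)", "192.0.2.53#53(resolver.example)")
WHOIS_NS = ["NS1.THE.HOSTING", "NS2.THE.HOSTING"]  # from the WHOIS excerpt

def norm(name):
    return name.strip().rstrip(".").lower()

def parse_dig(text):
    """Extract status, header flags, queried server and answered NS names."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    server = re.search(r"^;; SERVER: \S+\(([^)]+)\)", text, re.M)
    ns, in_answer = set(), False
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            in_answer = line.startswith(";; ANSWER")
        elif in_answer and line and not line.startswith(";"):
            f = line.split()
            if len(f) >= 5 and f[3] == "NS":
                ns.add(norm(f[4]))
    return {"status": status.group(1) if status else None,
            "flags": set(flags.group(1).split()) if flags else set(),
            "server": norm(server.group(1)) if server else None,
            "ns": ns}

def assess(dig_text, whois_ns):
    """Say how far the answer supports 'this server is authoritative'."""
    r = parse_dig(dig_text)
    if r["status"] != "NOERROR" or "aa" not in r["flags"]:
        return "not-authoritative"      # cached/relayed or failed answer
    if r["ns"] != {norm(n) for n in whois_ns}:
        return "delegation-mismatch"    # zone disagrees with registry data
    if r["server"] not in r["ns"]:
        return "unlisted-server"        # answers aa but is not in the NS set
    return "authoritative"
```

An `authoritative` verdict identifies where the zone is served, which is the place to send an abuse report; it says nothing about who registered or operates the domain.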

  • HostDZire Member, Patron Provider

    @Void said:
    🔥HostDZire offers high-performance VPS and dedicated servers from top global locations including India, The Netherlands, USA, Singapore, Japan, and more.🔥

  • @xvps said:

    @TandM said:

    @Hotmarer said:
    Wordpress ...

    Yeah, probably a leaky plugin or something like that.
    There's some code in the homepage HTML with regards to a "Header Fix Tester", which contains Ukrainian comments, and references to statswpmy.com and trackingmyadsas.com, both registered to a Ukrainian registrar, which is probably the culprit.

    Don’t be this naïve.

    The comments are in Russian, and a hacker would never register a domain name in his own name, where everyone could look it up with WHOIS.

    // from: https://pastecode.dev/s/7eq9ah8h
    // fetch("https://trackingmyadsas.com/api/track/017f8daeb2d7faa85b5afb7b145cc0d9"
    
    // WHOIS:
    Domain Name: TRACKINGMYADSAS.COM
    Name Server: NS1.THE.HOSTING
    Name Server: NS2.THE.HOSTING
    
    nslookup
    > server ns1.the.hosting
    Default server: ns1.the.hosting
    Address: 2a0b:cf45::666#53
    Default server: ns1.the.hosting
    Address: 45.120.177.139#53
    > trackingmyadsas.com
    Server:       ns1.the.hosting
    Address:  2a0b:cf45::666#53
    
    Name: trackingmyadsas.com
    Address: 5.180.30.232
    > exit
    
    dig @ns1.the.hosting trackingmyadsas.com NS +norec
    
    ; <<>> DiG 9.20.11-4+b1-Debian <<>> @ns1.the.hosting trackingmyadsas.com NS +norec
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52287
    ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;trackingmyadsas.com.     IN  NS
    
    ;; ANSWER SECTION:
    trackingmyadsas.com.  3600    IN  NS  ns1.the.hosting.
    trackingmyadsas.com.  3600    IN  NS  ns2.the.hosting.
    
    ;; Query time: 8 msec
    ;; SERVER: 2a0b:cf45::666#53(ns1.the.hosting) (UDP)
    ;; WHEN: Tue Sep 16 17:53:59 CEST 2025
    ;; MSG SIZE  rcvd: 95
    

    The above pretty much confirms that ns1.the.hosting is the authoritative nameserver for the domain used in the script. (aa flags)

    I didn’t know that the.hosting (aka pq.hosting) was selling domains or shared hosting, so you can use their nameservers as authoritative nameservers. After all, a trustworthy provider like the.hosting would never be involved in something like this, right?

    @DediRock / @angstrom

    what the sigma

  • r3k Member
    edited September 2025

    Now... if only someone used AI for security.

    Thanked by 1 zed
  • Mmm wordpress, the #1 source of pwn in 2005, and still in 2025.

    Thanked by 4 nikola Ed_Chd senfie tux
  • tentor Member, Host Rep

    @r3k said:
    Now... if only someone used AI for security.

    Then secrets would be fed into someone's dataset

    Thanked by 1 oloke
  • xvps Member
    edited September 2025

    Seems like they have updated statswpmy.com, so it now sends the report with the Telegram API.
    I guess the trackingmyadsas.com NS footprint was a fuck up.
    :D

  • DediRock Member, Patron Provider

    @allthemtings said:
    Perfect Mouse & Mouse Pad Combo?

    so many options right? you can check out this thread that was posted.

    https://lowendtalk.com/discussion/208078/perfect-mouse-mouse-pad-combo/p1

    @tentor said:
    I can hook it up

    I Can Hook It Up™

  • DediRock Member, Patron Provider

    @davide said:

    @DediRock said:
    Ooof gotta love the internet :) Ya checking seeing what happened, gnarly stuff. We'll get it handled, and get to the bottom of it.

    Then hook it up when you're done

    We can certainly look into it.

    The Rock Provides™

  • Stored Member, Patron Provider
    edited September 2025

    @FAT32 said:
    I think that calls for a deal

    Welcome back @FAT32
    @DediRock way to handle things. My first thought was npm and all your crypto was gone.

    Thanked by 1 FAT32
  • DediRock Member, Patron Provider

    @tpoll said:
    a quick patch is needed

    yup yup, the scandal was handled.

  • DediRock Member, Patron Provider

    hmmm, who runs these guys' marketing dept......

  • Stored Member, Patron Provider

    @DediRock said:

    hmmm, who runs these guys' marketing dept......

    You should put that and the video from earlier as an Easter egg on your site.

    Thanked by 1 DediRock
  • DediRock Member, Patron Provider

    @Stored said:

    @DediRock said:

    hmmm, who runs these guys' marketing dept......

    You should put that and the video from earlier as an Easter egg on your site.

    oh I am def going to use the video @oloke made in some form or fashion.

    Thanked by 2 oloke JohnnySac
  • @TandM said:

    @Hotmarer said:
    Wordpress ...

    Yeah, probably a leaky plugin or something like that.
    There's some code in the homepage HTML with regards to a "Header Fix Tester", which contains Ukrainian comments, and references to statswpmy.com and trackingmyadsas.com, both registered to a Ukrainian registrar, which is probably the culprit.

    You are correct!

  • DediRock Member, Patron Provider

    @FAT32 said:
    I think that calls for a deal

    lol, suggestions? :)

    Thanked by 2 fitkoh FAT32
  • FAT32 Administrator, Deal Compiler Extraordinaire

    @DediRock said:

    @FAT32 said:
    I think that calls for a deal

    lol, suggestions? :)

    Use DEDIROCK-HOOKS-IT-UP for 69% off

    also @sh97 @beanman109 @oloke @mandala @admax potential deal alert

  • plumberg Veteran, Megathread Squad

    @oloke said:
    it only shows on Windows, i had to change my user agent to get it

    Wondowz good

    Thanked by 1 oloke
  • DediRock Member, Patron Provider

    @Void said:
    🔥HostDZire offers high-performance VPS and dedicated servers from top global locations including India, The Netherlands, USA, Singapore, Japan, and more.🔥

    i got a kick out of this......