Author Topic: Popups? Site Hijacked?  (Read 2920 times)

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Popups? Site Hijacked?
« on: October 12, 2012, 07:59:47 PM »
This is concerning. I've noticed a couple of times that I've gotten popups as a result of clicking around on digitalpaint.org. There should not be any popups... I'm concerned there might have been some kind of malicious PHP injection or something. Has anybody else seen them? I can't seem to find where they're hiding in the HTML, either. If anybody can help with this, it would be much appreciated.

RoBiNandL!nk

  • Autococker
  • Posts: 571
Re: Popups? Site Hijacked?
« Reply #1 on: October 12, 2012, 08:06:32 PM »
Yes I have, usually when I click on Contact.

edit-- OR the first time I visit the site for the day and click any of the headers.

Foxhound

  • Autococker
  • Posts: 952
Re: Popups? Site Hijacked?
« Reply #2 on: October 12, 2012, 08:52:51 PM »
Never for me

CheMiCal

  • Autococker
  • Posts: 690
Re: Popups? Site Hijacked?
« Reply #3 on: October 12, 2012, 10:04:45 PM »
toxiic strikes again

deadfroggy

  • Autococker
  • Posts: 562
Re: Popups? Site Hijacked?
« Reply #4 on: October 12, 2012, 10:52:18 PM »
I have when I visit the news page.
It's like this American survey thingy.

Rick

  • Map Committee
  • Autococker
  • Posts: 2190
Re: Popups? Site Hijacked?
« Reply #5 on: October 12, 2012, 11:52:54 PM »
I get it on other sites but not this one :)

deadfroggy

  • Autococker
  • Posts: 562
Re: Popups? Site Hijacked?
« Reply #6 on: October 13, 2012, 12:25:10 AM »
I got this when I went to the news one, if it's any help.

Rockyar_96

  • 68 Carbine
  • Posts: 370
Re: Popups? Site Hijacked?
« Reply #7 on: October 13, 2012, 03:14:02 AM »
got that one, too.

T3RR0R15T

  • Map Committee
  • Autococker
  • Posts: 2593
Re: Popups? Site Hijacked?
« Reply #8 on: October 13, 2012, 04:05:30 AM »
Maybe this (screens.html)?

Code:
<!--INSERTADTHISPAGE-->
...
<script language="javascript" type="text/javascript">
document.write("<"+"script type='text/javascript' src='http://wrapper.gamespy.com/a?pagetype=pnh_content&amp;size=728x90'>");
document.write("<"+"/script>");
</script>
<noscript>
<iframe valign=top WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" SRC="http://wrapper.gamespy.com/a?pagetype=pnh_content&amp;size=728x90&amp;sizew=728&amp;sizeh=90&amp;js=false">
</iframe>
</noscript>
...
<!--ACCIPITERADINSERT /SITE=PQ/AREA=HOSTED/TIER=3/GENRE=ACTION/AAMSZ=IAB_FULL_BANNER-->

deadfroggy

  • Autococker
  • Posts: 562
Re: Popups? Site Hijacked?
« Reply #9 on: October 13, 2012, 06:05:18 AM »
I get the popup every time now...

Could it be this?
<SCRIPT type=text/javascript src="http://m1.webstats.motigo.com/c.js?id=365163&amp;lang=EN&amp;i=3"></SCRIPT>
<BR>&nbsp;</FONT></CENTER></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
<SCRIPT type=text/javascript>mws_ae._i.src=mws_x;</SCRIPT>
<NOSCRIPT></NOSCRIPT>

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Popups? Site Hijacked?
« Reply #10 on: October 13, 2012, 10:30:16 AM »
Ah, that's probably it.  I forgot they had an update that required switching the img src out for javascript.  Lame.

Clipz

  • Committee Member
  • Autococker
  • Posts: 1497
Re: Popups? Site Hijacked?
« Reply #11 on: October 13, 2012, 02:24:24 PM »

deadfroggy

  • Autococker
  • Posts: 562
Re: Popups? Site Hijacked?
« Reply #12 on: October 13, 2012, 02:38:05 PM »
no problem.

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Popups? Site Hijacked?
« Reply #13 on: October 13, 2012, 08:34:10 PM »
The javascript code they put in looks all kinds of sketchy:

Code:
function mws_a(_b, _c) {
     var _d = new Date();
     var _e = document;
     var _f = _e.referrer;
     try {
         if (top && top.document && top.document.referrer) {
             _f = top.document.referrer;
         }
     } catch (_g) {
         _f = 'frame';
     }
     if (_f) {
         var rc = _f;
         var i = rc.indexOf('?');
         if (i >= 0) rc = rc.substring(0, i);
         i = rc.lastIndexOf('/');
         if (i >= 0) rc = rc.substring(0, i + 1);
         var l = '' + _e.location;
         if (l == _f || 0 == l.indexOf(rc)) _f = '';
     }
     var _h = 'fa6b310b5dcfafc1' + '.' + Math.floor(_d.getTime() / 1000).toString() + '.' + Math.floor(Math.random() * 10000).toString();
     this._i = new Image();
     this._i.onLoad = this._j;
     this._k = function () {
         var b = 1;
         var o = 0;
         var p = new Array("Shockwave Flash", "Shockwave for Director", "RealPlayer", "QuickTime", "VivoActive", "LiveAudio", "VRML", "Dynamic HTML Binding", "Windows Media Services");
         var np = navigator.plugins;
         for (var x = 0; x < p.length; x++) {
             for (var i = 0; i < np.length; i++) {
                 if (np[i].name.indexOf(p[x]) >= 0) {
                     o |= b;
                 }
                 b *= 2;
             }
         }
         return o;
     };
     this._l = function () {
         if (!_e.body) _e.write('<body>');
         var db = _e.body;
         var o = 0;
         var b = 1;
         var p = new Array("D27CDB6E-AE6D-11CF-96B8-444553540000", "2A202491-F00D-11CF-87CC-0020AFEECF20", "23064720-C4F8-11D1-994D-00C04F98BBC9", "", "", "", "90A7533D-88FE-11D0-9DBE-0000C0411FC3", "9381D8F2-0288-11D0-9501-00AA00B911A5", "22D6F312-B0F6-11D0-94AB-0080C74C7E95");
         db.addBehavior("#default#clientcaps");
         for (var i = 0; i < p.length; i++) {
             if (p[i] && db.isComponentInstalled("{" + p[i] + "}", "componentid")) {
                 o |= b;
             }
             b *= 2;
         }
         return o;
     };
     this._m = function () {
         var n = navigator;
         var ver = n.appVersion;
         var verIE = parseInt(ver.substring(ver.indexOf("MSIE") + 5, ver.indexOf("MSIE") + 6));
         if (verIE > 0) ver = verIE;
         else ver = parseInt(ver);
         if ((n.appName == "Netscape" && ver >= 3)) return this._k();
         if (verIE >= 5 && n.appVersion.indexOf('Win') >= 0 && n.userAgent.indexOf('Opera') < 0) return this._l();
         return "";
     };
     this._n = function () {
         var _o = '';
         var _p = '';
         if (0) {
             var _q = Math.floor(_d.getTime() / 1000);
             var _r = this._s('D');
             var _t = this._s('A');
             if (_q > _r && _t < 2) {
                 this._u('D', _q + 30, 86400);
                 this._u('A', _t + 1, 86400);
                 if (this._s('A')) _o = 'p';
             }
             _p = 'v';
             var _v = this._s('V');
             if (!_v) {
                 this._u('V', 1, 86400);
                 if (this._s('V')) _p = 'u';
             }
         }
         var _w = "http://m1.webstats.motigo.com/n?id=" + _c + "&r=" + escape(_f) + "&w=" + screen.width + "&h=" + screen.height + "&c=" + screen.colorDepth + "&v=3" + "&k=8331b5f75ed4ee02249068bb7e358bd0" + "&f=" + _p + _o + "&u=" + _h + "&p=" + this._m();
         mws_x = _w;
         var _y = (_e.getElementById && _e.getElementsByTagName) ? 1 : 0;
         var _z = 1;
         if (_y) {
             var a = _e.getElementById('mws' + _b);
             if (a && a.href && a.href == 'http://webstats.motigo.com/') {
                 a.href += 's?id=' + _b;
                 if ('23') {
                     a.href += '&iid=' + '23.' + _d.getTime().toString();
                 }
                 var _aa = a.getElementsByTagName('img')[0];
                 if (_aa) {
                     _z = 0;
                     if ('') {
                         var _ab = '?id=' + _b + '&lang=';
                         var _ac = '<object width="128" height="64" type="application/x-shockwave-flash" data="' + _ab + '"><param name="movie" value="' + _ab + '"/></object>';
                         a.innerHTML = _ac;
                     } else {
                         if (!0) {
                             _aa.onload = function () {
                                 _aa.width = 80;
                                 _aa.height = 15;
                             };
                         }
                         _aa.src = 'http://m1.webstats.motigo.com/n80x15.gif?id=AAWSawZNDNHgfTt31_FQ7sNcnkcw';
                     }
                 }
                 a.target = "_blank";
             }
         }
         if (_y && _z) {
             var _ad = '<a href="http://webstats.motigo.com/s?id=' + _b + '">Counter code appears to be damaged&nbsp;(error&nbsp;' + _z + ').&nbsp;Please insert an unmodified copy</a>';
             _e.writeln(_ad);
         }
         if (!0) {
             _e.writeln('<scr' + 'ipt type="text/javascript">mws_ae._i.src=mws_x;</scr' + 'ipt>');
         }
         if ('p' == _o || !0) { /*np*/
         }
     };
     this._j = function () {};
     this._u = function (_af, _ag, _ah) {
         _af = 'w4u_' + _af + '=';
         var _ai = new Date();
         _ai.setTime(_ai.getTime() + (_ah * 1000));
         document.cookie = _af + _ag + ";\040expires=" + _ai.toGMTString() + ";\040path=/";
     };
     this._s = function (_af) {
         _af = 'w4u_' + _af + '=';
         var ca = document.cookie.split(';');
         for (var i = 0; i < ca.length; i++) {
             var c = ca[i];
             while (c.charAt(0) == "\040") c = c.substring(1, c.length);
             if (c.indexOf(_af) == 0) {
                 var i = parseInt(c.substring(_af.length, c.length));
                 return isNaN(i) ? 0 : i;
             }
         }
         return 0;
     };
 }
 if (!this.mws_ae) {
     this.mws_ae = new mws_a(365163, "AAWSawZNDNHgfTt31_FQ7sNcnkcw");
     this.mws_ae._n();
 }

I ran it through a formatter to make it readable - it was all on just one line before.  Clearly written to obfuscate what it does.
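
Added example, not part of the thread or of the site's own code: a small audit that lists every third-party host a page loads script or iframe content from, including tags hidden by the `"<"+"script"` string splitting seen in both snippets above. The helper name `externalLoaders` and the sample page are constructed for illustration; the embed URLs are the ones quoted in the thread.

```javascript
// Constructed sample page built from the embed styles quoted in this thread
// (gamespy iframe abridged; /js/menu.js is a made-up first-party script).
const SAMPLE_HTML = [
  '<script src="/js/menu.js"></script>',
  '<script language="javascript" type="text/javascript">',
  'document.write("<"+"script type=\'text/javascript\' src=\'http://wrapper.gamespy.com/a?pagetype=pnh_content&amp;size=728x90\'>");',
  'document.write("<"+"/script>");',
  '</script>',
  '<noscript><iframe WIDTH=728 HEIGHT=90 SRC="http://wrapper.gamespy.com/a?pagetype=pnh_content&amp;size=728x90&amp;js=false"></iframe></noscript>',
  '<SCRIPT type=text/javascript src="http://m1.webstats.motigo.com/c.js?id=365163&amp;lang=EN&amp;i=3"></SCRIPT>',
].join('\n');

// Hypothetical helper: returns [{ host, tags }] for every script/iframe
// source that does not belong to siteHost or one of its subdomains.
function externalLoaders(html, siteHost) {
  // Rejoin string-concatenated tags such as "<"+"script" or '<scr' + 'ipt'
  // so a plain search for <script cannot be sidestepped by splitting.
  const joined = html.replace(/["']\s*\+\s*["']/g, '');
  const found = new Map(); // host -> Set of tag names that load from it
  const tagRe = /<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = tagRe.exec(joined)) !== null) {
    // Attribute values are HTML-escaped in the page source.
    const raw = (m[2] ?? m[3] ?? m[4]).replace(/&amp;/g, '&');
    let host;
    try {
      // Relative URLs resolve against the site itself and are skipped below.
      host = new URL(raw, 'http://' + siteHost + '/').hostname;
    } catch {
      continue; // not a parseable URL
    }
    if (host === siteHost || host.endsWith('.' + siteHost)) continue;
    if (!found.has(host)) found.set(host, new Set());
    found.get(host).add(m[1].toLowerCase());
  }
  return [...found]
    .map(([host, tags]) => ({ host, tags: [...tags].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

console.log(JSON.stringify(externalLoaders(SAMPLE_HTML, 'digitalpaint.org'), null, 2));
```

This only lists what the page itself loads; what a listed script does once it runs (as with c.js above) still has to be read from the script's own source.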