Popups? Site Hijacked?

[jitspoe]

This is concerning.  I've noticed a couple times that I've gotten popups as a result from clicking around on digitalpaint.org.  There should not be any popups...  I'm concerned there might have been some kind of malicious php injection or something.  Has anybody else seen them?  I can't seem to find where they're hiding in the html, either.  If anybody can help with this, it would be much appreciated.

[RoBiNandL!nk]

Yes i have, usually when i click on Contact

edit-- OR the first time i visit the site for the day and click any of the headers.

[Foxhound]

Never for me

[CheMiCal]

toxiic strikes again

[deadfroggy]

I have when i visit the news page.
Its like this american survey thingy.

[Rick]

I get it on other sites but not this one

[deadfroggy]

I got this when i went to the news one if its any help.

[Rockyar_96]

got that one, too.

[T3RR0R15T]

Maybe this (screens.html)?

Code: [Select]

<!--INSERTADTHISPAGE-->
...
<script language="javascript" type="text/javascript">
document.write("<"+"script type='text/javascript' src='http://wrapper.gamespy.com/a?pagetype=pnh_content&amp;size=728x90'>");
document.write("<"+"/script>");
</script>
<noscript>
<iframe valign=top WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" SRC="http://wrapper.gamespy.com/a?pagetype=pnh_content&amp;size=728x90&amp;sizew=728&amp;sizeh=90&amp;js=false">
</iframe>
</noscript>
...
<!--ACCIPITERADINSERT /SITE=PQ/AREA=HOSTED/TIER=3/GENRE=ACTION/AAMSZ=IAB_FULL_BANNER-->


[deadfroggy]

i get the popup everytime now...

could it be this?
<SCRIPT type=text/javascript src="http://m1.webstats.motigo.com/c.js?id=365163&amp;lang=EN&amp;i=3"></SCRIPT>
<BR>&nbsp;</FONT></CENTER></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
<SCRIPT type=text/javascript>mws_ae._i.src=mws_x;</SCRIPT>
<NOSCRIPT></NOSCRIPT>

[jitspoe]

i get the popup everytime now...

could it be this?
<SCRIPT type=text/javascript src="http://m1.webstats.motigo.com/c.js?id=365163&amp;lang=EN&amp;i=3"></SCRIPT>
<BR>&nbsp;</FONT></CENTER></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
<SCRIPT type=text/javascript>mws_ae._i.src=mws_x;</SCRIPT>
<NOSCRIPT></NOSCRIPT>

Ah, that's probably it.  I forgot they had an update that required switching the img src out for javascript.  Lame.

[Clipz]

toxiic strikes again

hahaha.

[deadfroggy]

Ah, that's probably it.  I forgot they had an update that required switching the img src out for javascript.  Lame.

no problem.

[jitspoe]

The javascript code they put in looks all kinds of sketchy:

Code: [Select]

function mws_a(_b, _c) {
     var _d = new Date();
     var _e = document;
     var _f = _e.referrer;
     try {
         if (top && top.document && top.document.referrer) {
             _f = top.document.referrer;
         }
     } catch (_g) {
         _f = 'frame';
     }
     if (_f) {
         var rc = _f;
         var i = rc.indexOf('?');
         if (i >= 0) rc = rc.substring(0, i);
         i = rc.lastIndexOf('/');
         if (i >= 0) rc = rc.substring(0, i + 1);
         var l = '' + _e.location;
         if (l == _f || 0 == l.indexOf(rc)) _f = '';
     }
     var _h = 'fa6b310b5dcfafc1' + '.' + Math.floor(_d.getTime() / 1000).toString() + '.' + Math.floor(Math.random() * 10000).toString();
     this._i = new Image();
     this._i.onLoad = this._j;
     this._k = function () {
         var b = 1;
         var o = 0;
         var p = new Array("Shockwave Flash", "Shockwave for Director", "RealPlayer", "QuickTime", "VivoActive", "LiveAudio", "VRML", "Dynamic HTML Binding", "Windows Media Services");
         var np = navigator.plugins;
         for (var x = 0; x < p.length; x++) {
             for (var i = 0; i < np.length; i++) {
                 if (np[i].name.indexOf(p[x]) >= 0) {
                     o |= b;
                 }
                 b *= 2;
             }
         }
         return o;
     };
     this._l = function () {
         if (!_e.body) _e.write('<body>');
         var db = _e.body;
         var o = 0;
         var b = 1;
         var p = new Array("D27CDB6E-AE6D-11CF-96B8-444553540000", "2A202491-F00D-11CF-87CC-0020AFEECF20", "23064720-C4F8-11D1-994D-00C04F98BBC9", "", "", "", "90A7533D-88FE-11D0-9DBE-0000C0411FC3", "9381D8F2-0288-11D0-9501-00AA00B911A5", "22D6F312-B0F6-11D0-94AB-0080C74C7E95");
         db.addBehavior("#default#clientcaps");
         for (var i = 0; i < p.length; i++) {
             if (p[i] && db.isComponentInstalled("{" + p[i] + "}", "componentid")) {
                 o |= b;
             }
             b *= 2;
         }
         return o;
     };
     this._m = function () {
         var n = navigator;
         var ver = n.appVersion;
         var verIE = parseInt(ver.substring(ver.indexOf("MSIE") + 5, ver.indexOf("MSIE") + 6));
         if (verIE > 0) ver = verIE;
         else ver = parseInt(ver);
         if ((n.appName == "Netscape" && ver >= 3)) return this._k();
         if (verIE >= 5 && n.appVersion.indexOf('Win') >= 0 && n.userAgent.indexOf('Opera') < 0) return this._l();
         return "";
     };
     this._n = function () {
         var _o = '';
         var _p = '';
         if (0) {
             var _q = Math.floor(_d.getTime() / 1000);
             var _r = this._s('D');
             var _t = this._s('A');
             if (_q > _r && _t < 2) {
                 this._u('D', _q + 30, 86400);
                 this._u('A', _t + 1, 86400);
                 if (this._s('A')) _o = 'p';
             }
             _p = 'v';
             var _v = this._s('V');
             if (!_v) {
                 this._u('V', 1, 86400);
                 if (this._s('V')) _p = 'u';
             }
         }
         var _w = "http://m1.webstats.motigo.com/n?id=" + _c + "&r=" + escape(_f) + "&w=" + screen.width + "&h=" + screen.height + "&c=" + screen.colorDepth + "&v=3" + "&k=8331b5f75ed4ee02249068bb7e358bd0" + "&f=" + _p + _o + "&u=" + _h + "&p=" + this._m();
         mws_x = _w;
         var _y = (_e.getElementById && _e.getElementsByTagName) ? 1 : 0;
         var _z = 1;
         if (_y) {
             var a = _e.getElementById('mws' + _b);
             if (a && a.href && a.href == 'http://webstats.motigo.com/') {
                 a.href += 's?id=' + _b;
                 if ('23') {
                     a.href += '&iid=' + '23.' + _d.getTime().toString();
                 }
                 var _aa = a.getElementsByTagName('img')[0];
                 if (_aa) {
                     _z = 0;
                     if ('') {
                         var _ab = '?id=' + _b + '&lang=';
                         var _ac = '<object width="128" height="64" type="application/x-shockwave-flash" data="' + _ab + '"><param name="movie" value="' + _ab + '"/></object>';
                         a.innerHTML = _ac;
                     } else {
                         if (!0) {
                             _aa.onload = function () {
                                 _aa.width = 80;
                                 _aa.height = 15;
                             };
                         }
                         _aa.src = 'http://m1.webstats.motigo.com/n80x15.gif?id=AAWSawZNDNHgfTt31_FQ7sNcnkcw';
                     }
                 }
                 a.target = "_blank";
             }
         }
         if (_y && _z) {
             var _ad = '<a href="http://webstats.motigo.com/s?id=' + _b + '">Counter code appears to be damaged&nbsp;(error&nbsp;' + _z + ').&nbsp;Please insert an unmodified copy</a>';
             _e.writeln(_ad);
         }
         if (!0) {
             _e.writeln('<scr' + 'ipt type="text/javascript">mws_ae._i.src=mws_x;</scr' + 'ipt>');
         }
         if ('p' == _o || !0) { /*np*/
         }
     };
     this._j = function () {};
     this._u = function (_af, _ag, _ah) {
         _af = 'w4u_' + _af + '=';
         var _ai = new Date();
         _ai.setTime(_ai.getTime() + (_ah * 1000));
         document.cookie = _af + _ag + ";\040expires=" + _ai.toGMTString() + ";\040path=/";
     };
     this._s = function (_af) {
         _af = 'w4u_' + _af + '=';
         var ca = document.cookie.split(';');
         for (var i = 0; i < ca.length; i++) {
             var c = ca[i];
             while (c.charAt(0) == "\040") c = c.substring(1, c.length);
             if (c.indexOf(_af) == 0) {
                 var i = parseInt(c.substring(_af.length, c.length));
                 return isNaN(i) ? 0 : i;
             }
         }
         return 0;
     };
 }
 if (!this.mws_ae) {
     this.mws_ae = new mws_a(365163, "AAWSawZNDNHgfTt31_FQ7sNcnkcw");
     this.mws_ae._n();
 }
I ran it through a formatter to make it readable - it was all on just one line before.  Clearly written to obfuscate what it does.