Does this site contain some form of new exploit?



I do not advise you to follow the link in an unsandboxed environment.

 

hxxp://www.geeksday.tk/2016/05/blog-post.html

 

It links to a fake-looking YouTube player window which is in fact just a picture. If it's not a virus it seems rather pointless.

Can someone knowledgeable confirm whether this is safe or not? I want to know if I could have been infected or not.

 

 

Edited by thisisu
link broken

Hi::)

First, please edit your post to "munge" or obfuscate the possibly malicious link -- this is for the safety of all forum users.

Please use code tags or "hxxp" or other means to render it NON-clickable.

Then, until a forum staff member can relocate this thread, it might be advisable to post your query in the special forum area reserved for such matters HERE

Thank you very much for your understanding,

Edited by daledoc1
clarify

Yes, a forum mod stepped in.

I've posted the VT link.

It's not a 100% guarantee, but VT suggests that it might be safe.

But, for prompt attention by the Research Team and for the safety of our forum guests and members, the discussion would be best continued in the appropriate sub-forum.

Thank you again,

Edited by daledoc1

The site is using obfuscated JavaScript to hide its coding...

 

</script>
<script type='text/javascript'>//<![CDATA[
var _0xb39f=["\x28\x33\x28\x65\x29\x7B\x62\x20\x74\x3D\x33\x28\x65\x2C\x74\x29\x7B\x32\x2E\x77\x3D\x65\x3B\x32\x2E\x44\x3D\x74\x3B\x32\x2E\x31\x72\x28\x29\x3B\x32\x2E\x54\x3D\x31\x70\x3B\x32\x2E\x78\x3D\x32\x2E\x77\x2E\x37\x28\x22\x2E\x6C\x20\x35\x20\x61\x22\x29\x3B\x32\x2E\x31\x6C\x28\x32\x2E\x77\x29\x3B\x32\x2E\x31\x65\x28\x29\x7D\x3B\x74\x2E\x31\x4E\x3D\x7B\x64\x3A\x7B\x48\x3A\x6A\x20\x70\x28\x22\x2F\x39\x2F\x76\x2F\x22\x2C\x22\x67\x22\x29\x2C\x45\x3A\x6A\x20\x70\x28\x22\x5B\x3F\x26\x5D\x71\x3D\x22\x2C\x22\x67\x22\x29\x2C\x31\x37\x3A\x6A\x20\x70\x28\x22\x28\x7A\x3A\x2F\x2F\x5B\x5E\x2F\x5D\x2B\x29\x2F\x39\x2F\x76\x2F\x28\x5B\x5E\x2F\x3F\x26\x5D\x2B\x29\x2E\x2A\x5B\x3F\x26\x5D\x71\x3D\x28\x5B\x5E\x24\x26\x5D\x2B\x29\x28\x3F\x3A\x5B\x5E\x24\x5D\x2B\x29\x3F\x22\x2C\x22\x67\x22\x29\x2C\x76\x3A\x6A\x20\x70\x28.........

 

To hide the code...

 

 (function(e)
 {
   var t=function(e,t)
   {
     this.elem=e;
     this.settings=t;
     this.addAjaxHtml();
     this.ajaxcall=null;
     this.lielem=this.elem.find(".verticlemenu li a");
     this.menuHelper(this.elem);
     this.addEvents()
   };
   t.prototype=
   {
     regex:
     {
       islabel:new RegExp("/search/label/","g"),issearch:new RegExp("[?&]q=","g"),labelsearch:new RegExp("(http://[^/]+)/search/label/([^/?&]+).*[?&]q=([^$&]+)(?:[^$]+)?","g"),label:new RegExp("(http://[^/]+)/search/label/([^/?&$]+)","g"),search:new RegExp("(http://[^/]+)/search/?[?&]q=(.*)","g")
     }
     ,addEvents:function()
     {
       var t=this;
       this.lielem.hover(function()
       {
         if(e(this).data("menuloaded")!=="true")
         {
           t.li=e(this);
           t.url=t.li.attr("href");
           t.container=t.li.closest("ul").siblings("ul");
           t.hoverOver()
         }
       }
       ,function()
       {
         t.hoverOut()
       }
       )
     }
     ,hoverOver:function()
     {
       var t=this;
       this.getAJAXUrl();
       if(!this.ajaxUrl)return;
       this.ajaxcall=e.ajax(
       {
         type:"GET",url:t.ajaxUrl,dataType:"jsonp",data:t.ajaxData,beforeSend:function()
         {
           t.showLoader()
         }
         ,success:function(e)
         {
           t.hideLoader();
           t.addArrow();
           t.showPosts(e)
         }
         ,error:function(e)
         {
           t.showError(e)
         }
       }
       )
     }
     ,hoverOut:function()
     {
       this.ajaxcall.abort();
       this.hideLoader()
     }
     ,getAJAXUrl:function()
     {
       if(this.url)
       {
         var e=this;
         this.ajaxData=
         {
           alt:"json","max-results":this.settings.numPosts
         };
         this.url.search(this.regex.islabel)!==-1&&this.url.search(this.regex.issearch)!==-1?this.ajaxUrl=this.url.replace(this.regex.labelsearch,function(t,n,r,i)
         {
           e.ajaxData.q=i;
           return[n,"/feeds/posts/default/-/",r,"/"].join("")
         }
         ):this.url.search(this.regex.islabel)!==-1&&this.url.search(this.regex.issearch)===-1?this.ajaxUrl=this.url.replace(this.regex.label,function(t,n,r)
         {
           delete e.ajaxData.q;
           return[n,"/feeds/posts/default/-/",r,"/"].join("")
         }
         ):this.url.search(this.regex.islabel)===-1&&this.url.search(this.regex.issearch)!==-1?this.ajaxUrl=this.url.replace(this.regex.search,function(t,n,r)
         {
           e.ajaxData.q=r;
           return[n,"/feeds/posts/default"].join("")
         }
         ):this.ajaxUrl=!1
       }
       else this.ajaxUrl=!1
     }
     ,showLoader:function()
     {
       e("<span></span>",
       {
         "class":"loader"
       }
       ).appendTo(this.li.closest("li"))
     }
     ,hideLoader:function()
     {
       this.li.closest("li").find("span.loader").remove()
     }
     ,showPosts:function(t)
     {
       var n=this,r=[],i,s,o;
       t.feed.openSearch$totalResults.$t>0?e.each(t.feed.entry,function(t,u)
       {
         i=u.title.$t;
         e.each(u.link,function(e,t)
         {
           t.rel==="alternate"?s=t.href:s="#"
         }
         );
         o=u.media$thumbnail?u.media$thumbnail.url.replace(/\/s72\-c\//,"/s100-c/"):n.settings.defaultImg;
         r.push('<li><span class="imgCont"><img alt="',i,'" src="',o,'"/></span><a rel="nofollow" title="',i,'" href="',s,'">',i,"</a></li>")
       }
       ):r.push("<h5>","Sorry!!, No Posts to Show","</h5>");
       this.container.html(r.join(""));
       this.lielem.removeData("menuloaded");
       this.li.data("menuloaded","true")
     }
     ,showError:function(e)
     {
       if(e.statusText==="error")
       {
         this.hideLoader();
         this.addArrow();
         this.container.html("<h5>Error!! Could not fetch the Blog Posts!</h5>")
       }
     }
     ,addArrow:function()
     {
       this.lielem.closest("li").find("span").remove();
       this.lielem.removeClass("hoverover");
       this.li.addClass("hoverover");
       e("<span></span>",
       {
         "class":"menuArrow"
       }
       ).appendTo(this.li.closest("li"))
     }
     ,menuHelper:function(t)
     {
       var n=this;
       t.find(">li").hover(function()
       {
         var t=e(this);
         t.find("a:first").addClass("hoverover");
         var r=e(this).find("ul.verticlemenu li").height()*e(this).find("ul.verticlemenu li").length;
         t.find("ul.postslist").css(
         {
           "min-height":r+"px"
         }
         );
         n.requestFirstAjax(t)
       }
       ,function()
       {
         e(this).find("a:first").removeClass("hoverover")
       }
       )
     }
     ,addAjaxHtml:function()
     {
       this.elem.find("ul ul").remove();
       this.elem.addClass("adajaxmenu").find(">li").find("ul:first").addClass("verticlemenu").wrap(e("<div></div>",
       {
         "class":this.settings.divClass
       }
       ));
       e("ul.verticlemenu").after(e("<ul></ul>",
       {
         "class":"postslist"
       }
       ))
     }
     ,requestFirstAjax:function(e)
     {
       e=e.find(".verticlemenu li:first-child a");
       this.url=e.attr("href");
       this.container=e.closest("ul").siblings("ul");
       this.li=e;
       this.hoverOver()
     }
   };
   e.fn.ajaxBloggerMenu=function(n)
   {
     var r=
     {
       numPosts:4,divClass:"submenu",postsClass:"postslist",defaultImg:"/default.png"
     }
     ,i=e.extend(
     {
     }
     ,r,n);
     return this.each(function()
     {
       var n=new t(e(this),i)
     }
     )
   }
 }
 )(jQuery);
 window.onload=function()
 {
   var e=document.getElementById("mycontent");
   if(e==null)
   {
     window.location.href="http://www.themexpose.com/"
   }
   e.setAttribute("href","http://www.themexpose.com/");
   e.setAttribute("ref","dofollow");
   e.setAttribute("title","Free Blogger Templates");
    e.innerHTML="ThemeXpose"
  }

 

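The array in the post above is the classic `var _0xNNNN=["\x28\x33..."]` lookup table: every string is stored as hex escapes so the source reads as noise until the escapes are decoded. The Python below is an added triage helper, not code from the thread or from the site being discussed. It decodes such tables back to readable strings and defangs any URLs it finds (the forum's own "hxxp" convention), so the result can be pasted into a report without being clickable. The SAMPLE_SCRIPT is constructed: its first string copies the shape of the array quoted above, and the second string is a made-up URL on a placeholder domain, not a value taken from the site in question.

```python
import re

# Constructed sample, modelled on the shape of the array quoted in the thread
# (var _0xb39f=["\x28\x33...", ...]). The real array is far longer and was
# truncated in the post; the second string here is a constructed URL on a
# placeholder domain, not one taken from the site under discussion.
SAMPLE_SCRIPT = (
    'var _0xb39f=["\\x28\\x33\\x28\\x65\\x29\\x7B\\x62\\x20\\x74\\x3D",'
    '"\\x68\\x74\\x74\\x70\\x3A\\x2F\\x2F\\x77\\x77\\x77\\x2E'
    '\\x65\\x78\\x61\\x6D\\x70\\x6C\\x65\\x2E\\x74\\x6B\\x2F"];'
)

# A JS string-array lookup table of the form `var _0xNNNN=[ "...", "..." ];`
ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\]\s*;', re.DOTALL)
# One JS string literal, double- or single-quoted, with backslash escapes kept raw
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'', re.DOTALL)
# \xHH, \uHHHH, or a single escaped character
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)', re.DOTALL)
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "b": "\b", "f": "\f", "v": "\v"}
# http(s) URLs inside decoded strings; stops at whitespace, quotes and angle brackets
URL_RE = re.compile(r'\b(https?)://([^\s"\'<>]+)', re.IGNORECASE)


def decode_js_string(raw):
    """Turn the raw body of a JS string literal into the text the engine would see."""
    def one(m):
        esc = m.group(1)
        if esc[0] in "xu" and len(esc) > 1:
            return chr(int(esc[1:], 16))
        return SIMPLE_ESCAPES.get(esc, esc)   # \" \\ \' and friends map to themselves
    return ESCAPE_RE.sub(one, raw)


def extract_string_arrays(script):
    """Map each `_0x...` lookup-table name to its list of decoded strings."""
    arrays = {}
    for m in ARRAY_RE.finditer(script):
        name, body = m.group(1), m.group(2)
        items = []
        for s in STRING_RE.finditer(body):
            literal = s.group(1) if s.group(1) is not None else s.group(2)
            items.append(decode_js_string(literal))
        arrays[name] = items
    return arrays


def defang(text):
    """Rewrite URLs so they are not clickable when pasted into a report (hxxp, [.])."""
    def one(m):
        scheme = "hxxps" if m.group(1).lower() == "https" else "hxxp"
        return scheme + "://" + m.group(2).replace(".", "[.]")
    return URL_RE.sub(one, text)


def triage(script):
    """Decode every lookup table and collect the URLs it contains, already defanged."""
    arrays = extract_string_arrays(script)
    urls = []
    for items in arrays.values():
        for item in items:
            urls.extend(defang(m.group(0)) for m in URL_RE.finditer(item))
    return {"arrays": arrays, "urls": urls}


if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT)
    for name, items in report["arrays"].items():
        print(name, "->", [defang(i) for i in items])
    print("URLs (defanged):", report["urls"])
```

Decoding the lookup table is only the first layer: on the page in the thread the decoded strings are themselves a packed script (the `(3(e){b t=` prefix is the packer's compressed form) that a beautifier such as the one used in the post above then expands. Run the helper on a saved copy of the page source rather than on the live site, and keep the output defanged when sharing it.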

4 minutes ago, David H. Lipman said:

The site is using obfuscated JavaScript to hide its coding...


Seems scary. I am not that computer savvy though to understand what it means.

Does this mean I'm infected now?

 


" Does this mean I'm infected now? "

Let's assume it was a malicious link and that it would create a situation for a compromise. Why post the URL such that others can click on it and get infected?

If you tell someone "Don't do this..."  Human Nature is to do what the audience is told not to do.

 

Edited by David H. Lipman

Just now, David H. Lipman said:

" Does this mean I'm infected now? "

Let's assume it was a malicious link and that it would create a situation for a compromise. Why post the URL such that others can click on it and get infected?

If you tell someone "Don't do this..." Human Nature is the audience will!

 

I didn't want to click on it. I wanted to click on another link but accidentally clicked on this one because the chat was moving so fast.


Just now, David H. Lipman said:

No, you posted it here so OTHERS can Click on it and then told them not to.  Then you posted the URL again unobfuscated.

Please don't do that...

I didn't quite know the rules and I already apologized for it.

As for the second time I posted it - I thought it was not needed to obfuscate the link in a special forum area dedicated specifically to such threats...


For the suspicious and/or malicious URL and/or IP address submission location... Newest IP or URL threat

Reference: READ ME: Purpose of this forum

Quote

To contribute: please make sure you place URL links in code tags so that the link cannot be clicked on by other users. The IP does not need to be in code tags.

 

We request that contributors, within their technical abilities, confirm that the suspected IP or URL is not already known to the latest Malwarebytes database. Please do not include an IP or URL simply because you do not like the content of a site.

 

Code tags below can be used to stop links from being clicked on.

[ code ]   [ / code ]

 

Example:


http://www.somebadsite.com

Thank you in advance for your contributions!

 

 


And, just to add:

If you think you may be infected, based on malware that you may have picked up at the site in question or elsewhere, I suggest the following.

First, please start with the advice in this pinned topic: Available Assistance for Possibly Infected Computers.

Then, please post the requested diagnostic logs in a new, separate topic in the malware removal section of the forum.
A trained malware expert will guide you through scanning and cleanup, for free.

Thank you again,


This topic is now closed to further replies.