Possible session hijacking?


I noticed upon viewing the source of some websites the same code is in the source code of whatever page I'm viewing. I've checked quite a bit of pages to make sure it's not the website, and it's not. At the top of the page, the following code is displayed:

<script type="text/javascript" id="2f2a695a6afce2c2d833c706cd677a8e" src=""></script>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="Content-Script-Type" content="text/javascript">
<script type="text/javascript">
function getCookie(c_name) { // Local function for getting a cookie value
    if (document.cookie.length > 0) {
        c_start = document.cookie.indexOf(c_name + "=");
        if (c_start!=-1) {
        c_start=c_start + c_name.length + 1;
        c_end=document.cookie.indexOf(";", c_start);

        if (c_end==-1) 
            c_end = document.cookie.length;

        return unescape(document.cookie.substring(c_start,c_end));
    return "";
function setCookie(c_name, value, expiredays) { // Local function for setting a value of a cookie
    var exdate = new Date();
    document.cookie = c_name + "=" + escape(value) + ((expiredays==null) ? "" : ";expires=" + exdate.toGMTString()) + ";path=/";
function getHostUri() {
    var loc = document.location;
    return loc.toString();
setCookie('YPF8827340282Jdskjhfiw_928937459182JAX666', '*MY IP HERE*', 10);
location.hre = getHostUri();

What brought this to my attention is on a site where it requires me to put an encrypted PIN in to continue on is outputting the PIN in plain text, rather encrypted. I viewed-source the page and I noticed it's replacing the:

<input type="password">


<input type="passwod">

I double checked the legitimate file and it's spelled correctly. It also works for my colleagues as well. This isn't just happening on Google Chrome, it's happening on all browsers such as Opera, IE, Chrome, and Firefox.

Things I've attempted to do to troubleshoot the issue:
- System Restore.
- Cleared cookies in Chrome.
- Ran Malwarebytes (detected loads and removed malicious files).
- Ran ComboFix (detected loads and removed malicious files) ~ I was referred to this topic:
- Ran SpyBot (detected loads and removed malicious files).
- Ran SUPERAntiSpyware (detected loads and removed malicious files).

At the end of all of this troubleshooting, I'm still left with this problem and it's really confusing me. Hopefully someone here can help me.

3 answers Last reply Best Answer
More about session hijacking
  1. UPDATE: Fixed this, apparently something with "ScorpianSaver" was found in my Program Files and I had to use Unlocker to the kill the process. It deleted everything except "Adpeak.exe" was deleted then upon reboot by Unlocker, its been deleted. I attempted to go to the websites and it was fixed. :)
  2. Hi.
    The same thing in the html-frames, affecting all browsers, in one machine of a fellow employee.
    No other machine seems affected.
    All browser extensions removed, AntiVirus found nothing, but it's still there.
    And: some of the pages with that "feature" seems to break html code in the middle.
    No idea if it's related.
  3. Best answer
    We just seemed to solve that issue:
    the affected computer had a "scorpions" screensaver installed, not detected by any spybot or antivirus.
    The user couldn't recall having installed anything like this - and no screen-saving was actually done.
    If you find an unknown screensaver in your installed programs: remove it and restart computer.
Ask a new question

Read More

Javascript Document Cookie Windows Vista