[resolved] Extratorrent

Discussion in 'Missed Ads' started by Nameless, Dec 3, 2014.

  1. Nameless

    Nameless Beta Tester

    Joined:
    Mar 19, 2014
    Messages:
    731
    Can not figre this out, soon as i double click a window is opened with an add.

    http://extratorrentlive.com/torrent...ing.Street.Siege.2014.BRRip.XviD.AC3-EVO.html

    I tried to block the following: bntags.com, show_ads_adsterra.js, mgid.com, dt07.net and eacdn.com but they all failed even checked my log and all i can find was this:

    Code:
    Address: http://betfred.mobi/siteservices/affiliate/tracking.ashx?Affid=30092&Btag=a_34999b_12989c_4247&target=http://promotions.betfred.com/media/casino/deposit-10-play-with-60/&btag=a_34999b_12989c_&affid=30092&siteid=34999&adid=12989&c=4247&utm_source=30092&utm_medium=Pops&utm_term=d10p60&utm_content=Casino&utm_campaign=Media&AutoRedirect=1&entrypoint=1
    Time: 12/03/2014 17:45:23
    Status: Request blocked
    Request details:
    
    The request was sent from the following web page:
    http://activewin.adsrv.eacdn.com/C.ashx?btag=a_34999b_12989c_&affid=30092&siteid=34999&adid=12989&c=4247&utm_source=30092&utm_medium=Pops&utm_term=d10p60&utm_content=Casino&utm_campaign=Media&AutoRedirect=1&IAref=http%3A%2F%2Fwww.nsdfsfi1q8asdasdzz.com%2Fads%3Fkey%3D6510e769e2a24926da3298d2db66200f%26scrWidth%3D1280%26scrHeight%3D1024%26tz%3D0
    
    The request was blocked by the following filtering rule:
    
    /tracking.ashx?
    
    
    Code:
    Address: http://activewin.adsrv.eacdn.com/T.ashx?btag=a_34999b_12989c_&affid=30092&siteid=34999&adid=12989&c=4247&utm_source=30092&utm_medium=Pops&utm_term=d10p60&utm_content=Casino&utm_campaign=Media&AutoRedirect=1&t=635532255224300000&AutoRedirect=1
    Time: 12/03/2014 17:45:23
    Status: Request processed
    Request details:
    
    The request was sent from the following web page:
    http://activewin.adsrv.eacdn.com/I.ashx?btag=a_34999b_12989c_&affid=30092&siteid=34999&adid=12989&c=4247&utm_source=30092&utm_medium=Pops&utm_term=d10p60&utm_content=Casino&utm_campaign=Media&AutoRedirect=1
    
    Bytes received: 305
    Bytes sent: 1244
    
    Im stumped.
     
  2. offguard

    offguard Beta Tester

    Joined:
    Dec 12, 2013
    Messages:
    44
    Try this.

    ||pl4350.anwufkjjja.com/6510e769e2a24926da3298d2db66200f.js
     
  3. Nameless

    Nameless Beta Tester

    Joined:
    Mar 19, 2014
    Messages:
    731
    Thanks offguard i have no idea where you found that i will have another look at the code tomorrow see if i can find where it was hidden im off bed now.

    I just added ||anwufkjjja.com as i doubt anything good will come from the domain.
     
  4. offguard

    offguard Beta Tester

    Joined:
    Dec 12, 2013
    Messages:
    44
    It was inline script, near the bottom of the page.

    adg0001.jpg

    Escaped code:

    Code:
        	    <script type="text/javascript">var _0xc250=["\x39\x2E\x38\x28\x22\x3C\x30\x20\x33\x3D\x27\x34\x5C\x2F\x35\x27\x20\x36\x3D\x27\x22\x2B\x28\x37\x2E\x32\x3D\x3D\x27\x31\x3A\x27\x3F\x27\x31\x3A\x27\x3A\x27\x61\x3A\x27\x29\x2B\x22\x2F\x2F\x62\x2E\x63\x2E\x64\x2F\x65\x2E\x66\x27\x3E\x3C\x5C\x2F\x30\x3E\x22\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x73\x63\x72\x69\x70\x74\x7C\x68\x74\x74\x70\x73\x7C\x70\x72\x6F\x74\x6F\x63\x6F\x6C\x7C\x74\x79\x70\x65\x7C\x74\x65\x78\x74\x7C\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x7C\x73\x72\x63\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x77\x72\x69\x74\x65\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x68\x74\x74\x70\x7C\x70\x6C\x34\x33\x35\x30\x7C\x61\x6E\x77\x75\x66\x6B\x6A\x6A\x6A\x61\x7C\x63\x6F\x6D\x7C\x36\x35\x31\x30\x65\x37\x36\x39\x65\x32\x61\x32\x34\x39\x32\x36\x64\x61\x33\x32\x39\x38\x64\x32\x64\x62\x36\x36\x32\x30\x30\x66\x7C\x6A\x73","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0x7c1ex1,_0x7c1ex2,_0x7c1ex3,_0x7c1ex4,_0x7c1ex5,_0x7c1ex6){_0x7c1ex5=function (_0x7c1ex3){return _0x7c1ex3.toString(_0x7c1ex2);} ;if(!_0xc250[5][_0xc250[4]](/^/,String)){while(_0x7c1ex3--){_0x7c1ex6[_0x7c1ex5(_0x7c1ex3)]=_0x7c1ex4[_0x7c1ex3]||_0x7c1ex5(_0x7c1ex3);} ;_0x7c1ex4=[function (_0x7c1ex5){return _0x7c1ex6[_0x7c1ex5];} ];_0x7c1ex5=function (){return _0xc250[6];} ;_0x7c1ex3=1;} ;while(_0x7c1ex3--){if(_0x7c1ex4[_0x7c1ex3]){_0x7c1ex1=_0x7c1ex1[_0xc250[4]]( new RegExp(_0xc250[7]+_0x7c1ex5(_0x7c1ex3)+_0xc250[7],_0xc250[8]),_0x7c1ex4[_0x7c1ex3]);} ;} ;return _0x7c1ex1;} (_0xc250[0],16,16,_0xc250[3][_0xc250[2]](_0xc250[1]),0,{}));</script>
    Unescaped code:

    Code:
    <script type="text/javascript">
        var _0xc250 = ["9.8(\"<0 3=\'4\\/5\' 6=\'\"+(7.2==\'1:\'?\'1:\':\'a:\')+\"//b.c.d/e.f\'><\\/0>\");", "|", "split", "script|https|protocol|type|text|javascript|src|location|write|document|http|[B][COLOR="#FF0000"]pl4350|anwufkjjja|com|6510e769e2a24926da3298d2db66200f|js[/COLOR][/B]", "replace", "", "\\w+", "\\b", "g"];
        eval(function(_0x7c1ex1, _0x7c1ex2, _0x7c1ex3, _0x7c1ex4, _0x7c1ex5, _0x7c1ex6) {
            _0x7c1ex5 = function(_0x7c1ex3) {
                return _0x7c1ex3.toString(_0x7c1ex2);
            };
            if (!_0xc250[5][_0xc250[4]](/^/, String)) {
                while (_0x7c1ex3--) {
                    _0x7c1ex6[_0x7c1ex5(_0x7c1ex3)] = _0x7c1ex4[_0x7c1ex3] || _0x7c1ex5(_0x7c1ex3);
                };
                _0x7c1ex4 = [function(_0x7c1ex5) {
                    return _0x7c1ex6[_0x7c1ex5];
                }];
                _0x7c1ex5 = function() {
                    return _0xc250[6];
                };
                _0x7c1ex3 = 1;
            };
            while (_0x7c1ex3--) {
                if (_0x7c1ex4[_0x7c1ex3]) {
                    _0x7c1ex1 = _0x7c1ex1[_0xc250[4]](new RegExp(_0xc250[7] + _0x7c1ex5(_0x7c1ex3) + _0xc250[7], _0xc250[8]), _0x7c1ex4[_0x7c1ex3]);
                };
            };
            return _0x7c1ex1;
        }(_0xc250[0], 16, 16, _0xc250[3][_0xc250[2]](_0xc250[1]), 0, {}));
    </script>
     
    Last edited: Dec 3, 2014
  5. Nameless

    Nameless Beta Tester

    Joined:
    Mar 19, 2014
    Messages:
    731
    Thanks for that offguard i see my problem i was using view source so didnt see that address.
    Guess this shows you should use the inspector as it shows more info.
     
  6. fanboy

    fanboy Member

    Joined:
    Oct 3, 2014
    Messages:
    110
  7. Nameless

    Nameless Beta Tester

    Joined:
    Mar 19, 2014
    Messages:
    731
    Nice one fanboy, and adguard when they add it =)
     
  8. Nameless

    Nameless Beta Tester

    Joined:
    Mar 19, 2014
    Messages:
    731
    Another one to add.
    When the page is loaded clicking anywhere on the page opens a popup. Blocking the url seems to fix this.

    ||uiqatnpooq.com (if you want the js name then its: 0f8b73d477b554394e23077935e1fff4.js)

     
  9. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    12,896
  10. Nameless

    Nameless Beta Tester

    Joined:
    Mar 19, 2014
    Messages:
    731
    No i have not, i shall check it out though thanks for the info.