[resolved] Extratorrent

Nameless

Beta Tester
Cannot figure this out; as soon as I double-click, a window is opened with an ad.

http://extratorrentlive.com/torrent/3900557/He.Who.Dares.Downing.Street.Siege.2014.BRRip.XviD.AC3-EVO.html

I tried to block the following: bntags.com, show_ads_adsterra.js, mgid.com, dt07.net and eacdn.com, but they all failed. I even checked my log, and all I could find was this:

Code:
Address: http://betfred.mobi/siteservices/affiliate/tracking.ashx?Affid=30092&Btag=a_34999b_12989c_4247&target=http://promotions.betfred.com/media/casino/deposit-10-play-with-60/&btag=a_34999b_12989c_&affid=30092&siteid=34999&adid=12989&c=4247&utm_source=30092&utm_medium=Pops&utm_term=d10p60&utm_content=Casino&utm_campaign=Media&AutoRedirect=1&entrypoint=1
Time: 12/03/2014 17:45:23
Status: Request blocked
Request details:

The request was sent from the following web page:
http://activewin.adsrv.eacdn.com/C.ashx?btag=a_34999b_12989c_&affid=30092&siteid=34999&adid=12989&c=4247&utm_source=30092&utm_medium=Pops&utm_term=d10p60&utm_content=Casino&utm_campaign=Media&AutoRedirect=1&IAref=http%3A%2F%2Fwww.nsdfsfi1q8asdasdzz.com%2Fads%3Fkey%3D6510e769e2a24926da3298d2db66200f%26scrWidth%3D1280%26scrHeight%3D1024%26tz%3D0

The request was blocked by the following filtering rule:

/tracking.ashx?

Code:
Address: http://activewin.adsrv.eacdn.com/T.ashx?btag=a_34999b_12989c_&affid=30092&siteid=34999&adid=12989&c=4247&utm_source=30092&utm_medium=Pops&utm_term=d10p60&utm_content=Casino&utm_campaign=Media&AutoRedirect=1&t=635532255224300000&AutoRedirect=1
Time: 12/03/2014 17:45:23
Status: Request processed
Request details:

The request was sent from the following web page:
http://activewin.adsrv.eacdn.com/I.ashx?btag=a_34999b_12989c_&affid=30092&siteid=34999&adid=12989&c=4247&utm_source=30092&utm_medium=Pops&utm_term=d10p60&utm_content=Casino&utm_campaign=Media&AutoRedirect=1

Bytes received: 305
Bytes sent: 1244

I'm stumped.
 

Nameless

Beta Tester
Thanks, offguard. I have no idea where you found that. I will have another look at the code tomorrow to see if I can find where it was hidden. I'm off to bed now.

I just added ||anwufkjjja.com as I doubt anything good will come from the domain.
 

offguard

Beta Tester
It was an inline script, near the bottom of the page.


Escaped code:

Code:
    	    <script type="text/javascript">var _0xc250=["\x39\x2E\x38\x28\x22\x3C\x30\x20\x33\x3D\x27\x34\x5C\x2F\x35\x27\x20\x36\x3D\x27\x22\x2B\x28\x37\x2E\x32\x3D\x3D\x27\x31\x3A\x27\x3F\x27\x31\x3A\x27\x3A\x27\x61\x3A\x27\x29\x2B\x22\x2F\x2F\x62\x2E\x63\x2E\x64\x2F\x65\x2E\x66\x27\x3E\x3C\x5C\x2F\x30\x3E\x22\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x73\x63\x72\x69\x70\x74\x7C\x68\x74\x74\x70\x73\x7C\x70\x72\x6F\x74\x6F\x63\x6F\x6C\x7C\x74\x79\x70\x65\x7C\x74\x65\x78\x74\x7C\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x7C\x73\x72\x63\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x77\x72\x69\x74\x65\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x68\x74\x74\x70\x7C\x70\x6C\x34\x33\x35\x30\x7C\x61\x6E\x77\x75\x66\x6B\x6A\x6A\x6A\x61\x7C\x63\x6F\x6D\x7C\x36\x35\x31\x30\x65\x37\x36\x39\x65\x32\x61\x32\x34\x39\x32\x36\x64\x61\x33\x32\x39\x38\x64\x32\x64\x62\x36\x36\x32\x30\x30\x66\x7C\x6A\x73","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0x7c1ex1,_0x7c1ex2,_0x7c1ex3,_0x7c1ex4,_0x7c1ex5,_0x7c1ex6){_0x7c1ex5=function (_0x7c1ex3){return _0x7c1ex3.toString(_0x7c1ex2);} ;if(!_0xc250[5][_0xc250[4]](/^/,String)){while(_0x7c1ex3--){_0x7c1ex6[_0x7c1ex5(_0x7c1ex3)]=_0x7c1ex4[_0x7c1ex3]||_0x7c1ex5(_0x7c1ex3);} ;_0x7c1ex4=[function (_0x7c1ex5){return _0x7c1ex6[_0x7c1ex5];} ];_0x7c1ex5=function (){return _0xc250[6];} ;_0x7c1ex3=1;} ;while(_0x7c1ex3--){if(_0x7c1ex4[_0x7c1ex3]){_0x7c1ex1=_0x7c1ex1[_0xc250[4]]( new RegExp(_0xc250[7]+_0x7c1ex5(_0x7c1ex3)+_0xc250[7],_0xc250[8]),_0x7c1ex4[_0x7c1ex3]);} ;} ;return _0x7c1ex1;} (_0xc250[0],16,16,_0xc250[3][_0xc250[2]](_0xc250[1]),0,{}));</script>
Unescaped code:

Code:
<script type="text/javascript">
    var _0xc250 = ["9.8(\"<0 3=\'4\\/5\' 6=\'\"+(7.2==\'1:\'?\'1:\':\'a:\')+\"//b.c.d/e.f\'><\\/0>\");", "|", "split", "script|https|protocol|type|text|javascript|src|location|write|document|http|pl4350|anwufkjjja|com|6510e769e2a24926da3298d2db66200f|js", "replace", "", "\\w+", "\\b", "g"];
    eval(function(_0x7c1ex1, _0x7c1ex2, _0x7c1ex3, _0x7c1ex4, _0x7c1ex5, _0x7c1ex6) {
        _0x7c1ex5 = function(_0x7c1ex3) {
            return _0x7c1ex3.toString(_0x7c1ex2);
        };
        if (!_0xc250[5][_0xc250[4]](/^/, String)) {
            while (_0x7c1ex3--) {
                _0x7c1ex6[_0x7c1ex5(_0x7c1ex3)] = _0x7c1ex4[_0x7c1ex3] || _0x7c1ex5(_0x7c1ex3);
            };
            _0x7c1ex4 = [function(_0x7c1ex5) {
                return _0x7c1ex6[_0x7c1ex5];
            }];
            _0x7c1ex5 = function() {
                return _0xc250[6];
            };
            _0x7c1ex3 = 1;
        };
        while (_0x7c1ex3--) {
            if (_0x7c1ex4[_0x7c1ex3]) {
                _0x7c1ex1 = _0x7c1ex1[_0xc250[4]](new RegExp(_0xc250[7] + _0x7c1ex5(_0x7c1ex3) + _0xc250[7], _0xc250[8]), _0x7c1ex4[_0x7c1ex3]);
            };
        };
        return _0x7c1ex1;
    }(_0xc250[0], 16, 16, _0xc250[3][_0xc250[2]](_0xc250[1]), 0, {}));
</script>
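
The packed script above can be decoded without running it. This added example (not part of the original post) repeats the packer's token substitution on the template and word list quoted in the post, then derives the blocking rule from the decoded script URL. The function names and the last-two-labels domain reduction are assumptions, and only radix values up to 36 are handled.

```javascript
// Static decoder for the packed inline script quoted above: the same token
// substitution the eval() wrapper performs, but nothing is executed.

// Values copied from the post: _0xc250[0] (template) and _0xc250[3] (word list).
const TEMPLATE = String.raw`9.8("<0 3='4\/5' 6='"+(7.2=='1:'?'1:':'a:')+"//b.c.d/e.f'><\/0>");`;
const WORDS = 'script|https|protocol|type|text|javascript|src|location|write|document|http|pl4350|anwufkjjja|com|6510e769e2a24926da3298d2db66200f|js';
const RADIX = 16; // second argument of the packed call

function unpack(template, radix, words) {
  const dict = words.split('|');
  return template.replace(/\b\w+\b/g, (token) => {
    const index = parseInt(token, radix);
    // parseInt stops at the first invalid digit ("1g" -> 1), so require a
    // clean round trip before treating the token as a dictionary index.
    if (Number.isNaN(index) || index.toString(radix) !== token) return token;
    // An empty or missing slot means the word encodes to itself.
    return dict[index] || token;
  });
}

// Collect every "//host/" reference found in the decoded source.
function scriptHosts(decoded) {
  const hosts = new Set();
  for (const m of decoded.matchAll(/\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)\//gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// Naive "last two labels" reduction (assumption: no public-suffix handling),
// written in the ||domain form used in this thread.
function toFilterRule(host) {
  return '||' + host.split('.').slice(-2).join('.');
}

const decoded = unpack(TEMPLATE, RADIX, WORDS);
console.log(decoded);
console.log(scriptHosts(decoded).map(toFilterRule));
```

The hostname only exists after substitution, which is why searching the page source for the ad domain finds nothing.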
 

Nameless

Beta Tester
Thanks for that, offguard. I see my problem: I was using view source, so I didn't see that address.
Guess this shows you should use the inspector as it shows more info.
 

Nameless

Beta Tester
Another one to add.
When the page is loaded clicking anywhere on the page opens a popup. Blocking the url seems to fix this.

||uiqatnpooq.com (if you want the JS name then it's: 0f8b73d477b554394e23077935e1fff4.js)

request said:
Address: http://pl105715.uiqatnpooq.com/0f8b73d477b554394e23077935e1fff4.js
Time: 04/03/2015 13:32:46
Status: Request processed
Request details:

The request was sent from the following web page:
http://extratorrent.cc/torrent/4119107/The.Girl.Is.in.Trouble.2015.HDRip.XViD-ETRG.html

Bytes received: 3380
Bytes sent: 370
 