My spidey sense are freakin buzzin big time on this one.

F

Fred

- - The Problem - -

I'm using DreamWeaver MX 2004 to update disjointed rollovers on a web
page for a client of mine in Wilmington Delaware (yea, its the state
you never remembered in high school). Any way when I test the pages on
my PC everything works fine but............when I post the file to the
server and view it with either IE (version 6.0.2900) and FireFox
(version 1.5.0.4) a single JavaScript call gets inserted into the
page.

Here's the call.

<script language='javascript'
src='http://127.0.0.1:1027/js.cgi?pca&r=11020'></script>

THIS FREAKS ME OUT!

Does any one know what the heck is going on. I've executed some
Googles on this line of code and have come up with nothing.

I would have never found the issue in the first place if it was not
for the page loading properly. There is this funky code called
this....

op_stop(); ;op_start();

that put a hault to page in the middle of the download.



- - - More Information

When I hit the URL http://127.0.0.1:1027/js.cgi?pca&r=11020
I get this script.

var blockedReferrer = 'blockedReferrer';
NS_ActualWrite=document.write;
// Popup Blocker -->
RanPostamble=0;
NS_ActualOpen=window.open;
function NS_NullWindow(){this.window;}
function nullDoc() {
this.open = NS_NullWindow;
this.write = NS_NullWindow;
this.close = NS_NullWindow;
}
function NS_NewOpen(url,nam,atr){
if((nam!='' && nam==window.name) || nam=='_top'){
return(NS_ActualOpen(url,nam,atr));}
obj=new NS_NullWindow();
obj.focus = NS_NullWindow;
obj.blur = NS_NullWindow;
obj.opener = this.window;
obj.document = new nullDoc();
return(obj);
}
function NS_NullWindow2(){this.window;}
function NS_NewOpen2(url,nam,atr){
if((nam!='' && nam==window.name) || nam=='_top'){
return(NS_ActualOpen(url,nam,atr));}
return(new NS_NullWindow2());
}
function op_stop() { NS_ActualOpen2=window.open;
window.open=NS_NewOpen2; }
function op_start() { window.open=NS_ActualOpen2; }
function noopen_load() {
op_stop(); if(zl_orig_onload) zl_orig_onload(); op_start();
}
function noopen_unload() { op_stop(); if(zl_orig_onunload)
zl_orig_onunload(); op_start(); }
function postamble() {

if(!RanPostamble) {
RanPostamble=1;
zl_orig_onload = window.onload;
zl_orig_onunload = window.onunload;
window.open=NS_ActualOpen;
}
}
window.open=NS_NewOpen;
document.ignore = new Object();



- - Ino Found on the Bad IP - -


I've executed several IP searches and have come up pretty much empty.

All I can conclusively say is that IP address registrar is.....
whois.ripe.net

I wonder if this name is related to http://ripe.net/
I'm willing to be they are. When I executed a reverse dns on this name
I discovered that these mothers are through holy grail of shitty
registrars Network Solutions. All ripe.net's details are hidden.


Does ANYONE know what the heck this problem is? Is it a virus? has my
system been compromised? Where the heck do I start.










http://www.webhostingtalk.com/showthread.php?threadid=387710
 
P

Phil Weldon

'Fred' wrote, in part:
| when I post the file to the
| server and view it with either IE (version 6.0.2900) and FireFox
| (version 1.5.0.4) a single JavaScript call gets inserted into the
| page.
|
| <script language='javascript'
| src='http://127.0.0.1:1027/js.cgi?pca&r=11020'></script>
|
| THIS FREAKS ME OUT!
..
..
| - - - More Information
|
| When I hit the URL http://127.0.0.1:1027/js.cgi?pca&r=11020
| I get this script.
..
..
| I wonder if this name is related to http://ripe.net/
| I'm willing to be they are. When I executed a reverse dns on this name
| I discovered that these mothers are through holy grail of shitty
| registrars Network Solutions. All ripe.net's details are hidden.
|
|
| Does ANYONE know what the heck this problem is? Is it a virus? has my
| system been compromised? Where the heck do I start.
_____

WHAT IP address? 127.0.0.1 is just a loop back to the same machine and 1027
is just a port on the same machine.
127.0.0.1 is 'local host', YOU.

Nothing you posted is in any way related to RIPE NCC or any other registrar.
RIPE NCC is one of the five Regional Internet Registries; far from being
'ripe.net' details being hidden, RIPE NCC has a large website (and enables
Internet address management for its region; Europe, the Middle East, and
Central Asia.) ARIN does the same for North America.

http://127.0.0.1:1027/js.cgi?pca&r=11020 is not a valid URL, just a loop
back.

The URL you cite
<http://www.webhostingtalk.com/showthread.php?threadid=387710>
seems to have no connection with your post.

You ask 'Where the heck should I start?'
Over would be a good place.
Follow the general principles of protection against malware.
Be sure of your 'facts'.
Only you have the context of the script you posted, so the interpretation is
up to you, but I can tell you that 'local host' (127.0.0.1) in the 'Hosts'
file is used to block malicious websites, pop-ups, and cookies.

Hope this helps.

Phil Weldon




|
|
| - - The Problem - -
|
| I'm using DreamWeaver MX 2004 to update disjointed rollovers on a web
| page for a client of mine in Wilmington Delaware (yea, its the state
| you never remembered in high school). Any way when I test the pages on
| my PC everything works fine but............when I post the file to the
| server and view it with either IE (version 6.0.2900) and FireFox
| (version 1.5.0.4) a single JavaScript call gets inserted into the
| page.
|
| Here's the call.
|
| <script language='javascript'
| src='http://127.0.0.1:1027/js.cgi?pca&r=11020'></script>
|
| THIS FREAKS ME OUT!
|
| Does any one know what the heck is going on. I've executed some
| Googles on this line of code and have come up with nothing.
|
| I would have never found the issue in the first place if it was not
| for the page loading properly. There is this funky code called
| this....
|
| op_stop(); ;op_start();
|
| that put a hault to page in the middle of the download.
|
|
|
| - - - More Information
|
| When I hit the URL http://127.0.0.1:1027/js.cgi?pca&r=11020
| I get this script.
|
| var blockedReferrer = 'blockedReferrer';
| NS_ActualWrite=document.write;
| // Popup Blocker -->
| RanPostamble=0;
| NS_ActualOpen=window.open;
| function NS_NullWindow(){this.window;}
| function nullDoc() {
| this.open = NS_NullWindow;
| this.write = NS_NullWindow;
| this.close = NS_NullWindow;
| }
| function NS_NewOpen(url,nam,atr){
| if((nam!='' && nam==window.name) || nam=='_top'){
| return(NS_ActualOpen(url,nam,atr));}
| obj=new NS_NullWindow();
| obj.focus = NS_NullWindow;
| obj.blur = NS_NullWindow;
| obj.opener = this.window;
| obj.document = new nullDoc();
| return(obj);
| }
| function NS_NullWindow2(){this.window;}
| function NS_NewOpen2(url,nam,atr){
| if((nam!='' && nam==window.name) || nam=='_top'){
| return(NS_ActualOpen(url,nam,atr));}
| return(new NS_NullWindow2());
| }
| function op_stop() { NS_ActualOpen2=window.open;
| window.open=NS_NewOpen2; }
| function op_start() { window.open=NS_ActualOpen2; }
| function noopen_load() {
| op_stop(); if(zl_orig_onload) zl_orig_onload(); op_start();
| }
| function noopen_unload() { op_stop(); if(zl_orig_onunload)
| zl_orig_onunload(); op_start(); }
| function postamble() {
|
| if(!RanPostamble) {
| RanPostamble=1;
| zl_orig_onload = window.onload;
| zl_orig_onunload = window.onunload;
| window.open=NS_ActualOpen;
| }
| }
| window.open=NS_NewOpen;
| document.ignore = new Object();
|
|
|
| - - Ino Found on the Bad IP - -
|
|
| I've executed several IP searches and have come up pretty much empty.
|
| All I can conclusively say is that IP address registrar is.....
| whois.ripe.net
|
| I wonder if this name is related to http://ripe.net/
| I'm willing to be they are. When I executed a reverse dns on this name
| I discovered that these mothers are through holy grail of shitty
| registrars Network Solutions. All ripe.net's details are hidden.
|
|
| Does ANYONE know what the heck this problem is? Is it a virus? has my
| system been compromised? Where the heck do I start.
|
|
|
|
|
|
|
|
|
|
| http://www.webhostingtalk.com/showthread.php?threadid=387710
|
 
M

mzlindyone

All I can conclusively say is that IP address registrar is.....
whois.ripe.net
Click to expand...

127.0.0.1 is localhost - your own computer. Referring back to
localhost is a method used by many content & URL blocking programs,
like popup blockers and "net nanny" type content monitors. Could also
be Dreamweaver is adding something to the upload. That's just some
suggestions for possible non-malicious causes.

However, do you have an antivirus program? If not, why not?? Without
one you're endangering not only your computer but your clients'
livelihoods.

You could also try your question in alt.www.webmaster - they'd know
more about what the javascript is doing.

Carol
 
E

edgewalker

Fred said:
I've executed several IP searches and have come up pretty much empty.

All I can conclusively say is that IP address registrar is.....
whois.ripe.net
Click to expand...

You had them 'look up' themselves when you fed them 127.0.0.1

....your spidey sense needs tweaking bigtime.

Looks to me like a filtering proxy pop-up blocker, but I didn't look that
closely.
 
B

Befunge Sudoku

var blockedReferrer = 'blockedReferrer';
NS_ActualWrite=document.write;
// Popup Blocker -->
Click to expand...

I think that might be a clue. What firewall are you using?
 
Top