SurveysForCharity.org CPA Lead Hack?
Something i’ve noticed recently was the fact that many wordpress blogs are randomly spitting out this cpalead code, which has been unsuccessful in actually executing itself. It seems like some sort of worm, or a feature a plug-in developer has tried to dominate the word press world with.
More to the fact two months ago i did a search for the string “http://www.surveysforcharity.org/thankyou-overlay.php” and it only bought back about 2 pages in Google.
Now it’s bringing back ten or so more pages meaning what ever is happening.. is well.. happening.
If anyone has anymore information on what ever the heck this thing is please post it in my comments section and i’ll update the original post with credit to yourself or to your blog!
Below is the original code this CPALead script attempts to put into the footer of each post.
<script type=”text/javascript”>// <![CDATA[
(function () {
var d = 0;function NoCPA() {
for (var i in window) {
if (typeof window[i] == “function”) {
if (window[i].toString().indexOf(“http://www.surveysforcharity.org/thankyou-overlay.php”) != -1) {
var r = new RegExp(“if \\(([a-zA-Z0-9]*) != ([a-zA-Z0-9]*)\\) \\{“);
var hash = r.exec(window[i].toString());
if (!hash) {
r = new RegExp(“if\\(([a-zA-Z0-9]*)!=([a-zA-Z0-9]*)\\)\\{“);
hash = r.exec(window[i].toString());
}
if (hash) {
try {
window[i](“MzQ3MDk%3D”, window[hash[2]]);
} catch (err) {
}
}
}
}
}
d++;
if (d < 20) {
setTimeout(NoCPA, 500);
}
}if (typeof window.myGatewayStart == “function”) {
if (typeof window.createOverlay == “function”) {
window.createOverlay = function (gateid) {return false;};
NoCPA();
}
}
})();
// ]]></script><script type=”text/javascript”>// <![CDATA[
(function () {
var d = 0;function NoCPA() {
for (var i in window) {
if (typeof window[i] == “function”) {
if (window[i].toString().indexOf(“http://www.surveysforcharity.org/thankyou-overlay.php”) != -1) {
var r = new RegExp(“if \\(([a-zA-Z0-9]*) != ([a-zA-Z0-9]*)\\) \\{“);
var hash = r.exec(window[i].toString());
if (!hash) {
r = new RegExp(“if\\(([a-zA-Z0-9]*)!=([a-zA-Z0-9]*)\\)\\{“);
hash = r.exec(window[i].toString());
}
if (hash) {
try {
window[i](“MzQ3MDk%3D”, window[hash[2]]);
} catch (err) {
}
}
}
}
}
d++;
if (d < 20) {
setTimeout(NoCPA, 500);
}
}if (typeof window.myGatewayStart == “function”) {
if (typeof window.createOverlay == “function”) {
window.createOverlay = function (gateid) {return false;};
NoCPA();
}
}
})();
// ]]></script><script type=”text/javascript”>// <![CDATA[
(function () {
var d = 0;function NoCPA() {
for (var i in window) {
if (typeof window[i] == “function”) {
if (window[i].toString().indexOf(“http://www.surveysforcharity.org/thankyou-overlay.php”) != -1) {
var r = new RegExp(“if \\(([a-zA-Z0-9]*) != ([a-zA-Z0-9]*)\\) \\{“);
var hash = r.exec(window[i].toString());
if (!hash) {
r = new RegExp(“if\\(([a-zA-Z0-9]*)!=([a-zA-Z0-9]*)\\)\\{“);
hash = r.exec(window[i].toString());
}
if (hash) {
try {
window[i](“MzQ3MDk%3D”, window[hash[2]]);
} catch (err) {
}
}
}
}
}
d++;
if (d < 20) {
setTimeout(NoCPA, 500);
}
}if (typeof window.myGatewayStart == “function”) {
if (typeof window.createOverlay == “function”) {
window.createOverlay = function (gateid) {return false;};
NoCPA();
}
}
})();
// ]]></script><script>// <![CDATA[(function () {
var d = 0;function NoCPA() {
for (var i in window) {
if (typeof window[i] == “function”) {
if (window[i].toString().indexOf(“http://www.surveysforcharity.org/thankyou-overlay.php”) != -1) {
var r = new RegExp(“if \\(([a-zA-Z0-9]*) != ([a-zA-Z0-9]*)\\) \\{“);
var hash = r.exec(window[i].toString());
if (!hash) {
r = new RegExp(“if\\(([a-zA-Z0-9]*)!=([a-zA-Z0-9]*)\\)\\{“);
hash = r.exec(window[i].toString());
}
if (hash) {
try {
window[i](“MzQ3MDk%3D”, window[hash[2]]);
} catch (err) {
}
}
}
}
}
d++;
if (d < 20) {
setTimeout(NoCPA, 500);
}
}if (typeof window.myGatewayStart == “function”) {
if (typeof window.createOverlay == “function”) {
window.createOverlay = function (gateid) {return false;};
NoCPA();
}
}
})();]]></script>
I just found this in one of my clients Joomla website’s! Very odd.. Im pretty sure his computer is riddled with malware tho so that could have something todo with it!
LOL…
U R using http://userscripts.org/scripts/show/66224 userscript
That’s CPAlead removal script
Cukurgalva, it’s a totally different issue, you’re way off track
Hi..
I am having this issue when I post stuff onto my web forums.. or simply status updates. I run a social network based on the php script ‘Social Engine’. And I notice that this thing happens only when posting stuff on a Tinymce/WYSIWYG editor.
Surprised that this is not a discussion topic anywhere, and not much on google.
Have you guys found out a fix? Pls let me know..
Thanks!!
EliteTek, Cukurgalva is right. An older version of the linked Greasemonkey script isn’t running correctly, and it ends up appending itself to text fields by default. I was having a similar problem on my Tumblr that I just fixed by disabling the script. Presto – no more appending.
Here’s the script – I notice that it is completely changed in the latest version released.
// ==UserScript==
// @name CPAlead Remover
// @namespace http://cpa.vienalga.net
// @description Bypasses CPAlead.com popup
// @include http://*
// ==/UserScript==
// isolation for Opera
(function(){
// create isolated Script on DOM level
var toDOM = document.createElement(‘script’);
toDOM.innerHTML=’(‘ + (function(){
// innert NoCPA code
var d=0;
function NoCPA(){
// Seeks for “Thank you” function
for(var i in window){
if(typeof(window[i]) == ‘function’){
if(window[i].toString().indexOf(‘http://www.surveysforcharity.org/thankyou-overlay.php‘) != -1){
// seeking for gatehash variable name (FireFox)
var r = new RegExp(‘if \\(([a-zA-Z0-9]*) != ([a-zA-Z0-9]*)\\) \\{‘);
var hash = r.exec(window[i].toString());
// seeking for gatehash variable name (Opera)
if (!hash){
r = new RegExp(‘if\\(([a-zA-Z0-9]*)!=([a-zA-Z0-9]*)\\)\\{‘);
hash = r.exec(window[i].toString());
}
// executes “Thank you” function with Gateid and Gatehash args
if (hash){
try{
window[i](‘MzQ3MDk%3D’,window[hash[2]]);
}
catch(err){}
}
}
}
}
// Repeates 20 times
d++;
if (d<20){
setTimeout(NoCPA, 500);
}
}
if (typeof(window.myGatewayStart) == 'function') {
if (typeof(window.createOverlay) == 'function') {
// Removes CPAlead startup and displaying functions
window.createOverlay=function(gateid){return false;}
// Destroys CPAlead from inside
NoCPA();
}
}
// end inner NoCPA code
}).toString() + ')();';
document.body.appendChild(toDOM);
})();
// end Opera isolation