Globo.com, one of the largest Brazilian web portals (ranked #107 on Alexa and #6 for Brazilian traffic) appears to be compromised and all visits to it are being redirected to a sub page inside pagesinxt.com. If you go to g1.globo.com (or any other of their sub domains), you will end up on a page full of ads about Hosting, Internet and fake email products:
That redirection has been going for a few hours at least and we detected it for the first time around 8am EST and it is still live four hours later (noon EST).
What is going on?
We are investigating, but at the bottom of any page inside google.com there is a script being loaded from sawpf.com:
<script defer src="httx://sawpf.com/1.0.js"></script>
window.location = httx://pagesinxt.com/?dn=sawpf.com&fp=3WBUwymfgey…
Who really owns your site?
Can you imagine if the author of the Easing Plugin was malicious? Instead of just that pop-up, they could have added a URL redirect to send all your users to any site they of their choosing (SPAM, porn, you name it). What if their server was hacked? The attackers could have added malware and it would have loaded to all your users.
*update 1: Lots of users on Twitter are complaining about it as well. Search for sawpf or pagesinxt to see the amount of people complaining or worried about it.
*update 2: If you click on some urls inside sawpf.com, you will be redirected to pagesinxt.com as well ( for example: httx://sawpf.com/libs/jquery/1.7.1.js )
I noted this last night at 11pm CST (USA) May 18th, 2013
Thank you very much for sharing Sucuri, much appreciated.
I’m very interested in that information, and will wait for the next information about it. thank you for the information you post.
spam ads is very common in the web, finding it and take it off
Thanks for sharing this.
Thanks for giving me the useful information