Recently I had a security incident where ... / 2013-12-18

2013-12-18 Recently I had a security incident where ...
Recently I had a security incident where a site was flagged as hosting malware but it took quite some searching to find the actual source of the problem. Access with a windows webbrowser with Avast security gave a big fat security alert mentioning 'js-hideme-h trj'.

I couldn't find the offending code until I checked the site with Sucuri SiteCheck website security scanner which found:
Known javascript malware.
Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState(); 
This is a bit of obfuscated javascript code. Some more searching found the full code:
autson javascript
Sorry about the inline image for this code but I found out some virus scanners don't like even the text version of this javascript code. Also available: autson javascript obfuscated css. When your virusscanner stops you from accessing that javascript: look for a virusscanner that doesn't protect your browser from code which wants to mislead search-engine bots.
To run this bit of code in spidermonkey I need to change the document.write to print and test it:
koos@vm-u-04:~$ js test.js
<style undefined>.dnn{position:absolute;top:-9999px}</style>
Now that is CSS (cascading style sheet) code to hide a bit of page from the browser (outside the viewport) and this is indeed a sign of evil SEO (search engine optimization) tricks happening. There was only one link after that bit of css, and it was:
<p class="dnn">By A <a href="http://www.autson.com/" title="web design company">Web Design</a></p>
Which indeed uses that CSS class dnn. A websearch for 'autson.com' found me Malicious Joomla Extensions which explains the problem more clearly and shows that in a different version of the extension the code to be shown is fetched from a server which means even worse code can be included.

Be careful with your joomla (or other CMS) plugins.

Tags: , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newsitem.cgi,v 1.55 2021/11/09 13:09:49 koos Exp $ in 0.006267 seconds.