Recently I had a security incident where ... / 2013-12-18

2013-12-18 Recently I had a security incident where ... 6 years ago
Recently I had a security incident where a site was flagged as hosting malware but it took quite some searching to find the actual source of the problem. Access with a windows webbrowser with Avast security gave a big fat security alert mentioning 'js-hideme-h trj'.

I couldn't find the offending code until I checked the site with Sucuri SiteCheck website security scanner which found:
Known javascript malware.
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState(); 
This is a bit of obfuscated javascript code. Some more searching found the full code:
autson javascript
Sorry about the inline image for this code but I found out some virus scanners don't like even the text version of this javascript code. Also available: autson javascript obfuscated css. When your virusscanner stops you from accessing that javascript: look for a virusscanner that doesn't protect your browser from code which wants to mislead search-engine bots.
To run this bit of code in spidermonkey I need to change the document.write to print and test it:
koos@vm-u-04:~$ js test.js
<style undefined>.dnn{position:absolute;top:-9999px}</style>
Now that is CSS (cascading style sheet) code to hide a bit of page from the browser (outside the viewport) and this is indeed a sign of evil SEO (search engine optimization) tricks happening. There was only one link after that bit of css, and it was:
<p class="dnn">By A <a href="" title="web design company">Web Design</a></p>
Which indeed uses that CSS class dnn. A websearch for '' found me Malicious Joomla Extensions which explains the problem more clearly and shows that in a different version of the extension the code to be shown is fetched from a server which means even worse code can be included.

Be careful with your joomla (or other CMS) plugins.

Tags: , ,

, reachable as PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated in 0.004122 seconds.