2013-12-18
Recently I had a security incident where a site was flagged as hosting malware, but it took quite some searching to find the actual source of the problem. Access with a Windows web browser with Avast security gave a big fat security alert mentioning 'js-hideme-h trj'. I couldn't find the offending code until I checked the site with the Sucuri SiteCheck website security scanner, which found:

```
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
```

This is a bit of obfuscated JavaScript code. Some more searching found the full code:
[Image: the full obfuscated JavaScript code]
Sorry about the inline image for this code, but I found out some virus scanners don't like even the text version of this JavaScript code. Also available: autson javascript obfuscated css. When your virus scanner stops you from accessing that JavaScript: look for a virus scanner that doesn't protect your browser from code which wants to mislead search-engine bots.
To run this bit of code in SpiderMonkey I need to change the `document.write` to `print` and test it:

```
koos@vm-u-04:~$ js test.js
<style undefined>.dnn{position:absolute;top:-9999px}</style>
```

Now that is CSS (cascading style sheet) code to hide a bit of the page from the browser (outside the viewport), and this is indeed a sign of evil SEO (search engine optimization) tricks happening. There was only one link after that bit of CSS, and it was:

```
<p class="dnn">By A <a href="http://www.autson.com/" title="web design company">Web Design</a></p>
```

Which indeed uses that CSS class `dnn`. A web search for 'autson.com' found me Malicious Joomla Extensions, which explains the problem more clearly and shows that in a different version of the extension the code to be shown is fetched from a server, which means even worse code can be included. Be careful with your Joomla (or other CMS) plugins.
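To audit other pages for the same pattern, the check can be automated. The following is an added example, not code from the original post: it takes page HTML together with the deobfuscated `<style>` output and reports links that sit inside an element whose class is positioned far outside the viewport. The function names and the three-digit negative-offset threshold are assumptions, and the sample input is constructed from the snippets shown above.

```javascript
// Added example: flag links inside elements whose CSS class is pushed off-screen.
// Regex-based triage for audits; not a full HTML/CSS parser (nested tags may be missed).

// Constructed sample: the deobfuscated <style> output plus the link from the post.
const SAMPLE = [
  '<style undefined>.dnn{position:absolute;top:-9999px}</style>',
  '<p class="intro">Welcome to <a href="/about">our site</a></p>',
  '<p class="dnn">By A <a href="http://www.autson.com/" title="web design company">Web Design</a></p>',
].join('\n');

// Collect class names whose rule positions content far outside the viewport.
function offscreenClasses(html) {
  const classes = new Set();
  const styleRe = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
  const ruleRe = /\.([\w-]+)\s*\{([^}]*)\}/g;
  for (const style of html.matchAll(styleRe)) {
    for (const [, name, body] of style[1].matchAll(ruleRe)) {
      const positioned = /position\s*:\s*(absolute|fixed)/i.test(body);
      const farAway = /(top|left|right|bottom)\s*:\s*-\d{3,}/i.test(body); // assumed threshold
      if (positioned && farAway) classes.add(name);
    }
  }
  return classes;
}

// Report every link found inside an element that carries an off-screen class.
function findHiddenLinks(html) {
  const hidden = offscreenClasses(html);
  const findings = [];
  const elemRe = /<(\w+)\b[^>]*\bclass\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/\1>/gi;
  const linkRe = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi;
  for (const [, , classAttr, inner] of html.matchAll(elemRe)) {
    const hit = classAttr.split(/\s+/).find((c) => hidden.has(c));
    if (!hit) continue;
    for (const link of inner.matchAll(linkRe)) {
      findings.push({ cssClass: hit, href: link[1] });
    }
  }
  return findings;
}

console.log(findHiddenLinks(SAMPLE));
```

Because the style rule is written by `document.write` at load time, a scan of the static page source alone will not see it; feed the function the rendered DOM or append the deobfuscated output first.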