• I’m using the latest version of WordPress and the latest version of the Weaver theme on my website: DebraWeiss.net. I wanted to tinker with the look some today and I found I had this coding in my source.

    I don’t recognize this code so I’m troubled. Here’s the coding:

    <script type='text/javascript' src='http://dtym7iokkjlif.cloudfront.net/dough/1.0/recipe.js'></script>

    And here’s a link to the complete JS online: http://pastebin.com/0zB8DtmA

    I’ve worked with WordPress before and I’m familiar with it. What I’m not familiar with is JavaScript. So I don’t know what this code means or what it does. Can someone explain to me?

    Thank you so much for any help you can offer.

    Debra

Viewing 13 replies - 1 through 13 (of 13 total)
  • Moderator cubecolour

    (@numeeja)

    It *could* be put in by a plugin. To find out, deactivate all of your active plugins to see whether the js is still there. If not, reactivate them again one by one checking for the code until it comes back to find out which one is putting that in.

    There are references to shareaholic in the js. That could be a red herring or it could be somehow related to the (very bloated) sexy bookmarks plugin.
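    The before/after comparison described in the reply above can be scripted. This is an added example, not part of the original thread: it lists the third-party hosts a page loads scripts from and reports which ones disappear once a plugin is deactivated. `SITE_HOST`, the function names and the two sample pages are assumptions made for the illustration; only the cloudfront script tag comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.test"  # assumption: placeholder for the site's own host


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def external_script_hosts(html, site_host=SITE_HOST):
    """Return the hosts, other than site_host and its subdomains, serving scripts."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host)
    return hosts


def hosts_removed_by_deactivation(html_before, html_after, site_host=SITE_HOST):
    """Hosts present with the plugin active but gone once it is deactivated."""
    before = external_script_hosts(html_before, site_host)
    return before - external_script_hosts(html_after, site_host)


# Constructed sample pages: the cloudfront tag is the one quoted in the thread,
# the rest of the markup is made up for this example.
PAGE_PLUGIN_ACTIVE = """<html><head>
<script type='text/javascript' src='/wp-includes/js/jquery/jquery.js'></script>
<script type='text/javascript' src='http://dtym7iokkjlif.cloudfront.net/dough/1.0/recipe.js'></script>
</head><body></body></html>"""
PAGE_PLUGIN_INACTIVE = """<html><head>
<script type='text/javascript' src='/wp-includes/js/jquery/jquery.js'></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(sorted(hosts_removed_by_deactivation(PAGE_PLUGIN_ACTIVE, PAGE_PLUGIN_INACTIVE)))
```

    Save the page source once with the plugin active and once after deactivating it, then pass both to `hosts_removed_by_deactivation` with your own host name.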

    The simple fact that a call for an external JS has been inserted into her blog without her being asked for it is enough proof: yes, you’ve been hacked.

    It’s time to change all your passwords, including your email and your web hosting and your FTP access and your SSH logins, to reinstall WordPress afresh after backing up just your database and your template unless it’s not a template you customized yourself anyway, etcetera, etcetera 🙁

    Well, I might be exaggerating, but not that much I’m afraid, cf the bible:
    http://codex.wordpress.org/FAQ_My_site_was_hacked

    Thread Starter Debra Weiss

    (@debraweiss)

    Thank you, cubecolour and sabinou1! It appears the website is fine and un-hacked. The culprit was Sexybookmarks. I changed a setting in the plugin and the code went away.

    One last question for ya, cubecolour, you mention that SexyBookmarks is bloated. Is there an alternative sharing plugin you’d recommend?

    Thank you both for your help!

    Moderator cubecolour

    (@numeeja)

    Sucuri reports the site as being clean – http://sitecheck.sucuri.net/scanner
    There are many similar plugins that do the same job with a tiny amount of code in comparison to SB.

    Moderator cubecolour

    (@numeeja)

    To add to my previous post, I can’t suggest a specific plugin as I don’t actually use one for my site builds. I put together my own solution (example at http://bit.ly/byxpOl) which has share & bookmark links on posts that look like the output from sexyBookmarks and work much the same, however my version doesn’t have any admin panel and is implemented with just a few lines within my custom functionality plugin, a customised version of the sprite graphic from sexyBookmarks and a chunk of CSS in the theme’s stylesheet. This functionality only requires linked graphics that change on mouseover, so is easy to implement in very little code. Unfortunately, as it’s integrated into the site without adding extra inline CSS or additional stylesheets, it’s not suitable to package up as a plugin for download.

    I’m having the same problem.
    I think it is caused by the Sexybookmarks plugin.

    Debra,

    Do you know which settings you changed to remove the error? I get the same error and have not been able to eliminate it. It doesn’t seem to hurt anything… But I want the error to go away regardless.

    Thanks,
    EUlkloss

    THAT is from SexyBookmarks!

    They use the code to track the users that visit your website and after that sell the information to 3rd party AD networks. In a few words, they make money with your users without your permission….

    I suggest you delete the plugin!
    Because even if you deactivate the “Track Performance” option there are still files that are loaded from this “mean” plugin.

    for more:
    http://wordpress.org/support/topic/plugin-sexybookmarks-email-bookmark-and-share-buttons-warning-unwanted-injection-of-tracking-code-selling-info-to-ad-networks

    http://wordpress.org/support/topic/plugin-sexybookmarks-email-bookmark-and-share-buttons-make-your-3rd-party-tracking-and-privacy-policy-clear

    Isn’t cloudfront the CDN (Amazon) used by Sexy Bookmarks?

    It is, and it is doing what I described above!

    It is pulling a js file from a cdn instead of your site? The js is not run on your site, it is run within the client browser and yes has the settings required to share with all the possible social sites – am I missing something about what is well known already? It’s a Social Plugin…they all gather and use aggregated data, do they not? Just belonging to a social network does this also with your own data?

    I’m just saying that a part of the social networks… they are sending important data to AD & Tracking networks that will use these data to spam your email, later, or send you ADS in some way

    these are the sites:
    adnxs.com
    w55c.net

    and here you can read about them

    http://www.donottrackplus.com/trackers/adnxs.com.php
    http://google.com/safebrowsing/diagnostic?site=adnxs.com/

    w55c.net is a domain used by Lotame which is an advertising company that is part of a network of sites, cookies, and other technologies used to track you, what you do and what you click on, as you go from site to site, surfing the Web. Over time, sites like w55c.net can help make an online profile of you usually including the sites you visit, your searches, purchases, and other behavior. Your profile can then be exchanged and sold between various companies like w55c.net as well as being sold to other advertisers and marketers.

    @sabinou how often does a theme or plugin ask you before using an external file? Never. Many themes use css or js from other sites.

    @naidobria they are sending important data to AD & Tracking networks that will use these data to spam your email, later, or send you ADS in some way? How did you find this out? How do you know that they are sending data to ad and tracking networks *that will use the data to spam your email or send ads*??? It seems like a rather specific assumption which I could only assume would be based on evidence. If the plugin is making a call home, it will be in conflict with the plugin repository terms. However, it seems that jetpack does the same. If the plugin is sending your email address, they are not only breaking the repository terms, but they are also breaking the law.

  • The topic ‘Is My Website Hacked?’ is closed to new replies.