General Question

Could someone with Linux tell me what Exploit Google is seeing on this site? [See Details].

Asked by ETpro (34605 points) July 8th, 2012

The owner of this site had already retained me to give his site a makeover and move it to the Yahoo! Merchant Solutions platform. Today, his site suddenly began showing a warning that there is malware hosted there that might pose a threat to site visitors. Here’s the Google warning. http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.spacetoys.com/

Please, don’t anyone visit the site unless you are certain you know how to do so safely. I’m reluctant to jump in there with a Windows-based system. If you have Linux that’s fully up to date and well insulated by a safe router and current AV software, could you hit http://www.spacetoys.com/ and tell me what Google is seeing?

Thanks.

6 Answers

jrpowell's avatar

No error from Google. Image

I did curl the site and Little Snitch tossed up something odd.

And I zipped up a good chunk of the site’s source for you to look through if you want. It is here.

jrpowell's avatar

Okay, odd. Every few times I try to load the page it hangs trying to connect to a site with a crazy URL. Screenshot here.

It is intermittent. Maybe one out of every ten tries. I googled the URL but didn’t come up with any results. I also grepped the source and couldn’t find a reference to the URL.

ETpro's avatar

OK, I was able to nail it. It’s a Mass Injection exploit using JavaScript. See here.

Thanks so much for the help. I don’t have FTP access, so the server admin will need to delete it.

elbanditoroso's avatar

javascript/common.js
javascript/cart/js

Both are infected with Exploit Blackhole Exploit Kit (type 2170) according to AVG.

jrpowell's avatar

Just a hunch.. This is the nasty line of code.

It is on line 318 in common.js

ETpro's avatar

@johnpowell & @elbanditoroso Thanks so much for the help. I have passed all the advice on to the fellow currently running the hosting service.
