Vicious website.

Yesterday, I was going to jonnyguru to check some power supply reviews and accidentally typed johnnyguru.com and was greeted with malware ads.

I quickly exited Chrome and then tried the Avast Safezone browser with the same results.

All seemed fine, but today Chrome won’t open at all. I then ran Avast with no reports of anything bad. I decided to download Malwarebytes Anti-Malware and it found over 300 PUPs. I then wondered about Avast not finding them and quickly found it wasn’t enabled in settings. After enabling it, rebooting and rescanning, it found no issues.

So, I’m reporting johnnyguru.com is a bad site and seems to install malware automatically… I’m not sure what you guys can do about it. But I thought I’d bring up my experience.

I’ve reported the site to avast.
Someone from them will soon have a look at it.

I suggest you follow these instructions to have a good system check:
https://forum.avast.com/index.php?topic=53253.0

I couldn’t find anything malicious…
If the ads are installing anything without the user’s consent, I will be happy to block them :)
Do you have scanning for PUPs enabled in Avast?

We see conditional redirect: GoogleBot returned code 302 to -http://ww38.johnnyguru.com/
Google Chrome returned code 302 to -http://ww38.johnnyguru.com/

Consider: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fww38.johnnyguru.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1

The iFrame in the code has been blocked as hxxp://quickdomainfwd.com/?dn=johnnyguru.com&pid=9PO755G95
an ad- and tracking service that we like to block with any adblocker: hxtp://quickdomainfwd.com

Detected jQuery code: -http://ww38.johnnyguru.com
Detected libraries:
jquery - 2.1.4 : -http://d32ffatx74qnju.cloudfront.net/scripts/jquery-2.1.4.min.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
1 vulnerable library detected → http://www.domxssscanner.com/scan?url=http%3A%2F%2Fd32ffatx74qnju.cloudfront.net%2Fscripts%2Fjquery-2.1.4.min.js

And what do we detect there:


script
     info: [decodingLevel=0] found JavaScript
     error: line:3: SyntaxError: missing ) in parenthetical: *
          error: line:3: t?(n=g,o=g.documentElement,e=g.defaultView,e&&e!==e.top&&(e.addEventListener?e.addEventListener("unload",ea,!1):e.attachEvent&&e.attachEvent("onunload",ea)),p=!f(g),c.attributes=ja(function(a){return a.className="i",!a.getAttribute("className")}),c.ge
          error: line:3: ...........................................................^

  • Output of the server is invalid, caused by a typo in string concatenation, often this is a missing + (info credits StackOverflow’s przemo_li).
    May reveal innerHTML …localhost:/js, or the odd one out: localhost/js will kick up errors.

This is adding to the insecurity: https://sritest.io/#report/93efec09-14ed-4638-bc7d-5bddbc9f3ed3 : Missing SRI hash

polonus (volunteer website security analyst and website error-hunter)