What does this warning about malicious JavaScript actually mean?

Not long ago, I was browsing this domain, htxp://tieba.baidu.com/, which is the Baidu forum.
When I was on htxp://tieba.baidu.com/p/3658693347, this warning (not from Avast) popped up:

Warning: Malicious javascript detected on this domain.
There is an "OK" button to click in the popup. What does this mean? Is Baidu being hacked? Or is this message fake?

Without knowing what gave you the pop-up, it is not possible to tell.
A screenshot of it could help.

Did a search and found it.

This warning arises from the ads Baidu puts on the site (not sure which specific one, as there are about 3-5 ads on one page).
It is related to a redirection to the following two sites:

  1. htxps://github.com/greatfire/
  2. htxps://github.com/cn-nytimes/

See details here: http://apple.stackexchange.com/questions/178471/safari-keeps-warning-malicious-javascript-detected-on-this-domain

GitHub cannot function well in China.
This only pops up when you go to a site that has Baidu ads AND you are not in mainland China.

Confirmed by the Chinese: htxp://zhidao.baidu.com/question/1575638718749399340.html (not suggested to go to Baidu websites now)
I didn't screenshot the popup. It just happens randomly on htxp://tieba.baidu.com/

Edit: Additional information: the following JS, htxp://hm.baidu.com/h.js, has been hijacked by something to launch a DDoS attack on github.com
Oops... clicked the quote button instead of the edit button :frowning:

You could use this to research it further: https://github.com/piwik/piwik/blob/master/tests/resources/extractSearchEngineInformationFromUrlTests.yml
You can get an established view of what is out there by skimming the code in a secure way: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Ftieba.baidu.com%2Fp%2F3658693347&useragentheader=&acceptheader=
We land at Ducky Adobe - caption viewer = http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http://tb1.bdstatic.com/tb/cms/ngmis/adsense/file_1427594805813.jpg&acceptheader=&useragentheader=
http://www.eeggs.com/items/45962.html

You certainly stumbled upon something there; this here is revealing info: http://insight-labs.org/?p=1682
The SSL connection is not hijacked - the HTTP connection was. Info credits: BadIRET漏洞利用 (BadIRET vulnerability exploitation)

polonus

Hello,

It is best to block all Baidu scripts until this massive DDoS threat can be resolved. Use an extension such as NoScript or NotScripts.

Donovan

See when it was blocked: http://www.greatfirewallofchina.org/index.php?siteurl=https%3A%2F%2Fgithub.com%2F
and here I get errors all the time: http://www.greatfirewallofchina.org/index.php?siteurl=https%2Fgithub.com
But as attached, we see DNS poisoning of github.com.

polonus

Hi Donovan and rickyyeung,

Recent update -

After 113 hours of being under constant DDoS attack, GitHub's defenses are holding. The attacks were aimed at making certain content unavailable. Probably so-called "scrubbers" from various scrubbing centers in London, Hong Kong, San Jose (California), Ashburn (Virginia), Frankfurt (Germany) and Tokyo (Japan) could alleviate these attacks to normalize traffic again with dedicated bandwidth.

I think scrubber services are going to play a further major role against these ongoing attacks, also seen in the light of online threats like this one, described here: http://www.newsweek.com/hacker-group-anonymous-threaten-israel-electronic-holocaust-317729

polonus

I remember that in the last incarnation of the Avast forum, when looking at the bottom of the index.php page, you could see members logged in, guests and spiders.

Well, if my memory serves me well, Baidu used to feature heavily in the numbers of search engine spiders. When the likes of Google, Yahoo and Microsoft used to have one or two spiders, Baidu had in the region of 90.

I don't know if there are settings to prevent spiders or if they just aren't reported.

Hi DavidR,

Regrettably, most spiders that cause trouble here feature their robots.txt specs only in Chinese, Japanese, Russian, or Korean.
Also, I assume the Baidu spider and the Great Firewall authorities work hand in foot. ;D
See: http://bgp.he.net/AS55967#_prefixes (for Baidu IP-ranges).

polonus

More HTTPS could have prevented this scenario from taking place, according to this in-depth analysis of the organized DDoS attack: https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack
Link article author = BILL BUDINGTON. Analysis: http://www.netresec.com/?page=Blog&month=2015-03&post=China's-Man-on-the-Side-Attack-on-GitHub, posted by the official GitHub blog.

polonus
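The two points made above (the HTTP fetch of hm.baidu.com/h.js was the part that got hijacked, not any SSL connection, and more HTTPS would have prevented it) come down to one check a site owner or a curious user can run on a saved page: which cross-origin script includes resolve to plaintext http:// and are therefore replaceable by an on-path injector. The block below is an added example for this thread, not code from the forum, from Baidu, GitHub or the linked analyses; the sample page, the host names in it and the BAIDU_BLOCKLIST are constructed for the demonstration and are not taken from the real page.

```javascript
// Added example (not code from the forum thread, Baidu, GitHub or the linked
// analyses): an offline check for the weakness the thread describes. A script
// include fetched over plaintext HTTP can be replaced in transit by a network
// injector; that is how hm.baidu.com/h.js was turned into a github.com DDoS
// payload in March 2015. Includes fetched over HTTPS were not affected.
// Host names and the sample page below are constructed for the demonstration.

const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Hosts the thread recommends blocking outright until the hijack is resolved
// (suffix match, so hm.baidu.com and tieba.baidu.com both match "baidu.com").
const BAIDU_BLOCKLIST = ['baidu.com', 'bdstatic.com'];

function hostBlocked(host, blocklist) {
  return blocklist.some((p) => host === p || host.endsWith('.' + p));
}

// Returns every cross-origin <script src> that resolves to http:// when the
// page is loaded from pageUrl. Relative and protocol-relative ("//host/x.js")
// sources inherit the page's scheme, so the same HTML is safe or unsafe
// depending on whether the page itself was served over HTTPS.
function findPlaintextThirdPartyScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const match of html.matchAll(SCRIPT_SRC_RE)) {
    let src;
    try {
      src = new URL(match[1], page);
    } catch (e) {
      continue; // malformed src attribute; the browser would fetch nothing
    }
    if (src.protocol !== 'http:') continue; // HTTPS includes cannot be swapped by an on-path injector
    if (src.host === page.host) continue;   // same-origin plaintext: the page itself is the weak link
    findings.push({
      host: src.host,
      url: src.href,
      raw: match[1],
      blocked: hostBlocked(src.host, BAIDU_BLOCKLIST),
    });
  }
  return findings;
}

// Constructed sample page: a forum-like page mixing first-party code, a
// protocol-relative analytics include, a plaintext ad script and an HTTPS CDN.
const SAMPLE_PAGE = `
<html><head>
<script src="/tb/static/common.js"></script>
<script type="text/javascript" src="//hm.baidu.com/h.js"></script>
<script src="http://tb1.bdstatic.com/tb/cms/adsense/ad.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const pageUrl of ['http://tieba.baidu.com/p/3658693347', 'https://tieba.baidu.com/p/3658693347']) {
    console.log(pageUrl);
    for (const f of findPlaintextThirdPartyScripts(SAMPLE_PAGE, pageUrl)) {
      console.log(`  plaintext third-party script ${f.url}${f.blocked ? '  [on blocklist]' : ''}`);
    }
  }
}
```

Run with node and the same HTML yields two plaintext third-party includes when the page is loaded over HTTP (the protocol-relative h.js include and the ad script) but only one when it is loaded over HTTPS: the protocol-relative include follows the page's scheme and is out of an injector's reach, while an explicit http:// URL stays plaintext no matter how the page itself was served. That is the narrower, checkable version of "more HTTPS would have prevented this".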

I have installed NoScript to disable all Baidu scripts, as well as to see which sites are running the Baidu statistics script. I observe an interesting trend though: most of the sites that used the "cnzz statistics script" have changed to using the "Baidu statistics script". 7k7k games (http://www.7k7k.com/) is one example, where I got the malicious script running before getting NoScript.

Sadly, I can't find any tool similar to NoScript for IE. Using IE, it does that again in the Baidu forum in the thread "p/3668178421" (well, you know the domain, as I gave it out at the very beginning). Don't know why it doesn't happen on every Baidu page, and going to the same site again doesn't run the malicious script.

Did a scan in urlquery for htxp://tieba.baidu.com/p/3668178421/, but the scan has been locked up for about 30 minutes already. Very sure that it is because of the JS script.

Any suggestion for a tool that I can use for blocking Baidu scripts in IE?