
cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Thu Dec 29, 2011 1:21 am
by aemiller
I was checking the load time of one of my sites. cdn.dsultra.com/js/registrar.js was a file I did not recognize. When I googled it, several hits came back saying this was suspicious. Does this belong on a Joomla site?

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Thu Dec 29, 2011 1:50 am
by aemiller
I just had a conversation with my webhost tech. This was his response.

Pavel Grivenko: There is nothing to worry about, it's a simple testing file.

you: That's helpful information. Thank you!

you: Can you tell me how it would have gotten into my site. Is this part of a Joomla installation? Or does it come from ixwebhosting?

Pavel Grivenko: It's a simple file that goes to your server (domain) for testing.

you: OK

Does this sound legit? Should I be worried? (I'm still wondering how the file got on my site?)

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Thu Dec 29, 2011 4:05 am
by kenmcd
.
You are being lied to.
That is not some benign testing file.
Looks like it is hiding advertising in a frame.

Contents of: h##p://cdn.dsultra#com/js/registrar.js


var domainname = window.location.hostname;
var google_afd_request = {
    client: 'ca-dp-oversee_ncd',
    domain_name: domainname,
    referrer: document.referrer,
    session_token: 'create'
};
var param_name = '';
var param_value = '';
var frame;

var registrar_frameset = function(params) {
    if (params['a_id']) {
        param_name = 'a_id';
    }
    else if (params['o_id']) {
        param_name = 'o_id';
    }
    param_value = params[param_name];
    frame = document.getElementById(params['frame']);

    if (!frame) {
        document.write('<title>' + domainname + '</title>\n');
        document.write('<meta name="keywords" content="' + domainname + '">\n');
        document.write('<meta name="description" content="' + domainname + '">\n');
    }

    var token_url = 'http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js';
    document.write('<script type="text/javascript" language="JavaScript" ' +
                   'src="' + token_url + '"></' + 'script>\n');
}

function google_afd_ad_request_done(response) {
    var url = 'http://dsnextgen#com/?domainname=' + domainname +
              (param_name ? ('&' + param_name + '=' + param_value) : '') +
              '&session_token=' + response.session_token;
    if (frame) {
        frame.name = domainname;
        frame.src = url;
    }
    else {
        document.write('<frameset rows="100%,*" frameborder="no" border="0" framespacing="0"><frame name="'
                       + domainname + '" src="' + url + '"/></frameset>');
    }
}



Looks like you should get rid of that hosting company as soon as possible.

.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Thu Dec 29, 2011 12:49 pm
by aemiller
Thank you for your help. Do you have any idea how it would get into my site? What can I do to get rid of it?

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Thu Dec 29, 2011 6:07 pm
by mandville
I would follow the safe recovery procedure after informing your host that interference with YOUR site by THEM without YOUR agreement could be dangerous and expensive.

Apart from the insertion of forced adverts, the site mentioned in the full JavaScript is flagged:

McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.

edit: both the urls in that script lead to malware dropping websites

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Thu Dec 29, 2011 9:57 pm
by aemiller
Mandville - Thank you! I'm submitting a help ticket / protest letter to ixwebhosting. I'll keep you posted.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Fri Dec 30, 2011 2:33 pm
by RedEye
AdSense for Domains (AFD) from Google is used in that script and it seems that ixwebhosting is not the only host who uses this. If there is nothing in their Terms & Conditions about that, then this is not legal from your host, at least not in my country.
Here is another thread on that, here the hosting company is HostMonster.
http://www.[red dit].com/r/techsupport/com ... have_been/

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Fri Dec 30, 2011 3:42 pm
by brian
Legal or illegal, it doesn't really matter. It's your web site and nothing should go on your web site that you didn't put there yourself.

Time to get a new host!!

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Fri Dec 30, 2011 4:03 pm
by aemiller
Here's the most recent response from the ixwebhosting tech support -

We are extremely apologizing for the inconveniences. Unfortunately, we can't know all malware code and due to this such mistakes are possible, but we are really sorry about it. Please supply us with the URL of the page where we can find the mentioned included code and our security department will help you to handle this issue.

It looks like they are recognizing that their tech was wrong.

FYI - I have not found this code on any of the other four sites I have hosted there.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Fri Dec 30, 2011 7:52 pm
by aemiller
[attachment: screenshot.churchhistory.aembz.us.jpg]
This was the latest response from ixwebhosting and my response to them.

They said - Let me please inform you, that we checked your account, but found nothing suspicious. We also could not find reference to cdn.dsultra.com/js/registrar.js script on weddings.aembz.us; alsweb.aembz.us; churchhistory.aembz.us sites. Please re-check it once again. If you still find it on your sites, please provide us direct url link to the page infected. We will check it for you once again.

I wrote - Here are the screenshots from http://site-perf.com that shows the file being loaded. Is it possible that this is a link to an external site? Do you have any suggestions on how I might find this link? Do I just need to delete everything and start over?

I'm also posting the screenshots here. What is your advice?

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Fri Dec 30, 2011 8:28 pm
by RedEye
Read the link I posted, and check your 404 pages and you will see it, still there.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Fri Dec 30, 2011 9:40 pm
by aemiller
RedEye - I had read that link earlier. I see some similarities but could not follow all of it. How do I check the 404 pages?

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Fri Dec 30, 2011 10:08 pm
by RedEye
Just enter a link that does not exist: http://alsweb.aembz.us/xxx http://weddings.aembz.us/xxx
There is a post where it says "...it is included in all 404 pages as well as on default pages for customers who have not uploaded content yet..." Same with your sites, which means they will not find anything in your account but will find it in their skeleton.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Fri Dec 30, 2011 10:57 pm
by aemiller
Thank you RedEye. Here is my last post to ixwebhosting

This is looking more and more like either incompetence or dishonesty. Check out the 404 code at http://alsweb.aembz.us/xxx. The skeleton code supplied by ixwebhosting is:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>

<meta name="revisit-after" content="10">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="text/javascript" language="JavaScript"
src="http://cdn.dsultra.com/js/registrar.js"></script>

<script type="text/javascript" language="JavaScript">
registrar_frameset({a_id: 48873}); // edit this to pass your portfolio ID
</script>

</head>
</html>
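The check RedEye describes (request a path that does not exist and look at what the host's own 404 page pulls in) is easy to automate across several domains. The script below is an added example for this thread, not code from the forum, from Joomla or from the hosting company. It parses a 404 body, lists every script loaded from a host other than the site itself, flags the hosts named in this thread, and spots the `registrar_frameset(` loader call. The embedded sample is the 404 skeleton quoted above; the `fetch_404_body` helper, the `/xxx` path and the `KNOWN_AD_HOSTS` set are this example's own choices.

```python
"""Audit a site's 404 page for third-party scripts (added example, not from the thread).

Usage:  python audit_404.py alsweb.aembz.us weddings.aembz.us
Without arguments it runs against SAMPLE_404 (the skeleton quoted in the thread).
"""
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that appear in registrar.js and the 404 skeleton posted in the thread.
KNOWN_AD_HOSTS = {"cdn.dsultra.com", "dsnextgen.com", "pagead2.googlesyndication.com"}

# The 404 skeleton as posted in the thread (sample input for offline runs).
SAMPLE_404 = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta name="revisit-after" content="10">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script type="text/javascript" language="JavaScript"
src="http://cdn.dsultra.com/js/registrar.js"></script>
<script type="text/javascript" language="JavaScript">
registrar_frameset({a_id: 48873}); // edit this to pass your portfolio ID
</script>
</head>
</html>"""


class ScriptParser(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def external_scripts(html, site_host):
    """Script URLs whose host differs from site_host. Relative paths (no host) are same-site."""
    parser = ScriptParser()
    parser.feed(html)
    result = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for "/media/foo.js"; set for http:// and // URLs
        if host and host.lower() != site_host.lower():
            result.append(src)
    return result


def audit_404(html, site_host):
    """Summarise what a 404 body loads: external scripts, known ad hosts, loader calls."""
    parser = ScriptParser()
    parser.feed(html)
    external = external_scripts(html, site_host)
    flagged = [u for u in external if urlparse(u).hostname.lower() in KNOWN_AD_HOSTS]
    loader_calls = [s for s in parser.inline if "registrar_frameset(" in s]
    return {"external": external, "known_ad_hosts": flagged, "loader_calls": loader_calls}


def fetch_404_body(site_host, path="/xxx", timeout=10):
    """Request a non-existent path and return (status, body). 404s arrive as HTTPError."""
    req = urllib.request.Request("http://%s%s" % (site_host, path),
                                 headers={"User-Agent": "404-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            status, body = fetch_404_body(host)
            print(host, status, audit_404(body, host))
    else:
        print("alsweb.aembz.us (sample)", audit_404(SAMPLE_404, "alsweb.aembz.us"))
```

Nothing in the account's own files will show up in this check; what it reports is whatever the host serves for a path the customer never created, which is exactly where the thread found the script. A site with its own custom 404 page (a Joomla template error page, for instance) would return an empty `external` list unless the template itself loads third-party scripts.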

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Mon Jan 02, 2012 11:03 pm
by aemiller
Here is the most recent reply from ixwebhosting. This is really very, very poor.

I'm sorry for the possible misunderstanding during your chat session and the previous ticket replies. The mentioned pages are no malicious, but our custom error pages for the no-existing customers' pages. Per our terms of service:
IX Web Hosting reserves the right to supply content-enriched pages, including but not limited to search engines, advertisements, directory links, etc., for non-existent user pages that are served by IX Web Hosting to requesting sources. These pages include error pages (i.e. 404 Not Found), new account place-holder pages, unused domains and suspended user sites.

All users of IX Web Hosting services have the option of creating their own error pages and content pages. Unless created by the user, such pages will default to the IX Web Hosting provided content.

Should you have any further questions, please feel free to contact us anytime, we are available 24/7.
Technical Support
24*7 Helpdesk / Online Chat
Alex Karamushko


And my response was
"I'm sorry for the possible misunderstanding during your chat session and the previous ticket replies. The mentioned pages are no malicious,"

I know of no polite way to respond. You win the prize for both dishonesty and incompetence!

"it's a simple testing file" . . . "We also could not find reference to cdn.dsultra.com/js/registrar.js script on weddings.aembz.us; alsweb.aembz.us; churchhistory.aembz.us sites." . . . "Most probably this is advertisement from http://site-perf.com/ site. There is no link to cdn.dsultra.com/js/registrar.js file on your sites." . . . "The mentioned pages are no malicious"

Google, Bluecoat K-9 and McAfee all flag this as a suspicious file. They have far more credibility than you. You have lost a loyal customer. I have also been posting this conversation on the Joomla forum at viewtopic.php?f=621&t=684752.

In addition to this site aembz.us, I am also the webmaster for four other sites currently hosted by ixwebhosting. I will be moving all five sites as soon as I possibly can.

Again, I am deeply offended by the dishonest, incompetent behavior of ixwebhosting.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Mon Jan 02, 2012 11:17 pm
by mandville
I will have to say at this point, please do not turn this into a WOS discussion. It is also now a candidate for moving away from security, as it's not a security issue, or locking as appropriate.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Mon Jan 02, 2012 11:21 pm
by aemiller
WOS discussion?

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Posted: Mon Jan 02, 2012 11:42 pm
by mandville
The topic has been locked at the OP request

edit to add: wos= Wall of Shame