cdn.dsultra.com/js/registrar.js - is this suspicious?

Discussion regarding Joomla! 2.5 security issues.

Moderators: mandville, General Support Moderators

aemiller
Joomla! Hero
Joomla! Hero
Posts: 2301
Joined: Sat Aug 29, 2009 3:08 am
Location: Akron PA
Contact:

cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by aemiller » Thu Dec 29, 2011 1:21 am

I was checking the load time of one of my sites. cdn.dsultra.com/js/registrar.js was a file I did not recognize. When I googled it, several hits came back saying this was suspicious. Does this belong on a Joomla site?

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by aemiller » Thu Dec 29, 2011 1:50 am

I just had a conversation with my webhost tech. This was his response.

Pavel Grivenko: There is nothing to worry about, it's a simple testing file.

you: That's helpful information. Thank you!

you: Can you tell me how it would have gotten into my site. Is this part of a Joomla installation? Or does it come from ixwebhosting?

Pavel Grivenko: It's a simple file, that going to your server (domain) for testing.

you: OK

Does this sound legit? Should I be worried? (I'm still wondering how the file got on my site?)

kenmcd
Joomla! Champion
Joomla! Champion
Posts: 5672
Joined: Thu Aug 18, 2005 2:09 am
Location: California
Contact:

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by kenmcd » Thu Dec 29, 2011 4:05 am

You are being lied to.
That is not some benign testing file.
Looks like it is hiding advertising in a frame.

Contents of: h##p://cdn.dsultra#com/js/registrar.js

var domainname = window.location.hostname;
var google_afd_request = {
    client: 'ca-dp-oversee_ncd',
    domain_name: domainname,
    referrer: document.referrer,
    session_token: 'create'
};
var param_name = '';
var param_value = '';
var frame;

var registrar_frameset = function(params) {
    if (params['a_id']) {
        param_name = 'a_id';
    }
    else if (params['o_id']) {
        param_name = 'o_id';
    }
    param_value = params[param_name];
    frame = document.getElementById(params['frame']);

    if (!frame) {
        document.write('<title>' + domainname + '</title>\n');
        document.write('<meta name="keywords" content="' + domainname + '">\n');
        document.write('<meta name="description" content="' + domainname + '">\n');
    }

    var token_url = 'http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js';
    document.write('<script type="text/javascript" language="JavaScript" ' +
                   'src="' + token_url + '"></' + 'script>\n');
}

function google_afd_ad_request_done(response) {
    var url = 'http://dsnextgen#com/?domainname=' + domainname +
              (param_name ? ('&' + param_name + '=' + param_value) : '') +
              '&session_token=' + response.session_token;
    if (frame) {
        frame.name = domainname;
        frame.src = url;
    }
    else {
        document.write('<frameset rows="100%,*" frameborder="no" border="0" framespacing="0"><frame name="'
                       + domainname + '" src="' + url + '"/></frameset>');
    }
}

Looks like you should get rid of that hosting company as soon as possible.

Last edited by mandville on Thu Dec 29, 2011 6:08 pm, edited 1 time in total.
Reason: replaced urls with # to break link
██ LibreTraining

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by aemiller » Thu Dec 29, 2011 12:49 pm

Thank you for your help. Do you have any idea how it would get into my site? What can I do to get rid of it?

mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by mandville » Thu Dec 29, 2011 6:07 pm

I would follow the safe recovery procedure after informing your host that interference with YOUR site by THEM without YOUR agreement could be dangerous and expensive.

Apart from the insertion of forced adverts, the site mentioned in the full JScript is flagged:

McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.

edit: both the URLs in that script lead to malware-dropping websites
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by aemiller » Thu Dec 29, 2011 9:57 pm

Mandville - Thank you! I'm submitting a help ticket / protest letter to ixwebhosting. I'll keep you posted.

RedEye
Joomla! Ace
Joomla! Ace
Posts: 1460
Joined: Sat Jan 21, 2006 8:42 pm

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by RedEye » Fri Dec 30, 2011 2:33 pm

AdSense for Domains (AFD) from Google is used in that script and it seems that ixwebhosting is not the only host who uses this. If there is nothing in their Terms & Conditions about that, then this is not legal from your host, at least not in my country.
Here is another thread on that, here the hosting company is HostMonster.
http://www.[red dit].com/r/techsupport/com ... have_been/

brian
Joomla! Master
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by brian » Fri Dec 30, 2011 3:42 pm

Legal or illegal, it doesn't really matter. It's your web site and nothing should go on your web site that you didn't put there yourself.

Time to get a new host!!
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by aemiller » Fri Dec 30, 2011 4:03 pm

Here's the most recent response from the ixwebhosting tech support -

We are extremely apologizing for the inconveniences. Unfortunately, we can't know all malware code and due to this such mistakes are possible, but we are really sorry about it. Please supply us with the url to the page there we can find mentioned included code and our security department will help you to handle this issue.

It looks like they are recognizing that their tech was wrong.

FYI - I have not found this code on any of the other four sites I have hosted there.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by aemiller » Fri Dec 30, 2011 7:52 pm

This was the latest response from ixwebhosting and my response to them.

They said - Let me please inform you, that we checked your account, but found nothing suspicious. We also could not find reference to cdn.dsultra.com/js/registrar.js script on weddings.aembz.us; alsweb.aembz.us; churchhistory.aembz.us sites. Please re-check it once again. If you still find it on your sites, please provide us direct url link to the page infected. We will check it for you once again.

I wrote - Here are the screenshots from http://site-perf.com that shows the file being loaded. Is it possible that this is a link to an external site? Do you have any suggestions on how I might find this link? Do I just need to delete everything and start over?

I'm also posting the screenshots here. What is your advice?

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by RedEye » Fri Dec 30, 2011 8:28 pm

Read the link I posted, and check your 404 pages and you will see it, still there.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by aemiller » Fri Dec 30, 2011 9:40 pm

RedEye - I had read that link earlier. I see some similarities but could not follow all of it. How do I check the 404 pages?

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by RedEye » Fri Dec 30, 2011 10:08 pm

Just enter a link that does not exist: http://alsweb.aembz.us/xxx http://weddings.aembz.us/xxx
There is a post where it says "...it is included in all 404 pages as well as on default pages for customers who have not uploaded content yet...". It is the same on your sites, which means they will not find anything in your account but will find it in their skeleton.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by aemiller » Fri Dec 30, 2011 10:57 pm

Thank you RedEye. Here is my last post to ixwebhosting

This is looking more and more like either incompetence or dishonesty. Check out the 404 code at http://alsweb.aembz.us/xxx. The skeleton code supplied by ixwebhosting is

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>

<meta name="revisit-after" content="10">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="text/javascript" language="JavaScript"
src="http://cdn.dsultra.com/js/registrar.js"></script>

<script type="text/javascript" language="JavaScript">
registrar_frameset({a_id: 48873}); // edit this to pass your portfolio ID
</script>

</head>
</html>
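
Added example (not part of the original thread and not any poster's code): a Python check for what RedEye describes above, listing script and frame sources on an error page that are served from hosts other than the site's own. The function name, the `allowed_hosts` parameter and the constructed `CUSTOM_404` page are assumptions; `SAMPLE_404` is the body quoted in the post above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements whose src makes the browser fetch and run or render remote content.
SRC_TAGS = {"script", "iframe", "frame"}


class SrcCollector(HTMLParser):
    """Collect (tag, src) for every script, iframe and frame element."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in SRC_TAGS and src:
            self.found.append((tag, src.strip()))


def third_party_sources(page_url, body, allowed_hosts=()):
    """Return (tag, host, url) for sources not served by the site or allow-list."""
    trusted = {urlparse(page_url).hostname, *(h.lower() for h in allowed_hosts)}
    collector = SrcCollector()
    collector.feed(body)
    hits = []
    for tag, src in collector.found:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ forms
        host = urlparse(absolute).hostname
        if host and host not in trusted:
            hits.append((tag, host, absolute))
    return hits


# Body of the host's 404 page as quoted in the post above (meta tags omitted).
SAMPLE_404 = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html><head>
<script type="text/javascript" language="JavaScript"
src="http://cdn.dsultra.com/js/registrar.js"></script>
<script type="text/javascript" language="JavaScript">
registrar_frameset({a_id: 48873}); // edit this to pass your portfolio ID
</script>
</head></html>"""

# Constructed sample: a site-owned error page that loads only a local script.
CUSTOM_404 = '<html><head><script src="/js/site.js"></script></head><body>Not found</body></html>'

if __name__ == "__main__":
    for hit in third_party_sources("http://alsweb.aembz.us/xxx", SAMPLE_404):
        print("third-party source on error page:", hit)
```

To audit a live site, pass the response body of a request for a path that does not exist, since the thread shows the include lives in the host's default error page rather than in the account's own files.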

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by aemiller » Mon Jan 02, 2012 11:03 pm

Here is the most recent reply from ixwebhosting. This is really very, very poor.

I'm sorry for the possible misunderstanding during your chat session and the previous ticket replies. The mentioned pages are no malicious, but our custom error pages for the no-existing customers' pages. Per our terms of service:
IX Web Hosting reserves the right to supply content-enriched pages, including but not limited to search engines, advertisements, directory links, etc., for non-existent user pages that are served by IX Web Hosting to requesting sources. These pages include error pages (i.e. 404 Not Found), new account place-holder pages, unused domains and suspended user sites.

All users of IX Web Hosting services have the option of creating their own error pages and content pages. Unless created by the user, such pages will default to the IX Web Hosting provided content.

Should you have any further questions, please feel free to contact us anytime, we are available 24/7.
Technical Support
24*7 Helpdesk / Online Chat
Alex Karamushko

And my response was:

"I'm sorry for the possible misunderstanding during your chat session and the previous ticket replies. The mentioned pages are no malicious,"

I know of no polite way to respond. You win the prize for both dishonesty and incompetence!

"it's a simple testing file" . . . "We also could not find reference to cdn.dsultra.com/js/registrar.js script on weddings.aembz.us; alsweb.aembz.us; churchhistory.aembz.us sites." . . . "Most probably this is advertisement from http://site-perf.com/ site. There is no link to cdn.dsultra.com/js/registrar.js file on your sites." . . . "The mentioned pages are no malicious"

Google, Bluecoat K-9 and McAfee all flag this as a suspicious file. They have far more credibility than you. You have lost a loyal customer. I have also been posting this conversation on the Joomla forum at http://forum.joomla.org/viewtopic.php?f=621&t=684752.

In addition to this site aembz.us, I am also the webmaster for four other sites currently hosted by ixwebhosting. I will be moving all five sites as soon as I possibly can.

Again, I am deeply offended by the dishonest, incompetent behavior of ixwebhosting.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by mandville » Mon Jan 02, 2012 11:17 pm

I will have to say at this point, please do not turn this into a WOS discussion. It is also now a candidate for moving away from security, as it's not a security issue, or locking as appropriate.

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by aemiller » Mon Jan 02, 2012 11:21 pm

WOS discussion?

Re: cdn.dsultra.com/js/registrar.js - is this suspicious?

Post by mandville » Mon Jan 02, 2012 11:42 pm

The topic has been locked at the OP request

edit to add: wos= Wall of Shame