Possible malvertising scripts in forum


Soliloquist
Velociraptor

Joined: 13 Oct 2011
Age: 55
Gender: Male
Posts: 467

21 Oct 2018, 5:56 am

Admin

These scripts are present in the Search page, User Access Control page, and about half of the forums.
If a forum is affected it seems that every page contains the following scripts
which can be found in “primarycontent” and “pagecontent” respectively:

Code:
<div class="horizontalad" style="display:inline-block;width:225px;height:90px;">
<script id="mNCC" language="javascript">  medianet_width='160';  medianet_height= '90';  medianet_crid='639511893';  </script> <script id="mNSC" src="https://qsearch-a.akamaihd.net/nmedianet.js?cid=8CUHL05MI" language="javascript"></script>
</div>


Code:
<p style="text-align: center;">
<script id="mNCC" language="javascript">  medianet_width='468';  medianet_height= '60';  medianet_crid='808913025';  </script> <script id="mNSC" src="https://qsearch-a.akamaihd.net/nmedianet.js?cid=8CUHL05MI" language="javascript"></script>
</p>


After script execution, iframes to display adverts are dynamically created and placed at the
top of the page and appended to the panel at the bottom of the first message, replacing
the Google ads that are normally present there.
The script seems to be using contextual advertising and real-time bidding to select the
adverts to be displayed to the user and delivering them through media.net.

The iframe that is created on the panel at the bottom of the first message of the page
has a width and height of 0, so it's hidden from the user.
The iframe is sandboxed but has the following restrictions lifted, which suggests its purpose
is one of popup advert delivery:

Code:
allow-forms                       allows form submission.
allow-popups                      allows popups (window.open(), showModalDialog(), target="_blank", etc.).
allow-pointer-lock                re-enables the API (mouse movement capture).
allow-same-origin                 allows the document to maintain its origin
                                  (popup windows will retain access to the origin's data).
allow-scripts                     allows JavaScript execution, and also allows features to trigger automatically
                                  (as they'd be trivial to implement via JavaScript).
allow-popups-to-escape-sandbox    new popup windows can be spawned without forcing any
                                  sandboxing flags upon them.



Although both akamaihd.net and media.net are legitimate domains they have
both been used to serve malware in the past and are on malvertising blocklists.

Members

These are third-party scripts, so they are easy to block without compromising the site's functionality.

ScriptSafe and NoScript

By default both ScriptSafe and NoScript will block all scripts on the page, but with
ScriptSafe set to "allow" and NoScript set to "trusted" for Wrongplanet.net, they will allow
inline scripts to run while blocking third-party script execution.

uBlock Origin

uBlock Origin also has script blocking capabilities.
To use this you have to open the dashboard and select "I am an advanced user".

Image

Now clicking on the uBlock icon will give the option to block scripts.

Image

To block these scripts, click on the right-hand column of 3rd-party scripts
so it shows red and then click on the padlock to save the changes.
(Left-hand column is a global rule, right-hand column is local to the website you are currently viewing).

I’ve updated the malware removal tool that I created to remove the previous
malicious script infection, to include these two scripts.
This tool will notify of the presence of the scripts before removing them,
so it can be used as a visual diagnostic tool to determine what parts of the forum are affected.
If wanted it can be downloaded from here:

https://soliloquist.droppages.com
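The uBlock Origin clicks described in the post have a text equivalent that can be pasted into the dashboard's "My filters" tab. The rules below are an added example, not from the post or from uBlock Origin's own documentation; the hostnames are the ones quoted above, and the per-site scoping is an assumption about what the poster wants (block the loader on this forum without affecting other sites).

```text
! Block the ad loader by exact path, on every site
||qsearch-a.akamaihd.net/nmedianet.js$script

! Narrower: block any script from the loader's host, only while on this forum
||akamaihd.net^$script,domain=wrongplanet.net

! Same effect as the red 3rd-party scripts cell in the site column
*$script,third-party,domain=wrongplanet.net
```

The last line is the static-filter form of the dynamic rule `wrongplanet.net * 3p-script block` that the column click creates under "My rules". A hosts-file entry, by contrast, can only take out a whole hostname (qsearch-a.akamaihd.net in this case), with no way to scope it to one site or one path.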
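The post above identifies the injected loader by its host and the hidden iframe by its size and sandbox flags. The following scanner, added here as an example and not part of the original post or the forum's own tooling, turns those observations into a check that runs under Node against a page's HTML: it finds script tags loaded from the named hosts, and flags 0x0 iframes whose sandbox attribute combines flags that defeat the sandbox (allow-scripts with allow-same-origin lets a same-origin framed document strip its own sandbox; allow-popups with allow-popups-to-escape-sandbox means opened windows carry no sandbox). The sample page is constructed from the two snippets quoted in the post plus an iframe written the way the post describes; its src is about:blank because the post does not give the real one. Tag parsing is a small regex tokenizer sufficient for these snippets, not a full HTML parser.

```javascript
// Added example: scan page HTML for the injected ad loader and for hidden,
// loosely sandboxed iframes. Node only, no DOM required.

// Hosts the post identifies as serving the injected scripts and adverts.
const SUSPECT_HOSTS = ['qsearch-a.akamaihd.net', 'media.net'];

// Sandbox flag combinations that undo the protection the sandbox is meant to give.
const RISKY_COMBOS = [
  { flags: ['allow-scripts', 'allow-same-origin'],
    why: 'a same-origin framed document can remove its own sandbox attribute' },
  { flags: ['allow-popups', 'allow-popups-to-escape-sandbox'],
    why: 'windows opened from the frame carry no sandbox at all' },
];

// Split the attribute text of one tag into a { name: value } map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return the attribute map of every <tagName ...> opening tag in html.
function findTags(html, tagName) {
  const re = new RegExp(`<${tagName}\\b([^>]*)>`, 'gi');
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(parseAttrs(m[1]));
  return out;
}

// Match a hostname exactly or as a subdomain of the suspect host.
function hostMatches(host, suspect) {
  return host === suspect || host.endsWith('.' + suspect);
}

// External scripts loaded from a suspect host: [{ src, host }].
function findInjectedScripts(html) {
  const hits = [];
  for (const attrs of findTags(html, 'script')) {
    if (!attrs.src) continue;
    let host;
    // Relative URLs resolve against a dummy base so they never match a suspect host.
    try { host = new URL(attrs.src, 'https://example.invalid/').hostname; }
    catch { continue; }
    if (SUSPECT_HOSTS.some(s => hostMatches(host, s))) hits.push({ src: attrs.src, host });
  }
  return hits;
}

// Risky flag combinations present in a sandbox attribute value.
function assessSandbox(sandboxValue) {
  const flags = new Set(sandboxValue.trim().toLowerCase().split(/\s+/).filter(Boolean));
  return RISKY_COMBOS.filter(c => c.flags.every(f => flags.has(f)));
}

// Iframes that are 0x0 (invisible) and whose sandbox has a risky combination.
function findHiddenIframes(html) {
  const zero = v => v !== undefined && parseInt(v, 10) === 0;
  const hits = [];
  for (const attrs of findTags(html, 'iframe')) {
    const hidden = zero(attrs.width) && zero(attrs.height);
    const risky = attrs.sandbox !== undefined ? assessSandbox(attrs.sandbox) : [];
    if (hidden && risky.length > 0) hits.push({ src: attrs.src ?? '', risky });
  }
  return hits;
}

function scanPage(html) {
  return { scripts: findInjectedScripts(html), iframes: findHiddenIframes(html) };
}

// Constructed sample: the snippet quoted in the post, a local forum script that must
// not be flagged, and an iframe written as the post describes (0x0 with the listed flags).
const SAMPLE_PAGE = `
<div id="primarycontent">
<div class="horizontalad" style="display:inline-block;width:225px;height:90px;">
<script id="mNCC" language="javascript">  medianet_width='160';  medianet_height= '90';  medianet_crid='639511893';  </script> <script id="mNSC" src="https://qsearch-a.akamaihd.net/nmedianet.js?cid=8CUHL05MI" language="javascript"></script>
</div>
<script src="/forum/js/forum_fn.js"></script>
<iframe width="0" height="0" src="about:blank" sandbox="allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts allow-popups-to-escape-sandbox"></iframe>
</div>`;

console.log(JSON.stringify(scanPage(SAMPLE_PAGE), null, 2));
```

Run it with `node scan.js`; to check a live page, fetch the HTML with curl and pass the file contents to `scanPage`. It reports one script (host qsearch-a.akamaihd.net) and one hidden iframe with both risky combinations present; the local forum script is ignored.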



stevens2010
Snowy Owl

Joined: 7 Jun 2009
Age: 71
Gender: Male
Posts: 149

21 Oct 2018, 10:01 pm

Good catch.

Another solution in general is just to use a hosts file that "localhosts" all the adserver and ad push sites so that the ads don't populate. This helps with faster loading of all sites, but unfortunately the adblock detector nazis are starting to deploy methods of detecting this method of adblocking, too.