#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2009
    Posts
    153
    Rep Power
    6

    Have we been hacked, or have i missed something?


    Hello all,

    This is very strange, hope someone can help.

    [background]
    A member of staff has just pointed something out regarding our homepage, and i couldn't figure out what it could be. then using web developer tools in firefox, i saw something strange.

    [the problem]
    Our homepage homepage is split down the middle, and the issue is with the three options on the right - the "new for members" section. When you click on one of these images you should be taken to a sample flip book, but unfortunately this doesn't happen. instead the entire page freezes, and you can't click on anything else.

    Using the web developer tools in firefox, i found some sort of iframe that seems to be on our page, but i dont know where to start to get rid of it. It references something called "dealply.com". I've never heard of this thing, but after searching the web some sites say it's an extension. However, when i try to remove it, it's nowhere to be found in the extensions section of firefox or chrome.

    Any pointers are welcome.

    Kind regards
    MG
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2009
    Posts
    153
    Rep Power
    6
    Hello all, just an update.

    When you click the images, something appears at the very bottom of the page, on the left-hand side.

    Regards
    MG
  4. #3
  5. No Profile Picture
    Super Moderator
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jul 2003
    Posts
    4,009
    Rep Power
    2791
    dealply is a browser adware plugin. Get rid of it.
    http://forums.spybot.info/showthread.php?t=65995
    [PHP] | [Perl] | [Python] | [Java] != [JavaScript] | [XML] | [C] | [C++] | [LUA] | [MySQL] | [FirebirdSQL] | [PostgreSQL] | [HTML] | [XHTML] | [CSS]

    W3Fools - A W3Schools Intervention.
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2009
    Posts
    153
    Rep Power
    6
    Hi, thanks for the reply.

    but nothing works on any persons' pc here at work. I've also ask a friend in a different part of the country to test the page, and still nothing.

    Regards
    MG
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2009
    Posts
    153
    Rep Power
    6
    Hello all,

    I followed the instructions on the link you sent through. no joy.

    Also, I have tried to uninstall it directly form all browsers - as many sites recommend - and no joy.

    Regards
    MG
  10. #6
  11. No Profile Picture
    Super Moderator
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jul 2003
    Posts
    4,009
    Rep Power
    2791
    Install and run both of these programs, one of them should kill it.
    Spybot 2
    MalwareBytes
    [PHP] | [Perl] | [Python] | [Java] != [JavaScript] | [XML] | [C] | [C++] | [LUA] | [MySQL] | [FirebirdSQL] | [PostgreSQL] | [HTML] | [XHTML] | [CSS]

    W3Fools - A W3Schools Intervention.
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2009
    Posts
    153
    Rep Power
    6
    Hello, thanks for the pointers.

    I ran the scans as you suggested, and nothing. It didnt show up.

    I'll keep searching.

    Regards
    MG
  14. #8
  15. No Profile Picture
    Super Moderator
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jul 2003
    Posts
    4,009
    Rep Power
    2791
    Can you post some screenshots please?

    There are a few more options that I know of but they tend to be extremely aggressive programs which can damage systems if they are not used carefully.

    I'm going to move this to the Anti Virus forums to see if people with more expertise can offer some advise.
    Last edited by Winters; March 22nd, 2013 at 05:27 AM. Reason: Typo
    [PHP] | [Perl] | [Python] | [Java] != [JavaScript] | [XML] | [C] | [C++] | [LUA] | [MySQL] | [FirebirdSQL] | [PostgreSQL] | [HTML] | [XHTML] | [CSS]

    W3Fools - A W3Schools Intervention.
  16. #9
  17. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2009
    Posts
    153
    Rep Power
    6
    Hi thanks for your post.

    I've been searching online for clues and came upon this post over on stackoverflow:

    http://stackoverflow.com/questions/1...orking-in-html

    It's essentially the same thing we experience. The links towards the bottom of the page suggest it could be some sort of hacked malware that has been put on our servers - im still reading.

    Let me know if you still want screen shots, but this question is essentially the issue we have. The only thing to add, is what i mentioned before, in that, when i click on certain images everything freezes. If you go to our homepage and click on the images - below "NEW! for members" - you will see something appear at the bottom of the screen - bottom left.


    Regards
    MG
    Last edited by mind_grapes; March 22nd, 2013 at 07:14 AM.
  18. #10
  19. No Profile Picture
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Oct 2009
    Location
    Nebraska, USA
    Posts
    876
    Rep Power
    275
    I'm not sure this is virus/malware related.
    I notice there are 3 "onclick" items for the "NEW! for Members" section: samples('practice'), samples('primary'), and samples('design').
    And when any of these sections are clicked, you get the image in lower left...which is actually a jQuery popup alert from jquery.alerts.js and jquery.alerts.css.

    I believe this is being triggered because of a missing "samples()" function..either thru file corruption or misplacement.
    If you can find your "samples()" function in your JS files somewhere and locate why that isn't functioning, you'll probably solve your problem.

    EDIT:

    OK, I found the area that references the samples function
    Code:
    <p><script type="text/javascript">// <![CDATA[
    	function samples(sample){
    		$.alerts.okButton = "Join";
    		$.alerts.cancelButton = "Not now";
    		switch(sample){
    			case 'practice':
    								jConfirm('This is only a sample, become a member for full benefits.', 'D&T Association ', function(r){
    					if(r){
    						window.location ='index.php?option=com_content&view=article&id=534&Itemid=490';
    					}else{
    						window.location ='index.php?option=com_content&view=article&id=1114';
    					}
    				});
    								break;
    					
    					case 'primary':
    									jConfirm('This is only a sample, become a member for full benefits.', 'D&T Association', function(r){
    					if(r){
    						window.location ='index.php?option=com_content&view=article&id=534&Itemid=490';
    					}else{
    						window.open ('magazines/Primary_19_sample.pdf', 'PDF');
    					}
    				});
    								break;
    					
    					
    					case 'design':
    									jConfirm('This is only a sample, become a member for full benefits.', 'D&T Association', function(r){
    					if(r){
    						window.location ='index.php?option=com_content&view=article&id=534&Itemid=490';
    					}else{
    						window.open ('magazines/Designing_93_sample.pdf', 'PDF');
    					}
    				});
    								break;
    					}
    	}
    	// ]]></script>
    the first 2 commands for that function are ALERTS for clicking a "Join" button or a "Not Now" button. My guess would be that something in that ALERT is conflicting in the jQuery alert system.

    Maybe, removing that opening <p> tag from in front of the opening <Script> tag there [~ line746] may help [not for sure if that is interfering or not].
    Last edited by DonR; March 22nd, 2013 at 03:58 PM.
  20. #11
  21. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2009
    Posts
    153
    Rep Power
    6
    Morning,

    Thanks for the reply.

    Arh, yes, you've just reminded me of the pop up - i can't believe i forgot about it.

    Yes, something did indeed pop up and ask the user if they wanted to join or not, and then, depending on their response, a sample was presented to them or the full version - but I never touched the alert script.

    The site is created in Joomla, and the script you've presented above is referenced to, from within the article that has the front page source code, using a plugin called jumi. So i'm not sure where the <p> tag is coming from, but there does appear to be a closing </p> farther down - line 917. Again I don't know where that is coming from either, but i'll look into it as per your suggestion.

    Any ideas what could be conflicting from within the Alert script? Javascript and jQuery are not my strong points - i dont know what im looknig for.

    thanks for your pointers

    [EDIT]
    I looked into the tags, and it appears that Joomla automatically includes them. I tried to remove the lines and then save the article, but when I went back in, the tags were added again.

    Here is the line copied from the joomla article which contains the homepage source code:

    <p>{jumi [*13]}{loadposition user1}</p>

    Also, I still don't understand why im seeing a "dealply-toast-344623" iFrame when using web developer tools in firefox?

    Kind regards
    MG
    Last edited by mind_grapes; March 25th, 2013 at 07:06 AM.
  22. #12
  23. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2009
    Posts
    153
    Rep Power
    6
    Hello all,

    this may be a strange question, so apologies if it is, but can anyone suggest what i need to do to hunt down the problem as i'm really struggling.

    any suggestion, such as where to look / what for etc. would be great.

    Kind regards
    MG
  24. #13
  25. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2009
    Posts
    153
    Rep Power
    6
    Hi all, problem has been fixed.

    It was because of the link to the latest version of jquery:

    This:

    <script src="http://code.jquery.com/jquery-latest.min.js" language="javascript" type="text/javascript"></script>

    was changed to this:

    <script src="http://code.jquery.com/jquery-1.8.3.min.js" type="text/javascript"></script>

    Thank you to everyone that helped.

    Regards,
    MG.
  26. #14
  27. No Profile Picture
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Oct 2009
    Location
    Nebraska, USA
    Posts
    876
    Rep Power
    275
    Glad you got it figured out.
    That is amazing how a different version of jquery can affect things.

IMN logo majestic logo threadwatch logo seochat tools logo