Nita Nita - 13 days ago 5
Javascript Question

Suspicious javascript in the header on all pages (mulitiple website on the same server)

Recently i discover some extra code in the headers of all pages in all websites hosted on my server. Obviously I didn't put it in myself. From what I see is some ad related scam (injection maybe). My questions is how dangerous is that?, how do I get read of it? and then how do I prevent of this never happening again?. I need help and advise on this. Thank you.

Code in question: and :

<!DOCTYPE html>
<html lang="en-US">
<head>
<style>[class*="adsbygoogle"],[id*="google_ads"],[id^="gpt-unit"],div[id^="div-gpt-ad-"],img[src*="doubleclick.net"],img[src*="googlesyndication"],ins[id^="aswift_"] { display:none!important; }</style>
<script src=http://54.171.234.214/x2xmv9hn.js type='text/javascript'></script>
<meta charset="UTF-8">


And content of x2xmv9hn.js

! function() {
"use strict";

function a() {}
try {
var b = window.addEventListener ? "addEventListener" : "attachEvent",
c = window[b],
d = function() {
function a(a) {
d(a.target, e, !0)
}

function b(a) {
d(a.target, e, !1)
}

function c() {
document.addEventListener("error", a, !0), document.addEventListener("load", b, !0)
}

function d(a, b, c) {
if (a) {
var d = a.tagName.toLowerCase(),
e = b[d];
if (void 0 !== e) {
var f = a[e];
if ("string" == typeof f && "" !== f && 0 === f.lastIndexOf("http", 0))
if (c) a.style.hasOwnProperty("display") && a.setAttribute("data-adblock-preserve-display-value", a.style.display), a.style.setProperty("display", "none", "important");
else {
var g = "";
a.hasAttribute("data-adblock-preserve-display-value") && (g = a.getAttribute("data-adblock-preserve-display-value"), a.style.setProperty("display", g, ""))
}
}
}
}
var e = {
img: "src",
input: "src",
object: "data"
};
return {
startEventListener: c
}
}();
! function() {
var a = "attachEvent" == b ? "onmessage" : "message";
c(a, function(a) {
if ("lachsom" === a.data) {
for (var b = document.getElementsByTagName("iframe"), c = 0, d = b.length; d > c; c++) {
var e = b[c];
e && e.contentWindow && e.contentWindow === a.source && e.setAttribute("style", "display:none !important")
}
a.stopPropagation(), a.stopImmediatePropagation()
}
}, !1)
}(), document.addEventListener("DOMContentLoaded", a, !1)
} catch (e) {
return !1
}
d.startEventListener()
}();

Answer

From what you have posted so far, it seems like it is fairly innocuous. Since you say it is not actually in the source file, but only when you view source in your browser, I would say it is added by an ad blocker plugin in your browser. Try access the page using a different browser - if you are currently using FireFox, try opening the page in IE and view source via that browser. Likely the script in question will not be there in an alternative browser.

Now, when I say 'innocuous', it could be a helpful plugin. However, if you do not recall installing anything recently, I would go through my plugin list and try to determine what is adding this script. It may not be harmful at the moment, but if it is something that got installed without your knowledge, it could potentially be an attack of some kind. If it is something you did not want installed, I would find a way to remove it once you determine what plugin is adding this script.

If you do not have any plugins installed, but when accessing the same sites using HTTPS and the injected code is no longer there, the likely issue is that it is being injected by your ISP. Accessing the website via HTTPS instead of HTTP, encrypts the site from server to client preventing anything from tampering with the content. What ISP do you use? To disable this, you should contact your ISP directly and request that it be disabled for your account if possible.