Can/do CDN's inject code into the html?

I have an odd question . . . I'm just trying to theorize something.

I had a client set up ONE of the stores of his Magento installation using some type of content delivery network.  I'm not sure of the provider, but the host he is pointing to is hisdomain.com.adn.fblcloud.net

Yesterday, a few days after he set it up,  his site slowed to a crawl ONLY for the one store.  His other 2 stores were working fine.  They share all code and all products, just different themes.

Upon researching we found the following code was inserted into every page of the site.  However after searching with grep and also downloading the entire app and searching for changed files, we couldn't find anything with code that looked familiar.  I also checked all of the CMS pages, blocks, category design and layout settings, etc.

This morning it is magically fixed.  And my tech said it shouldn't have been the CDN . . . but he scanned our server and found nothing (he's my security/pci  expert so hopefully he wouldn't miss something).

I'm trying to figure out if the CDN COULD be injecting script code into html as it is delivered . . and if so, is this a problem to be concerned with in the future?

Here is the code -
<body class=" catalog-category-view categorypath-headsets-bluetooth-html category-bluetooth"><div style='display:none' id='sbbhscc'></div><script type="text/javascript">sbbvscc=''; sbbgscc='; function genPid() {return String.fromCharCode(73)+String.fromCharCode(69); }';</script><div id='sbbfrcc' style='position: absolute; top: -10px; left: 30px; font-size:1px'></div><script type="text/javascript">(function(XHR) { var open = XHR.prototype.open; var send = XHR.prototype.send; var parser = document.createElement('a'); XHR.prototype.open = function(method, url, async, user, pass) { parser.href = url; if (parser.host == '') parser.href = parser.href; this.ajax_hostname = parser.hostname; open.call(this, method, url, async, user, pass); }; XHR.prototype.send = function(data) { if (location.hostname == this.ajax_hostname) this.setRequestHeader("X-MOD-SBB-CTYPE", "xhr"); send.call(this, data); } })(XMLHttpRequest); function sbbgc( check_name ) { var start=document.cookie.indexOf(check_name+"="); var oVal=''; var len=start+check_name.length+1; if((!start)&&(document.cookie.substring(0,check_name.length)!=check_name)){ oVal=''; } else if(start==-1){ oVal=''; } else { var end=document.cookie.indexOf(';',len); if(end==-1)end=document.cookie.length; var oVal=document.cookie.substring(len,end); }; return oVal; } function addmg(inm,ext){ var primgobj = document.createElement ('IMG'); primgobj.src = window.location.protocol + "//" + window.location.hostname + (window.location.port && window.location.port!=80 ? ':' + window.location.port: '')+"/sbbi/?sbbpg="+inm+(ext?"&"+ext:""); var sbbDiv = document.getElementById('sbbfrcc'); sbbDiv.appendChild (primgobj); }; function addprid(prid){ var oldVal=sbbgc("PRLST"); if((oldVal.indexOf(prid)==-1)&&(oldVal.split('/').length<5)){ if(oldVal!='')oldVal+='/'; document.cookie='PRLST='+oldVal+escape(prid)+'; path=/; domain=.nationalwireless.com'; } } var sbbeccf = function () { this.sp3 = "jass"; this.sf1 = function (vd) { return sf2(vd)+32; }; var sf2 = function (avd) { return avd*12; }; this.sf4 = function (yavd) { return yavd+2; }; var strrp = function (str, key, value) { if (str.indexOf('&' + key + '=') > -1 || str.indexOf(key + '=') == 0) { var idx = str.indexOf('&' + key + '='); if (idx == -1) idx = str.indexOf(key + '='); var end = str.indexOf('&', idx + 1); var newstr; if (end != -1) newstr = str.substr(0, idx) + str.substr(end + (idx ? 0 : 1)) + '&' + key + '=' + value; else newstr = str.substr(0, idx) + '&' + key + '=' + value; return newstr; } else return str + '&' + key + '=' + value; }; var strgt = function(name, text) { if (typeof text != 'string') return ""; var nameEQ = name + "="; var ca = text.split(/[;&]/); for (var i = 0; i < ca.length; i++) { var c = ca[i]; while (c.charAt(0) == ' ') c = c.substring(1, c.length); if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length); } return ""; }; this.sfecud = { f:function(name, value) { var fv=""; try { var elm = document.getElementById('sbbfrcc'); elm.style.behavior = "url(#default#userData)"; if (typeof(value) != "undefined") { elm.setAttribute(name, value); elm.save(name); } else { elm.load(name); fv=elm.getAttribute(name); } } catch(e) { } return fv; }, name:"sbbrf" }; this.sfecgs = { sbbgh:function() { var domain = document.location.host; if (domain.indexOf('www.') == 0) domain = domain.replace('www.', ''); return domain; }, f:function(name, value) { var fv=""; if (window.globalStorage) { var host = this.sbbgh(); try { if (typeof(value) != "undefined") globalStorage[host][name] = value; else { fv=globalStorage[host][name]; if (typeof (fv.toString)!="undefined") fv=fv.toString(); } } catch(e) { } } return fv; }, name:"sbbrf" }; this.sfecls = { f:function(name, value) { var fv=""; try { if (window.localStorage) { if (typeof(value) != "undefined") localStorage.setItem(name, value); else { fv=localStorage.getItem(name); if (typeof (fv.toString)!="undefined") fv=fv.toString(); } } } catch (e) { } return fv; }, name:"sbbrf" }; this.sbbcv = function (invl) { try { var invalArr = invl.split("-"); if (invalArr.length>1) { if (invalArr[0]=="A"||invalArr[0]=="D") { invl=invalArr[1]; } else invl=""; } if (invl==null||typeof(invl)=="undefined"||invl=="falseImgUT"||invl=="undefined"||invl=="null"||invl!=encodeURI(invl)) invl=""; if (typeof(invl).toLowerCase()=="string") if (invl.length>20) if (invl.substr(0,2)!="h4") invl=""; } catch (ex) { invl=""; } return invl; }; this.sbbsv = function (fv) { for (var elm in this) { if (this[elm].name=="sbbrf") { this[elm].f("altutgv2",fv); } } document.cookie = "UTGv2="+fv+'; expires=Tue, 31 Dec 2030 00:00:00 UTC; path=/; domain=.nationalwireless.com'; }; this.sbbgv = function() { var valArr=Array(); var currVal=""; for (var elm in this) { if (this[elm].name=="sbbrf") { currVal = this[elm].f("altutgv2"); currVal = this.sbbcv(currVal); if (currVal!="") valArr[currVal]=(typeof(valArr[currVal])!="undefined"?valArr[currVal]+1:1); } } var lb=0; var fv=""; for (var val in valArr) { if (valArr[val]>lb) { fv = val; lb=valArr[val] } } if (fv=="") fv=sbbgc("UTGv2"); fv = this.sbbcv(fv); if (fv!="") this.sbbsv (fv); else this.sbbsv("A-h47ad0fb8bb49ce11021b482c7aec048d173-91a2a4a78a51a121a40a77a9a86a77a4a22a83a74a0a5a5a"); return fv; }; }; function m2vr(m1,m2) { var i=0; var rc=""; var est = "ghijklmnopqrstuvwyz"; var rnum; var rpl; var charm1 = m1.charAt(i); var charm2 = m2.charAt(i); while (charm1!=""||charm2!="") { rnum = Math.floor(Math.random() * est.length); rpl = est.substring(rnum,rnum+1); rc +=(charm1==""?rpl:charm1)+(charm2==""?rpl:charm2); i++; charm1 = m1.charAt(i); charm2 = m2.charAt(i); } return rc; } function sbbls(prid) { try { var eut = sbbgc("UTGv2"); sbbeccfi = new sbbeccf(); sbbgs=sbbeccfi.sbbgv(); if (eut!=sbbgs && sbbgs!="" && typeof(sbbfcr)=="undefined") { addmg('utMedia',"vii="+m2vr("08e1427711c978193f5319ad2f0452fc",sbbgs)); } var sbbiframeObj = document.createElement ('IFRAME'); var dfx=new Date(); sbbiframeObj.id = 'SBBCrossIframe'; sbbiframeObj.style.border='0px'; if (document.all) { sbbiframeObj.style.position='absolute'; sbbiframeObj.style.top='-1px'; sbbiframeObj.style.height='1px'; sbbiframeObj.style.width='28px'; } else { sbbiframeObj.style.height='1px'; sbbiframeObj.style.width='0px'; } sbbiframeObj.scrolling="NO"; sbbiframeObj.src = window.location.protocol + "//" + window.location.hostname + (window.location.port && window.location.port!=80 ? ':' + window.location.port: '')+'/sbbi/?sbbpg=sbbShell&gprid='+prid+''; var sbbDiv = document.getElementById('sbbfrcc'); sbbDiv.appendChild (sbbiframeObj); } catch (ex) { alert (ex.message); } } try{ y=unescape(sbbvscc.replace(/^<\!\-\-\s*|\s*\-\->$/g,'')); document.getElementById('sbbhscc').innerHTML=y; x=unescape(sbbgscc.replace(/^<\!\-\-\s*|\s*\-\->$/g,'')); } catch(e){ x='function genPid() {return "jser"; }'; } try { if (window.gprid==undefined) document.write('<'+'script type="text/javascri'+'pt">'+x+"var gprid=genPid(); addprid(gprid);  sbbfcr=true;sbbls(gprid);<"+"/script>"); } catch (e) { addprid("dwer"); } </script>

Open in new window


Thanks for any information you can give me!
lthamesAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

GaryCommented:
Looks suspiciously like someone has hacked the site, unusual for Magento
It's unlikely the CDN was hacked but not beyond the realm of possibility.

Check your plugins are all up to date
What version of Magento are you on?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lthamesAuthor Commented:
They are on 1.72 . . but if magento was hacked it wouldn't have just been the one store and it wouldn't have gone away without anyone doing anything on the 'real' server (and I am 100% sure nothing was done on the real server).
0
lthamesAuthor Commented:
something I didn't mention.  The script created a bunch of results in google  -
https://www.google.ca/search?q=sbbi%2F%25253Fsbbpg%3DsbbShell%26gprid%3D%27%2Bprid%2B%27&oq=sbbi%2F%25253Fsbbpg%3DsbbShell%26gprid%3D%27%2Bprid%2B%27&aqs=chrome..69i57j69i58.263j0j4&client=ubuntu-browser&sourceid=chrome&espv=2&es_sm=94&ie=UTF-8#filter=0&q=/sbbi/%3Fsbbpg%3DsbbShell&start=20

Yesterday, when clicking on any of the results it went to a blank page (which you can see when looking at the cached).  Today when clicking on any of the results it goes to the real site's oops, page not found page.
0
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

lthamesAuthor Commented:
One other 'additional' piece of information . . .  there was no folder /sbbi/ on the real server yesterday either.
0
Dave BaldwinFixer of ProblemsCommented:
The basic answer to your question is Yes, it is possible.  Some 'Free' hosting services put ads in the pages they deliver.  That code also looks vaguely like spam advertising code or even virus download code.
0
GaryCommented:
What plugins are you using if any - did you check they were all upto date?
0
lthamesAuthor Commented:
They use several extensions and not all are up to date.  They need to upgrade to 1.9 and updated extensions . . . but he's been putting it off.

However,  all stores use the same extensions but only the one store on CDN had the issue.  And an out of date extension surely wouldn't be a problem yesterday and not today - with no intervention.

The client hasn't questioned what happened . . . so I'm really just curious.
0
GaryCommented:
What are they using the CDN for? Images, js, css ?
0
lthamesAuthor Commented:
Their site was not hacked . . I never got an answer but within a couple of hours after I told the client to check with his consultant that set up the CDN . . . everything was back to normal.  

My inquiries to find out what it was were not answered :(
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.