Solved

Can/do CDN's inject code into the html?

Posted on 2014-08-05
Last Modified: 2016-03-02
I have an odd question . . . I'm just trying to theorize something.

I had a client set up ONE of the stores of his Magento installation using some type of content delivery network.  I'm not sure of the provider, but the host he is pointing to is hisdomain.com.adn.fblcloud.net

Yesterday, a few days after he set it up,  his site slowed to a crawl ONLY for the one store.  His other 2 stores were working fine.  They share all code and all products, just different themes.

Upon researching, we found the following code was inserted into every page of the site. However, after searching with grep and also downloading the entire app and searching for changed files, we couldn't find anything with code that looked familiar. I also checked all of the CMS pages, blocks, category design and layout settings, etc.

This morning it is magically fixed. And my tech said it shouldn't have been the CDN . . . but he scanned our server and found nothing (he's my security/PCI expert so hopefully he wouldn't miss something).

I'm trying to figure out if the CDN COULD be injecting script code into HTML as it is delivered . . and if so, is this a problem to be concerned with in the future?

Here is the code -
<body class=" catalog-category-view categorypath-headsets-bluetooth-html category-bluetooth"><div style='display:none' id='sbbhscc'></div><script type="text/javascript">sbbvscc=''; sbbgscc='; function genPid() {return String.fromCharCode(73)+String.fromCharCode(69); }';</script><div id='sbbfrcc' style='position: absolute; top: -10px; left: 30px; font-size:1px'></div><script type="text/javascript">(function(XHR) { var open = XHR.prototype.open; var send = XHR.prototype.send; var parser = document.createElement('a'); XHR.prototype.open = function(method, url, async, user, pass) { parser.href = url; if (parser.host == '') parser.href = parser.href; this.ajax_hostname = parser.hostname; open.call(this, method, url, async, user, pass); }; XHR.prototype.send = function(data) { if (location.hostname == this.ajax_hostname) this.setRequestHeader("X-MOD-SBB-CTYPE", "xhr"); send.call(this, data); } })(XMLHttpRequest); function sbbgc( check_name ) { var start=document.cookie.indexOf(check_name+"="); var oVal=''; var len=start+check_name.length+1; if((!start)&&(document.cookie.substring(0,check_name.length)!=check_name)){ oVal=''; } else if(start==-1){ oVal=''; } else { var end=document.cookie.indexOf(';',len); if(end==-1)end=document.cookie.length; var oVal=document.cookie.substring(len,end); }; return oVal; } function addmg(inm,ext){ var primgobj = document.createElement ('IMG'); primgobj.src = window.location.protocol + "//" + window.location.hostname + (window.location.port && window.location.port!=80 ? 
':' + window.location.port: '')+"/sbbi/?sbbpg="+inm+(ext?"&"+ext:""); var sbbDiv = document.getElementById('sbbfrcc'); sbbDiv.appendChild (primgobj); }; function addprid(prid){ var oldVal=sbbgc("PRLST"); if((oldVal.indexOf(prid)==-1)&&(oldVal.split('/').length<5)){ if(oldVal!='')oldVal+='/'; document.cookie='PRLST='+oldVal+escape(prid)+'; path=/; domain=.nationalwireless.com'; } } var sbbeccf = function () { this.sp3 = "jass"; this.sf1 = function (vd) { return sf2(vd)+32; }; var sf2 = function (avd) { return avd*12; }; this.sf4 = function (yavd) { return yavd+2; }; var strrp = function (str, key, value) { if (str.indexOf('&' + key + '=') > -1 || str.indexOf(key + '=') == 0) { var idx = str.indexOf('&' + key + '='); if (idx == -1) idx = str.indexOf(key + '='); var end = str.indexOf('&', idx + 1); var newstr; if (end != -1) newstr = str.substr(0, idx) + str.substr(end + (idx ? 0 : 1)) + '&' + key + '=' + value; else newstr = str.substr(0, idx) + '&' + key + '=' + value; return newstr; } else return str + '&' + key + '=' + value; }; var strgt = function(name, text) { if (typeof text != 'string') return ""; var nameEQ = name + "="; var ca = text.split(/[;&]/); for (var i = 0; i < ca.length; i++) { var c = ca[i]; while (c.charAt(0) == ' ') c = c.substring(1, c.length); if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length); } return ""; }; this.sfecud = { f:function(name, value) { var fv=""; try { var elm = document.getElementById('sbbfrcc'); elm.style.behavior = "url(#default#userData)"; if (typeof(value) != "undefined") { elm.setAttribute(name, value); elm.save(name); } else { elm.load(name); fv=elm.getAttribute(name); } } catch(e) { } return fv; }, name:"sbbrf" }; this.sfecgs = { sbbgh:function() { var domain = document.location.host; if (domain.indexOf('www.') == 0) domain = domain.replace('www.', ''); return domain; }, f:function(name, value) { var fv=""; if (window.globalStorage) { var host = this.sbbgh(); try { if (typeof(value) != "undefined") 
globalStorage[host][name] = value; else { fv=globalStorage[host][name]; if (typeof (fv.toString)!="undefined") fv=fv.toString(); } } catch(e) { } } return fv; }, name:"sbbrf" }; this.sfecls = { f:function(name, value) { var fv=""; try { if (window.localStorage) { if (typeof(value) != "undefined") localStorage.setItem(name, value); else { fv=localStorage.getItem(name); if (typeof (fv.toString)!="undefined") fv=fv.toString(); } } } catch (e) { } return fv; }, name:"sbbrf" }; this.sbbcv = function (invl) { try { var invalArr = invl.split("-"); if (invalArr.length>1) { if (invalArr[0]=="A"||invalArr[0]=="D") { invl=invalArr[1]; } else invl=""; } if (invl==null||typeof(invl)=="undefined"||invl=="falseImgUT"||invl=="undefined"||invl=="null"||invl!=encodeURI(invl)) invl=""; if (typeof(invl).toLowerCase()=="string") if (invl.length>20) if (invl.substr(0,2)!="h4") invl=""; } catch (ex) { invl=""; } return invl; }; this.sbbsv = function (fv) { for (var elm in this) { if (this[elm].name=="sbbrf") { this[elm].f("altutgv2",fv); } } document.cookie = "UTGv2="+fv+'; expires=Tue, 31 Dec 2030 00:00:00 UTC; path=/; domain=.nationalwireless.com'; }; this.sbbgv = function() { var valArr=Array(); var currVal=""; for (var elm in this) { if (this[elm].name=="sbbrf") { currVal = this[elm].f("altutgv2"); currVal = this.sbbcv(currVal); if (currVal!="") valArr[currVal]=(typeof(valArr[currVal])!="undefined"?valArr[currVal]+1:1); } } var lb=0; var fv=""; for (var val in valArr) { if (valArr[val]>lb) { fv = val; lb=valArr[val] } } if (fv=="") fv=sbbgc("UTGv2"); fv = this.sbbcv(fv); if (fv!="") this.sbbsv (fv); else this.sbbsv("A-h47ad0fb8bb49ce11021b482c7aec048d173-91a2a4a78a51a121a40a77a9a86a77a4a22a83a74a0a5a5a"); return fv; }; }; function m2vr(m1,m2) { var i=0; var rc=""; var est = "ghijklmnopqrstuvwyz"; var rnum; var rpl; var charm1 = m1.charAt(i); var charm2 = m2.charAt(i); while (charm1!=""||charm2!="") { rnum = Math.floor(Math.random() * est.length); rpl = est.substring(rnum,rnum+1); rc 
+=(charm1==""?rpl:charm1)+(charm2==""?rpl:charm2); i++; charm1 = m1.charAt(i); charm2 = m2.charAt(i); } return rc; } function sbbls(prid) { try { var eut = sbbgc("UTGv2"); sbbeccfi = new sbbeccf(); sbbgs=sbbeccfi.sbbgv(); if (eut!=sbbgs && sbbgs!="" && typeof(sbbfcr)=="undefined") { addmg('utMedia',"vii="+m2vr("08e1427711c978193f5319ad2f0452fc",sbbgs)); } var sbbiframeObj = document.createElement ('IFRAME'); var dfx=new Date(); sbbiframeObj.id = 'SBBCrossIframe'; sbbiframeObj.style.border='0px'; if (document.all) { sbbiframeObj.style.position='absolute'; sbbiframeObj.style.top='-1px'; sbbiframeObj.style.height='1px'; sbbiframeObj.style.width='28px'; } else { sbbiframeObj.style.height='1px'; sbbiframeObj.style.width='0px'; } sbbiframeObj.scrolling="NO"; sbbiframeObj.src = window.location.protocol + "//" + window.location.hostname + (window.location.port && window.location.port!=80 ? ':' + window.location.port: '')+'/sbbi/?sbbpg=sbbShell&gprid='+prid+''; var sbbDiv = document.getElementById('sbbfrcc'); sbbDiv.appendChild (sbbiframeObj); } catch (ex) { alert (ex.message); } } try{ y=unescape(sbbvscc.replace(/^<\!\-\-\s*|\s*\-\->$/g,'')); document.getElementById('sbbhscc').innerHTML=y; x=unescape(sbbgscc.replace(/^<\!\-\-\s*|\s*\-\->$/g,'')); } catch(e){ x='function genPid() {return "jser"; }'; } try { if (window.gprid==undefined) document.write('<'+'script type="text/javascri'+'pt">'+x+"var gprid=genPid(); addprid(gprid);  sbbfcr=true;sbbls(gprid);<"+"/script>"); } catch (e) { addprid("dwer"); } </script>



Thanks for any information you can give me!
Question by:lthames
9 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 1000 total points
ID: 40241338
Looks suspiciously like someone has hacked the site, unusual for Magento
It's unlikely the CDN was hacked but not beyond the realm of possibility.

Check your plugins are all up to date
What version of Magento are you on?

Author Comment

by:lthames
ID: 40241366
They are on 1.72 . . but if Magento was hacked it wouldn't have just been the one store and it wouldn't have gone away without anyone doing anything on the 'real' server (and I am 100% sure nothing was done on the real server).

Author Comment

by:lthames
ID: 40241384
Something I didn't mention. The script created a bunch of results in Google -
https://www.google.ca/search?q=sbbi%2F%25253Fsbbpg%3DsbbShell%26gprid%3D%27%2Bprid%2B%27&oq=sbbi%2F%25253Fsbbpg%3DsbbShell%26gprid%3D%27%2Bprid%2B%27&aqs=chrome..69i57j69i58.263j0j4&client=ubuntu-browser&sourceid=chrome&espv=2&es_sm=94&ie=UTF-8#filter=0&q=/sbbi/%3Fsbbpg%3DsbbShell&start=20

Yesterday, when clicking on any of the results it went to a blank page (which you can see when looking at the cached).  Today when clicking on any of the results it goes to the real site's oops, page not found page.

Author Comment

by:lthames
ID: 40241424
One other 'additional' piece of information . . .  there was no folder /sbbi/ on the real server yesterday either.
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 1000 total points
ID: 40241737
The basic answer to your question is Yes, it is possible.  Some 'Free' hosting services put ads in the pages they deliver.  That code also looks vaguely like spam advertising code or even virus download code.
LVL 58

Expert Comment

by:Gary
ID: 40241764
What plugins are you using, if any - did you check they were all up to date?

Author Comment

by:lthames
ID: 40241811
They use several extensions and not all are up to date.  They need to upgrade to 1.9 and updated extensions . . . but he's been putting it off.

However,  all stores use the same extensions but only the one store on CDN had the issue.  And an out of date extension surely wouldn't be a problem yesterday and not today - with no intervention.

The client hasn't questioned what happened . . . so I'm really just curious.
LVL 58

Expert Comment

by:Gary
ID: 40241845
What are they using the CDN for? Images, js, css ?

Author Closing Comment

by:lthames
ID: 40271271
Their site was not hacked . . I never got an answer but within a couple of hours after I told the client to check with his consultant that set up the CDN . . . everything was back to normal.  

My inquiries to find out what it was were not answered :(