Site Compromised with Malicious JavaScript

Joined
Dec 13, 2017
Messages
642
Location
SE AZ
@Ryan Avery

I haven't found the root cause yet (software or plugin vulnerability, for example), but at least some pages on Rokslide are serving a malicious JavaScript inject that attempts to get the visitor to enable notifications to later serve them notifications on their desktop. These malicious notifications can be used to serve annoying spam notifications or fake antivirus scam notifications that can dupe users into downloading and executing malware.

This isn't the first time I've seen them here on Rokslide, but it is the first time I've captured one reliably. It looks like others in this section of the forum have noticed some of the same activity.

Here is (one of) the pages that loaded for me. Another had a robot. Another time, a dog. All prompting to enable notifications.
1725883699234.png

The chain of site redirects from the JavaScript inject.
1725883729221.png

The JavaScript right at the top of the Kenai 5400 Review page, being loaded from lib.csscloud[.]live.
1725883922337.png

Malicious response archived here:
https://urlscan.io/result/0f5229eb-3906-4824-866d-9ab9305c4d9b/#transactions

You can remove this script element, but it won't address how these bad actors are getting the code there in the first place, and the code is likely being rotated between pages.

This sort of malicious activity is pretty common on WordPress sites with vulnerable plugins that are no longer supported or out of date. Similar injects have also been known to abuse the admin privileges of WordPress site admins who visit a compromised page while they're logged in, executing commands and creating new admin users with those privileges. Website security services like Sucuri have published articles on the subject which can provide more information.

Good luck!
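One way to check pages for the kind of injected script element described in the post above, as an added example that is not part of the original post or the site's own code. The allowlist, the host names and the sample pages are constructed assumptions; the idea is to flag any `<script src>` whose host the site does not expect, across several pages, since the post notes the inject is likely rotated between pages.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is expected to load scripts from (assumed values;
# build the real list from your own templates and known third parties).
ALLOWED_SCRIPT_HOSTS = {"forum.example", "static.forum.example"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src of every <script> element with its line number."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append((self.getpos()[0], src))

def unexpected_scripts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (line, host, src) for scripts loaded from hosts outside the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for line, src in collector.sources:
        # Absolute and protocol-relative (//host/x.js) URLs carry a host;
        # relative URLs resolve to the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        if host not in allowed:
            findings.append((line, host, src))
    return findings

def audit(pages, page_host):
    """Audit several pages and return only those with unexpected script hosts."""
    return {path: hits for path, html in pages.items()
            if (hits := unexpected_scripts(html, page_host))}

# Constructed sample pages: one clean, one with an injected script at the top.
SAMPLE_PAGES = {
    "/threads/clean": '<html><head>\n<script src="/js/app.js"></script>\n</head></html>',
    "/threads/review": '<html><head>\n'
                       '<script src="https://lib.injected.example/a.js"></script>\n'
                       '<script src="//static.forum.example/x.js"></script>\n</head></html>',
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE_PAGES, "forum.example").items():
        print(path, hits)
```

This only sees script elements present in the served HTML; scripts added later by other scripts at runtime do not appear in a static scan.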
 
OP
4
Joined
Dec 13, 2017
Messages
642
Location
SE AZ
@Ryan Avery

The site is still serving malicious redirects.

Since the site is compromised in some manner, anyone who has desktop notifications enabled for Rokslide.com is also at increased risk.

Users will enable notifications for a benign site (like this one) and then will get malicious popups on their desktop through the site when it gets compromised--I see it ALL THE TIME.

1726761042043.png
 

fngTony

Super Moderator
Staff member
Joined
Jan 18, 2016
Messages
5,562
I haven’t had this happen. Is it only on desktop with alerts enabled?
 
OP
4
Joined
Dec 13, 2017
Messages
642
Location
SE AZ
> I haven’t had this happen. Is it only on desktop with alerts enabled?
It is not from desktop notifications. I only wanted to share for awareness that users who have them enabled could see malicious desktop notifications, as it would be consistent behavior from this sort of activity.

Based on other posts here in the Feedback forum, others have noticed the effects of this issue as well.

The only injected code that has stuck around long enough in one place to reproduce and record on the client side was that from my first post.
 
OP
4
Joined
Dec 13, 2017
Messages
642
Location
SE AZ
Hilariously, I reloaded this post a moment ago and got the same fake AV alert... there's a chance these are coming from one of the ad services in use on the site.
 
OP
4
Joined
Dec 13, 2017
Messages
642
Location
SE AZ
I'm increasingly leaning toward this coming from one of the ad providers used on this site.

I had it happen again today, midway through reading a thread (as opposed to when the page first loads), suggesting it's coming from the dynamically loaded ads.
 

intunegp

WKR
Joined
Sep 28, 2021
Messages
580
I've gotten the antivirus popup several times over the past couple weeks. Desktop using Chrome. I always just close the tab when it pops up.
 
Joined
Aug 10, 2020
Messages
19
Ads were my first suspicion when reading the opening post. I've dealt with a lot of hacked WordPress and Joomla sites over many years, but those days are mostly behind us, and unless this forum is running extremely outdated software or is on a shared hosting server, that shouldn't be much of a concern.
 
OP
4
Joined
Dec 13, 2017
Messages
642
Location
SE AZ
> I've dealt with a lot of hacked WordPress and Joomla sites over many years, but those days are mostly behind us.
I wish I shared that same experience--the user base I'm dealing with seems to encounter new ones every other day.
 