[Techtalk] is this malicious code? -- the code in Pastebin
Elwing
elwing at elwing.org
Wed Jan 16 01:14:32 UTC 2013
On Jan 15, 2013, at 6:46 PM, Carla Schroder wrote:
> On Tue, 15 Jan 2013 23:30:12 +0000
> James Sutherland <james at deadnode.org> wrote:
>
>> On 15 Jan 2013, at 23:20, Carla Schroder <carla at bratgrrl.com> wrote:
>>> On Tue, 15 Jan 2013 23:03:57 +0000
>>> James Sutherland <james at deadnode.org> wrote:
>>>
>>>> On 15 Jan 2013, at 23:01, Carla Schroder <carla at bratgrrl.com>
>>>> wrote:
>>>>
>>>>> Hey all,
>>>>>
>>>>> I have a snippet of a Javascript ad that Google flagged as
>>>>> malicious. I would like a second opinion from you fine
>>>>> Techtalkers-- what's the best way to safely share this code? It's
>>>>> about a dozen lines.
>>>>
>>> ...
>>>
>>> http://pastebin.com/NvTGxDQd
>>
>> Looks harmless: all it does is insert a <script> tag referencing
>> adsbyisocket.com. The "odd" bits are just it putting things like the
>> current page address and the page 'referer'(sic) into that URL, so
>> they get a better idea whom they're serving their ads to.
>>
>> It's possible adsbyisocket.com is a malware domain, but it certainly
>> looks like a regular online ad broker from a quick look.
>
> Here's the whole story: one of the sites I work for uses Isocket for
> serving ads. This ad was flagged by Google this morning and they
> blocked 5 of our 8 sites. We removed the ads early this morning, and I
> manually inspected every page that Google flagged, and they were clean.
> Google still has not removed the block.
>
> Isocket did this once before, and despite vowing to 'do whatever it
> takes' to get their customers back online they are utterly useless and
> helpless. Google, of course, is impenetrable and unresponsive. We've
> lost a day's business.
>
> Carla
I'm with Cynthia: the last document.write ("'><\/scr"+"ipt>"); looks suspicious and is used by attackers trying to obfuscate cross-site scripting, so I can see why Google is flagging it.
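
Added example, not part of the original thread and not the Pastebin code: a static triage helper that folds the string concatenation in `document.write()` calls without executing them, so a reviewer can see which host the injected script tag loads from, which page data is appended to the request, and whether the tag was split as in `"<\/scr"+"ipt>"`. The sample snippet, the host `ads.example.test` and the function names are constructed for illustration, and the helper assumes an absolute `src` URL.

```javascript
// Constructed sample in the style described in the thread; NOT the Pastebin code.
// ads.example.test is a placeholder host.
const SAMPLE = String.raw`
document.write("<scr"+"ipt type='text/javascript' src='http://ads.example.test/serve.js");
document.write("?loc=" + escape(window.location));
document.write("&referer=" + escape(document.referrer));
document.write("'><\/scr"+"ipt>");
`;

// Fold one document.write() argument: string literals are joined, any
// non-literal expression is kept as a visible {placeholder}.
function foldArgument(arg) {
  const token = /"((?:\\.|[^"\\])*)"|'((?:\\.|[^'\\])*)'|([^"'+]+)/g;
  let out = "";
  for (const m of arg.matchAll(token)) {
    const literal = m[1] ?? m[2];
    if (literal !== undefined) out += literal.replace(/\\(.)/g, "$1"); // simplified unescape
    else if (m[3].trim()) out += `{${m[3].trim()}}`;
  }
  return out;
}

// Statically reconstruct what the snippet would write, without executing it.
function triageDocumentWrite(source) {
  // Simplification: assumes no ");" inside a string literal.
  const calls = source.matchAll(/document\.write\s*\(([\s\S]*?)\)\s*;/g);
  const html = [...calls].map((m) => foldArgument(m[1])).join("");
  const src = html.match(/<script\b[^>]*\bsrc\s*=\s*(['"])(.*?)\1/i)?.[2] ?? null;
  return {
    html,
    // Host the injected <script> would be fetched from.
    host: src ? new URL(src.split("?")[0]).hostname : null,
    // Page data appended to the request (what the ad server learns).
    dynamicParams: src ? [...src.matchAll(/\{([^}]*)\}/g)].map((m) => m[1]) : [],
    // True when a script tag only appears after folding, i.e. it was split.
    splitTag: /<\/?script/i.test(html) && !/<\/?script/i.test(source),
  };
}

console.log(triageDocumentWrite(SAMPLE));
```

A split tag on its own is not an indicator of compromise: inline scripts commonly break up the closing tag so the HTML parser does not end the enclosing script element early, so the host and the appended parameters are the more useful findings.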