8 Replies Latest reply on Nov 21, 2011 8:29 PM by drt12

    What is this code?

      The other day, I asked about virus scan for the web, but there were not many responses to it. Well, all my websites got hacked later on and someone placed malware, and I had to spend money to ask a company to clean up one of the sites and then cleaned the rest of them myself.

       

      One question that bothers me now is this code added to any js call that I saw in all my webpages whenever there is a call to a JavaScript file.

       

      Can anyone tell me if this is McAfee TP generated code, or if it's because I was looking at the source code of a webpage while I was behind a firewall, or if this is another attack code left by malware?

       

      The code is like this:

       

      src="jsfilename.js?sfgdata=+sfgRmluamFuX1RrcG.........+g"

       

      When I open the source code at home, the function call simply contains its name only, without any attribute after the '?' sign.

       

      I'm talking about looking at a webpage, then viewing the source code instead of opening the original htm file.

       

      Any help would be appreciated.

       

      Thanks,

       

      Aris/

       

      Message was edited by: drt12 on 11/21/11 12:29:20 AM CST
        • 1. Re: What is this code?

          Tried to edit but couldn't do it from my iPhone. The only reference I found was http://webmasters.stackexchange.com/questions/2308/what-is-sfgdataq-that-i-see-appended-to-some-requests-to-my-application.

           

          I really hope someone can enlighten us about this extra code, since now I see it in almost every source code of the websites I open from a machine behind a firewall. Could this be part of Windows, Firefox or a firewall program?

           

          Thanks,

           

          Aris/

          • 2. Re: What is this code?
            exbrit

            Source code is the property of either the web page designer or whatever software is generating it and wouldn't be open to discussion as no doubt it is copyright. Why are you concerned about it? At first glance it looks to me like something generated by your browser - the js being the clue = JavaScript is an integral part of IE for one.

             

            However as this is all way over the heads of us volunteers I'm afraid you'd probably be better off asking these sorts of questions on a web page designer forum or a browser support one perhaps.

             

            Message was edited by: Ex_Brit on 21/11/11 10:54:05 EST AM
            • 3. Re: What is this code?
              exbrit

              By the way, if this is about SiteAdvisor please let me know and I will move it in the hope someone from that department can help.

              • 4. Re: What is this code?
                Hayton

                It is possible that the inserted js code is something to do with McAfee but it needs one of the higher-level technical experts to confirm this. I only surmise that it might be McAfee-related because of an exchange I found in this thread from a games forum:

                 

                It looks to me that this particular issue (at least in the Firefox example cited above) is caused by a network security appliance that either your corporate network (if you're accessing from work) or your ISP is using. I'd urge you to reach out to someone responsible for network technical support to let them know that one of their network appliances is making invalid HTML changes to webpages.

                 

                Some technical background: Something is clearly modifying the HTML of the page between our servers and your browser. We don't use a URL parameter called "sfgdata" anywhere. This means either a browser add-on, some other program on your PC, or something on your network intercepting traffic. If you search online for "sfgdata", there's results for an older version of a network security appliance that does some kind of JavaScript detection using that parameter.

                 

                It is also possible, according to what the poster is saying, that a browser add-on might be responsible for the extra js code, or - most likely - that it might have been inserted by your ISP:

                It's common for ISPs to use tricks like this to minimize website loading time over low-bandwidth connections, like wireless.

                 

                Message was edited by: Hayton on 21/11/11 17:40:33 GMT
                • 5. Re: What is this code?


                  Hi Hayton,

                   

                  Thanks for the reply.

                   

                  I'm interested in this code, since it was appended to all my js calls whenever I opened my site using my laptop that was working behind a very tight firewall. However, as you mentioned in your answer to the other thread, yes, this malware was caused by redirecting to the co.cr site. I just wanted to make sure that the cleaning by sucuri.net totally removed the threat.

                   

                  Thanks for your help.

                   

                  Aris/

                   

                  Message was edited by: drt12 on 11/21/11 8:20:10 PM CST
                  • 6. Re: What is this code?

                    Hi Peter,

                     

                    Yes, I thought SiteAdvisor failed to capture this malware that was cleverly inserted by manipulating the old version of WP that I didn't remove from all my sites that have been infected. Only one of my sites was blocked by Google, but Google didn't touch the other two that contained the same JavaScript file to redirect my site to a dangerous site at the co.cc domain.

                     

                    The site that was being blocked by Google was cleaned by sucuri.net but it got infected again. Sucuri then found out that I had a WP2.8.6 in one of my folders on the server and those thieves had used that old WP as their gateway to put a file, css.js, in my root directory. After I had removed the old WP, Sucuri removed the js file as well as all the lines that contained the call to that js file, and my site was declared to be free of malware by almost all the AV companies including McAfee SiteAdvisor. However, McAfee SiteAdvisor still said that my other infected sites were okay even though these sites contained the css.js as well as the call to this js file in the index files on these infected sites. Sucuri picked out those sites and declared them as infected sites until I removed both the css.js file and the call to it.

                     

                    This was the reason I brought this topic here, since I expected SiteAdvisor would pick up the css.js and the call to it as malware.

                     

                    BTW, Google has unblocked my site www.atanone.net again, after sucuri.net and I requested separately to unblock it.

                     

                    Thanks,

                     

                    Aris/

                     

                    Message was edited by: drt12 on 11/21/11 5:49:35 PM CST
                    • 7. Re: What is this code?
                      exbrit

                      Peter/Hayton,

                       

                      Should we leave this here or what?  

                       

                      Thanks for the update Aris.

                       

                      Message was edited by: Ex_Brit on 21/11/11 6:57:06 EST PM
                      • 8. Re: What is this code?

                        drt12 wrote:

                         

                        The site that was being blocked by Google was cleaned by sucuri.net but it got infected again. Sucuri then found out that I had a WP2.8.6 in one of my folders on the server and those thieves had used that old WP as their gateway to put a file, css.js, in my root directory.

                         

                        Message was edited by: drt12 on 11/21/11 5:49:35 PM CST


                        There was a typo in my answer above and I have corrected it.

                         

                        Sorry, I don't know where to post and I don't mind if this thread has to be moved.

                         

                        Thanks,

                         

                        Aris/
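
Added example, not part of the thread and not code from McAfee or Sucuri: a small check that separates the two things discussed above, a query parameter such as `sfgdata` that appears only in the served page (rewritten between server and browser), and a script reference such as `css.js` that is present in the file on the server. The file name `menu.js`, the `KNOWN_GOOD` allow list and the `PLACEHOLDER` parameter value are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class _ScriptSrcs(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)


def script_srcs(html):
    parser = _ScriptSrcs()
    parser.feed(html)
    return parser.srcs


def split_param(url, name="sfgdata"):
    """Return (url without the named query parameter, whether it was present)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k != name]
    return urlunsplit(parts._replace(query=urlencode(kept))), len(kept) != len(pairs)


def compare(on_disk_html, served_html, known_good):
    """Classify script references: changed in transit vs. present on the server."""
    disk = [split_param(s)[0] for s in script_srcs(on_disk_html)]
    report = {"rewritten_in_transit": [], "not_on_disk": [], "unexpected_on_disk": []}
    for src in script_srcs(served_html):
        base, had_param = split_param(src)
        if base not in disk:
            report["not_on_disk"].append(base)           # reference added after the file left disk
        elif had_param:
            report["rewritten_in_transit"].append(base)  # same file, parameter appended on the way
    # Scripts the file itself references that the owner never approved (assumed allow list).
    report["unexpected_on_disk"] = [s for s in disk if s not in known_good]
    return report


# Constructed sample input: the file as stored on the server, and the same page
# as seen through "view source" behind the firewall.
ON_DISK = '<script src="menu.js"></script><script src="css.js"></script>'
SERVED = ('<script src="menu.js?sfgdata=PLACEHOLDER"></script>'
          '<script src="css.js?sfgdata=PLACEHOLDER"></script>')
KNOWN_GOOD = {"menu.js"}

if __name__ == "__main__":
    print(compare(ON_DISK, SERVED, KNOWN_GOOD))
```

Entries under `rewritten_in_transit` point at something between the server and the browser; entries under `unexpected_on_disk` point at the server's own files and are the ones a cleanup has to remove.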