Security compromised for WordPress.com ?

  • It was Windows 2016 Server. I can expand the test by asking friends, since all computers I tested so far are connected to the internet via the same ISP (RDS-RCS).

  • I disabled all my browser extensions and the situation is the same. I am advertising through Google AdWords and Google Waze at this time but have no specific tools installed; I just use the web tools they provide.

  • With this content:

    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title></title></head><body style="background-color: transparent"><img src="https://secure.leadback.advertising.com/adcedge/lb?site=695501&betr=sslbet_1501625044=ssprlb_1501625044[720]" width="1" height="1" border="0"><img src="https://sp.analytics.yahoo.com/spp.pl?a=10000&.yp=10023913&ec=AllPages"/><IMG SRC="https://ds.reson8.com/insights.gif?rand=1925479376&t=0&pixt=resonate&advkey=0010M00001RV2QuQAL&opptykey=MASW0517A&evkey=163211&evtype=custom" WIDTH=1 HEIGHT=1 BORDER=0><!--
    Start of DoubleClick Floodlight Tag: Please do not remove
    Activity name of this tag: DBM - All Pages
    URL of the webpage where the tag is expected to be placed: https://wordpress.com
    This tag must be placed between the <body> and </body> tags, as close as possible to the opening tag.
    Creation Date: 06/13/2017
    -->
    <script type="text/javascript">
    var axel = Math.random() + "";
    var a = axel * 10000000000000;
    document.write('<iframe src="https://8017305.fls.doubleclick.net/activityi;src=8017305;type=invmedia;cat=obyv3klj;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=' + a + '?" width="1" height="1" frameborder="0" style="display:none"></iframe>');
    </script>
    <noscript>
    <iframe src="https://8017305.fls.doubleclick.net/activityi;src=8017305;type=invmedia;cat=obyv3klj;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=1?" width="1" height="1" frameborder="0" style="display:none"></iframe>
    </noscript>
    <!-- End of DoubleClick Floodlight Tag: Please do not remove --><!-- Rockerbox - Place on all pages --> <script type="text/javascript"> (function(d,RB) {window.RB=RB;RB.queue=[];RB.track=RB.track||function(){RB.queue.push(Array.prototype.slice.call(arguments))};RB.initialize=function(s){RB.source=s};var a = d.createElement("script"); a.type="text/javascript"; a.async=!0; a.src="https://getrockerbox.com/assets/xyz.js"; f=d.getElementsByTagName("script")[0]; f.parentNode.insertBefore(a,f);})(document,window.RB || {}); RB.initialize("d29yZHByZXNzfDc5MjA3NzB8NzkyMDc2NTo4MTY1NDV8NzkyMDc2Njo4MTY1NDR8NzkyMDc3MQ=="); </script> <!-- Rockerbox --><img src="https://sp.analytics.yahoo.com/spp.pl?a=10000&.yp=10023913"/><img src="https://secure.leadback.advertising.com/adcedge/lb?site=695501&betr=sslbet_1487351074=[+]ssprlb_1487351074[720]|sslbet_1487351090=[+]ssprlb_1487351090[8760]" width="1" height="1" border="0"><iframe width="0" height="0" name="Trade Desk Tracking - All Pages Retarget TTD" frameborder="0" scrolling="no" src="//insight.adsrvr.org/tags/l8hfnf9/4gktlyq/iframe"></iframe></body></html>
  • I did a bit of googling about this particular pixel and it seems it’s a part of adware that some are even calling a virus.

    Can you test with a totally different computer?

  • You can see several complaints about that site here.

  • And at the end of the code we get
    src="//insight.adsrvr.org/tags/l8hfnf9/4gktlyq/iframe"
    exactly the link that is transformed into
    http://d1eoo1tco6rr5e.cloudfront.net/l8hfnf9/4gktlyq/iframe
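
Added example, not part of the thread: a small audit of the kind of markup quoted above, listing each embedded resource's host, whether it is invisible (0x0, 1x1 or `display:none`), and which scheme a protocol-relative `src` such as `//insight.adsrvr.org/...` resolves to for a given page URL. The sample markup is a shortened, constructed copy of the pasted source, and the function and class names are illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a shortened copy of the markup quoted in the thread.
SAMPLE = '''<html><body>
<img src="https://sp.analytics.yahoo.com/spp.pl?a=10000&.yp=10023913"/>
<IMG SRC="https://ds.reson8.com/insights.gif?t=0" WIDTH=1 HEIGHT=1 BORDER=0>
<iframe src="https://8017305.fls.doubleclick.net/activityi;src=8017305;ord=1?" width="1" height="1" style="display:none"></iframe>
<iframe width="0" height="0" src="//insight.adsrvr.org/tags/l8hfnf9/4gktlyq/iframe"></iframe>
<img src="/i/logo.png" width="120" height="40">
</body></html>'''

class EmbedAudit(HTMLParser):
    """Collect img/iframe/script sources and classify each one."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        src = a.get("src")
        if tag not in ("img", "iframe", "script") or not src:
            return
        # urljoin gives a "//host/path" URL the scheme of the embedding page.
        resolved = urlsplit(urljoin(self.page_url, src))
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "")
        self.findings.append({
            "tag": tag,
            "host": resolved.hostname,
            # Simplification: exact host match, no registrable-domain logic.
            "third_party": resolved.hostname != self.page_host,
            "scheme_relative": src.startswith("//"),
            "effective_scheme": resolved.scheme,
            "invisible": tiny or hidden,
        })

def audit(html, page_url):
    parser = EmbedAudit(page_url)
    parser.feed(html)
    return parser.findings

def insecure_third_party(html, page_url):
    """Hosts of third-party embeds that would be fetched over plain HTTP."""
    return [f["host"] for f in audit(html, page_url)
            if f["third_party"] and f["effective_scheme"] != "https"]
```

Running `insecure_third_party(SAMPLE, ...)` once with an `https://` page URL and once with an `http://` one shows that only the protocol-relative iframe changes scheme with the page.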

  • OK. Thanks, it seems that many computers I have access to have this issue.

    Thanks again for helping with that.

  • You bet. I hope you’re able to resolve it quickly.

  • Well, I did a lot of tests, scanned my computer, etc. I even called friends and performed a TeamViewer session to check from their browsers, PC and Mac computers as well.

    All of my tests showed the iframe issue from adsrvr.org.

    So I think this is not from our end; it should be some form of code injection from either the source or on its way to us.

    And now it is so much harder to track because as of this morning the issue disappeared; perhaps it was removed or the hackers fixed the non-SSL problem.

  • Yes, I found the code, now properly loaded via https.

    In Sources View in developer tools I can find these entries: https://prnt.sc/hnr7hv

    From my tests, only wordpress.com appears to be affected so far with this adsrvr.org code injection.

  • Very odd.

    You mentioned you tried other computers outside the network – would you be able to test on a computer you haven’t used before, in case it’s something all of your computers have in common?

  • Yes, I did so. I called a friend who has a Mac at home, totally unrelated to my network. I just opened the Chrome browser on the Mac and the iframe was there.

    Also, it happened on my job network.

    It happened when I changed the ISP from fiber landline to 4G wireless.

    So maybe some of your servers just serve this code, or some backbone operator can inject such code. I am not sure, but the adsrvr.org pixel is still on the wordpress.com pages.

    That pixel seems to be triggered by a DoubleClick cookie, though. Maybe DoubleClick is serving a different mix of trackers depending on the region, or they have been hacked somehow.

  • If you like, I can set up a clean Windows 10 VM on one of my servers, install Chrome and give you full remote desktop access to it so you can investigate things from my end.

  • Would you please set up a clean VM and test to see if it’s happening there? That would be great.

  • rvencu is not talking nonsense – I am getting the same issue – have been for months!!

  • I still need some time to set up the VM. In the meantime I found the activityi object in the last screenshot; it is DoubleClick Floodlight conversion tracking and it is iframe based!

    https://support.google.com/dfa/partner/answer/154049?hl=en

    I am not sure why DoubleClick would give tracking information to a whole bunch of trackers, including the alleged virus, adsrvr.org. Besides this one there is reson8.com; even yahoo.com is tracking something when I am using the wordpress.com website.

  • I don’t believe @rvencu is being nonsensical at all. We just have not been able to duplicate this on our systems. The VM should help us narrow things down.

    @barnsblog could you try a different computer on a different network and let me know whether you also see the same thing there?

  • VM ready: Windows 10 Enterprise trial, fresh install, no other software set up. Using the Edge browser I can still see the issue. We have no proxy server in our environment.

    Edge presents a better view of the source in Debug window. See screenshot: https://prnt.sc/hp9kt7

  • Thanks @rvencu. I’m stumped, as I really can’t duplicate it here even when logged in as you. Digging for more ideas on this end.

  • The topic ‘Security compromised for WordPress.com ?’ is closed to new replies.