From this URL http://www.tireempire.com/ (the alert page occurred at http://www.tireempire.com/shop-for-tires.aspxundefined&tirecategory=5&plyrating=&loaddesc=&price=&custrating=)
Looks like this site was hacked.
Full scan of / turned up nothing. Not sure what to make of any of this, but I am very concerned there may have been a payload, undected by Sophos, dropped somewhere. (FF28, OSX 10.8.5) Hoping you can tell me what's going on here or analyze the URL yourself.
This may be the URL of the suspicious script. http://a.ndrv.in/js/master/master.js
(I use NoScript, and had allowed the site domain itself, but don't remember if I had allowed ndrv.in or not--don't think so, which is why this is puzzling.)
This was the alert page.
This is from FF 28 Inspector
Ran a scan of the URL from http://sitecheck3.sucuri.net/ (No output for payload dump)
Output from http://quttera.com/
Output of current analysis of URL from VirusTotal.
(From a cached scan from several months ago, BitDefender reported malware.)
/*
* Net Driven master.js file
* Copyright (c) 2013 Net Driven
*/
/*
* This function stops DNN from hijacking the enter button
* Conditions have been added for each instance where the enter button should perform an action
* There is also a class that has been added to allow the enter button press to escape this function
* (This is for use in multi-line text fields - ex:Service Manager description fields)
*/
$(function () {
$("form").bind("keypress", function (e) {
/*if enter is pressed*/
if (e.keyCode == 13) {
//ALLOWS ENTER BUTTON TO BE USED - TEXT FIELDS
if (document.activeElement.className.indexOf('allow-return') != -1 || $(document.activeElement).is('textarea.padding')){
document.activeElement.value += "\n";
return false;
}
//SEARCH BAR
else if (document.activeElement.id == 'dnn_dnnSEARCH_txtSearch'){
$('#dnn_dnnSEARCH_cmdSearch').trigger('click');
return false;
}
//LAMBS SEARCH ONLY
else if (document.activeElement.id == 'lambssearchzip'){
window.location = 'http://www.lambstire.com/locations/?zip=' + $('#lambssearchzip').val();
return false;
}
//POSTAL CODE LOOKUP
else if (document.activeElement.className.indexOf('postalcode-entrybox') != -1){
window.location = $('.postalcode-link')[0].href;
return false;
}
//LOCATIONS MODULE - GY DETAILS
else if(document.activeElement.id == 'dirSearch') {
//$('.loc-go')[0].click();
return false;
}
//LOCATIONS MODULE - MAP LIST VIEW
else if($(document.activeElement).parents('#maplegendwrapper').length == 1) {
mapSearch();
return false;
}
//LOCATIONS MODULE - LIST VIEW
else if (document.activeElement.id.indexOf('ViewLocations_ListDisplay_txtZipSearch') != -1){
window.location = document.activeElement.parentNode.children[4].href;
return false;
}
//LOCATIONS MODULE - MAP VIEW
else if($(document.activeElement).parents('#MapSearchWrapperDiv').length == 1) {
if($('.locRefineSearch')[0].title.length > 0){
$('.locRefineSearch')[0].focus();
return false;
}
}
//LOCATIONS MODULE - MAP VIEW
else if($(document.activeElement).parents('.ICG_Modules_LocalFocal_LocationsContent').length == 1) {
if($('.locRefineSearch')[0].title.length > 0){
jsGo_Click();
window.location = $('.locRefineSearch')[0].href;
return false;
}
}
//DYNAMIC FORMS
else if ($('.DynamicForms_SaveFormDiv')[0] != null && $('.DynamicForms_SaveFormDiv')[0].id.length > 0){
$('.DynamicForms_SaveFormDiv > span > input')[0].click();
return false;
}
//ADVANCED QUOTING
else if ($('#advquote #' + document.activeElement.id)[0] != null && $('#advquote #' + document.activeElement.id)[0].id.length > 0){
window.location = $('#advquote .req-adv-quote')[0].href;
return false;
}
//NB STORE
else if (document.activeElement.className.indexOf('CartPromoCode') != -1){
window.location = $('.CartPromoCodeButton')[0].href;
return false;
}
else if (document.activeElement.id.indexOf('_txtPostalCode') != -1 && document.activeElement.parentElement.id.indexOf('_pnlEnterPostalCode') != -1){
var a = $('.NBright_ClientButton')[0];
if (a.id.indexOf('_cmdEnterPostalCode') != -1){
window.location = a.href;
return false;
}
}
//ADD MORE CONDITIONS HERE
}
});
});
/*
* This function ensures that lead management is the full width of the site to avoid cutting off the buttons
*/
$(window).load(function(e) {
if(document.location.href.search("Admin/Languages")> -1
|| document.location.href.search("ctl/leadmanagement")> -1
|| document.location.href.search("lead-management.aspx") > -1
|| document.location.href.search("ctl/module") > -1
|| document.location.href.search("ctl/hostconfig") > -1
|| document.location.href.search("ctl/edit/") > -1
|| (document.location.href.search("ctl/edit/mid") > -1 && document.location.href.search("dynamic") > -1)){
var side = document.getElementById('dnn_SidePane')
var content = document.getElementById('dnn_ContentPane')
side.style.display = "none";
content.style.width = "930px";
content.style.background = "none repeat scroll 0 0 #fff";
/*
$("#dnn_SidePane").attr("style","display:none;")
$("#dnn_ContentPane").attr("style","width:930px; background:none repeat scroll 0 0 #fff;")
$("#dnn_ContentPane .pc-common").attr("style","background:none repeat scroll 0 0 transparent")
$("#dnn_ContentPane .pc-header").attr("style","background:none repeat scroll 0 0 transparent")
$("#dnn_ContentPane .pc-body").attr("style","background:none repeat scroll 0 0 transparent")
$("#dnn_ContentPane .pc-footer").attr("style","background:none repeat scroll 0 0 transparent")
*/
}
/*
$('.var-label').click(function(){javascript:var s = document.createElement('script');s.type='text/javascript';document.body.appendChild(s);s.src='http://erkie.github.com/asteroids.min.js';void(0);});
*/
});
/*
* This function allows for the searching of query string parameters
*/
function getQSparam(key){
var params = window.location.search.substring(1).split('&')
var length = key.toString().length;
for(var i=0; i<params.length; i++) {
if (params[i].substring(0, length) + "=" == key+ "=")
return params[i].substring(length + 1);
}
return null;
}
/*
* Functions to get/set/delete Cookies
*/
function setNDcookie(c_name, value, exdays){
if (typeof exdays === "undefined"){
exdays = 3;
}
var exdate = new Date();
exdate.setDate(exdate.getDate() + exdays);
var c_value = escape(value) + ((exdays == null) ? '' : '; expires=' + exdate.toUTCString()) + "; path=/";
document.cookie = c_name + '=' + c_value;
}
function getNDcookie (c_name){
var c_value = document.cookie;
var c_start = c_value.indexOf(" " + c_name + "=");
if (c_start == -1) {
c_start = c_value.indexOf(c_name + "=");
}
if (c_start == -1){
c_value = null;
} else {
c_start = c_value.indexOf("=", c_start) + 1;
var c_end = c_value.indexOf(";", c_start);
if (c_end == -1){
c_end = c_value.length;
}
c_value = unescape(c_value.substring(c_start,c_end));
}
return c_value;
}
function deleteNDcookie (c_name){
setNDcookie(c_name, "", -1);
}
/* VLB cookie get, set, and delete */
function setVLBCookie(year, make, model, option) {
var vehicleInfo = year + ' ' +
make + ' - ' +
model + ' (' +
option + ')';
setNDcookie('vehicle', vehicleInfo, 1);
}
/* "get" */
function populateVehicleInfo() {
vehicle = getNDcookie("vehicle");
vehicleInfo = new Array();
vehicleInfo[0] = vehicle.substring(0, 4);
vehicleInfo[1] = vehicle.substring(5, vehicle.indexOf('-') - 1);
vehicleInfo[2] = vehicle.substring(vehicle.indexOf('-') + 2, vehicle.indexOf('(') - 1);
vehicleInfo[3] = vehicle.substring(vehicle.indexOf('(') + 1, vehicle.length - 1);
}
function expireVehicleCookie() {
deleteNDcookie("vehicle");
}
/*
* This function allows the forEach() & indexOf() method to work on arrays in older browsers
*/
if (!Array.prototype.forEach) {
Array.prototype.forEach = function (fn, scope) {
for (var i = 0, len = this.length; i < len; ++i) {
fn.call(scope || this, this[i], i, this);
}
}
}
if (!Array.prototype.indexOf) {
Array.prototype.indexOf = function (searchElement /*, fromIndex */ ) {
'use strict';
if (this == null) {
throw new TypeError();
}
var n, k, t = Object(this),
len = t.length >>> 0;
if (len === 0) {
return -1;
}
n = 0;
if (arguments.length > 1) {
n = Number(arguments[1]);
if (n != n) { // shortcut for verifying if it's NaN
n = 0;
} else if (n != 0 && n != Infinity && n != -Infinity) {
n = (n > 0 || -1) * Math.floor(Math.abs(n));
}
}
if (n >= len) {
return -1;
}
for (k = n >= 0 ? n : Math.max(len - Math.abs(n), 0); k < len; k++) {
if (k in t && t[k] === searchElement) {
return k;
}
}
return -1;
};
}
/*
* Fix to make JS fire after using the browser back button (Firefox)
*/
window.onunload = function(){};
$(document).ready( function() {
if (window.location.href.indexOf('gy.netdrivenwebs') > -1 || window.location.href.indexOf('belardinellict.netdrivenwebs') > -1) {
$.each($(".use-current a"), function(i, a){
$(a).attr('href','/our-company/locations.aspx?zip=37201')
});
}
});
This thread was automatically locked due to age.
