RayLP, posted September 14, 2023 (ID:1588961)

We are a web agency. One of our customers reported that his Shopify shop is blocked. Can you please let me know more details about that rating as a malicious / phishing website? We did not find anything.

https://www.virustotal.com/gui/domain/art-mind.shop/details

Thanks! Raimund

1PW, posted September 14, 2023 (ID:1588971, edited September 14, 2023 by 1PW)

For Malwarebytes staffers: Trojan.JS.Redir.gen.94 might be detected in 11 JavaScript files.

https://quttera.com/detailed_report/www.art-mind.shop
https://www.abuseipdb.com/check/23.227.38.32
https://www.phishtank.com/phish_detail.php?phish_id=8151445

MBG: Website Blocked: www.art-mind.shop v2.6.10 | Riskware: 2.0.202309141321

RayLP (Author), posted September 14, 2023 (ID:1588987)

thanks - we will investigate further!

TeMerc (Staff), posted September 14, 2023 (ID:1589013)

1 hour ago, RayLP said:
> thanks - we will investigate further!

Hi - Some more here: VirusTotal - Domain - art-mind.shop

RayLP (Author), posted September 15, 2023 (ID:1589074)

We identified the reason and removed the code - it is a very bad attempt to trick page speed performance tools like Google Lighthouse. It checks if such a performance tool is accessing the page and delivers only header and footer then, no other page content, which of course has a huge impact on speed score then...

Thanks all for your hints!

https://guides.magefix.com/2022/01/shopify-speed-optimization-scam/

BjelakovicL (Staff), posted September 15, 2023 (ID:1589107)

Hi,

The suspicious code is still present on the site.

[[var _0xb950=["\x73\x74\x61\x72\x74\x61\x73\x79\x6E\x63\x6C\x6F\x61\x64\x69\x6E\x67","\x6C\x69\x6E\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x6C\x65\x6E\x67\x74\x68","\x64\x61\x74\x61\x2D\x68\x72\x65\x66","\x67\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x68\x72\x65\x66","\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x64\x61\x74\x61\x73\x65\x74","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72"];document[_0xb950[9]](_0xb950[0],function(){var _0x10b6x1=document[_0xb950[2]](_0xb950[1]);for(i= 0;i< _0x10b6x1[_0xb950[3]];i++){if(_0x10b6x1[i][_0xb950[5]](_0xb950[4])!== null){_0x10b6x1[i][_0xb950[7]](_0xb950[6],_0x10b6x1[i][_0xb950[5]](_0xb950[4]));]]
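
Added example, not part of the original thread and not code from Malwarebytes or the site owner: a static decoder for the hex-escaped string table in the fragment quoted above, which inlines the decoded strings so the code can be read without running it. The function names (`decodeEscapes`, `extractStringTable`, `inlineTable`) are this example's own, and `SAMPLE` is the truncated fragment exactly as posted.

```javascript
// Added example: static decoder for the hex-escaped string table in the quoted
// fragment. The sample is only parsed as text; nothing from it is executed.
// SAMPLE is the fragment as posted in the thread (it is cut off there as well).
const SAMPLE = String.raw`var _0xb950=["\x73\x74\x61\x72\x74\x61\x73\x79\x6E\x63\x6C\x6F\x61\x64\x69\x6E\x67","\x6C\x69\x6E\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x6C\x65\x6E\x67\x74\x68","\x64\x61\x74\x61\x2D\x68\x72\x65\x66","\x67\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x68\x72\x65\x66","\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x64\x61\x74\x61\x73\x65\x74","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72"];document[_0xb950[9]](_0xb950[0],function(){var _0x10b6x1=document[_0xb950[2]](_0xb950[1]);for(i= 0;i< _0x10b6x1[_0xb950[3]];i++){if(_0x10b6x1[i][_0xb950[5]](_0xb950[4])!== null){_0x10b6x1[i][_0xb950[7]](_0xb950[6],_0x10b6x1[i][_0xb950[5]](_0xb950[4]));`;

// Turn \xNN and \uNNNN escapes into characters without eval().
function decodeEscapes(s) {
  return s.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Locate `var _0x....=["..",".."]` and return its name and decoded entries.
function extractStringTable(src) {
  const decl = /var\s+(_0x[0-9a-f]+)\s*=\s*\[((?:\s*"(?:[^"\\]|\\.)*"\s*,?)+)\s*\]/i.exec(src);
  if (!decl) return null;
  const strings = [...decl[2].matchAll(/"((?:[^"\\]|\\.)*)"/g)]
    .map((m) => decodeEscapes(m[1]));
  return { name: decl[1], strings, end: decl.index + decl[0].length };
}

// Replace every table[n] lookup after the declaration with the decoded literal.
// Out-of-range indexes are left untouched so nothing is silently invented.
function inlineTable(src) {
  const table = extractStringTable(src);
  if (!table) return { table: null, code: src };
  const lookup = new RegExp(table.name + "\\[(\\d+)\\]", "g");
  const code = src.slice(table.end).replace(/^\s*;/, "").replace(lookup,
    (whole, n) => (Number(n) < table.strings.length
      ? JSON.stringify(table.strings[Number(n)]) : whole));
  return { table, code };
}

const result = inlineTable(SAMPLE);
console.log(result.table.strings);
console.log(result.code);
```

Decoded, the fragment registers a listener for a custom `startasyncloading` event and, for each `link` element that has a `data-href` attribute, copies that value into `href`.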

RayLP (Author), posted September 15, 2023 (ID:1589123)

Sorry to ask dumb questions - just to be sure... Did you reload the page with Cmd+F5? Because if I check the source of the page now, I cannot find that snippet anymore. Or, otherwise, could you give me the exact URL where you still found it? Thx!

53 minutes ago, BjelakovicL said:
> Hi,
> The suspicious code is still present on the site.
> [[var _0xb950=["\x73\x74\x61\x72\x74\x61\x73\x79\x6E\x63\x6C\x6F\x61\x64\x69\x6E\x67","\x6C\x69\x6E\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x6C\x65\x6E\x67\x74\x68","\x64\x61\x74\x61\x2D\x68\x72\x65\x66","\x67\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x68\x72\x65\x66","\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x64\x61\x74\x61\x73\x65\x74","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72"];document[_0xb950[9]](_0xb950[0],function(){var _0x10b6x1=document[_0xb950[2]](_0xb950[1]);for(i= 0;i< _0x10b6x1[_0xb950[3]];i++){if(_0x10b6x1[i][_0xb950[5]](_0xb950[4])!== null){_0x10b6x1[i][_0xb950[7]](_0xb950[6],_0x10b6x1[i][_0xb950[5]](_0xb950[4]));]]

BjelakovicL (Staff), posted September 15, 2023 (ID:1589128)

Just checked again. It's on your homepage: https://art-mind.shop

RayLP (Author), posted September 15, 2023 (ID:1589137)

thx - found it and the origin, removed

1PW, posted September 15, 2023 (ID:1589148)

Hello @RayLP:

IIRC, a few hours ago, I believe 12 files were affected. IMHO, there are still 11 more files left to correct.

Reference: https://quttera.com/detailed_report/www.art-mind.shop

HTH

RayLP (Author), posted September 15, 2023 (ID:1589169)

everything else cleaned now: https://quttera.com/detailed_report/art-mind.shop

BjelakovicL (Staff, Solution), posted September 17, 2023 (ID:1589503)

Thanks for having it cleaned. The block will be removed in the next database update.