Is this a javascript injection

Forum Moderators: open

Message Too Old, No Replies

Is this a javascript injection

eleventy

4:54 pm on Jun 13, 2016 (gmt 0)

Hey folks :)

I have a joomla site which has this snippet at the bottom of every page when you view source:

 <script type="text/javascript">function x9b19e(className) {var elements = document.getElementsByClassName(className);while(elements.length > 0){elements[0].parentNode.removeChild(elements[0]);}}x9b19e("ba188");</script>

It's interfering with a JSON response and breaking the cart, and also some buttons in the backend aren't working.

I scanned the site on sucuri.net/scanner and it reports that it is clean (although I know this might not be accurate). I've checked the main index.php files and there's nothing suspicious. So now I'm about to embark on an extension disabling mission (made more laborious by the fact it is a Joomla installation connected to Magento using Magebridge - so I have all those extensions to disable etc.). I just thought I'd ask the question to see if anyone has some suggestions while I'm doing so.

Thanks
11ty

Fotiman

5:58 pm on Jun 13, 2016 (gmt 0)

That script is essentially removing all elements with class "ba188" from the document. My hunch would be that this is related to some extension, but our best bet is to do just what you're doing... disable all extensions, then re-enable them a bit at a time to find the offending one.

eleventy

6:38 pm on Jun 13, 2016 (gmt 0)

Thank you Fotiman, much appreciated.

I'll report back when(/if) I find it :)

eleventy

9:48 pm on Jun 13, 2016 (gmt 0)

I first opted to disable joomla extensions one after the other, then check the home page for the snippet. After 10 or so I decided to disable all of the enabled plugins, which broke the site. Every page source now contains only the snippet.

So in phpmyadmin, they are all still enabled? I checked every one as I saved a list.

I think it must an infection, so I'm restoring from a backup :( happy days (sarcasm)