• Resolved grafityx

    (@grafityx)


    After a malware scan on several websites using Yeloni, Quterra.com considered it malware (potentially dangerous)…

    Any update soon from the Yeloni team?

    Thanks

    • This topic was modified 6 years, 7 months ago by grafityx.
  • Plugin Author kranthitech

    (@kranthitech)

    Hi there,

    Thanks for bringing this to our notice.

    Our plugin uses base64 encoding to render the pop-up contents so that we are able to handle special characters and apostrophes, as we noticed an issue with these characters on some non-English websites.

    It seems like this is being misinterpreted as code obfuscation by Quterra. We’ll get in touch with them with clarification and take the recommended course of action.

    Regards

    Plugin Author kranthitech

    (@kranthitech)

    Hi there,

    We released a new version 7.0.0 which does not have base64 encoding. This may not work on websites using some special characters but it should no longer show up as obfuscation.

    I have also begun communication with Quterra for resolution on their report. Will keep you updated.

    Regards

    Thread Starter grafityx

    (@grafityx)

    Thanks for your fast answer.

    I did the update and ran a new scan, but it still shows suspicious files, details below:

    /#content
    Severity: Potentially Suspicious
    Reason: Detected procedure that is commonly used in suspicious activity.
    Details: Too low entropy detected in string [['JTdCJTIyd2lkZ2V0cyUyMiUzQSU1QiU3QiUyMmNvZGUlMjIlM0ElMjJsWWRWTiUyMiUyQyUyMmluaXRpYWxpemF0aW9uJTIyJTNB']] of length 73960 which may point to obfuscation or shellcode.
    Threat dump MD5: F8137956B5125D540D898471B041A3D4
    File size[byte]: 163012
    File type: HTML
    Page/File MD5: 0C1B5EB62E934B815AFCC61CB5389FA9
    Scan duration[sec]: 55.77

    Threat dump:

    [[<script type='text/javascript' language='javascript' > window.autience_post_id =1332; var autience_is_single =false; window.autience_is_home =true; var autience_path = "https://mywebsite.com/wp-content/plugins/yeloni-free-exit-popup"; window.autience_page_name = "page-exemple"; window.autience_post_type = "post"; window.autience_categories =[ { "cat_ID":64,"name":"Bordeaux" } , { "cat_ID":53,"name":"Rencontre cougar" } ]; window.autience_listen = function(obj, evt, fn,obj_name) { //some browsers support addEventListener, and some use attachEvent try { if (obj) { if (obj.addEventListener) { obj.addEventListener(evt, function(e) { fn(e, evt, obj); } , false); } else if (obj.attachEvent) { obj.attachEvent("on" + evt, function(e) { //pass event as an additional parameter to the input function fn(e, evt, obj); } ) } } } catch(err) { console.log('TRY CATCH error while binding event li

    • This reply was modified 6 years, 7 months ago by grafityx.
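Added example (not from the thread, the plugin or the scanner): a triage sketch that peels the encoding layers of the flagged string quoted in the scan report above, so the content behind an "obfuscation" hit can be read before judging it a false positive. It uses only the prefix quoted in the report; the function names are hypothetical and the entropy figure is a plain Shannon measure, not Quterra's heuristic.

```python
import base64
import math
from collections import Counter
from urllib.parse import unquote

# Prefix of the flagged string as quoted in the scan report
# (the report gives the full length as 73960; only this part is on the page).
FLAGGED_PREFIX = "JTdCJTIyd2lkZ2V0cyUyMiUzQSU1QiU3QiUyMmNvZGUlMjIlM0ElMjJsWWRWTiUyMiUyQyUyMmluaXRpYWxpemF0aW9uJTIyJTNB"


def shannon_entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def try_base64(text):
    """Return the UTF-8 text behind a strict base64 string, else None."""
    # Trim to a multiple of 4 so a clipped excerpt still decodes.
    usable = text[: len(text) - len(text) % 4]
    if not usable:
        return None
    try:
        return base64.b64decode(usable, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def peel_layers(blob, max_depth=5):
    """Decode base64 / percent-encoding repeatedly; return (layer, text) pairs."""
    layers = [("as flagged", blob)]
    current = blob
    for _ in range(max_depth):
        decoded, name = try_base64(current), "base64"
        if decoded is None:
            decoded, name = unquote(current), "percent-encoding"
            if decoded == current:  # nothing left to decode
                break
        layers.append((name, decoded))
        current = decoded
    return layers


if __name__ == "__main__":
    for name, text in peel_layers(FLAGGED_PREFIX):
        print(f"{name:17} entropy={shannon_entropy(text):.2f}  {text[:60]}")
```

The last layer is the start of a JSON widget configuration, which matches the plugin author's explanation that base64 was used to carry pop-up contents.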
    Plugin Author kranthitech

    (@kranthitech)

    Is this site upgraded to plugin version 7.0.0?

    Can you share the url of the site?

    Thanks

    Thread Starter grafityx

    (@grafityx)

    Can’t share in public for negative SEO impact but if you give me your Skype or email address for sure I will send you the link.

    • This reply was modified 6 years, 7 months ago by grafityx.
    Plugin Author kranthitech

    (@kranthitech)

    Sure. Please email me at [email protected] .

    Plugin Author kranthitech

    (@kranthitech)

    Marking as resolved

    Thread Starter grafityx

    (@grafityx)

    Efficient team and awesome plugin. Thanks

  • The topic ‘Yeloni Malware ?’ is closed to new replies.