2/24/2018

What is this code from positiverefreshment -- spyware / tracker?

Mystery Code Inserted Into Document Header -- PositiveRefreshment.org

I have been updating our website so that it will comply with full conversion of https:// and SSL requirements that are pending with Google's upcoming Chrome release. I think it's silly to force sites to use expensive SSL certificates that have no need for privacy of traffic, but what are ya gonna do at this point? The market winds have shifted.

And in the process, I have discovered that you can view the security of a page by right-clicking on it, and hitting "Inspect" from the menu. There is a "Security" tab. You probably will have to refresh the page to get the Inspector to show the secure and insecure elements.

Well, there is this mystery code that's been popping up on our site that looks like this:


The http:// is what's keeping our site from validating as secure.

I went searching for information about this tracking site, and there is hardly anything listed on Google about it, and nothing on Bing. There are fewer than 10 sites that mention "positiverefreshment" at all.

So, I tried to sort through all of the code in WordPress and the Theme we use, and nothing seemed to reference this "positiverefreshment" site.

I thought it might be coming from AdSense or some other third party plug-in -- nothing. 


I searched our Ubuntu server for any reference -- nothing.

I went back to the browser and noticed that this line is not in the HTML code. It only shows up in the Elements when you use the Inspect option.

It is being spontaneously inserted!
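The comparison described above (served HTML versus what Inspect shows) can be automated. This is an added example, not code from the original post; it lists script URLs that exist only in the live DOM and flags the http:// ones that break the padlock. The page URL, hosts and markup in the sample are constructed placeholders.

```javascript
// Added example; hosts and markup below are constructed placeholders.
// Collect the live list in the DevTools console of the affected browser with:
//   copy(JSON.stringify([...document.scripts].map(s => s.src).filter(Boolean)))

// Pull script src values out of the raw HTML the server sent. A regex is enough
// for auditing your own page; it is not a general HTML parser.
function scriptSrcsFromHtml(html, baseUrl) {
  const srcs = [];
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    try { srcs.push(new URL(raw, baseUrl).href); } catch { /* skip unparsable src */ }
  }
  return srcs;
}

// Report scripts present in the live DOM but absent from the served HTML.
function findInjectedScripts(servedHtml, liveSrcs, pageUrl, allowedHosts) {
  const served = new Set(scriptSrcsFromHtml(servedHtml, pageUrl));
  const pageIsHttps = new URL(pageUrl).protocol === "https:";
  const findings = [];
  for (const src of liveSrcs) {
    let u;
    try { u = new URL(src, pageUrl); } catch { continue; }
    if (served.has(u.href)) continue; // the server sent this one
    findings.push({
      src: u.href,
      host: u.hostname,
      mixedContent: pageIsHttps && u.protocol === "http:", // breaks the padlock
      unknownHost: !allowedHosts.includes(u.hostname),
    });
  }
  return findings;
}

// Constructed sample: one script from the server, one added at runtime.
const SAMPLE_PAGE_URL = "https://www.example.org/test-page/";
const SAMPLE_SERVED_HTML = `<html><head>
<script type='text/javascript' src='/wp-includes/js/jquery/jquery.js'></script>
</head><body></body></html>`;
const SAMPLE_LIVE_SRCS = [
  "https://www.example.org/wp-includes/js/jquery/jquery.js",
  "http://tracker.example.net/injected.js",
];
const SAMPLE_FINDINGS = findInjectedScripts(
  SAMPLE_SERVED_HTML, SAMPLE_LIVE_SRCS, SAMPLE_PAGE_URL, ["www.example.org"]);
console.log(SAMPLE_FINDINGS);
```

Scripts that the page's own JavaScript adds at runtime also appear in the findings, so anything listed still has to be matched against what the site is expected to load.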

Okay, hmmm. That's really weird.

So, I duplicated one of the pages from WordPress, and chunk by chunk removed elements until I had isolated the culprit. What you see above is the minimum amount of code I had on the page (that would still invoke the mysterious insertion) -- just the jQuery source reference. That's it, nothing else.


So, I downloaded that version of jQuery and replaced it in WordPress with new code. Problem is still there.

If I remove the jQuery, the positiverefreshment reference disappears. SO VERY WEIRD.

I saved it as a .php and a .html page to see if it is being inserted on the server level somehow -- nope, no difference.

Hmmm.

I switched browsers -- to Firefox. And darnit! There it is again.

I switched computers. And it's not there. Not in any of the browsers.

Tried a Mac. Nope, it's not there.

I switched back to the original computer and opened it in MS Edge and Opera. The code is not there in the elements.


So, Chrome and Firefox are both Mozilla and it only shows up in those browsers.

I think I have an interloper -- spyware or a virus.

I edited the HOSTS file and added a line to block any outgoing reference to "track.positiverefreshement.org."


I turned the computer off and switched it with a drive I had been using a month ago. The code is not there -- not in any of the browsers.

So, it must be a fairly recent infection of the Mozilla browsers. Hmmm. Must have gone to some site that I should not have.

I ran a Malwarebytes scan and it was still there.

I downloaded Avast and ran a full scan. It was still there.


I can't get rid of it. OK, I give up.

And suddenly, as I write this.... It's gone. It's not showing up.

Seriously, it was there a couple of hours ago, still saying our pages were not secure.

And now it's not showing up. The pages are green-locked secure.


Hmmm. This is getting to be very strange indeed. I think I will collect all of my emails and other files from the last month and go back to the old drive; and wipe this new drive. Something is not right here.

To the spyware thieves -- probably Russians, I say: "прощай сука."

2022, August 1 UPDATE: Blogger has removed this public post as being a violation as if I were intentionally posting spyware — even though I did not embed or link to any code. And I was, in fact, pointing out that this code is suspicious and probably spyware, and was mysteriously showing up on our site years ago. This post is a warning and notification for others to be on the lookout for this weird javascript insertion. So, I have posted an image of the code instead, and hope Blogger reconsiders tagging this as pushing spyware, which it is not and never intended to be. To whomever “reported” this as spyware: That is ridiculous and rude and terribly untrue. Could one guess that it was a Russian crook, or someone connected to PositiveRefreshment? Really awful people in the world, and Blogger is not correct to side with them.

14 comments :

  1. It's stored in your databases, at least on my Drupal blog... your computer is fine... try to find a string containing "text/javascript" or similar to that within your post... my experience is that not only do they redirect blog traffic to a malware install site, they are also using the site for crypto mining
