Inquiry for all you crazy cool web designer folk

[PackerFanatic]

On one of the websites I designed and maintain, I am suddenly getting the following message from AVG when I go to it:

"Exploit MDAC ActiveX code execution (type 170)"

It looks like a fairly common error from what I tell from Google, but it's all people who have come across it, not people like me who need to fix it. Odd thing is, when I checked at work on three browsers, I didn't get it. Only a handful of people have seen it (and I was actually surprised to see it here) I last went to the site probably a month ago and never got it - and I know I don't have anything ActiveX-related on the site. Any suggestions?

[SirFozzie]

Do you have outside ads on your site? One of your ad providers may be cracked...

[PackerFanatic]

Nope, no ads at all.

I do use AJAX as well, which I can't recall if that uses ActiveX at all (but the site has been running fine for two years without a sign of this warning)

[PackerFanatic]

And in case you want to check it out for yourself...

hxxp://www.leasterpool.com

Not sure what looking at the site will get you, but its worth a shot.

[Ronnie Dobbs2]

There's all this goofy hmtl at the bottom of that page.

Code:

removed for potential malware

PF, PM me if you want the code

[PackerFanatic]

...really? What the hell...

[PackerFanatic]

I probably can't see it because I get the alert and the page doesn't finish loading. I assume you don't get the alert?

[Ronnie Dobbs2]

No alert, maybe because I'm running NoScript?

[PackerFanatic]

Probably. I am going to scan those pages client-side and see if I see anything. I don't see anything in my source code that I have.

[Ronnie Dobbs2]

I should elaborate - I don't see that code when the page loads, but when I look at the source code. It's actually about halfway down.

[PackerFanatic]

Right, I got it. Thanks

[PackerFanatic]

Of course, nothing when I scan the folder and nothing when I check out that page.

[PackerFanatic]

Ha, as soon as I tried to open that file, Ronnie - I got the alert and I didn't see the piece that you pointed out earlier. Huh...I am really perplexed now.

[Ronnie Dobbs2]

Try to open it in a text editor rather than a browser.

[Ronnie Dobbs2]

Isolating it a bit further... those ads do appear on your "Message Board" tab, along with what NoScript sees as a PHP script that says

< IFRAME >httpd-php@http://www2.guestbooks4free.com/guestbook.php?username=leasterpool&ts=14439.077882407406

with the spaces removed.

This seems to describe the problem as I'm seeing it, down to the obfuscated JavaScript. I tried to decode it but no luck.

http://www.guardian.co.uk/technology...ecurity.google

[PackerFanatic]

Ah yes...I did forget about that damn guestbook. I bet you any money it is that piece of crap. I know there are ads on that thing. Let's do a test...

[PackerFanatic]

You da man, Robbie. Glad you found that piece. The code you posted before was actually the ads on that page. Must have been something wonky with it. Took out that tab, and bam - works fine.

No worries all, thanks a lot to everyone that pitched in

[RainMaker]

You may also want to throw some of the javascript into external files js files.

[PackerFanatic]

That might help actually narrow it down easier next time. But I think getting a guestbook/message board that isn't cheap would be a better route. I installed a full blown forum for them and they said it was just too much, heh. Oh well, thanks for the tip.