This past week we have seen a sharp increase in the use of old tactics designed to poison your search engine results – also known as Search Engine Poisoning (SEP) attacks. If you use our free scanner, SiteCheck, you’ll likely see something like the following:
You’re probably wondering, what the heck, how is that SEO SPAM? Allow me to explain what this is doing.
The Payload
As you might be able to tell this is some pretty JavaScript, this is what it actually looks like:
<script language=”JavaScript”>function xViewState(){var a=0,m,v,t,z,x=new Array(‘9091968376′,’8887918192818786347374918784939277359287883421333333338896′,’877886888787′,’949990793917947998942577939317’),l=x.length;while(++a<=l){m=x[l-a];t=z=”;for(v=0;v<m.length;){t+=m.charAt(v++);if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);t=”;}}x[l-a]=z;}document.write(‘<‘+x[0]+’ ‘+x[4]+’>.’+x[2]+'{‘+x[1]+’}</’+x[0]+’>’);}xViewState();</script>If you modify it slightly you can get it to tell you what it’s doing, for instance, in this case it’s calling a specific div:
<style undefined>.nemonn{position:absolute;top:-9999px}</style>What’s that Do?
What really matters is what it’s outputting. As you can see it’s calling the .nemonn class and setting it’s positioning at -9999px. This means you’d never see it. Why? Because your browser is a graph for lack of a better word. The X and Y both start at 0, to better understand I turn to our favorite Dre Armeda to explain:
So by default on absolute positioning you add the top property. The value 0 on that property places whatever object you’re setting the rule flush to the top, hence position: absolute; top:0;. If you change absolute: 0; to lets say absolute: 100; it will push the content down from the top 100 pixels. Hence when you see -9999px it is negative so it pulls it up over top by 9999 pixels. The same thing can be done left/right/bottom by adding the appropriate property – left: 0; right: 0; bottom: 0;
In short, the class being called, nemon, is being pushed off the screen. You’d never see it, but Google sure will. Now when you look at the class you might see something like this:
Pretty nasty, but here is the thing. This isn’t new, it’s actually old but hasn’t been used for a while, at least not as extensively as we have seen it this past week. It seems to be targeting mostly WordPress and Joomla websites. If you find yourself in this predicament you can always contact us and have us clean it for you, or you can go about it yourself.
We’re currently seeing two different variants, xViewState and dnnViewState, first is targeting WordPress and the second is targeting Joomla. WordPress users check your theme files, and Joomla users check your modules.
Cheers and happy hunting!
Leave a reply
