Internet Nasties

A few days ago Alan alerted me to a problem here.

Just to let you know that my Kaspersky anti-virus thinks your site has been got at.
It says it has blocked download of “legal software which can be used to damage your computer or personal data”

This was something calling itself cosmeticsrc.com.

I was somewhat baffled and it took me a while to find out where it was coming from. Somehow, a hidden image had been inserted into the post that was cross scripting. The reason it took me a while to find it was because under normal circumstances, it was pointing to an invisible image. I could, however, see it if I switched to text mode. The last three posts were infected with this code at the foot of the post. So I deleted the code and it didn’t reappear.

I use Ublock Origin to block adverts and scripts in my browser. When I checked this, despite having removed the rogue code, Ublock, was still blocking cosmeticsrc.com, so it was still lurking somewhere.

Anyway, I put up another post yesterday and before publishing, checked text mode and there it was again, code injected at the foot of the post.

I could find nothing on the site’s database.

Then I tried something different. I loaded the site using Edge instead of Vivaldi. Ublock wasn’t blocking anything from cosmeticsrc.com. I tried making a test post. Everything was fine.

I went back to Vivaldi and tried again and there was code in the post.

So, Vivaldi was the culprit. I removed it, wiped the folders and reinstalled it. So far, no recurrence. I’m not sure how the infection got there, but it had buried itself into the browser and was injecting my blog with rogue code. A new one on me.

I do apologise, but suggest you guys carry out a check looking for cosmeticsrc.com/metric