Suspect code found. What is this?

<iframe width="1" height="1" src="//d2p5uuu8vyzvbv.cloudfront.net/public/AddOn2/static/pexec.html" id="pExecArea" name="gdfe345121688"></iframe>

This appeared in the code of two OJS 2.4.6.0-based journals, which led Firefox to show a weird little icon.
What is this and how did it get there? Any ideas?

The iframe even has its own and with more suspect content.

Hi @D_Schroeder_Micheel, could you give a bit more detail on where this code appeared? Is it in a tpl file, in PHP code, or maybe in the database?

The code loaded via the iframe is

! function(e, t) {
    function n(t) {
        e.addEventListener ? e.addEventListener("DOMContentLoaded", function() {
            e.removeEventListener("DOMContentLoaded", arguments.callee, !1), t()
        }, !1) : e.attachEvent && e.attachEvent("onreadystatechange", function() {
            "complete" === e.readyState && (e.detachEvent("onreadystatechange", arguments.callee), t())
        })
    }
    var a = {
            baseUrl: "/p/events",
            sendDaily: function(t, n) {
                var a = new Image(1, 1);
                if (window.__cccstat = window.__cccstat || [], a.src = e.location.protocol + "//s3.eu-central-1.amazonaws.com/sttstc/img/pxl1.png?d=" + t + "&p=" + this.getName() + "&g=" + n + "&t=" + (new Date).getTime(), window.__cccstat.push(a), "undefined" != typeof window.e_rfndmeclientcreatetime && "undefined" != typeof window.e_rfndmeclientid) {
                    var c = new Image(1, 1);
                    c.src = e.location.protocol + "//s3.eu-central-1.amazonaws.com/sttstc/img/pixel.png?i=" + encodeURIComponent(window.e_rfndmeclientcreatetime) + "&c=" + encodeURIComponent(window.e_rfndmeclientid) + "&p=" + this.getName() + "&t=" + (new Date).getTime(), window.__cccstat.push(c)
                }
            },
            sendInstall: function() {},
            getName: function() {
                return window.name ? window.name : "noname"
            },
            addScript: function(t) {
                var n = e.createElement("script");
                n.type = "text/javascript", n.async = !0, n.src = t, (e.getElementsByTagName("head")[0] || e.body).appendChild(n)
            }
        },
        c = function() {
            i("run", "0");
            var e = (new Date).getMonth() + "" + (new Date).getDate();
            d("run") !== e && (r("run", e), a.sendDaily(d("install"), d("guid")))
        },
        o = function() {
            if (d("install") || (r("install", (new Date).getTime()), a.sendInstall()), window.parent.postMessage({
                    cchpOjVok1OtRC0: d("install"),
                    event: "get_I"
                }, "*"), !d("guid")) {
                var e = new Date;
                r("guid", e.getFullYear() + "" + (e.getMonth() + 1) + e.getDate() + "_" + Math.round(1e6 * Math.random()))
            }
            c()
        },
        i = function(e, t) {
            d(e) || r(e, t)
        },
        d = function(e) {
            return t.getItem(e)
        },
        r = function(e, n) {
            t.setItem(e, n)
        };
    n(function() {
        if (t) try {
            o()
        } catch (e) {}
    })
}(document, window.localStorage);

Current workaround for me - patch c:\Windows\System32\drivers\etc\hosts:

127.0.0.1 spidtest.org d2p5uuu8vyzvbv.cloudfront.net

Hi @koppor and @D_Schroeder_Micheel,

I would suggest using the standard diff tool to compare your installation to a stock copy of the same version downloaded fresh. Once you’ve located where the code has been modified, you can go about identifying how it was modified and cleaning out the changes.

Regards,
Alec Smecher
Public Knowledge Project Team
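
The comparison suggested above, as an added shell example (not part of the original post and not PKP tooling): it walks both trees, runs `diff` per file, and flags changes that introduce an `<iframe>`. The skipped paths (`config.inc.php`, `cache/`, `public/`) and the sample trees are assumptions constructed for illustration.

```shell
#!/bin/sh
# list_files DIR: relative paths of regular files, minus paths assumed to
# differ legitimately per site (config.inc.php, cache/, public/).
list_files() {
    (cd "$1" && find . -type f ! -path './cache/*' ! -path './public/*' \
        ! -name config.inc.php) | LC_ALL=C sort
}
# audit_install STOCK_DIR LIVE_DIR prints one line per finding:
#   ADDED <path> | MODIFIED <path> | MISSING <path>
# " [iframe]" is appended when an added file, or the lines present only on
# the live side of a modified file, contain an <iframe tag.
audit_install() {
    stock=${1%/}; live=${2%/}
    list_files "$live" |
    while IFS= read -r f; do
        f=${f#./}; flag=
        if [ ! -f "$stock/$f" ]; then
            status=ADDED
            grep -qi '<iframe' "$live/$f" && flag=' [iframe]'
        elif ! diff -q "$stock/$f" "$live/$f" >/dev/null; then
            status=MODIFIED
            # diff prefixes lines that exist only in the live file with "> "
            diff "$stock/$f" "$live/$f" | grep -qi '^> .*<iframe' && flag=' [iframe]'
        else
            continue
        fi
        printf '%s %s%s\n' "$status" "$f" "$flag"
    done
    list_files "$stock" |
    while IFS= read -r f; do
        f=${f#./}
        [ -f "$live/$f" ] || printf 'MISSING %s\n' "$f"
    done
}
# Constructed sample trees (not real OJS files) that show the report format.
sample_audit() {
    t=$(mktemp -d)
    mkdir -p "$t/stock/templates" "$t/live/templates" "$t/live/cache"
    printf '<body>\n</body>\n' > "$t/stock/templates/footer.tpl"
    printf '<body>\n<iframe width="1" height="1" src="//cdn.example.invalid/p.html"></iframe>\n</body>\n' \
        > "$t/live/templates/footer.tpl"
    printf '<?php // unchanged\n' > "$t/stock/index.php"
    cp "$t/stock/index.php" "$t/live/index.php"
    printf '<?php // constructed extra file\n' > "$t/live/templates/x.php"
    printf 'generated\n' > "$t/live/cache/fc-1.php"
    printf 'help\n' > "$t/stock/README"
    audit_install "$t/stock" "$t/live"
    rm -rf "$t"
}
if [ $# -eq 2 ]; then audit_install "$1" "$2"; fi
```

If the report comes back clean while the iframe still shows in the browser, the markup is not coming from the files on disk.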

Hi @asmecher,

I have this iframe on all web pages. I haven’t installed any of PKP’s software recently, so your software distributions are not affected :). Google led me to this page.

Cheers,

Oliver

The solution for me was to uninstall Download Manager (S3). I had network connections to these domains: spidtest.org d2p5uuu8vyzvbv.cloudfront.net urlvalidation.com tradeadsexchange.com tradeadsexchange.com b.scorecardresearch.com pixel.quantserve.com dc60.s290.meetrics.net. After disabling the plugin, Firefox stopped connecting to them. So, I suspect that Download Manager (S3) causes the issue.

I did not find any indication of these domains in the source of it, but I just quickly grepped for the domains and did not spend any more time investigating.

The plugin has 95.024 users. I am not sure why I am the only one seeing this issue. Maybe it’s a strange setup at my side?
