CODEWITHSUNDEEP
javascriptwordpressexternalmalware
Stender
Stender

Reputation: 2492

malicious js? or what is it

I am working on a customers website (wp), and i found something in the header that looks malicious - i have searched the web for what it is, but i cannot seem to find any answers - will you help me. The code that i found is 

<script type="text/javascript" src="http://www.djkeun1bal.com/js/xxxx.js"></script>

<noscript><img src="http://www.djkeun1bal.com/xxxxx.png" style="display:none;" /></noscript>

I hope that you can help me here.

Upvotes: 0

Views: 945

Answers (2)

PeteB
PeteB

Reputation: 122

Lead Forensics uses random alias/masked domains so as to make it harder for web visitors to block them from tracking/snooping them. There is no opt-out process.

If they stuck to their primary domain leadforensics.com then they could easily be blocked from a hosts file. They have many obscure domains that they operate from and this decreases their chances of being blocked from data harvesting.

Upvotes: 1

Chris Wheeler
Chris Wheeler

Reputation: 1717

This tracking code is from a company called Lead Forensics - I added it a while ago to a customer site when they signed up to a trail with them.

I came across this question when searching for the djkeun1bal.com domain as I spotted the js when auditing their site and forgot I'd added it. They've done a good job of making it look malicious!

The number in the URLs is likely a customer ID with Lead Forensics - you may want to remove if from the SO question for privacy reasons.

Edited to add: www.djkeun1bal.com and tracker.leadforensics.com both resolve to lfvmeuw.cloudapp.net [104.40.215.103]. I'm not sure why they use two different domains. I guess one may be for privacy reasons, which I've just blown for them. Sorry!

Upvotes: 2

Related Questions