Intrustion when using TweenMax?

[MiloW]

Hi,

 

I'm not a hard-coding developer so please excuse my lack of professional courtesy ; )

 

Anyway. I have this Joomla site and something works out bad.

Last night the site turned dead. Discovered a lot of files in the cache directory. After turning the cache off and on - the files come back. OK, so I' debugging. RS Firewall showed something like this:

 

components/com_layer_slider/base/includes/slider_markup_init.php Suspicious JS inclusion cdnjs.cloudflare.com/ajax/libs/gsap/1.16.1/TweenMax.min.js"></script>

 

I look inside the file - OK, there it is. First it was 1.12.2 or so, changed to the latest one. RS still sees this as a suspicious JS inclusion.

Unfortunately, I have no time to wait for the slider maker's response as my client is probably up by now (I started 3 hours ago, early in the morning). Hosting loaded my day-before-yesterday backup but this started to happen again.

 

The files which are growing in the cache are like this:

461eba3d86a698b21884bd2d67f164d5-cache-page-61e660625c6877de5807d38fb35f520a.php

page-xxxxxxxxxxxxxxx is different but the beginning is the same.

 

Inside:

EDIT: This seems to be something normal for cache : /

<?php die("Access Denied"); ?>#x#a:3:{s:4:"body";s:709:"<?xml version="1.0" encoding="utf-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/"><ShortName>Kliniki Ziemlewski</ShortName><Description>Klinika Warszawa | Wrocław | Poznań | Łódź</Description><InputEncoding>UTF-8</InputEncoding><Image type="image/vnd.microsoft.icon" width="16" height="16">http://www.klinikiziemlewski.pl/templates/jsn_time_pro/favicon.ico</Image><Url type="application/opensearchdescription+xml" rel="self" template="http://www.klinikiziemlewski.pl/component/search/?id=115&Itemid=118&format=opensearch"/><Url type="text/html" template="http://www.klinikiziemlewski.pl/index.php?option=com_search&searchword={searchTerms}"/></OpenSearchDescription>
";s:13:"mime_encoding";s:37:"application/opensearchdescription+xml";s:7:"headers";a:1:{i:0;a:2:{s:4:"name";s:3:"P3P";s:5:"value";s:50:"CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"";}}}

So now is my question: do you guys think it's something with the actual TweenMax or is it connected with Joomla cache somehow, and therefore it's not the library problem?

I hope the layer maker will contact me back soon.

 

Any chances that this library messes up with something about cache of the system? Anyone heard of anything? : )

 

Or is it coincidence that RS Firewall shows this (TweenMax file) as a possible JS inclusion (wrong word in the topic - sorry : )?

 

Thanks for any hints.

 

Milo

[GreenSock]

I've never heard of this sort of thing before. I can assure you that TweenMax doesn't do anything to mess with Joomla's cache or anything like that - it just animates things (when you ask it to). There is no malicious code whatsoever. I Googled the error you mentioned and there are many reports of false positives. Apparently there are problems with the automated algorithm they're using to sense "malware" in your Joomla thing. 

 

GSAP is used by some of the biggest brands on the planet (Intel, McDonalds, Sony, Samsung, etc.). It's recommended by Google itself. If there were malware in it, I'm sure you'd see an outrage on the web about it.

 

I'm pretty confident there's nothing to worry about and you can write it off as a false positive. If you find any evidence to the contrary, please let us know. 

[MiloW]

It's not illegal to ask, though : )

 

Thanks and keep up the good work guys. Gonna investigate this further. I feel I'm close to the resolution.

[GreenSock]

No problem. I certainly don't blame you for asking. Let us know what you find.