Unfortunately, it looks like MenuMachine is deployed in enough sites that it has become a target for malware authors.
Yesterday we were made aware of a piece of malware that specifically modifies GoLive-generated JavaScript files, including MenuMachine JavaScript files.
Anirban Banerjee from stopthehacker.com explains:
Hackers are choosing to insert malicious code directly into local copies of MenuMachine scripts which are linked to compromised sites. This is primarily being done by harvesting client-side FTP credentials using a backdoor trojan which then proceeds to hand over the credentials to a bot which in turn pumps in the infected code.
The trojan affects MenuMachine JavaScript files as well as the GoLive CSScriptLib.js file used for GoLive Actions support. The page at stopthehacker.com has an example of the modified code.
I must point out that unless your local machine is compromised, there is no way that this can affect you. This is not a vulnerability in MenuMachine itself. Your site cannot be modified unless the trojan has gained access to your local machine, in which case you have other problems. Your site cannot be affected by other machines on the internet.
I highly recommend that you have a look at the MenuMachine files in your site. If any of them contain this line at the end, then your computer and your site are compromised:
function(hVAxp){varv120='va@72@20a@3d@22@53
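One way to run this check over a whole local site folder, as an added example that is not part of the original post or of MenuMachine. The function names, the 64 KiB tail window and the decision to ignore whitespace when matching are assumptions made here; the marker is the string quoted above.

```python
import os
import re
import sys

# Marker string exactly as quoted on this page (the page shows only this prefix).
MARKER = "function(hVAxp){varv120='va@72@20a@3d@22@53"
TAIL_BYTES = 64 * 1024  # assumption: the appended code sits in the last 64 KiB


def _squash(text):
    """Drop all whitespace so spacing differences do not hide a match."""
    return re.sub(r"\s+", "", text)


def tail_has_marker(path, marker=MARKER, tail_bytes=TAIL_BYTES):
    """Return True if the end of the file contains the marker."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - tail_bytes))
        tail = fh.read().decode("latin-1")  # latin-1 decodes any byte sequence
    return _squash(marker) in _squash(tail)


def scan_site(root):
    """Walk a local site folder and return the .js files that carry the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".js"):
                path = os.path.join(dirpath, name)
                try:
                    if tail_has_marker(path):
                        hits.append(path)
                except OSError as exc:
                    print(f"skipped {path}: {exc}", file=sys.stderr)
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = scan_site(root)
    for path in found:
        print("MODIFIED:", path)
    print(f"{len(found)} file(s) contain the marker")
    sys.exit(1 if found else 0)
```

Run it against the local copy of the site first, then against a fresh download of the live site, since the post describes both being modified.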
As far as I am aware, this issue can only affect Windows machines. If you’re running Windows, I highly recommend that you install anti-malware software immediately if you do not already have it in place, and make sure that you are completely up to date with Windows updates. This also applies to you if you run Windows in a virtual machine on your Mac.
This is certainly an unexpected development. If we discover any further information, I’ll let you know.