Hi,
I don't want to raise alarm bells, but I think you may have a vulnerability in a specific file: [email protected]
We are noticing that a number of users are seeing an injected iframe ad application being driven by a Russian collection of traffic-generating sites, and they all look to be using the following Buffer extension file [[email protected]] as the entry point.
Maybe worth investigating?
<span id="buffer-extension-hover-button" style="display: none;position: absolute;z-index: 8675309;width: 100px;height: 25px;background-image: url(chrome-extension://noojglkidnpfjbincgijbaiedldjfbhh/data/shared/img/[email protected]);background-size: 100px 25px;opacity: 0.9;cursor: pointer;"></span>
This is the inner <iframe> being injected, and also not good as it renders the current URL which is not good to those not in the know.
I have tracked down a number of URLs being used to run the application but there are many being used to relay the same output in case of one being closed down.
So far I have traced them back to the following 2 sources, but time is not available to keep digging.
http://rmbn.net/
http://gnezdo.ru
Replacing that file should remove their entry point.
Collected URLs:
http://rmbn.net/
http://gnezdo.ru (Linked to a single individual located in Moscow)
http://xlog.info/ (Hiding the embed frames content wrapper)
http://tredman.com/ (Another frame holder generator)
All are pointing at the same file as the entry point to inject their iframe for the ad engine.
See attached images for more details.
Hopefully we can resolve this vulnerability ASAP.