@PhilETaylor
Last active December 7, 2017 11:21
Just because the file has not changed doesn’t mean it is not now a threat. Actually, myJoomla.com has new things
added DAILY to its database of things to look for, and the code that powers our service is deployed MANY times
a day. The information gathered from one audit can affect every new audit on every site connected to our service.
This file is specifically marked because the external assets loaded by this plugin are serving malicious content.
If you Google this, you will see that it was a major issue in previous months, redirecting users to porn sites.
Just because it pretends to be something legitimate, it is not. It is not legitimate.
The file CURRENTLY in your webspace - /templates/gk*/layouts/blocks/cookielaw.php - contains links to:
https://s3-eu-west-1.amazonaws.com/assets.cookieconsent.silktide.com/1.0.7/plugin.min.js
and
https://s3-eu-west-1.amazonaws.com/assets.cookieconsent.silktide.com/current/plugin.min.js
These files contain "packed" JavaScript code. If you take the source code from these files and place it in this web tool:
http://matthewfl.com/unPacker.html
You will see this code: https://gist.github.com/899aae35ce0943d628be8769c9a3bac1
Which you can see is loading information from get.imobilecontent.tk and s3-cdn.com - neither has anything to do
with cookie consent… This code is in fact used to redirect users to spam content and porn sites.
Luckily, some of the domain names it uses no longer exist, but the fact remains that these scripts can be,
have been, and could still be used to inject into your site, and also redirect your users.
If you go to imobilecontent.tk in your browser you will see that it redirects several times, and then
ultimately leads you to spam/porn sites.
If you go to http://s3-cdn.com/ it tells you it's a "Private Advertising Network", which is just another
fake term spammers are using.
Nothing good has ever come from these domains.
The fact therefore remains that we are going to flag these files in myJoomla.com as hacked. We will
continue to monitor this, but at the moment we have no plans to remove this pattern from the 10000s of patterns we search for.
myJoomla.com was one of the first audit vendors to identify this hack - now others have caught up - see:
- http://labs.sucuri.net/db/malware/rogueads.cookieconsent.1
- https://www.gavick.com/forums/11/templates-hacked-54263
If you do nothing, then visitors to your site remain open to being hijacked, redirected or worse.
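
One way to check a webspace for the references described above, as an added example (not myJoomla.com's own code or detection pattern): it searches template and script files for the S3 bucket name and the two domains named in this note. The function names, the file-extension list and the constructed gk_example sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Indicators taken from the note above. Matching the bucket name alone covers
# path-style and virtual-host-style S3 URLs and any scheme (http, https, //).
INDICATORS = {
    "silktide-s3-bucket": re.compile(r"assets\.cookieconsent\.silktide\.com", re.I),
    "imobilecontent.tk": re.compile(r"(?<![\w-])imobilecontent\.tk\b", re.I),
    "s3-cdn.com": re.compile(r"(?<![\w-])s3-cdn\.com\b", re.I),
}
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")  # assumption: adjust per site

def scan_webroot(root):
    """Return sorted (relative_path, line_number, indicator_name) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                # errors="replace" keeps the scan going on non-UTF-8 files
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        for label, pattern in INDICATORS.items():
                            if pattern.search(line):
                                findings.append((os.path.relpath(path, root), line_no, label))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(findings)

def demo():
    """Build a constructed template tree (not real site data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        blocks = os.path.join(root, "templates", "gk_example", "layouts", "blocks")
        os.makedirs(blocks)
        with open(os.path.join(blocks, "cookielaw.php"), "w") as fh:
            fh.write("<?php defined('_JEXEC') or die; ?>\n"
                     '<script src="//s3-eu-west-1.amazonaws.com/'
                     'assets.cookieconsent.silktide.com/current/plugin.min.js"></script>\n')
        with open(os.path.join(blocks, "clean.php"), "w") as fh:
            fh.write("<?php echo 'no external assets'; ?>\n")
        return scan_webroot(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hit means the file still loads assets from outside your control; a clean result only covers files with the listed extensions.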