@PhilETaylor
Created December 12, 2017 15:46
You can believe whatever you want to believe. But facts are facts.
Let’s start by assuming that myJoomla.com is actually a valuable service (it’s multi-award-winning for a reason) and doesn’t mark things as hacked just for the fun of it, shall we? Let’s assume I have a lot of experience in what I’m doing and myJoomla.com reflects that, and builds on not only my experience, but the experience of the 50,000+ sites connected to myJoomla.com daily. We are at the cutting edge of this.
Right, with that being a fact, there is a good reason this file is now marked by myJoomla.com.
Just because the file has not changed doesn’t mean it’s now not a threat. Actually myJoomla.com has new things added DAILY to its database of things to look for and the code that powers our service is deployed MANY times a day. The information gathered from one audit can affect every new audit on every site connected to our service.
This file is specifically marked because the external assets loaded by this plugin are serving malicious content.
If you google you will see that this was a major issue in the previous months with redirecting users to porn sites.
Just because it pretends to be something legitimate, it is not. It is not legitimate.
The file CURRENTLY in your webspace - /templates/gk*/layouts/blocks/cookielaw.php contains links to:
https://s3-eu-west-1.amazonaws.com/assets.cookieconsent.silktide.com/1.0.7/plugin.min.js
and
https://s3-eu-west-1.amazonaws.com/assets.cookieconsent.silktide.com/current/plugin.min.js
These files contain "packed" JavaScript code. If you take the source code from these files and place it in this web tool:
http://matthewfl.com/unPacker.html
You will see this code: https://gist.github.com/899aae35ce0943d628be8769c9a3bac1
Which you can see is loading information from get.imobilecontent.tk and s3-cdn.com - neither is to do with cookie consent… This code is in fact used to redirect users to spam content and porn sites. Luckily some of the domain names it uses now no longer exist, but the fact remains these scripts can, have been, and could still be used to inject into your site, and also redirect your users.
If you go to imobilecontent.tk in your browser you will see that it redirects several times, and then ultimately leads you to spam/porn sites.
If you go to http://s3-cdn.com/ it tells you it’s a "Private Advertising Network", which is just another fake term spammers are using.
Nothing good has ever come from these domains.
The fact therefore remains that we are going to flag these files in myJoomla.com as hacked. We will continue to monitor this, but at the moment we have no plans to remove this pattern from our 10000s we search for.
myJoomla.com was one of the first audit vendors to identify this hack - now others have caught up - see:
- http://labs.sucuri.net/db/malware/rogueads.cookieconsent.1
- https://www.gavick.com/forums/11/templates-hacked-54263
If you do nothing then the visitors to your site remain open to being hijacked, redirected or worse.
Kindest regards
Phil.
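
A defender-side check for the two things the message describes, as an added example that is not myJoomla.com's code and not part of the original message: it lists template links to the flagged asset bucket, then inspects a script body for packing and for the two hosts named above. It assumes "packed" means the common `eval(function(p,a,c,k,e,d)` wrapper; the sample template and script are constructed, and the function names are hypothetical.

```python
import re

# Indicators named in the message above.
FLAGGED_ASSET = "assets.cookieconsent.silktide.com"
FLAGGED_HOSTS = ("imobilecontent.tk", "s3-cdn.com")
# Assumption: "packed" means the common eval(function(p,a,c,k,e,d){...}) wrapper.
PACKED_RE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")
DICT_RE = re.compile(r"'([^']*)'\.split\('\|'\)")
JS_URL_RE = re.compile(r"""https?://[^\s"'<>]+\.js\b""", re.I)

def audit_template(text):
    """Return the external .js URLs in a template that point at the flagged asset."""
    return [u for u in JS_URL_RE.findall(text) if FLAGGED_ASSET in u]

def audit_script(js):
    """Return findings for a downloaded script body."""
    findings, words = [], set()
    if PACKED_RE.search(js):
        findings.append("packed-js")
        # The packer moves identifiers into a '|'-joined word list, so a host
        # name is not present literally; its labels appear as separate words.
        for word_list in DICT_RE.findall(js):
            words.update(word_list.split("|"))
    for host in FLAGGED_HOSTS:
        labels = re.split(r"\W+", host)
        if host in js or (words and all(label in words for label in labels)):
            findings.append("host:" + host)
    return findings

# Constructed samples (not the real files).
SAMPLE_TEMPLATE = '''<?php defined('_JEXEC') or die; ?>
<script src="https://example.org/lib/jquery.min.js"></script>
<script type="text/javascript" src="https://s3-eu-west-1.amazonaws.com/assets.cookieconsent.silktide.com/current/plugin.min.js"></script>
'''
SAMPLE_PACKED = r"""eval(function(p,a,c,k,e,d){/* decoder omitted in sample */}('0 1=2.3("4");1.5="//6.7/8.9"',10,10,'var|s|document|createElement|script|src|imobilecontent|tk|a|js'.split('|'),0,{}))"""

if __name__ == "__main__":
    print(audit_template(SAMPLE_TEMPLATE))
    print(audit_script(SAMPLE_PACKED))
```

The word-list match is a heuristic: it reports a host when all of its labels occur in the packed dictionary, so a hit should be confirmed by reading the unpacked source.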