Hi,
I bumped into this from the 3.00 version days ... (see
https://www.nopcommerce.com/boards/t/26045/fake-url-injection-in-homepage-nop-300-site.aspx).
It broke several nop 3.00 and 3.40 websites on several physical machines, with several different OS versions, etc.
1. I never found any malware on the machine having this symptom and I used several different anti-malware applications from different companies.
2. All the website attacked were deployed using only the nopcommerce_no_source files, with no file or folder changes.
3. I used only plugins downloaded from this site, with full respect of the installation procedures.
4. In every affected case the website was deployed on a physical machine in my own company, me being the only admin. No hosting...
5. Every affected nop deployment was configured to use a local SQL Server database with no Windows or SQL Server remote management allowed.
6. In some cases the product pictures image link were changed to point to www.baidu.com, in other cases to www.ly.com (both points to China ...)
7. Despite my best efforts I found no suspicious Java script files on the affected machines.
8. It seems the attack is auto-eliminated when the guest customer accounts gets removed by the scheduled task. After that the picture link URLs have the correct values.
9. I noticed for every such incident that there are more than one Guest Customer Role listed in the Customer Roles page. Somehow several Guest Roles are created and many (I mean many !) guest customer accounts appear to be registered in the Customer list ... and seems to remain there. I recall some cases when I found several thousand guest customer accounts linked to more than 30 customer roles all named ”Guest”. This might be just a coincidence with the replacement of the product picture URLs.
I suspect the cause is some kind of XSS attack and the consequences get's wiped out automatically (URLs get's restored) periodically at 5 minutes interval (the schedule task is ser to clean guests every 300 seconds), thus making detecting this a little more tricky.
If someone has any suggestions on solving this very annoying problem I'd be very happy to know it !