Suspicious JS inclusion

[zaza1964]

Scanning my site with RSFirewall, I got the following message:

Scanning your files for common malware
We've found a total of 1 malware scripts inside your files. Please review
them manually as the scan might have detected false alerts.

plugins/vmpayment/klarna/klarna/tmpl/payment_form.php

Suspicious JS inclusion

cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js"
type="text/javascript

In the include, there's apparently Cross Site Scripting (XSS) to:
http://cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js

Anyone could tell me what this is?

Thanks!

Joomla 2.5.8 & VirtueMart 2.0.14

[jenkinhill]

Automated scans are all too often unreliable. You need to provide the precise report and identify the lines of code trigerring this alert.

This is the only report I have seen of this.

[zaza1964]

Off on holidays for 10 days, will do when I get back.

[Milbo]

Please review
them manually as the scan might have detected false alerts.

As they say themself it might be a false alert.

plugins/vmpayment/klarna/klarna/tmpl/payment_form.php

Suspicious JS inclusion

cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js"
type="text/javascript

In the include, there's apparently Cross Site Scripting (XSS) to:
http://cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js

As far as I understand this is just a dynamic include of the klarna tos. It is directly loaded from their server. Suspicious usually, yes. Other "suspicious" things we do are just whitelisted like loading jquery from google. So as far I can see, everything is fine.

[Dan1980]

I received this also with a scan tonight.

I have a fresh install of a site (in Beta, no-index/no-follow, not advertised anywhere, receives no traffic ... only my team and the odd script-kid from China scanning IP ranges randomly).

Scanning your files for common malware
We've found a total of 2 malware scripts inside your files. Please review them manually as the scan might have detected false alerts.

administrator/components/com_virtuemart_allinone/plugins/vmcalculation/avalara/classes/AvaCertSvc.class.php
Possible PHP injection (mailer)
mail("info@

plugins/vmpayment/klarna/klarna/tmpl/payment_form.php
Suspicious JS inclusion
cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js" type="text/javascript

I would imagine that this must be a false alert. And decided to add this here in case it helps anyone - or if you can shed further light on this since responding to zaza1964.

Many Thanks!

Joomla!   2.5.8 Stable [ Ember ]
Virtuemart   2.0.14
RSFirewall!   46

plus (just in case)
WHM   11.34.0 (build 11)
MySQL version    5.1.65-cll
PHP version    5.3.18

[Dan1980]

Can anyone else confirm that this is a false alarm?

No one?

[mzone85]

I have the same problem with RSfirewall

plugins/vmcalculation/avalara/classes/AvaCertSvc.class.php   Possible PHP injection (mailer)   mail("info@
plugins/vmpayment/klarna/klarna/tmpl/payment_form.php   Suspicious JS inclusion   cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js" type="text/javascript

Should i ignore this?

joomla 2.5.9
virtuemart 2.0.20a