1
pinchecl
hacked?
  • 2013/10/29 14:04

  • pinchecl

  • Friend of XOOPS

  • Posts: 193

  • Since: 2005/4/22


I'm running on 2.5.6.
I have done a completely fresh install and run into a norton popup about this:

In my source code I found this line: "http://skinnalicious.net/final/browse.php?Frameworks/jquery/jquery.js".
That redirects to: "http://9eklkgar7iuibw80yth0kjt.akaytel.com.tr/index.php?r=eHFibmFtYT1wZ2xhcXJ0biZ0aW1lPTEzMTAyOTExMzktNjc3ODY1OTIyJnNyYz0yNjUmc3VybD1za2lubmFsaWNpb3VzLm5ldCZzcG9ydD04MCZrZXk9REY0NEE3MTUmc3VyaT0vZmluYWwvYnJvd3NlLnBocCUzZkZyYW1ld29ya3MvanF1ZXJ5L2pxdWVyeS5qcw=="
I really can't find the file that holds the line "http://skinnalicious.net/final/browse.php?Frameworks/jquery/jquery.js". Is there anyone who can lead me in the right direction? The weirtd thing is that there isn't a directory Frameworks/jquery at all.
According to my hosting provider the server is completely clean. However, every fresh install runs into the same problem. So there are a couple of possibilities in my opinion:
1 - the server is compromised, despite what my provider says
2 - the code is falsly recognised as being maicious
3 - I'm using xoops parts(theme, module a.s.o) that somehow has been infected
4 - I'm doing something completely wrong

Whichever it is, I would like to solve it if possible before I decide to move everything away from this host. Any suggestions?

2
dbman
Re: hacked?
  • 2013/10/30 2:30

  • dbman

  • Friend of XOOPS

  • Posts: 172

  • Since: 2005/4/28


Scan your source files using an antivirus program. If you can't find the redirection url, check for the use of this javascript function: fromCharCode.


3
pinchecl
Re: hacked?
  • 2013/10/30 7:49

  • pinchecl

  • Friend of XOOPS

  • Posts: 193

  • Since: 2005/4/22


Thanks! Already scanned everything for a virus. None found. So I'll check the source for fromCharCode now.

4
pinchecl
Re: hacked?
  • 2013/10/30 8:02

  • pinchecl

  • Friend of XOOPS

  • Posts: 193

  • Since: 2005/4/22


I found three files with the "fromCharCode": easing.js in extGallery, tiny_mce.js and editor_plugin.js in tinyeditor. Where do I go now?

5
dbman
Re: hacked?
  • 2013/10/30 12:50

  • dbman

  • Friend of XOOPS

  • Posts: 172

  • Since: 2005/4/28


Look for statically assigned unicode values in the function arguments like this:
String.fromCharCode(887979808332677783 )


You can copy/paste these to a test page and use a js alert() to view the values or translate the unicode values here:
http://jdstiles.com/java/cct.html

It's likely the use of this function in your editor files is legitimate. Wondering if you are still experiencing this after removing the reference from the jquery.js file (http://skinnalicious.net/final/browse.php?Frameworks/jquery/jquery.js)

6
pinchecl
Re: hacked?
  • 2013/10/30 13:13

  • pinchecl

  • Friend of XOOPS

  • Posts: 193

  • Since: 2005/4/22


How do I remove the reference? (I'm not that experienced....), is it done in the particular js file? Anyway, what I've done now is disabling the jquery.js (which by the way was found in the xoops_lib directory (yes, I have renamed that dir). When I scan for redirects that particular one has gone. However, members still report norton alerting for that intrusion. I have asked them to clear their cache and await the results. Meanwhile I'll scan for the code you mentioned. Thanks so far for your help!

7
pinchecl
Re: hacked?
  • 2013/10/30 13:21

  • pinchecl

  • Friend of XOOPS

  • Posts: 193

  • Since: 2005/4/22


I have scanned for the fromCharCode and these are the results:

fromCharCode(c+29):c.toString(36))}; in easing.js

fromCharCode(parseInt(m[n],p)); in tinymce.js

fromCharCode(55296+(o>>10),56320+(o&1023))}else{return i[o]||String.fromCharCode(o)}}return d[n]||a[n]||h(n)})}}})(tinymce);in tinymce.js

fromCharCode(160)||X.nodeValue==String.fromCharCode(32))} in editor_plugin.js

Does that look suspicious to you?

8
dbman
Re: hacked?
  • 2013/10/31 1:13

  • dbman

  • Friend of XOOPS

  • Posts: 172

  • Since: 2005/4/28


Those function calls look ok.
Although it appears just the jquery file which you cleaned was the only thing infected, some other things to check:
- include files like CDN or resources and files not on your server
- .htaccess files

Another good practice is to sign you site up at google webmaster tools: https://www.google.com/webmasters/tools/home?hl=en

It will check for security issues on a regular basis.

Regarding your site being listed as containing malware, you may need to contact these companies directly to have your site removed from their list after you've confirmed it's clean.



9
pinchecl
Re: hacked?
  • 2013/10/31 7:10

  • pinchecl

  • Friend of XOOPS

  • Posts: 193

  • Since: 2005/4/22


Thanks!

10
pinchecl
Re: hacked?
  • 2013/11/1 14:12

  • pinchecl

  • Friend of XOOPS

  • Posts: 193

  • Since: 2005/4/22


After a lot of help(thanks dbman and mamba!!) and anayzing we found that it was the server that was hacked. So xoops performed as may be expected :)

Login

Who's Online

451 user(s) are online (342 user(s) are browsing Support Forums)


Members: 0


Guests: 451


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits