xoops forums

pinchecl (Friend of XOOPS, Posts: 193, Since: 2005/4/22)
Posted on: 2013/10/29 14:04
#1

hacked?

I'm running on 2.5.6.
I have done a completely fresh install and run into a Norton popup about this:

In my source code I found this line: "http://skinnalicious.net/final/browse ... ks/jquery/jquery.js".
That redirects to: "http://9eklkgar7iuibw80yth0kjt.akayte ... XJ5L2pxdWVyeS5qcw=="
I really can't find the file that holds the line "http://skinnalicious.net/final/browse ... ks/jquery/jquery.js". Is there anyone who can lead me in the right direction? The weird thing is that there isn't a directory Frameworks/jquery at all.
According to my hosting provider the server is completely clean. However, every fresh install runs into the same problem. So there are a couple of possibilities in my opinion:
1 - the server is compromised, despite what my provider says
2 - the code is falsely recognised as being malicious
3 - I'm using XOOPS parts (theme, module, etc.) that somehow have been infected
4 - I'm doing something completely wrong

Whichever it is, I would like to solve it if possible before I decide to move everything away from this host. Any suggestions?

dbman (Friend of XOOPS, Posts: 172, Since: 2005/4/28)
Posted on: 2013/10/30 2:30
#2

Re: hacked?

Scan your source files using an antivirus program. If you can't find the redirection URL, check for the use of this JavaScript function: fromCharCode.

pinchecl (Friend of XOOPS, Posts: 193, Since: 2005/4/22)
Posted on: 2013/10/30 7:49
#3

Re: hacked?

Thanks! Already scanned everything for a virus. None found. So I'll check the source for fromCharCode now.

pinchecl (Friend of XOOPS, Posts: 193, Since: 2005/4/22)
Posted on: 2013/10/30 8:02
#4

Re: hacked?

I found three files with the "fromCharCode": easing.js in extGallery, tiny_mce.js and editor_plugin.js in tinyeditor. Where do I go now?

dbman (Friend of XOOPS, Posts: 172, Since: 2005/4/28)
Posted on: 2013/10/30 12:50
#5

Re: hacked?

Look for statically assigned Unicode values in the function arguments, like this:
String.fromCharCode(88,79,79,80,83,32,67,77,83)

You can copy/paste these to a test page and use a js alert() to view the values or translate the unicode values here:
http://jdstiles.com/java/cct.html

It's likely the use of this function in your editor files is legitimate. Wondering if you are still experiencing this after removing the reference from the jquery.js file (http://skinnalicious.net/final/browse ... ameworks/jquery/jquery.js).
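The check dbman describes (find String.fromCharCode calls whose arguments are fixed numbers, decode them, and look at what they spell) can be scripted instead of pasting each call into a test page. The following is an added example written for this thread, not code from XOOPS or from any poster; the file contents it scans are constructed samples, and the host name in the injected sample is a placeholder. Calls with dynamic arguments, like the ones in easing.js and TinyMCE, decode to nothing and are skipped, which is exactly why they are harmless.

```javascript
// Added example (not from the XOOPS thread): locate String.fromCharCode(...)
// calls whose arguments are all integer literals, decode them with the same
// function the browser would use, and flag decoded text that looks like an
// injected include or redirect. All sample inputs below are constructed.

// Decode one argument list only if every argument is a plain integer.
// Returns null for dynamic arguments such as fromCharCode(c + 29), which is
// the normal case in minified libraries (easing.js, TinyMCE) and not a concern.
function decodeStaticArgs(argText) {
  const parts = argText.split(',').map((s) => s.trim()).filter(Boolean);
  if (parts.length === 0 || !parts.every((p) => /^\d+$/.test(p))) return null;
  return String.fromCharCode(...parts.map(Number));
}

// Decoded text worth a second look: a URL, a script tag, a write or redirect.
const SUSPICIOUS_RE = /https?:\/\/|<script|document\.write|location\.(href|replace)|eval\(/i;

// Scan one file's text; one record per statically decodable call.
function scanSource(fileName, text) {
  const callRe = /String\.fromCharCode\s*\(([^)]*)\)/g;
  const hits = [];
  let m;
  while ((m = callRe.exec(text)) !== null) {
    const decoded = decodeStaticArgs(m[1]);
    if (decoded === null) continue;
    hits.push({ file: fileName, decoded, suspicious: SUSPICIOUS_RE.test(decoded) });
  }
  return hits;
}

// Constructed samples: a benign literal (the one from the post above, which
// spells "XOOPS CMS"), a dynamic TinyMCE-style call, and an obfuscated external
// include of the kind the thread is about (placeholder host, not a real site).
const SAMPLES = {
  'example.js': 'var t = String.fromCharCode(88,79,79,80,83,32,67,77,83);',
  'tinymce.js': 'return String.fromCharCode(parseInt(m[n],p));',
  'injected.js':
    'document.write(String.fromCharCode(' +
    Array.from('<script src="http://placeholder.example/jquery.js"></script>',
      (c) => c.charCodeAt(0)).join(',') +
    '));',
};

// Scan every sample file and return all decodable hits in file order.
function scanAll(samples = SAMPLES) {
  return Object.entries(samples).flatMap(([name, text]) => scanSource(name, text));
}

function main() {
  for (const h of scanAll()) {
    console.log(`${h.suspicious ? 'SUSPICIOUS' : 'ok        '} ${h.file}: ${JSON.stringify(h.decoded)}`);
  }
}
main();
```

Run it with node; to use it on a real site, replace SAMPLES with the text of the files found by the fromCharCode search. Only the injected sample is reported as suspicious; the TinyMCE-style call produces no record at all because its argument is an expression, not a literal.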

pinchecl (Friend of XOOPS, Posts: 193, Since: 2005/4/22)
Posted on: 2013/10/30 13:13
#6

Re: hacked?

How do I remove the reference? (I'm not that experienced....) Is it done in the particular js file? Anyway, what I've done now is disabling the jquery.js (which, by the way, was found in the xoops_lib directory; yes, I have renamed that dir). When I scan for redirects that particular one has gone. However, members still report Norton alerting for that intrusion. I have asked them to clear their cache and await the results. Meanwhile I'll scan for the code you mentioned. Thanks so far for your help!

pinchecl (Friend of XOOPS, Posts: 193, Since: 2005/4/22)
Posted on: 2013/10/30 13:21
#7

Re: hacked?

I have scanned for the fromCharCode and these are the results:

fromCharCode(c+29):c.toString(36))}; in easing.js

fromCharCode(parseInt(m[n],p)); in tinymce.js

fromCharCode(55296+(o>>10),56320+(o&1023))}else{return i[o]||String.fromCharCode(o)}}return d[n]||a[n]||h(n)})}}})(tinymce); in tinymce.js

fromCharCode(160)||X.nodeValue==String.fromCharCode(32))} in editor_plugin.js

Does that look suspicious to you?

dbman (Friend of XOOPS, Posts: 172, Since: 2005/4/28)
Posted on: 2013/10/31 1:13
#8

Re: hacked?

Those function calls look OK.
Although it appears the jquery file which you cleaned was the only thing infected, some other things to check:
- include files like CDN or resources and files not on your server
- .htaccess files

Another good practice is to sign your site up at Google Webmaster Tools: https://www.google.com/webmasters/tools/home?hl=en

It will check for security issues on a regular basis.

Regarding your site being listed as containing malware, you may need to contact these companies directly to have your site removed from their list after you've confirmed it's clean.
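The two remaining checks in dbman's list (includes pulled from hosts other than your own, and .htaccess rules that send visitors elsewhere) can be reduced to a short scan of the rendered page and of the .htaccess text. This is an added example for this thread, not code from XOOPS or from any poster; the allowlist of expected hosts, the sample page and the sample .htaccess are all constructed, and the flagged host names are placeholders.

```javascript
// Added example (not from the XOOPS thread): report <script>/<iframe> sources
// that load from a host outside an expected-host allowlist, and .htaccess
// Redirect / RewriteRule directives whose target is another host. Every host
// name and sample below is constructed for the example.

// Assumed allowlist: your own site plus any CDN you deliberately use.
const SITE_ORIGIN = 'http://www.example-site.org/';
const ALLOWED_HOSTS = new Set(['www.example-site.org', 'ajax.googleapis.com']);

// Resolve a (possibly relative) URL against the site and return its host.
function hostOf(url) {
  try {
    return new URL(url, SITE_ORIGIN).hostname;
  } catch (e) {
    return null; // not a parseable URL (e.g. a template placeholder)
  }
}

// Find src="..." on script and iframe tags that point off-site.
function externalIncludes(html) {
  const re = /<(script|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const host = hostOf(m[2]);
    if (host && !ALLOWED_HOSTS.has(host)) out.push({ tag: m[1].toLowerCase(), url: m[2], host });
  }
  return out;
}

// Find Redirect* / RewriteRule lines whose target is an absolute URL off-site.
function externalRedirects(htaccess) {
  const out = [];
  for (const raw of htaccess.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = /^(Redirect(?:Match|Permanent)?|RewriteRule)\s+(.*)$/i.exec(line);
    if (!m) continue;
    const target = m[2].split(/\s+/).find((tok) => /^https?:\/\//i.test(tok));
    if (!target) continue;
    const host = hostOf(target);
    if (host && !ALLOWED_HOSTS.has(host)) out.push({ directive: m[1], target, host });
  }
  return out;
}

// Constructed sample page: a local include, an allowed CDN include, and two
// off-site includes of the kind Norton would complain about.
const SAMPLE_HTML = `<html><head>
<script type="text/javascript" src="/xoops_lib/jquery.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
<script src='http://unknown-host.example/final/jquery.js'></script>
</head><body>
<iframe src="http://another.example/x.html" width="1" height="1"></iframe>
</body></html>`;

// Constructed sample .htaccess: one rule leaving the site, one staying on it.
const SAMPLE_HTACCESS = `# constructed sample
RewriteEngine On
RewriteRule ^(.*)$ http://redirect-host.example/$1 [R=302,L]
Redirect 301 /old-page /new-page`;

function main() {
  for (const i of externalIncludes(SAMPLE_HTML)) console.log(`external ${i.tag}: ${i.url}`);
  for (const r of externalRedirects(SAMPLE_HTACCESS)) console.log(`external ${r.directive}: ${r.target}`);
}
main();
```

Feed it the HTML your site actually serves (what the browser receives, not just the theme files) so that includes written by a modified PHP or JS file are seen too; the local jquery.js and the allowed CDN produce no output, the two placeholder hosts and the off-site RewriteRule do.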


pinchecl (Friend of XOOPS, Posts: 193, Since: 2005/4/22)
Posted on: 2013/10/31 7:10
#9

Re: hacked?

Thanks!

pinchecl (Friend of XOOPS, Posts: 193, Since: 2005/4/22)
Posted on: 2013/11/1 14:12
#10

Re: hacked?

After a lot of help (thanks dbman and mamba!!) and analyzing, we found that it was the server that was hacked. So xoops performed as may be expected :)