
Author Topic: Javascript injection problem  (Read 7284 times)

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Javascript injection problem
« on: December 28, 2007, 07:58:03 pm »

I haven't had any real security issues since the rash of hacks we had in 1.5, but all of a sudden my Templates demos have been injected with some javascript generating thing. I've been through the template folders and the funny thing is -- there are no visible files in there that shouldn't be in there. And certainly no strange pieces of javascript. So the question is, is this thing on my machine only? Being a Mac user I have no real experience with malware or viruses, but I'll run some checks of course. Just need to ask if anyone else has noticed these javascript f**k things on my site, or if anyone has a good remedy for stopping this sh**?

All help is most welcome. Thanks.
Logged

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: Javascript injection problem
« Reply #1 on: December 28, 2007, 08:30:16 pm »

If you are referring to the site linked under your avatar... I clicked a few of the templates on the dynamic websites section... and your lightbox overlays appear to be functioning just fine for me in IE7. I did notice... though... that the tabbed menu in your header - HOME, NEWS, etc. - lines all the menu links up vertically to the left-margin and the tabs themselves are only showing the left-edge image... in IE7. I know you don't design for IE7 but I just thought you ought to know what we IE7 users see on our XP machines. Looks OK in FF (of course).  :)
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Re: Javascript injection problem
« Reply #2 on: December 28, 2007, 08:42:59 pm »

Yeah, IE7...

The problem with the javascript injection was on www.frdk.com/templates/template_name/ (e.g. the demo pages, so for the Blue Zinfandel theme, the thing appeared on /templates/zinfandel/). After having noticed the injection though, I've moved the templates section to a closed subfolder, so as not to affect any unsuspecting user ... more than usual that is...

If anyone's interested in taking a look, add oldfiles/ before templates/ (example: www.frdk.com/oldfiles/templates/apple-green/), but be warned that it may still have the javascript running on it -- I can't find the generating file or command anywhere so currently I can't stop it... very aggravating.
« Last Edit: December 28, 2007, 08:58:10 pm by Fred K (agentsmith) »
Logged

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: Javascript injection problem
« Reply #3 on: December 28, 2007, 09:09:04 pm »

I tried to view the "oldfile" link. My Norton A/V intercepted and blocked an "Intrusion Attempt"
  - HTTP Quicktime RTSP URI BO.
  - Intruder: mail.1stdentalplan.com(206.225.83.177)(http(80)).
  - Risk Level: High.
  - Protocol: TCP.
I had the same thing happen earlier today after clicking on a link in someone else's post on the Forums (here) but I can't remember whose it was at the moment... just glad that Norton is doing its job.

BTW... I really like the color scheme you have on frdk-com at the moment.  :)
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Re: Javascript injection problem
« Reply #4 on: December 28, 2007, 09:45:19 pm »

Thanks. It's on its way out though... ;)
Now if I only could find the darned javascript thing-a-ma-bob... guess I have to clean out the whole darned folder... sigh.
Damn spot-faced five year-olds... :(
« Last Edit: December 28, 2007, 09:47:12 pm by Fred K (agentsmith) »
Logged

jared351

  • Sr. Member
  • ****
  • Karma: 4
  • Posts: 276
Re: Javascript injection problem
« Reply #5 on: December 28, 2007, 09:57:56 pm »

Sorry to hear about that Fred... :( Stupid kids got nothing better to do.. >:(
Logged

Joost

  • Guest
Re: Javascript injection problem
« Reply #6 on: December 28, 2007, 10:05:38 pm »

I visited your site late this afternoon. I was a bit surprised by the slow loading time. Nothing else I noticed.
I experienced something similar several months ago. Strangely enough the affected directory didn't have an index file, such as index.html. But it behaved like it did have. I had to clean it out, totally. No strange files were found.

Success.
Logged

centered

  • Guest
Re: Javascript injection problem
« Reply #7 on: December 28, 2007, 10:11:24 pm »

Pretty odd, when I went to your site, Safari tried loading something, checked the source and found this:
<script language='JavaScript' type='text/javascript' src='zrals.js'></script>
<script type="text/javascript" src="http://track2.mybloglog.com/js/jsserv.php?mblID=2007060318233061"></script>

Refreshing the site the first line was not there anymore....
Logged

centered

  • Guest
Re: Javascript injection problem
« Reply #8 on: December 28, 2007, 10:15:18 pm »

umm on the snews part of your site: slow loading equaling this:
<script language='JavaScript' type='text/javascript' src='frgjq.js'></script>

When I refresh the page, it's gone....

I've managed to capture the file, but it is gibberish to me

wow...:
http://img80.imageshack.us/img80/9720/screenshot01yp3.jpg


here is the first half of the file, the rest looks similar to the bottom garbage:
http://img246.imageshack.us/img246/3959/screenshot02rg4.jpg
« Last Edit: December 28, 2007, 10:30:50 pm by equilni »
Logged

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Re: Javascript injection problem
« Reply #9 on: December 28, 2007, 10:50:50 pm »

Thanks Jason. When I checked last, the template demos were the only ones affected, but I guess the infection is somewhere on the root... fuck! Have to rip out the whole site then... not what I needed right now.
It also seems like the script thing generates new names at random refresh intervals, or something like that. I've seen three-four different gibberish names, like "frgjq.js" pop up, but not every time, sometimes there's no script visible...

Why do they do these things? What's the point?
bleh-

Thanks for the heads up.
Logged

jared351

  • Sr. Member
  • ****
  • Karma: 4
  • Posts: 276
Re: Javascript injection problem
« Reply #10 on: December 29, 2007, 01:11:17 am »

Hey Fred...don't know if this has anything to do with the intrusion, but I got on frdk.com and looked at the source..and right after the body starts next to the blog log thing...there is a script named knjgv.js.....looked odd to me..I'll attach a screen shot...and again sorry to hear about that.. :(
Logged

jlhaslip

  • Sr. Member
  • ****
  • Karma: 16
  • Posts: 374
    • My snews with AEF Forum site
Re: Javascript injection problem
« Reply #11 on: December 29, 2007, 01:41:30 am »

Any chance the Server Log might show anything? Or the 404 Error listing?
They might have tried several times and got a 404 Error on the first couple of attempts???
Logged
Yes! I have no siggy.

centered

  • Guest
Re: Javascript injection problem
« Reply #12 on: December 29, 2007, 02:19:56 am »

Quote
Hey Fred...don't know if this has anything to do with the intrusion, but I got on frdk.com and looked at the source..and right after the body starts next to the blog log thing...there is a script named knjgv.js.....looked odd to me..I'll attach a screen shot...and again sorry to hear about that.. :(

Looks like the same thing I saw too...
Logged

jared351

  • Sr. Member
  • ****
  • Karma: 4
  • Posts: 276
Re: Javascript injection problem
« Reply #13 on: December 29, 2007, 02:39:04 am »

Hmmm..what seems peculiar to me is that it is right before the blog log script...Maybe the hacker got in through that somehow?...just a speculation..
Logged

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Re: Javascript injection problem
« Reply #14 on: December 29, 2007, 05:46:31 am »

Quote
next to the blog log thing...there is a script named xxxxx

Yeah, that's where the script is injected on all sections (right next to the body tag, or if that spot is taken, next to the first tag after that, or so it seems). I'm looking through the logs right now to see if anything stands out. I've removed a few externally referenced scripts, like the bloglog thing, as well.

The problem is that there are no files placed on the physical server volume, as far as I can tell, so there's nothing to remove.
I have to take the site down for maintenance until further notice. Sorry about this, but, that's the way things go I guess.
Logged
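
The symptoms reported across this thread (a script tag with a random five-letter name, placed right after the body tag, present on one page load and gone on the next, with no matching file on the server) can be checked mechanically by fetching the same URL several times and comparing the responses. The following is an added example, not code from any poster; the function names, reason labels, sample HTML and file list are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Name shape reported in the thread: zrals.js, frgjq.js, knjgv.js
RANDOM_JS = re.compile(r"^[a-z]{5}\.js$")

class ScriptCollector(HTMLParser):
    """Collects each <script src> and whether it is the first tag after <body>."""
    def __init__(self):
        super().__init__()
        self.scripts = {}            # src -> True if first tag inside <body>
        self.tags_since_body = None  # None until <body> is seen
    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.tags_since_body = 0
            return
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.scripts[src] = self.scripts.get(src, False) or self.tags_since_body == 0
        if self.tags_since_body is not None:
            self.tags_since_body += 1

def suspicious_scripts(snapshots, files_on_disk):
    """Compare repeated fetches of one URL and score each script reference."""
    seen = {}  # src -> (number of fetches containing it, ever first-in-body)
    for html in snapshots:
        parser = ScriptCollector()
        parser.feed(html)
        for src, first in parser.scripts.items():
            count, was_first = seen.get(src, (0, False))
            seen[src] = (count + 1, was_first or first)
    findings = []
    for src, (count, first) in sorted(seen.items()):
        checks = [(count < len(snapshots), "intermittent"),
                  (bool(RANDOM_JS.match(src.rsplit("/", 1)[-1])), "random-name"),
                  (first, "first-in-body"),
                  ("://" not in src and src not in files_on_disk, "no-file-on-disk")]
        reasons = [label for hit, label in checks if hit]
        if len(reasons) >= 2:  # one signal alone is too noisy
            findings.append((src, reasons))
    return findings

# Constructed sample: three fetches of the same page, as the posters saw it
TRACKER = '<script src="https://stats.example.com/t.js"></script>'
PAGE = "<html><body>%s" + TRACKER + "<script src='js/lightbox.js'></script></body></html>"
SNAPSHOTS = [PAGE % "<script type='text/javascript' src='zrals.js'></script>",
             PAGE % "",
             PAGE % "<script type='text/javascript' src='frgjq.js'></script>"]
FILES_ON_DISK = {"js/lightbox.js", "index.php"}  # constructed docroot listing
```

A script reference that is reported with `no-file-on-disk` while the site's own files are unchanged indicates the tag is being added to the response after the page leaves the application, which matches the observation that there was nothing in the template folders to remove.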