
How to recognise a script injection (46 posts)

  1. insurgenesis
    Member
    Posted 1 year ago #

    Is there a sure-fire way to recognise a script injection on a site that's on a local server, and remove it?
    Is it even possible to get a script injection on a local site?

  2. s_ha_dum
    Member
    Posted 1 year ago #

    Is there a sure-fire way to recognise a script injection on a site that's on a local server, and remove it?

    Probably not a sure-fire way. If you can duplicate it, you have something to work with. Otherwise you probably need one or more scanners/analyzers.

    http://www.google.com/search?q=scan+script+injection

    Is it even possible to get a script injection on a local site?

    Of course. A local server is still a server, but being local the only danger is from people with access to your local network. You can't hack a local server without first hacking into the local area network, and presumably you have a router/firewall in the way.

  3. insurgenesis
    Member
    Posted 1 year ago #

    Yes there's firewall.
    So I think it's internal not external.
    The situation is that a certain plugin attempts to connect to an outside location. It's JavaScript related. When I disable JavaScript in the browser it seems it doesn't do it.
    But when JavaScript is ON, (even when I've removed all instances of the code that produces the call) it connects to that location upon page load.

  4. s_ha_dum
    Member
    Posted 1 year ago #

    even when I've removed all instances of the code that produces the call

    Then you didn't remove all of the code.

    If something is intentionally connecting to the outside then it could suck in bad code.

    What is the plugin? Why does it worry you?

    Also, did the code on your local site come from code online? If it did you could have imported an infection.

  5. insurgenesis
    Member
    Posted 1 year ago #

    It's the "Tippy" tool-tip plugin, because the JavaScript with the url it pointed to was produced under every instance of the tooltip in my posts, and when I disabled JavaScript the behaviour was gone.
    As soon as JavaScript is enabled and the plugin is active the behaviour persists - despite the fact that I've removed it under posts using the tool tip.
    I also notice that my kitchen sink has disappeared.
    Where else could the code have been inserted?

    I basically don't like the idea. It worries me because it looks malicious.
    The url it points to is: http://in.admedia.com/ and it looks suspicious.

  6. insurgenesis
    Member
    Posted 1 year ago #

    A Google search for the produced code also reveals unwholesome things.

  7. s_ha_dum
    Member
    Posted 1 year ago #

    As soon as JavaScript is enabled and the plugin is active the behaviour persists - despite the fact that I've removed it under posts using the tool tip.

    It is probably inserting its JavaScript on every page in case it happens to be needed. Just guessing.

    It sounds like the plugin is either malicious, very badly coded, or you have a hacked copy of it. I don't really see any complaints about the plugin. That is a plus, and assuming this is the plugin, I also don't see anything squirrelly in the code. So I'm thinking there is something wrong with your copy. Have you tried using a fresh copy?

  8. insurgenesis
    Member
    Posted 1 year ago #

    I'm downloading it now.
    Would it help if I post the JavaScript associated with the problem here?

  9. insurgenesis
    Member
    Posted 1 year ago #

    I have already rummaged its code for a trace of the JavaScript I found on my posts but found nothing.
    Would it be visibly "hacked" or should I just replace its files with mine and not attempt to look for anything funny?

  10. s_ha_dum
    Member
    Posted 1 year ago #

    I have already rummaged its code for a trace of the JavaScript I found on my posts but found nothing.

    If the problem persists with the clean copy then the plugin isn't the problem.

    Yes, it would be visibly hacked, probably some eval code.

    You never responded to this:

    Also, did the code on your local site come from code online? If it did you could have imported an infection.

  11. insurgenesis
    Member
    Posted 1 year ago #

    What do you mean:

    did the code on your local site come from code online?

    How do I confirm this?
    All I know is it points to a url from which it draws information and sends to.
    I don't remember authorising it and it looks suspicious.

  12. insurgenesis
    Member
    Posted 1 year ago #

    Any more ideas on this?

  13. s_ha_dum
    Member
    Posted 1 year ago #

    Has the code that you are running on your local server ever been online? Any of the code? Your theme? Some plugins? The whole thing? Did you download an existing site from a publicly accessible server and install it on your local server?

    Or... did you install to your local server from fresh, clean files?

  14. insurgenesis
    Member
    Posted 1 year ago #

    No, the site was local forever.

  15. s_ha_dum
    Member
    Posted 1 year ago #

    Ok. That is strange.

    What other plugins do you have and what theme?

  16. insurgenesis
    Member
    Posted 1 year ago #

    Using a twenty-eleven child theme.
    Plugins:
    BackWPup
    Post Types Order
    WP Gallery custom links
    WP Photo album Plus

    Don't you think we could demystify the code if I post it here?

  17. s_ha_dum
    Member
    Posted 1 year ago #

    Don't you think we could demystify the code if I post it here?

    You don't know where the problem code is, do you?

    If you got WordPress from this website, it is clean. The issue has to be one of the plugins or your theme. Or, your computer. Have you checked your computer for a virus?

  18. insurgenesis
    Member
    Posted 1 year ago #

    No, I know exactly where the code is because I could see it and remove it, but where it originates from is the concern. Do you know JavaScript?

    WP is clean. We've already established it's a plugin haven't we?
    My computer is also clean.

  19. s_ha_dum
    Member
    Posted 1 year ago #

    We've already established it's a plugin haven't we?

    No. We haven't. About all we've established is that you installed a clean WordPress and that the code for the plugin you originally thought to be at fault looks fine. And I suspect that this isn't strictly speaking a script injection.

    Find a page where this is happening, and paste the entire browser page source to the pastebin.

  20. insurgenesis
    Member
    Posted 1 year ago #

    Here's the line that was mysteriously produced below each instance of the Tippy:

    <script type="text/javascript" src="https://in.admedia.com/?id=ODorNiU"></script>

    Posting the rest in a sec.

  21. insurgenesis
    Member
    Posted 1 year ago #

    Pastebin is not operational now.
    How's that for now - does it shed any light on the matter?

  22. s_ha_dum
    Member
    Posted 1 year ago #

    The problem is that the string "admedia" is nowhere in the Tippy plugin code (that I can find), nor is there anything else suspicious. That is why I want the whole page. I am hoping there is clue in there.

  23. insurgenesis
    Member
    Posted 1 year ago #

    I cannot get the pasting right, sorry.
    It doesn't embed correctly. How should I do it?

  24. s_ha_dum
    Member
    Posted 1 year ago #

    View Source, select all, copy to the pastebin, should do it. The pastebin is built for pasting code. It should be fairly simple.

  25. insurgenesis
    Member
    Posted 1 year ago #

    [ Way too many lines of code moderated, that's just way too much. For that many lines of code please use pastebin.com instead. ]

  26. s_ha_dum
    Member
    Posted 1 year ago #

    Forum rules limit inline code to ten lines or less. That is why I specified the pastebin.

    That is being inserted into your post body, inside the 'entry-content' div. That suggests that there is a filter on the_content or save_post or maybe a few other filters. You need to find a way to search your entire code base for 'admedia'. I don't know if you are on Windows or Mac. If you are on Linux, best case :), or a Mac you can open a terminal and use grep.

  27. insurgenesis
    Member
    Posted 1 year ago #

    I used the pastebin.
    Thanks for getting back.
    Can you be a bit more specific please? I don't know where to start now.
    I'm on windows, WAMP.

  28. insurgenesis
    Member
    Posted 1 year ago #

    Look I don't expect a quick primer or anything, just point me in the right direction in case you happen to know what tools/techniques I can use.
    I can accept that my case won't be solved here but the truth is I'm too deep into it now.
    Any advice is much appreciated.
    Thanks.

  29. s_ha_dum
    Member
    Posted 1 year ago #

    I'd use this: http://gnuwin32.sourceforge.net/packages/grep.htm

    This one is graphic-er-ie but they ask you to pay and register: http://www.wingrep.com/

    Your case can be solved here but you are going to have to find where that bad code is. Grep is the easiest way to do that. I use it 100 times a day.

    Once you get one of those working look for 'admedia', 'eval', 'base64_decode', 'gzinflate'. Hopefully one of those will hit.

    The combination 'eval(gzinflate(base64_decode(' is especially promising. For example, eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA=='))); from a site that will let you de-obfuscate that and see what it actually does.
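
The grep-and-decode workflow from posts 26 and 29 (search the code base for 'admedia', 'eval', 'base64_decode' and 'gzinflate', find what hooks the_content or save_post, and read an eval(gzinflate(base64_decode('...'))) payload without running it), as an added Python example. This is editor-added code, not anything from the thread or from WordPress; the plugin file it writes to a temporary directory is a constructed sample with a hypothetical name.

```python
import base64
import os
import re
import zlib

# Substrings the thread suggests grepping for; a hit is a lead to read by hand, not proof of compromise.
INDICATORS = ("admedia", "eval", "base64_decode", "gzinflate")
# Hook registrations on the filters the thread names as the likely place the tag gets added.
HOOK_RE = re.compile(r"add_(?:filter|action)\s*\(\s*['\"](the_content|save_post)['\"]")
# The eval(gzinflate(base64_decode('...'))) wrapper, capturing only the base64 payload.
WRAPPED_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
# The sample payload quoted in the thread.
THREAD_PAYLOAD = "80jNyclXyFTPVUhJTc5PSU0BAA=="

def decode_gzinflate_b64(payload: str) -> str:
    """Undo base64_decode() then gzinflate() statically; gzinflate() reads raw DEFLATE, hence wbits=-15."""
    return zlib.decompress(base64.b64decode(payload), -15).decode("utf-8", "replace")

def scan_text(text: str) -> dict:
    """Indicator hits, hooked filters and decoded payloads for one file's contents."""
    return {
        "indicators": [w for w in INDICATORS if w in text],
        "hooks": HOOK_RE.findall(text),
        "decoded": [decode_gzinflate_b64(p) for p in WRAPPED_RE.findall(text)],
    }

def scan_tree(root: str, exts=(".php", ".js")) -> dict:
    """Walk an install (wp-content is the usual suspect) and keep only files with findings."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = scan_text(fh.read())
                if any(result.values()):
                    findings[os.path.relpath(path, root)] = result
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed sample plugin (hypothetical name) that hooks the_content and carries the wrapper.
    sample = "<?php\nadd_filter('the_content', 'tp_fix');\nfunction tp_fix($c) {"
    sample += " eval(gzinflate(base64_decode('%s'))); return $c; }\n" % THREAD_PAYLOAD
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "plugins"))
        with open(os.path.join(root, "wp-content", "plugins", "tp.php"), "w") as fh:
            fh.write(sample)
        print(scan_tree(root))  # decoded payload reads "Hello i'm decoded"
```

Point scan_tree() at the WordPress folder of the WAMP install to run it for real; every flagged file still has to be read by hand before anything is deleted.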

  30. insurgenesis
    Member
    Posted 1 year ago #

    Can I simply delete the findings or does one have to be knowledgeable? -
    I don't want to break anything...

Topic Closed

This topic has been closed to new replies.
