tomreyn | aaw crap, sorry to hear about the website compromise. i'd definitely go for a static generator if that's an option. | 01:03 |
tomreyn | wordpress is a mess :-/ | 01:03 |
tomreyn | Eickmeyer / Eickmeyer[k] https://sitecheck.sucuri.net/results/ubuntustudio.com | 01:05 |
tomreyn | I know you most likely have to work, or more urgent things to turn to, but ubuntustudio.org is still injecting malicious JS. | 11:57 |
Eickmeyer | tomreyn: There's been a ticket open with RT on this since yesterday. | 19:17 |
tomreyn | Eickmeyer: :-/ meh, maybe if you ping the security folks about it to get a priority boost? | 19:21 |
Eickmeyer | tomreyn: Unfortunately, #ubuntu-security has nothing to do with it as that's for security vulnerabilities in packages. This is all #canonical-sysadmin stuff. | 19:21 |
tomreyn | i see | 19:22 |
tomreyn | so this is probably file system modifications now which you can't undo, right | 19:22 |
tomreyn | OR needing raw DB edits | 19:22 |
Eickmeyer | tomreyn: Nah, it was literally right in the file. Was easy to eradicate by going to a previous revision of the page(s). | 19:24 |
tomreyn | Eickmeyer: but it's still there, right | 19:25 |
Eickmeyer | tomreyn: I literally just now committed the change. | 19:25 |
tomreyn | hmm maybe it's caching then | 19:25 |
Eickmeyer | Yeah, likely. | 19:26 |
tomreyn | https://ubuntustudio.org/tour/photography/ and https://ubuntustudio.org/about-ubuntustudio/ still show the injected code | 19:26 |
Eickmeyer | Or cached on your system. | 19:26 |
tomreyn | not my end | 19:26 |
Eickmeyer | I can't see it as I load the pages. | 19:27 |
tomreyn | weird. i keep shift reloading in firefox, clearing my cache, it still shows, but not in chromium or when i run curl | 19:31 |
Eickmeyer | Yeah, probably stuck in Firefox's cache somewhere. | 19:35 |
tomreyn | Eickmeyer: sorry, must have been my end | 19:35 |
tomreyn | yes, its gone after firefox restart | 19:36 |
Eickmeyer | tomreyn: No worries. I was looking for a way to clear the cache on the server end, but apparently we don't have a webcaching plugin (probably for the best). | 19:36 |
Eickmeyer | sucuri still shows it, but I'm willing to bet they need another cache reset on their end. | 19:37 |
tomreyn | https://www.siteguarding.com/ still claims the code to be present also | 19:37 |
Eickmeyer | *reset | 19:37 |
Eickmeyer | Probably still needs to propagate then. Not sure how Canonical does it. | 19:37 |
tomreyn | oh right, i had not checked against multiple mirrors | 19:38 |
tomreyn | Eickmeyer: and now i see it again :/ | 19:46 |
tomreyn | on https://ubuntustudio.org/about-ubuntustudio/ | 19:47 |
Eickmeyer | Looking.... | 19:47 |
Eickmeyer | tomreyn: I still don't see it, but I went ahead and restored the revision prior to the code injection. That should solve it, but I confirmed on the backend that it hasn't been changed since I fixed it earlier. | 19:48 |
tomreyn | can't reproduce it outside firefox, though | 19:49 |
Eickmeyer | Yeah, I'd wipe your cache. I can't produce it at all, though I admit I didn't check the site except from the backend (wp-admin). | 19:49 |
tomreyn | now i got it in chromium, too | 19:53 |
Eickmeyer | I had it show up temporarily, but it's gone now. | 19:53 |
tomreyn | i'll see if i can come up with something reproducible, otherwise remain silent for now ;) | 19:53 |
Eickmeyer | I pulled it up in Firefox. :( Contacting IS... | 19:54 |
tomreyn | there is such malware which actually sits in the web server and only occasionally spits it out | 19:56 |
tomreyn | i think i even read about a kernel module | 19:57 |
Eickmeyer | *sigh* well, I pinged #canonical-sysadmin about it, stating it's urgent. | 19:58 |
Eickmeyer | And now I can't get it to show up at all. | 20:00 |
Eickmeyer | tomreyn: Yeah, I see it too. Nothing I can do from my end. The photography page looks clean at this point, though. | 20:11 |
Eickmeyer | I can get it to show up on https://ubuntustudio.org/about-ubuntustudio/ reproducibly. | 20:12 |
tomreyn | https://pastebin.ubuntu.com/p/WTf67WNdpP/plain/ | 20:14 |
tomreyn | i still can't get it to show with curl | 20:14 |
tomreyn | firefox's developer tools -> network has a "copy ... as curl" option, which gives you a bulky curl command line with many options set to reproduce the same request | 20:15 |
tomreyn | but this doesn't help me repro it | 20:15 |
tomreyn | but with javascript it's not easy to tell where the code is coming from, and maybe curl just doesn't show it because it's actually eval'd javascript | 20:17 |
Eickmeyer | tomreyn: Canonical IS just cleared the cache, I can't reproduce it anymore. | 20:57 |
tomreyn | the page content was also modified, which might affect whether or how injection occurs | 20:58 |
Eickmeyer | Yep, but that's something I need to fix anyways. | 20:58 |
tomreyn | Eickmeyer: are you able to check last modification timestamps on the .js files embedded to these pages? | 20:59 |
Eickmeyer | tomreyn: There should be no .js files at all. | 20:59 |
tomreyn | Eickmeyer: https://ubuntustudio.org/wp-includes/js/jquery/jquery.js 'https://ubuntustudio.org/wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/bootstrap-util-dropdown.min.js?ver=4.3.1' 'https://ubuntustudio.org/wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/skip-link-focus-fix.js?ver=20130115' 'https://ubuntustudio.org/wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/app.js?ver=20130115' wget | 21:00 |
tomreyn | 'https://ubuntustudio.org/wp-includes/js/wp-embed.min.js?ver=5.8' | 21:00 |
tomreyn | shorter version: /wp-includes/js/jquery/jquery.js /wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/bootstrap-util-dropdown.min.js /wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/skip-link-focus-fix.js /wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/app.js /wp-includes/js/wp-embed.min.js | 21:02 |
tomreyn | those get loaded + executed while rendering https://ubuntustudio.org/about-ubuntustudio/ | 21:02 |
Eickmeyer | Yeah, I can't do anything about those, that's on the extreme backend. I can only edit via the dashboard. | 21:03 |
Eickmeyer | tomreyn: ^ | 21:03 |
tomreyn | i see | 21:04 |
tomreyn | sucuri + siteguarding seem to be happy now | 21:21 |
Eickmeyer | Sweet. | 21:23 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!