/srv/irclogs.ubuntu.com/2021/12/09/#ubuntustudio-devel.txt

tomreyn	aaw crap, sorry to hear about the website compromise. i'd definitely go for a static generator if that's an option.	01:03
tomreyn	wordpress is a mess :-/	01:03
tomreyn	Eickmeyer / Eickmeyer[k] https://sitecheck.sucuri.net/results/ubuntustudio.com	01:05
tomreyn	I know you most likely have to work, or more urgent things to turn to, but ubuntustudio.org is still injecting malicious JS.	11:57
Eickmeyer	tomreyn: There's been a ticket open with RT on this since yesterday.	19:17
tomreyn	Eickmeyer: :-/ meh, maybe if you ping the security folks about it to get a priority boost?	19:21
Eickmeyer	tomreyn: Unfortunately, #ubuntu-security has nothing to do with it as that's for security vulnerabilities in packages. This is all #canonical-sysadmin stuff.	19:21
tomreyn	i see	19:22
tomreyn	so this is probably file system modifications now which you can't undo, right	19:22
tomreyn	OR needing raw DB edits	19:22
Eickmeyer	tomreyn: Nah, it was literally right in the file. Was easy to eradicate by going to a previous revision of the page(s).	19:24
tomreyn	Eickmeyer: but it's still there, right	19:25
Eickmeyer	tomreyn: I literally just now committed the change.	19:25
tomreyn	hmm maybe it's caching then	19:25
Eickmeyer	Yeah, likely.	19:26
tomreyn	https://ubuntustudio.org/tour/photography/ and https://ubuntustudio.org/about-ubuntustudio/ still show the injected code	19:26
Eickmeyer	Or cached on your system.	19:26
tomreyn	not my end	19:26
Eickmeyer	I can't see it as I load the pages.	19:27
tomreyn	weird. i keep shift reloading in firefox, clearing my cache, it still shows, but not in chromium or when i run curl	19:31
Eickmeyer	Yeah, probably stuck in Firefox's cache somewhere.	19:35
tomreyn	Eickmeyer: sorry, must have been my end	19:35
tomreyn	yes, its gone after firefox restart	19:36
Eickmeyer	tomreyn: No worries. I was looking for a way to clear the cache on the server end, but apparently we don't have a webcaching plugin (probably for the best).	19:36
Eickmeyer	secrurinet still shows it, but I'm willing to bet they need another cache rese ton their end.	19:37
tomreyn	https://www.siteguarding.com/ still claims the code to be present also	19:37
Eickmeyer	*reset	19:37
Eickmeyer	Probably still needs to propogate then. Not sure how Canonical does it.	19:37
tomreyn	oh right, i had not checked against multiple mirrors	19:38
tomreyn	Eickmeyer: and now i see it again :/	19:46
tomreyn	on https://ubuntustudio.org/about-ubuntustudio/	19:47
Eickmeyer	Looking....	19:47
Eickmeyer	tomreyn: I still don't see it, but I went ahead and restored the revision prior to the code injection. That should solve it, but I confirmed on the backend that it hasn't been changed since I fixed it earlier.	19:48
tomreyn	can't reproduce it outside firefox, though	19:49
Eickmeyer	Yeah, I'd wipe your cache. I can't produce it at all, though I admit I didn't check the site except from the backend (wp-admin).	19:49
tomreyn	now i got it in chromium, too	19:53
Eickmeyer	I had it show up temporarily, but it's gone now.	19:53
tomreyn	i'll see if i can come up with something reproducible, otherwise remain silent for now ;)	19:53
Eickmeyer	I pulled-it up in Firefox. :( Contacting IS...	19:54
tomreyn	there are such malwares which actually sit in the web server and only occasionally spit it out	19:56
tomreyn	i think i even read about a kernel module	19:57
Eickmeyer	sigh well, I pinged #canonical-sysadmin about it, stating it's urgent.	19:58
Eickmeyer	And now I can't get it to show up at all.	20:00
Eickmeyer	tomreyn: Yeah, I see it too. Nothing I can do from my end. The photography page looks clean at this point, though.	20:11
Eickmeyer	I can get it to show-up on https://ubuntustudio.org/about-ubuntustudio/ reproducibly.	20:12
tomreyn	https://pastebin.ubuntu.com/p/WTf67WNdpP/plain/	20:14
tomreyn	i still can't get it to show with curl	20:14
tomreyn	firefox's developer tools -> network has a "copy ... as curl" option, which gives you a bulky curl command line with many options set to reproduce the same request	20:15
tomreyn	but this doesn'T help me repro it	20:15
tomreyn	but with javascript it's not easy to tell where the code is coming from, and maybe curl just doesn't show it because it's actually eval'd javascript	20:17
Eickmeyer	tomreyn: Canonical IS just cleared the cache, I can't reproduce it anymore.	20:57
tomreyn	the page content was also modified, which might affect whether or how injection occurs	20:58
Eickmeyer	Yep, but that's something I need to fix anyways.	20:58
tomreyn	Eickmeyer: are you able to check last modification timestamps on the .js files embedded to these pages?	20:59
Eickmeyer	tomreyn: There should be no .js files at all.	20:59
tomreyn	Eickmeyer: https://ubuntustudio.org/wp-includes/js/jquery/jquery.js 'https://ubuntustudio.org/wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/bootstrap-util-dropdown.min.js?ver=4.3.1' 'https://ubuntustudio.org/wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/skip-link-focus-fix.js?ver=20130115' 'https://ubuntustudio.org/wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/app.js?ver=20130115' wget	21:00
tomreyn	'https://ubuntustudio.org/wp-includes/js/wp-embed.min.js?ver=5.8'	21:00
tomreyn	shorter version: /wp-includes/js/jquery/jquery.js /wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/bootstrap-util-dropdown.min.js /wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/skip-link-focus-fix.js /wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/app.js /wp-includes/js/wp-embed.min.js	21:02
tomreyn	those get loaded + executed while rendering https://ubuntustudio.org/about-ubuntustudio/	21:02
Eickmeyer	Yeah, I can't do anything about those, that's on the extreme backend. I can only edit via the dashboard.	21:03
Eickmeyer	tomreyn: ^	21:03
tomreyn	i see	21:04
tomreyn	sucuri + siteguarding seem to be happy now	21:21
Eickmeyer	Sweet.	21:23

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!