[01:03] <tomreyn> aaw crap, sorry to hear about the website compromise. i'd definitely go for a static generator if that's an option.
[01:03] <tomreyn> wordpress is a mess :-/
[01:05] <tomreyn> Eickmeyer / Eickmeyer[k] https://sitecheck.sucuri.net/results/ubuntustudio.com
[11:57] <tomreyn> I know you most likely have to work, or more urgent things to turn to, but ubuntustudio.org is still injecting malicious JS.
[19:17] <Eickmeyer> tomreyn: There's been a ticket open with RT on this since yesterday.
[19:21] <tomreyn> Eickmeyer: :-/ meh, maybe if you ping the security folks about it to get a priority boost?
[19:21] <Eickmeyer> tomreyn: Unfortunately, #ubuntu-security has nothing to do with it as that's for security vulnerabilities in packages. This is all #canonical-sysadmin stuff.
[19:22] <tomreyn> i see
[19:22] <tomreyn> so this is probably file system modifications now which you can't undo, right
[19:22] <tomreyn> OR needing raw DB edits
[19:24] <Eickmeyer> tomreyn: Nah, it was literally right in the file. Was easy to eradicate by going to a previous revision of the page(s).
[19:25] <tomreyn> Eickmeyer: but it's still there, right
[19:25] <Eickmeyer> tomreyn: I literally just now committed the change.
[19:25] <tomreyn> hmm maybe it's caching then
[19:26] <Eickmeyer> Yeah, likely.
[19:26] <tomreyn> https://ubuntustudio.org/tour/photography/ and https://ubuntustudio.org/about-ubuntustudio/ still show the injected code
[19:26] <Eickmeyer> Or cached on your system.
[19:26] <tomreyn> not my end
[19:27] <Eickmeyer> I can't see it as I load the pages.
[19:31] <tomreyn> weird. i keep shift reloading in firefox, clearing my cache, it still shows, but not in chromium or when i run curl
[19:35] <Eickmeyer> Yeah, probably stuck in Firefox's cache somewhere.
[19:35] <tomreyn> Eickmeyer: sorry, must have been my end
[19:36] <tomreyn> yes, it's gone after firefox restart
[19:36] <Eickmeyer> tomreyn: No worries. I was looking for a way to clear the cache on the server end, but apparently we don't have a webcaching plugin (probably for the best).
[19:37] <Eickmeyer> sucuri.net still shows it, but I'm willing to bet they need another cache reset on their end.
[19:37] <tomreyn> https://www.siteguarding.com/ still claims the code to be present also
[19:37] <Eickmeyer> Probably still needs to propagate then. Not sure how Canonical does it.
[19:38] <tomreyn> oh right, i had not checked against multiple mirrors
[19:46] <tomreyn> Eickmeyer: and now i see it again :/
[19:47] <tomreyn> on https://ubuntustudio.org/about-ubuntustudio/
[19:47] <Eickmeyer> Looking....
[19:48] <Eickmeyer> tomreyn: I still don't see it, but I went ahead and restored the revision prior to the code injection. That should solve it, but I confirmed on the backend that it hasn't been changed since I fixed it earlier.
[19:49] <tomreyn> can't reproduce it outside firefox, though
[19:49] <Eickmeyer> Yeah, I'd wipe your cache. I can't produce it at all, though I admit I didn't check the site except from the backend (wp-admin).
[19:53] <tomreyn> now i got it in chromium, too
[19:53] <Eickmeyer> I had it show up temporarily, but it's gone now.
[19:53] <tomreyn> i'll see if i can come up with something reproducible, otherwise remain silent for now ;)
[19:54] <Eickmeyer> I pulled it up in Firefox. :( Contacting IS...
[19:56] <tomreyn> there is malware which actually sits in the web server and only occasionally spits it out
[19:57] <tomreyn> i think i even read about a kernel module
[19:58] <Eickmeyer> *sigh* well, I pinged #canonical-sysadmin about it, stating it's urgent.
[20:00] <Eickmeyer> And now I can't get it to show up at all.
[20:11] <Eickmeyer> tomreyn: Yeah, I see it too. Nothing I can do from my end. The photography page looks clean at this point, though.
[20:12] <Eickmeyer> I can get it to show up on https://ubuntustudio.org/about-ubuntustudio/ reproducibly.
[20:14] <tomreyn> https://pastebin.ubuntu.com/p/WTf67WNdpP/plain/
[20:14] <tomreyn> i still can't get it to show with curl
[20:15] <tomreyn> firefox's developer tools -> network has a "copy ... as curl" option, which gives you a bulky curl command line with many options set to reproduce the same request
[20:15] <tomreyn> but this doesn't help me repro it
[20:17] <tomreyn> but with javascript it's not easy to tell where the code is coming from, and maybe curl just doesn't show it because it's actually eval'd javascript
[20:57] <Eickmeyer> tomreyn: Canonical IS just cleared the cache, I can't reproduce it anymore.
[20:58] <tomreyn> the page content was also modified, which might affect whether or how injection occurs
[20:58] <Eickmeyer> Yep, but that's something I need to fix anyways.
[20:59] <tomreyn> Eickmeyer: are you able to check last modification timestamps on the .js files embedded in these pages?
[20:59] <Eickmeyer> tomreyn: There should be no .js files at all.
[21:00] <tomreyn> Eickmeyer: https://ubuntustudio.org/wp-includes/js/jquery/jquery.js 'https://ubuntustudio.org/wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/bootstrap-util-dropdown.min.js?ver=4.3.1' 'https://ubuntustudio.org/wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/skip-link-focus-fix.js?ver=20130115' 'https://ubuntustudio.org/wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/app.js?ver=20130115' wget 
[21:00] <tomreyn> 'https://ubuntustudio.org/wp-includes/js/wp-embed.min.js?ver=5.8'
[21:02] <tomreyn> shorter version: /wp-includes/js/jquery/jquery.js /wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/bootstrap-util-dropdown.min.js /wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/skip-link-focus-fix.js /wp-content/themes/ubuntustudio-website/wp_ubuntustudio/js/app.js /wp-includes/js/wp-embed.min.js
[21:02] <tomreyn> those get loaded + executed while rendering https://ubuntustudio.org/about-ubuntustudio/
[21:03] <Eickmeyer> Yeah, I can't do anything about those, that's on the extreme backend. I can only edit via the dashboard.
[21:03] <Eickmeyer> tomreyn: ^
[21:04] <tomreyn> i see
[21:21] <tomreyn> sucuri + siteguarding seem to be happy now
[21:23] <Eickmeyer> Sweet.