Sucuri reports a malware infection?


(ampburner) #1

It appears that my Discourse installation has been blacklisted as infected with malware.

I’m sure that I am up to date in terms of installation. Running on a pretty standard digital ocean droplet.

I’m kind of at a loss… how could this have happened, how can I fix it, and how do I prevent this kind of thing in the future?

https://sitecheck.sucuri.net/results/www.hitmanforum.com

known javascript malware. Details: Sucuri Malware Signatures

return Discourse.Utilities.validateUploadedFile(r,a,t)},validateUploadedFile:function(e,t,r){if(!Discourse.Utilities.authorizesAllExtensions()&&!Discourse.Utilities.isAuthorizedUpload(e)){var a=Discourse.Utilities.authorizedExtensions();return bootbox.alert(I18n.t("post.errors.upload_not_authorized",{authorized_extensions:a})),!1}return r||Discourse.User.current().isAllowedToUploadAFile(t)?!0:(bootbox.alert(I18n.t("post.errors."+t+"_upload_not_allowed_for_new_user")),!1)},uploadTypeFromFileName:function(e){return Discourse.Utilities.isAnImage(e)?"image":"attachment"},authorizesAllExtensions:function(){return Discourse.SiteSettings.authorized_extensions.indexOf("*")>=0},isAuthorizedUpload:function(e){if(e&&e.name){var t=_.chain(Discourse.SiteSettings.authorized_extensions.split("|")).reject(function(e){return e.indexOf("*")>=0}).map(function(e){return(0===e.indexOf(".")?e.substring(1):e).replace(".","\\.")}).value();return new RegExp("\\.("+t.join("|")+")$","i").test(e.name)}return!1},authorizedExtensions:function(){return _.chain(Discourse.SiteSettings.authorized_extensions.split("|")).reject(function(e){return e.indexOf("*")>=0}).map(function(e){return e.toLowerCase()}).value().join(", ")},getUploadMarkdown:function(e){return Discourse.Utilities.isAnImage(e.original_filename)?'<img src="'+e.url+'" width="'+e.width+'" height="'+e.height+'">':!Discourse.SiteSettings.prevent_anons_from_downloading_files&&/\.(mov|mp4|webm|ogv|mp3|ogg|wav)$/i.test(e.original_filename)?Discourse.CDN?Discourse.CDN.startsWith("//")?"http:"+Discourse.getURLWithCDN(e.url):Discourse.getURLWithCDN(e.url):"http://"+Discourse.BaseUrl+e.url:'<a class="attachment" href="'+e.url+'">'+e.original_filename+"</a> ("+I18n.toHumanSize(e.filesize)+")"},isAnImage:function(e){return/\.(png|jpe?g|gif|bmp|tiff?|svg|webp|ico)$/i.test(e)},allowsImages:function(){return 
Discourse.Utilities.authorizesAllExtensions()||/(png|jpe?g|gif|bmp|tiff?|svg|webp|ico)/i.test(Discourse.Utilities.authorizedExtensions())},allowsAttachments:function(){return Discourse.Utilities.authorizesAllExtensions()||!/((png|jpe?g|gif|bmp|tiff?|svg|web|ico)(,\s)?)+$/i.test(Discourse.Utilities.authorizedExtensions())},displayErrorForUpload:function(e){if(e.jqXHR)switch(e.jqXHR.status){case 0:return;case 413:var t=Discourse.Utilities.uploadTypeFromFileName(e.files[0].name),r=Discourse.SiteSettings["max_"+t+"_size_kb"];return void bootbox.alert(I18n.t("post.errors.file_too_large",{max_size_kb:r}));case 422:return void(e.jqXHR.responseJSON.message?bootbox.alert(e.jqXHR.responseJSON.message):bootbox.alert(e.jqXHR.responseJSON.join("\n")))}else if(e.errors&&e.errors.length>0)return void bootbox.alert(e.errors.join("\n"));bootbox.alert(I18n.t("post.errors.upload"))},defaultHomepage:function(){return Discourse.SiteSettings.top_menu.split("|")[0].split(",")[0]}}}(this),/* Discourse.Dialect: the client-side markdown "cooking" engine. It registers a "Discourse" dialect on window.BetterMarkdown as a subclass of the Gruber dialect, swaps fenced/indented/inline code out for GUID placeholders (map h) before parsing, optionally sanitizes the rendered HTML, and restores the placeholders afterwards. Nothing in this IIFE evaluates strings as code (no eval/Function) or loads remote resources; a scanner hit on this bundle is presumably a signature false positive on the placeholder/replace machinery - verify against the upstream Discourse source for the deployed version. */function(){/* e(): one-time dialect setup - build the block-rule order, move the "code" rule to the front, build inline patterns, and mark the dialect built (v). */function e(){p.buildBlockOrder(g.block);var e=g.block.__order__.indexOf("code");e>-1&&(g.block.__order__.splice(e,1),g.block.__order__.unshift("code")),p.buildInlinePatterns(g.inline),v=!0}/* t(node, ctx, fn): apply one registered text post-processor fn to every string child of JsonML node e; a "__RAW" node is stashed verbatim (not escaped) in h under a fresh guid. */function t(e,t,r){if(!(e.length<2)){if("__RAW"===e[0]){var a=Discourse.Dialect.guid();return h[a]=e[1],void(e[1]=a)}for(var n=1;n<e.length;n++){var i=e[n];if("string"==typeof i){var o=r(i,t);o?o instanceof Array?e.splice.apply(e,[n,1].concat(o)):e[n]=o:e[n]=i}}}}/* r(node, path, counts): recursive JsonML walk - fires the "parseNode" event, runs every postProcessText callback (f) on the node, inlines a "p" whose sole content is an HTML comment, and collapses a "p" wrapping a "__RAW" node. */function r(e,a,n){if(e instanceof Array){var i={node:e,path:a,dialect:g,insideCounts:n||{}};Discourse.Dialect.trigger("parseNode",i);for(var o=0;o<f.length;o++)t(e,i,f[o]);a=a||[],n=n||{},a.push(e);for(var s=1;s<e.length;s++){var c=e[s],d=c[0];n[d]=(n[d]||0)+1,c&&2===c.length&&"p"===c[0]&&/^<!--([\s\S]*)-->$/.exec(c[1])?e[s]=c[1]:r(c,a,n),n[d]=n[d]-1}if(2===e.length&&"p"===e[0]&&e[1]instanceof Array&&"__RAW"===e[1][0]){var l=e[1][1];e[0]="__RAW",e[1]=l}a.pop()}return e}/* a(rule, prev): boundary check for inline rules - returns !0 when the text preceding the match violates the rule's wordBoundary / spaceBoundary / spaceOrTagBoundary option, !1 when the rule has no boundary option or the previous token is not a string. */function 
a(e,t){if(!(e.wordBoundary||e.spaceBoundary||e.spaceOrTagBoundary))return!1;var r=t[t.length-1];return"string"!=typeof r?!1:e.wordBoundary&&!r.match(/\W$/)?!0:e.spaceBoundary&&!r.match(/\s$/)?!0:e.spaceOrTagBoundary&&!r.match(/(\s|\>)$/)?!0:void 0}/* n(str): number of "\n" characters in str. */function n(e){for(var t=-1,r=0;-1!==(t=e.indexOf("\n",t+1));)r++;return r}/* i(text, literal, replacement): helper handed to pre-processors - replaces every occurrence of the regex-escaped literal with a guid and stores replacement (verbatim, not escaped) in h. */function i(e,t,r){var a=new RegExp(t.replace(/[-\/\\^$*+?.()|[\]{}]/g,"\\$&"),"g");if(e.match(a)){var n=Discourse.Dialect.guid();e=e.replace(a,n),h[n]=r}return e}/* o(str): strip one level of 4-space or tab indentation from each line. */function o(e){return e.replace(/^([ ]{4}|\t)/gm,"")}/* s(str): drop leading newlines and trailing whitespace. */function s(e){return e.replace(/^\n+/,"").replace(/\s+$/,"")}/* c()/d(): temporarily encode escaped backslashes and backticks with private sentinels (U+1E80 prefix) so the code-block regexes in l() do not see them; d() reverses it. */function c(e){return e.replace(/\\\\/g,"Ẁ0").replace(/\\`/g,"Ẁ01")}function d(e){return e.replace(/\u1E8001/g,"\\`").replace(/\u1E800/g,"\\\\")}/* l(text): hoist fenced ``` blocks, indented blocks (skipped when the preceding line is a list item), <pre> blocks and inline ``code``/`code` out of the text; each body is HTML-escaped via C before being stored in h under a guid placeholder, which is what keeps code contents from being parsed as markup later. */function l(e){return e=c(e),e=e.replace(/(^\n*|\n)```([a-z0-9\-]*)\n([\s\S]*?)\n```/g,function(e,t,r,a){var n=Discourse.Dialect.guid();return h[n]=C(d(s(a))),t+"```"+r+"\n"+n+"\n```"}),e=e.replace(/(^\n*|\n\n)((?:(?:[ ]{4}|\t).*\n*)+)/g,function(t,r,a,n){var i=e.slice(0,n).trim().match(/.*$/);if(i&&i[0].length&&(i=i[0].trim(),/^(?:\*|\+|-|\d+\.)\s+/.test(i)))return t;var c=Discourse.Dialect.guid();return h[c]=C(o(d(s(a)))),r+"    "+c+"\n"}),e=e.replace(/(\s|^)<pre>([\s\S]*?)<\/pre>/gi,function(e,t,r){var a=Discourse.Dialect.guid();return h[a]=C(d(s(r))),t+"<pre>"+a+"</pre>"}),["``","`"].forEach(function(t){var r=new RegExp("(^|[^`])"+t+"([^`\\n]+?)"+t+"([^`]|$)","g");e=e.replace(r,function(e,r,a,n){var i=Discourse.Dialect.guid();return h[i]=C(d(a.trim())),r+t+i+t+n})}),d(e)}/* h: guid -> replacement map (reset per cook); g: the Discourse dialect; v: built flag; f: postProcessText callbacks; b: pre-processors; C: HTML escaper. */var h,u=(window.jQuery,window.BetterMarkdown),p=u.Markdown,m=u.DialectHelpers,g=p.dialects.Discourse=m.subclassDialect(p.dialects.Gruber),v=!1,f=[],b=[],C=Discourse.Utilities.escapeExpression;Discourse.Dialect={/* guid(): v4-shaped identifier seeded from Date/performance.now plus Math.random. Math.random is not a CSPRNG; within this IIFE the value is only used as a placeholder key in h, not for anything security-sensitive. */guid:function(){var e=(new Date).getTime();window.performance&&"function"==typeof window.performance.now&&(e+=performance.now());var t="xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g,function(t){var r=(e+16*Math.random())%16|0;return 
e=Math.floor(e/16),("x"===t?r:3&r|8).toString(16)});return t},/* cook(text, opts): build the dialect once, reset h, hoist code via l(), run pre-processors (b), parse to a JsonML tree and render it, sanitize only when opts.sanitize is set (Discourse.Markdown.sanitize) or opts.sanitizerFunction is given, then substitute placeholders back in repeated passes until a pass makes no replacement. NOTE(review): placeholders are restored after sanitization; code placeholders from l() were HTML-escaped, but "__RAW" nodes and pre-processor replacements are stored verbatim and so bypass the sanitizer - confirm callers treat those as trusted. */cook:function(t,a){v||e(),g.options=a,h={},t=l(t),b.forEach(function(e){t=e(t,i)});var n=u.toHTMLTree(t,"Discourse"),o=u.renderJsonML(r(n));a.sanitize?o=Discourse.Markdown.sanitize(o):a.sanitizerFunction&&(o=a.sanitizerFunction(o));var s=Object.keys(h);if(s.length)for(var c=!0,d=function(e){o=o.replace(new RegExp(e,"g"),function(){return c=!0,h[e]})};c;)c=!1,s.forEach(d);return o.trim()},/* addPreProcessor(fn): fn(text, replaceHelper) runs before parsing. */addPreProcessor:function(e){b.push(e)},/* registerInline / inlineReplace / inlineRegexp / inlineBetween: register inline rules on the dialect; all honour the boundary check a(). */registerInline:function(e,t){g.inline[e]=t},inlineReplace:function(e,t){this.registerInline(e,function(r,a,n){return[e.length,t.call(this,e,a,n)]})},inlineRegexp:function(e){this.registerInline(e.start,function(t,r,n){if(!a(e,n)){e.matcher.lastIndex=0;var i=e.matcher.exec(t);if(i){var o=e.emitter.call(this,i);if(o)return[i[0].length,o]}}})},inlineBetween:function(e){var t=e.start||e.between,r=e.stop||e.between,n=t.length,i=this;this.registerInline(t,function(o,s,c){if(!a(e,c)){var d=i.findEndPos(o,t,r,e,n);if(-1!==d){var l=o.slice(n,d);e.rawContents||(l=this.processInline(l));var h=e.emitter.call(this,l);return h?[d+r.length,h]:void 0}}})},/* findEndPos(text, start, stop, rule, from): index of the stop delimiter that is not preceded by another start delimiter, or -1. */findEndPos:function(e,t,r,a,n){var i,o;do{if(i=e.indexOf(r,n),-1===i)return-1;o=e.indexOf(t,n),n=i+r.length}while(-1!==o&&i>o);return i},registerBlock:function(e,t){g.block[e]=t},/* replaceBlock(rule): register a block rule spanning multiple blocks between rule.start and rule.stop regexes, tracking nested starts (v) in the labelled loop below; skipped entirely when traditional_markdown_linebreaks is on and rule.skipIfTradtionalLinebreaks (sic, as spelled in the code) is set. */replaceBlock:function(e){var t=function(t,r){var a=g.options.traditional_markdown_linebreaks||Discourse.SiteSettings.traditional_markdown_linebreaks;if(!a||!e.skipIfTradtionalLinebreaks){e.start.lastIndex=0;var i=[],o=e.start.exec(t);if(o){var s=function(){return!r.some(function(t){return t.match(e.stop)})},c=e.start.lastIndex-o[0].length,d=t.slice(0,c),l=o[2]?o[2].replace(/^\n*/,""):"";if((!e.withoutLeading||!e.withoutLeading.test(d))&&(e.stop.lastIndex=t.length-l.length,e.stop.exec(t)||!s())){if(d.length>0){var h=this.processBlock(p.mk_block(d),[]);h&&h[0]&&i.push(h[0])}l.length>0&&r.unshift(p.mk_block(l,t.trailing,t.lineNumber+n(d)+(o[2]?o[2].length:0)-l.length));var 
u,m=[],v=0,f=-1;e:for(;u=r.shift();){e.start.lastIndex=0;for(var b,C=[];b=e.start.exec(u);)C.push(e.start.lastIndex-b[0].length),e.start.lastIndex=e.start.lastIndex-(b[2]?b[2].length:0);e.stop.lastIndex=0;for(var y=[];b=e.stop.exec(u);)y.push(e.stop.lastIndex-b[0].length);for(var x=0,T=0;x<y.length;)if(T<C.length&&C[T]<y[x])T++,v++;else{if(!(v>0)){f=y[x];break e}x++,v--}if(s()){f=y[y.length-1];break}v+=C.length-T,m.push(u)}var _=u.match(e.stop)[0].length,F=u.slice(0,f).replace(/\n*$/,""),k=u.slice(f+_).replace(/^\n*/,"");F.length>0&&m.push(p.mk_block(F,"",u.lineNumber)),k.length>0&&r.unshift(p.mk_block(k,u.trailing,u.lineNumber+n(F)));var N=e.emitter.call(this,m,o,g.options);return N&&i.push(N),i}}}};e.priority&&(t.priority=e.priority),this.registerBlock(e.start.toString(),t)},/* postProcessText(fn): fn runs on every string node during the r() walk. */postProcessText:function(e){f.push(e)},/* postProcessTag(tag, fn): on "parseNode", replace the last child of every node named tag with fn(lastChild). */postProcessTag:function(e,t){Discourse.Dialect.on("parseNode",function(r){var a=r.node;a[0]===e&&(a[a.length-1]=t(a[a.length-1]))})}},RSVP.EventTarget.mixin(Discourse.Dialect)}(this),function(){function e(e){e=e.toLowerCase();var t=urlFor(e);if(t){var e=":"+e+":";return["img",{href:t,title:e,"class":"emoji",alt:e}]}}function t(e){if(e&&e.length){var t=e[e.length-1];if(t&&t.charAt){var r=t.charAt(t.length-1);if(!/\W/.test(r))return!1}}return!0}function r(e){return e.replace(/[-\/\\^$*+?.()|[\]{}]/gi,"\\$&")}window.jQuery;Discourse.Emoji={},Discourse.Emoji.ImageVersion="2";var 
a=["100","1234","8ball","a","ab","abc","abcd","accept","aerial_tramway","airplane","airplane_arriving","airplane_departure","airplane_small","alarm_clock","alembic","alien","ambulance","amphora","anchor","angel","anger","anger_right","angry","anguished","ant","apple","aquarius","aries","arrow_backward","arrow_double_down","arrow_double_up","arrow_down","arrow_down_small","arrow_forward","arrow_heading_down","arrow_heading_up","arrow_left","arrow_lower_left","arrow_lower_right","arrow_right","arrow_right_hook","arrow_up","arrow_up_down","arrow_up_small","arrow_upper_left","arrow_upper_right","arrows_clockwise","arrows_counterclockwise","art","articulated_lorry","astonished","athletic_shoe","atm","atom","b","baby","baby_bottle","baby_chick","baby_symbol","back","badminton","baggage_claim","balloon","ballot_box","ballot_box_with_check","bamboo","banana","bangbang","bank","bar_chart","barber","baseball","basketball","basketball_player","bath","bathtub","battery","beach","beach_umbrella","bear","bed","bee","beer","beers","beetle","beginner","bell","bellhop","bento","bicyclist","bike","bikini","biohazard","bird","birthday","black_circle","black_joker","black_large_square","black_medium_small_square","black_medium_square","black_nib","black_small_square","black_square_button","blossom","blowfish","blue_book","blue_car","blue_heart","blush","boar","bomb","book","bookmark","bookmark_tabs","books","boom","boot","bouquet","bow","bow_and_arrow","bowling","boy","bread","bride_with_veil","bridge_at_night","briefcase","broken_heart","bug","bulb","bullettrain_front","bullettrain_side","burrito","bus","busstop","bust_in_silhouette","busts_in_silhouette","cactus","cake","calendar","calendar_spiral","calling","camel","camera","camera_with_flash","camping","cancer","candle","candy","capital_abcd","capricorn","card_box","card_index","carousel_horse","cat","cat2","cd","chains","champagne","chart","chart_with_downwards_trend","chart_with_upwards_trend","checkered_flag","cheese","cherries"
,"cherry_blossom","chestnut","chicken","children_crossing","chipmunk","chocolate_bar","christmas_tree","church","cinema","circus_tent","city_dusk","city_sunset","cityscape","cl","clap","clapper","classical_building","clipboard","clock","clock1","clock10","clock1030","clock11","clock1130","clock12","clock1230","clock130","clock2","clock230","clock3","clock330","clock4","clock430","clock5","clock530","clock6","clock630","clock7","clock730","clock8","clock830","clock9","clock930","closed_book","closed_lock_with_key","closed_umbrella","cloud","cloud_lightning","cloud_rain","cloud_snow","cloud_tornado","clubs","cocktail","coffee","coffin","cold_sweat","comet","compression","computer","confetti_ball","confounded","confused","congratulations","construction","construction_site","construction_worker","control_knobs","convenience_store","cookie","cool","cop","copyright","corn","couch","couple","couple_with_heart","couplekiss","cow","cow2","crab","crayon","credit_card","crescent_moon","cricket","crocodile","cross","crossed_flags","crossed_swords","crown","cruise_ship","cry","crying_cat_face","crystal_ball","cupid","curly_loop","currency_exchange","curry","custard","customs","cyclone","dagger","dancer","dancers","dango","dark_sunglasses","dart","dash","date","deciduous_tree","department_store","desert","desktop","diamond_shape_with_a_dot_inside","diamonds","disappointed","disappointed_relieved","dividers","dizzy","dizzy_face","do_not_litter","dog","dog2","dollar","dolls","dolphin","door","doughnut","dove","dragon","dragon_face","dress","dromedary_camel","droplet","dvd","e-mail","ear","ear_of_rice","earth_africa","earth_americas","earth_asia","egg","eggplant","eight","eight_pointed_black_star","eight_spoked_asterisk","electric_plug","elephant","end","envelope","envelope_with_arrow","euro","european_castle","european_post_office","evergreen_tree","exclamation","expressionless","eye","eyeglasses","eyes","factory","fallen_leaf","family","fast_forward","fax","fearful","feet","ferris
_wheel","ferry","field_hockey","file_cabinet","file_folder","film_frames","fire","fire_engine","fireworks","first_quarter_moon","first_quarter_moon_with_face","fish","fish_cake","fishing_pole_and_fish","fist","five","flag_black","flag_cn","flag_de","flag_es","flag_fr","flag_gb","flag_it","flag_jp","flag_kr","flag_ru","flag_us","flag_white","flags","flashlight","fleur-de-lis","floppy_disk","flower_playing_cards","flushed","fog","foggy","football","footprints","fork_and_knife","fork_knife_plate","fountain","four","four_leaf_clover","frame_photo","free","fried_shrimp","fries","frog","frowning","frowning2","fuelpump","full_moon","full_moon_with_face","game_die","gear","gem","gemini","ghost","gift","gift_heart","girl","globe_with_meridians","goat","golf","golfer","grapes","green_apple","green_book","green_heart","grey_exclamation","grey_question","grimacing","grin","grinning","guardsman","guitar","gun","haircut","hamburger","hammer","hammer_pick","hamster","hand_splayed","handbag","hash","hatched_chick","hatching_chick","head_bandage","headphones","hear_no_evil","heart","heart_decoration","heart_exclamation","heart_eyes","heart_eyes_cat","heartbeat","heartpulse","hearts","heavy_check_mark","heavy_division_sign","heavy_dollar_sign","heavy_minus_sign","heavy_multiplication_x","heavy_plus_sign","helicopter","helmet_with_cross","herb","hibiscus","high_brightness","high_heel","hockey","hole","homes","honey_pot","horse","horse_racing","hospital","hot_pepper","hotdog","hotel","hotsprings","hourglass","hourglass_flowing_sand","house","house_abandoned","house_with_garden","hugging","hushed","ice_cream","ice_skate","icecream","id","ideograph_advantage","imp","inbox_tray","incoming_envelope","information_desk_person","information_source","innocent","interrobang","iphone","island","izakaya_lantern","jack_o_lantern","japan","japanese_castle","japanese_goblin","japanese_ogre","jeans","joy","joy_cat","joystick","kaaba","key","key2","keyboard","kimono","kiss","kissing","kissing_cat","ki
ssing_closed_eyes","kissing_heart","kissing_smiling_eyes","knife","koala","koko","label","large_blue_circle","large_blue_diamond","large_orange_diamond","last_quarter_moon","last_quarter_moon_with_face","laughing","leaves","ledger","left_luggage","left_right_arrow","leftwards_arrow_with_hook","lemon","leo","leopard","level_slider","levitate","libra","lifter","light_rail","link","lion_face","lips","lipstick","lock","lock_with_ink_pen","lollipop","loop","loud_sound","loudspeaker","love_hotel","love_letter","low_brightness","m","mag","mag_right","mahjong","mailbox","mailbox_closed","mailbox_with_mail","mailbox_with_no_mail","man","man_with_gua_pi_mao","man_with_turban","mans_shoe","map","maple_leaf","mask","massage","meat_on_bone","medal","mega","melon","menorah","mens","metal","metro","microphone","microphone2","microscope","middle_finger","military_medal","milky_way","minibus","minidisc","mobile_phone_off","money_mouth","money_with_wings","moneybag","monkey","monkey_face","monorail","mortar_board","mosque","motorboat","motorcycle","motorway","mount_fuji","mountain","mountain_bicyclist","mountain_cableway","mountain_railway","mountain_snow","mouse","mouse2","mouse_three_button","movie_camera","moyai","muscle","mushroom","musical_keyboard","musical_note","musical_score","mute","nail_care","name_badge","necktie","negative_squared_cross_mark","nerd","neutral_face","new","new_moon","new_moon_with_face","newspaper","newspaper2","ng","night_with_stars","nine","no_bell","no_bicycles","no_entry","no_entry_sign","no_good","no_mobile_phones","no_mouth","no_pedestrians","no_smoking","non-potable_water","nose","notebook","notebook_with_decorative_cover","notepad_spiral","notes","nut_and_bolt","o","o2","ocean","octopus","oden","office","oil","ok","ok_hand","ok_woman","older_man","older_woman","om_symbol","on","oncoming_automobile","oncoming_bus","oncoming_police_car","oncoming_taxi","one","open_file_folder","open_hands","open_mouth","ophiuchus","orange_book","orthodox_cross","outb
ox_tray","ox","package","page_facing_up","page_with_curl","pager","paintbrush","palm_tree","panda_face","paperclip","paperclips","park","parking","part_alternation_mark","partly_sunny","passport_control","pause_button","peace","peach","pear","pen_ballpoint","pen_fountain","pencil","pencil2","penguin","pensive","performing_arts","persevere","person_frowning","person_with_blond_hair","person_with_pouting_face","pick","pig","pig2","pig_nose","pill","pineapple","ping_pong","pisces","pizza","place_of_worship","play_pause","point_down","point_left","point_right","point_up","point_up_2","police_car","poodle","poop","popcorn","post_office","postal_horn","postbox","potable_water","pouch","poultry_leg","pound","pouting_cat","pray","prayer_beads","princess","printer","projector","punch","purple_heart","purse","pushpin","put_litter_in_its_place","question","rabbit","rabbit2","race_car","racehorse","radio","radio_button","

(Jeff Atwood) #2

Can you provide a better link? That one is ultra-broken, even when clicked from the Sucuri site itself. You may need to open a ticket with Sucuri, because their site is broken:

On the other hand, meta’s scan does seem clean:

https://sitecheck.sucuri.net/results/meta.discourse.org

Maybe update to the latest version of Discourse to start?


(ampburner) #3

The best link to a sucuri page I can give you is
Sucuri SiteCheck - Free Website Malware Scanner - which contains some dead links indeed.

I suppose I’m asking: is the file they are referring to something that looks suspicious to your eyes?
http://www.hitmanforum.com/assets/application-66fe712d616a4342d7983c5590cf82fa.js

other sites offer similar scans
http://quttera.com/detailed_report/discourse.hitmanforum.com

I am tracking Discourse’s stable branch and I think I’m on the latest version (1.5.2).

I am also running another website called archive.hitmanforum.com. This is basically a read-only instance of our 10+ year old forum running an ancient version of Invision Power Board. (We never migrated its content when we switched to Discourse; it’s just there for nostalgic reasons.)

That IPB forum seems to have been infected, and it’s running on a PHP server that redirects users to the new Discourse forum. I’m wondering if that’s affecting the reports.

Google webmaster tools reports a similar status for both sites.
When I drill down into the www.hitmanforum.com report, though, it only shows suspicious links in the archive subdomain.


I’m going to take the IPB forum offline and have it re-scanned. See what that does.


(ampburner) #4

Disabling the infected IPB forum fixed the warnings in Search Console – Google has cleared both subdomains.
Google Chrome is also no longer blocking the archive.hitmanforum.com domain as a phishing site.
So my apologies for wasting your time on that non-Discourse-related question.

Sucuri and Quttera still mention some “suspicious” files, which to my eye just look like index.html:
http://quttera.com/detailed_report/www.hitmanforum.com

and Font Awesome:
https://sitecheck.sucuri.net/results/www.hitmanforum.com


(ampburner) #5

@codinghorror can you confirm that the code snippet listed by my second link is just Font Awesome search-and-replace code, or should I investigate this as a serious potential infection?


(Jeff Atwood) #6

Unless you can reproduce it here on meta or on try, it’s 100% a false positive.