Home
About Download Documentation Wiki Forums Contribute Support
The Toolkit for Online Communities
15900 Community Members, 1 member online, 2264 visitors today 		Log In Register

Forum OpenACS Q&A: Virus found JS/Obfuscated

OpenACS Home : Forums : OpenACS Q&A : Virus found JS/Obfuscated

Icon of Envelope Request notifications

+
1: Virus found JS/Obfuscated
Posted by sal berg on 03/10/11 01:18 PM
Hello,

I downloaded the Windows port of OpenACS from http://www.spazioit.com/pages_en/sol_inf_en/windows-openacs_en/ and ran an AVG scan on it. It came back with "Virus found JS/Obfuscated." I tried posting about this on the comments at that site, but for one thing, I have to wait registration approval before I can do that (still waiting for the 2nd day), and second of all it seems to be pretty low traffic there - wouldn't be surprised if it took weeks to get approved and weeks to get feedback on a post. So I decided to come here.

I'm guessing that this organization is not affiliated with that port, but at any rate, has anyone else seen this? Can anyone else confirm the virus on that download? Or is it possible that it is a false positive?

Thanks.

+
2: Re: Virus found JS/Obfuscated (response to 1)
Posted by Maurizio Martignano on 03/10/11 03:13 PM
Hello there,
can you be more specific and mention what is/are the effected file/s?

Thanks a lot in advance,
Maurizio Martignano

+
3: Re: Virus found JS/Obfuscated (response to 1)
Posted by sal berg on 03/10/11 06:08 PM
Infected files are:

"C:\Users\x\Desktop\windows-openacs-light.exe:\$JP\dotlrn\packages\acs-templating\www\resources\xinha-nightly\plugins\QuickTag\tag-lib.js"

"C:\Users\x\Desktop\windows-openacs-light.exe"

+
4: Re: Virus found JS/Obfuscated (response to 3)
Posted by Maurizio Martignano on 03/10/11 07:02 PM
Hello there,
very good catch indeed.
This is how things are:
1. I checked always all files and distributions with my antivirus: Avira Antivir and no problems where ever found.
2. When using AVG it finds the virus you mention in the file ...\packages\acs-templating\www\resources\xinha-nightly\plugins\QuickTag\tag-lib.js (of course it finds it also in the .exe file, because the .exe file - the installer - contains the above mentioned .js file).
3. I checked that file (tag-lib.js) against the orginal distributions (OpenACS 5.6.0) and (.LRN 2.5.0). There's no difference among the files contained in the original tar files and the ones in my distribution. For example if you download OpenACS 5.6.0, untar it and scan it with your anti virus, you'll get the same problem notification.
4. Now the file tag-lib.js is in an encrypted form and I can't really tell if it is infected or not. I would think it is not. If it is, also the OpenACS and .LRN distributions need to be cleaned/amended.

Hope it helps,
Maurizio

PS: we all live in a world with timezones and where people usually have a job to do (to pay for some fun time in the Open Source area...) I believe I reacted to your observations even quicker and faster than a normal company (with a properly paid support contract) would ever do...

+
5: Re: Virus found JS/Obfuscated (response to 4)
Posted by sal berg on 03/10/11 07:21 PM
Ah, are you associated with that site? I meant no disrespect, I simply meant to say that, judging from the activity level there (last posts were December-ish?), I didn't expect to hear back from any post there anytime soon.

So what do we do now? Hope that someone else sees this and responds? I don't want to install the software unless it is confirmed or not that OpenACS has a virus.

At any rate, thanks a lot for your help.

+
6: Re: Virus found JS/Obfuscated (response to 5)
Posted by Maurizio Martignano on 03/10/11 07:40 PM
Ehm....

I'll be more explicit.

I believe you found a false positive.

tag-lib.js uses javascript encryption to make the size smaller; this is called "compression". Even though some trojans use this technique, it does not inherently mean a security issue. In this case, the tag-lib.js file does not contain any trojan and is meant to be that way.

If you still feel uncomfortable, you can of course delete that file - it is only required for a specific feature of the Xinha WYSIWYG editing component ("QuickTags").

+
7: Re: Virus found JS/Obfuscated (response to 6)
Posted by sal berg on 03/10/11 11:55 PM
Thanks! I'll go ahead and install. My lawyers will be in touch in case anything bad happens.

That last sentence was a joke, heh :-)

+
8: Re: Virus found JS/Obfuscated (response to 7)
Posted by Maurizio Martignano on 03/11/11 07:44 AM
It is your own call and your call only.
It is your own resposibility and your responsibility only.
I'd like to stress what I wrote:
1. I believe... (and not I know for sure)
2. If you still feel uncomfortable, you can of course delete that file - it is only required for a specific feature of the Xinha WYSIWYG editing component ("QuickTags").
So again, it is your own call.
+
9: Re: Virus found JS/Obfuscated (response to 6)
Posted by Gustaf Neumann on 03/11/11 09:57 AM
Well, at least in the HEAD branch tag-lib,js is not compressed. The file looks pretty harmless to me:
http://fisheye.openacs.org/browse/OpenACS/openacs-4/packages/acs-templating/www/resources/xinha-nightly/plugins/QuickTag/tag-lib.js?hb=true
+
10: Re: Virus found JS/Obfuscated (response to 9)
Posted by Maurizio Martignano on 03/11/11 11:24 AM
Hello Gustav,
why is it compressed in the tar distribution and not in the HEAD branch?
If compression is important (for performance reasons) it should be present in both; if it is not it should be removed in both.

Cheers,
Maurizio

This website is maintained by the OpenACS Community. Any problems, email webmaster or Submit a bug report.