Thread: Miscellaneous Hacks - Rotating Banner System
#2758
03-05-2016, 04:06 AM
y2ksw

Join Date: Aug 2003
Location: Italy
Posts: 1,418

Quote:
Originally Posted by zackw
"Remove it..." How does one find "it"? VB file checker only shows RBS files as suspicious. Should I delete them? Reinstall RBS?

I realize RBS doesn't change templates. And you know, html forms don't delete databases, but people have used insecure forms to do just that with SQL injection.
It doesn't matter what RBS "does" in normal operation, the question is whether things were hacked through it.

In any event, I edited the templates to remove the payload, but what other means can tell me where some worm is hiding?

I know this is probably not the thread to continue this, but if someone has a link to a method of validating the whole install, that would help.
This particular WORM enters your admin panel via XSS and installs itself into the plugin cache. Some versions also keep a plugin you never installed, but most of them just have the cached code, which may be found by extracting all plugin code from the datastore table. It has a suspiciously long white space line (to move out of sight) and some eval/base64_decode sequences which install and quirk the templates in order to show their links.

You can get rid of the cache-only version by saving a single plugin, but usually there is also an infected script (tampered image) which then reinstalls the WORM once again. I found that Avast does a good job of finding infected scripts, but a global search on files for some pattern may work as well.

Please note that this WORM is carefully designed and not as stupid as most of their kind. It is hard to remove and usually requires checking all files on your installation, including plugins where it may hide (appended or prepended, rarely inserted). There also may be some templates which attempt to load external files in order to reinfect the whole installation.
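The "global search for some pattern" that y2ksw suggests, written out as an added example (not code from the thread or from vBulletin): it applies the two tells the post names, a very long run of whitespace that pushes code off screen and an eval() wrapped around base64_decode() or similar decoders, to plugin code and to files on disk, and additionally flags PHP tags inside image files, which the post mentions as the reinstall vector. It assumes the cached plugin code has already been pulled out of the datastore/plugin table as (title, phpcode) pairs; the sample rows below are constructed, not real worm code.

```python
"""Heuristic scanner for the hiding tricks described in the post."""
import re
from typing import Iterable, List, Tuple

# Heuristics from the post: whitespace padding that hides code past the
# right edge of the editor, and eval() over a decoded/inflated payload.
LONG_WHITESPACE = re.compile(r"[ \t]{200,}\S")
EVAL_DECODE = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
    re.IGNORECASE,
)
IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")
PHP_TAG = re.compile(r"<\?php|<\?=", re.IGNORECASE)

Finding = Tuple[str, int, str]  # (source name, line number, reason)


def scan_plugin_code(name: str, code: str) -> List[Finding]:
    """Apply the line-level heuristics to one plugin's PHP code."""
    findings: List[Finding] = []
    for line_no, line in enumerate(code.splitlines(), start=1):
        if LONG_WHITESPACE.search(line):
            findings.append((name, line_no, "long whitespace run before code"))
        if EVAL_DECODE.search(line):
            findings.append((name, line_no, "eval of decoded/inflated payload"))
    return findings


def scan_datastore_rows(rows: Iterable[Tuple[str, str]]) -> List[Finding]:
    """rows: (title, phpcode) pairs already extracted from the database (assumed)."""
    findings: List[Finding] = []
    for title, code in rows:
        findings.extend(scan_plugin_code(title, code))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Same heuristics over a file on disk; image files containing a PHP tag
    are flagged because the post says the reinstaller hides in a tampered image."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    findings = scan_plugin_code(path, data)
    if path.lower().endswith(IMAGE_EXT) and PHP_TAG.search(data):
        findings.append((path, 0, "PHP tag inside an image file"))
    return findings


# Constructed sample rows (not taken from a real infection).
SAMPLE_ROWS = [
    ("clean_plugin", "<?php\n$vbulletin->options['foo'] = 1;\n"),
    ("suspect_plugin",
     "<?php\n$x = 1;" + " " * 400 + "eval(base64_decode('aGVsbG8='));\n"),
]

if __name__ == "__main__":
    for source, line_no, reason in scan_datastore_rows(SAMPLE_ROWS):
        print(f"{source}:{line_no}: {reason}")
```

Run it over the extracted plugin rows first, then over every .php and image file under the forum root; a hit is a starting point for manual review, not proof of infection on its own.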