XF 1.4 1.4.3 Login Javascript Error

sweetfoo

Member
Hey there XF forums! So my forums have suddenly run into a problem with its login. Out of the blue, clients are getting "The server responded with an error. The error message is in the JavaScript console." when pressing the login button. I haven't made any changes in the last while so I'm not sure where to look and the console error has me scratching my head. If anyone could shed a bit of light on this for me that would be great!

Here is the error in console:
PHP {"templateHtml":"\n\n\n\n\n\n\n\n\n<form action=\"login\/login\" method=\"post\" class=\"xenForm\" id=\"pageLogin\">\n\n\t\n\t\n\t<h2 class=\"textHeading\">Log in or Sign up<\/h2>\n\n\t<dl class=\"ctrlUnit\">\n\t\t<dt><label for=\"ctrl_pageLogin_login\">Your name or email address:<\/label><\/dt>\n\t\t<dd><input type=\"text\" name=\"login\" value=\"\" id=\"ctrl_pageLogin_login\" class=\"textCtrl\" tabindex=\"1\" \/><\/dd>\n\t<\/dl>\n\n\n\t<dl class=\"ctrlUnit\">\n\t\t<dt class=\"altLogins\"><label for=\"ctrl_pageLogin_password\">Your Password:<\/label><\/dt>\n\t\t<dt class=\"altLogin\"><label for=\"ctrl_pageLogin_password\">Do you already have an account?<\/label><\/dt>\n\t\t<dd>\n\t\t\t<ul>\n\t\t\t\t<li class=\"altLogin\"><label for=\"ctrl_pageLogin_not_registered\"><input type=\"radio\" name=\"register\" value=\"1\" id=\"ctrl_pageLogin_not_registered\" tabindex=\"5\" \/>\n\t\t\t\t\tNo, create an account now.<\/label><\/li>\n\t\t\t\t<li class=\"altLogin\"><label for=\"ctrl_pageLogin_registered\"><input type=\"radio\" name=\"register\" value=\"0\" id=\"ctrl_pageLogin_registered\" checked=\"checked\" class=\"Disabler\" tabindex=\"5\" \/>\n\t\t\t\t\tYes, my password is:<\/label><\/li>\n\t\t\t\t<li id=\"ctrl_pageLogin_registered_Disabler\">\n\t\t\t\t\t<input type=\"password\" name=\"password\" class=\"textCtrl\" id=\"ctrl_pageLogin_password\" tabindex=\"2\" \/>\t\t\t\t\t\n\t\t\t\t\t<div><a href=\"lost-password\/\" class=\"OverlayTrigger OverlayCloser\" tabindex=\"6\">Forgot your password?<\/a><\/div>\n\t\t\t\t<\/li>\n\t\t\t<\/ul>\n\t\t<\/dd>\n\t<\/dl>\n\n\t\n\t\n\n\t<dl class=\"ctrlUnit submitUnit\">\n\t\t<dt><\/dt>\n\t\t<dd>\n\t\t\t<label class=\"rememberPassword\"><input type=\"checkbox\" name=\"remember\" value=\"1\" id=\"ctrl_pageLogin_remember\" tabindex=\"3\" \/> Stay logged in<\/label>\n\t\t\t<input type=\"submit\" class=\"button primary\" value=\"Log in\" data-loginPhrase=\"Log in\" data-signupPhrase=\"Sign up\" tabindex=\"4\" \/>\n\t\t\t<a 
href=\"register\/\" class=\"newAccount button\">Register<\/a>\n\t\t<\/dd>\n\t<\/dl>\n\n\t\n\t\n\t\n\t\n\t\n \n \t\t\t\t\n <dl class=\"ctrlUnit\">\n <dt><\/dt>\n <dd style=\"margin-left:-14px;\"><a href=\"register\/steam?reg=1\" style=\"text-decoration:none;display: inline-block;\">\n <img src=\"styles\/default\/steamauth\/steam_signin.png\" alt=\"Log in with Steam\" style=\"margin:0 14px;\"\/>\n<\/a><\/dd>\n<\/dl>\n \n \n \n\t\n\t<input type=\"hidden\" name=\"cookie_check\" value=\"1\" \/>\n\t<input type=\"hidden\" name=\"_xfToken\" value=\"\" \/>\n\t<input type=\"hidden\" name=\"redirect\" value=\"https:\/\/www.evidencegaming.com\/community\/\" \/>\n\t\n\n<\/form>\n\n<script>\n\t$(function()\n\t{\n\t\tvar $button = $('#pageLogin input.button.primary');\n\t\t$('#pageLogin input[name=\"register\"]').click(function()\n\t\t{\n\t\t\t$button.val(\n\t\t\t\t$('#pageLogin input[name=\"register\"]:checked').val() == '1'\n\t\t\t\t? $button.data('signupphrase')\n\t\t\t\t: $button.data('loginphrase')\n\t\t\t);\n\t\t});\n\t});\n<\/script>\n","css":{"stylesheets":["xb_alt_login"],"urlTemplate":"css.php?css=__sentinel__&style=46&dir=LTR&d=1436008830"},"js":"","title":"Log in"}<script type="text/javascript" src="404 Not Found"></script>

There also seems to be a strange script at the end there that redirects to a strange site. No idea how that got there... Should I be concerned?
 
The URL makes me think something on the server has been compromised. I would run the file health check in the control panel.
 
Thanks for the responses. (y)

I ran a file health check and just about everything in /install/ was reported back as well as "js/xenforo/xenforo.js" and "index.php". What do you guys recommend I do from here?

EDIT: Snipping out the code from index.php that redirected to that site was easy enough. Have no idea how that got there though. I figure I should look into securing my site better, where should I look to start?

Finding the issue in the xenforo.js might be tricky since it is minified.
 
To find the changes, you can diff against a clean version, but otherwise you may just want to upload fresh versions of files. Ideally, you should restore from a backup before the compromise happened, but that may not be viable.

Issues like this usually come from other applications on the server (depending on server configuration), but it's generally hard to say. It requires a fair amount of analysis to find anything of note. (As a side note, I do see debug mode enabled on your site. This shouldn't be enabled.)
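
Added example, not part of the thread and not XenForo's own code: one way to diff a live install against a clean copy, including locating the changed bytes in a minified one-line file such as xenforo.js. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, live_root):
    """Classify files as modified, missing from live, or extra in live."""
    clean, live = file_hashes(clean_root), file_hashes(live_root)
    return {
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        "missing": sorted(clean.keys() - live.keys()),
        "extra": sorted(live.keys() - clean.keys()),
    }

def changed_span(clean, live):
    """Trim the common prefix and suffix; return (offset, removed, inserted).
    Works on minified files, where a line diff flags the whole file."""
    limit = min(len(clean), len(live))
    start = 0
    while start < limit and clean[start] == live[start]:
        start += 1
    end = 0
    while end < limit - start and clean[-1 - end] == live[-1 - end]:
        end += 1
    return start, clean[start:len(clean) - end], live[start:len(live) - end]

def demo():
    """Build two small constructed trees (sample data) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "index.php").write_bytes(b"<?php run();")
            (root / "js" / "app.min.js").write_bytes(b"var a=1;var b=2;")
        # Constructed tampering: an inserted statement and an unexpected file.
        (live / "js" / "app.min.js").write_bytes(b"var a=1;load('PLACEHOLDER');var b=2;")
        (live / "extra.php").write_bytes(b"<?php /* not in the clean copy */")
        report = compare_trees(clean, live)
        span = changed_span((clean / "js" / "app.min.js").read_bytes(),
                            (live / "js" / "app.min.js").read_bytes())
    return report, span

if __name__ == "__main__":
    print(demo())
```

In real use, `clean_root` would be a freshly unpacked copy of the same release and `live_root` the web root. Files reported under "extra" deserve as much attention as modified ones, since a file health check only covers files it knows about.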
 