Site Hack

I'm glad you quickly recovered from the site defacement! I've recently directed people to download this extension. Should people be concerned over the integrity of the XPIs they've downloaded? Are there hashes available for the XPIs?
  • The site was defaced by a mass defacing script started via an exploit in an old, third-party PHP script on another CHNM site. (Zotero currently shares the same servers as other CHNM sites, though it'll be moving to a dedicated server soon.) We caught it in progress and stopped it immediately. We've removed the vulnerable code and patched PHP to prevent similar exploits in the future.

    Only index* files were affected, so there's no need to be concerned about other data, but we've verified the XPI to be safe--it hasn't been changed.

    Let us know if you have any additional questions.
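The question above is really "how can a user verify that the XPI they fetched is the one the project intended to ship?" The only check that works after a defacement is comparing the file's hash against a value obtained through a channel the attacker did not control (a signed announcement, a mailing list, a developer you can reach directly), since a hash published on the compromised site itself proves nothing. The following is an added example, not Zotero's own code or tooling; the XPI contents, file names and the expected hash are constructed placeholders. It hashes the file in chunks, compares the digest in constant time, and separately checks that the archive is a well-formed zip carrying an install.rdf, which is the manifest Firefox extensions of this era contained.

```python
"""Check a downloaded XPI against a hash obtained out of band.

Added example (not Zotero project code). Assumptions, labelled here:
  * the expected SHA-256 comes from a trustworthy source other than the
    web site that served the file;
  * a Firefox-era XPI is a zip archive whose top level holds install.rdf.
"""
import hashlib
import hmac
import os
import tempfile
import zipfile


def sha256_file(path, chunk=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large XPIs do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_xpi(path, expected_sha256):
    """Return (hash_ok, structure_ok).

    hash_ok      - digest equals the out-of-band value (constant-time compare)
    structure_ok - file is a valid zip, every member's CRC checks, and
                   install.rdf is present at the top level
    A tampered XPI can easily satisfy structure_ok; only hash_ok detects it.
    """
    hash_ok = hmac.compare_digest(sha256_file(path), expected_sha256.lower())
    try:
        with zipfile.ZipFile(path) as z:
            structure_ok = ("install.rdf" in z.namelist()
                            and z.testzip() is None)
    except zipfile.BadZipFile:
        structure_ok = False
    return hash_ok, structure_ok


def build_sample_xpi(path, manifest="<RDF/>"):
    """Write a minimal constructed XPI (zip with install.rdf) for the demo."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", manifest)
        z.writestr("chrome.manifest", "content zotero chrome/content/zotero/\n")


def demo():
    """Constructed scenario: a genuine XPI and a modified copy of it.

    Returns (result_for_genuine, result_for_modified); the modified file is
    still a perfectly valid XPI, which is exactly why the hash is needed.
    """
    d = tempfile.mkdtemp(prefix="xpi-check-")
    genuine = os.path.join(d, "zotero.xpi")
    modified = os.path.join(d, "zotero-modified.xpi")
    build_sample_xpi(genuine)
    # Stands in for the hash you would obtain from the project out of band.
    published = sha256_file(genuine)
    build_sample_xpi(modified, manifest="<RDF><!-- altered --></RDF>")
    return check_xpi(genuine, published), check_xpi(modified, published)


if __name__ == "__main__":
    print(demo())
```

Run it with the real path and the real published digest substituted for the constructed ones; a mismatch means re-download from a known-good source and do not install.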
  • Is this related to a JS/Exploit-script trojan virus? Recently my McAfee virus scan has been picking up this virus within the contents of Zotero folders. I don't know how to remove it; please help.
  • The two are unrelated. Assuming that this isn't a false positive, I suppose that you might have visited an infected page & taken a snapshot of it, saving the malicious code to your machine. If I were you, I'd save a copy of the file it claims is infected & delete the one from your zotero directory. Confirm that the snapshot still works. If it does, delete the backup of the file you removed. If it doesn't, look at obtaining a new copy of the snapshot or find another antivirus program to confirm that there is a real infection and/or to clean it.
  • Although this isn't the best forum for troubleshooting virus problems...

    Viruses often look for what appear to be unused folders or folders where the user will not look often and will therefore not notice extra files accumulating. This is where they then take up residence, so to speak, and store data files and replicated copies of themselves. This means it is entirely possible that a virus is in one of your Zotero folders completely independently of the operation of the Zotero program itself. Unfortunately, Zotero stores its files with seemingly randomly named file names, so it is difficult to discern the difference between legitimate files and virus files just by looking at the names.

    In order to help troubleshoot this problem I will need some technical information from someone on the Zotero team: When Zotero exports the database, and if the user selects the "Export Files" option, will the export process simply copy every single file in the Zotero storage folder regardless of whether it is actually used by Zotero? Or will Zotero only copy files that are directly used by the Zotero database? This information is crucial in determining whether it is possible to use the Export/Import process to clean out the database folders so that they only contain exactly the files used by Zotero.

    P.S. If Zotero does simply copy all of the files in the Zotero storage folder into the export folder, then this means it is possible to spread viruses by exporting one's database and sharing it with someone else. That is not good and should be fixed.
  • edited March 20, 2009
    Note that this was described as a javascript exploit. It may be a false positive; it may be a real exploit that is benign when it is on the local machine. If it is a real exploit, it likely came from the web. While it is true that another virus could have hidden a javascript exploit somewhere on the machine, I think it is fairly unlikely (as most don't & the suspect file just happens to be in the subdirectory of a program that saves webpages).
    In order to help troubleshoot this problem I will need some technical information from someone on the Zotero team: When Zotero exports the database, and if the user selects the "Export Files" option, will the export process simply copy every single file in the Zotero storage folder regardless of whether it is actually used by Zotero?
    I'm not on the dev team, but yes, it will just copy every single file. There is no record of all files used in a particular snapshot (nor, I think, does there need to be).
    P.S. If Zotero does simply copy all of the files in the Zotero storage folder into the export folder, then this means it is possible to spread viruses by exporting one's database and sharing it with someone else. That is not good and should be fixed.
    I disagree. A virus could, just as easily, replace files already in the directory. Or, you could have taken a web snapshot of an infected page (as may have happened here).
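The exchange above turns on one question: which files under the storage folder does the database actually refer to, and which are just sitting there? The following is an added example, not Zotero's own code, for answering that from the outside. It assumes (and these are assumptions about the schema and layout, not facts taken from this thread) that zotero.sqlite has an `items` table with an `itemID` and an 8-character `key`, an `itemAttachments` table whose rows are the attachment items that own files, and that attachment files live under `storage/<KEY>/`. It reports storage directories that no attachment item owns, which Zotero will never read, export or delete, and lists script files inside the directories that are referenced, since a `.js` saved with a snapshot is the kind of file an AV engine flags. Run it against a copy of zotero.sqlite with Firefox closed.

```python
"""Audit a Zotero storage directory against the database that owns it.

Added example (not Zotero project code). Assumptions, labelled here:
  * zotero.sqlite: table items(itemID, key) and table itemAttachments(itemID)
    whose rows are the attachment items (snapshots, PDFs) that own files;
  * attachment files live under storage/<KEY>/ in the Zotero data directory.
Point it at a copy of the database; Firefox should not have it open.
"""
import os
import pathlib
import sqlite3
import tempfile

ATTACHMENT_KEYS_SQL = """
SELECT items.key
FROM itemAttachments
JOIN items ON items.itemID = itemAttachments.itemID
"""


def referenced_keys(db_path):
    """Set of storage keys the database still refers to (read-only open)."""
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        return {row[0] for row in con.execute(ATTACHMENT_KEYS_SQL)}
    finally:
        con.close()


def audit_storage(storage_dir, keys, suspect_ext=(".js",)):
    """Return (orphans, scripts).

    orphans - storage subdirectories no attachment item owns; nothing Zotero
              does will read, export or remove these, so extra files there
              go unnoticed
    scripts - {key: [paths relative to the key directory]} of files with a
              suspect extension inside referenced directories, e.g. scripts
              saved alongside a snapshot
    """
    orphans = []
    scripts = {}
    for name in sorted(os.listdir(storage_dir)):
        path = os.path.join(storage_dir, name)
        if not os.path.isdir(path):
            continue
        if name not in keys:
            orphans.append(name)
            continue
        found = []
        for root, _dirs, files in os.walk(path):
            for fname in files:
                if fname.lower().endswith(suspect_ext):
                    found.append(os.path.relpath(os.path.join(root, fname), path))
        if found:
            scripts[name] = sorted(found)
    return orphans, scripts


def demo():
    """Build a constructed data directory and audit it.

    One referenced snapshot directory containing a saved script, one regular
    item with no files, and one directory the database does not mention.
    """
    data_dir = tempfile.mkdtemp(prefix="zotero-audit-")
    db_path = os.path.join(data_dir, "zotero.sqlite")
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE items (itemID INTEGER PRIMARY KEY, key TEXT);
        CREATE TABLE itemAttachments (itemID INTEGER PRIMARY KEY);
        INSERT INTO items VALUES (1, 'ABCD1234');   -- snapshot attachment
        INSERT INTO items VALUES (2, 'WXYZ0000');   -- regular item, no files
        INSERT INTO itemAttachments VALUES (1);
    """)
    con.commit()
    con.close()
    storage = os.path.join(data_dir, "storage")
    os.makedirs(os.path.join(storage, "ABCD1234"))
    for fname in ("index.html", "00001b43.js"):   # constructed snapshot files
        open(os.path.join(storage, "ABCD1234", fname), "w").close()
    os.makedirs(os.path.join(storage, "QRST5555"))  # constructed orphan
    open(os.path.join(storage, "QRST5555", "loader.js"), "w").close()
    return audit_storage(storage, referenced_keys(db_path))


if __name__ == "__main__":
    orphans, scripts = demo()
    print("unreferenced directories:", orphans)
    print("script files in referenced snapshots:", scripts)
```

For a referenced directory that turns up a flagged script, the right move is the one suggested later in the thread, deleting the snapshot item inside Zotero so the sync state follows; for an orphan directory, nothing in Zotero will ever touch it, so it can be inspected and removed by hand.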
  • edited March 21, 2009
    I can tell you the specific file that it keeps picking up it is 00001b43.js
    I have gone to the individual folder each time to delete it. The anti-virus software that I have identifies it as a JavaScript exploit, but I am unaware of the details of the virus. The snapshots are not that important to me; my thought to rectify the situation is to uninstall Zotero from Firefox and delete the entire Zotero database. My only question then is, when I reinstall Zotero and sync it with my online Zotero account (I am using 1.5 beta), will it pull the info or replace it with what I have locally?
  • noksagt:
    Note that this was described as a javascript exploit.
    You are correct. I missed that part. I know of no viruses that place javascript exploit code in folders on a user's hard drive.
    A virus could, just as easily, replace files already in the directory.
    While many viruses used to do that it is not as common any more. And they don't usually do that in random folders. Instead they would normally replace system files or something that is normally run at startup.

    Be that as it may, I think you are correct. It probably is just something that was downloaded when mahood took the snapshot in Zotero.

    Mahood, it seems that you may need to figure out which snapshot this file belongs to and delete that snapshot within Zotero. If Zotero is truly synchronizing then it should also delete that snapshot from the online copy as well and your problem will be over. By uninstalling Zotero and doing a complete resync you are essentially telling Zotero that you want to copy down that exploit infected file.

    If you feel you must have a copy of that snapshot in your database then you could possibly try this:

    1. Delete the snapshot as stated above and make sure Zotero syncs with the server. (This should remove all of the snapshot files from the copy of your database synchronized up to the server.)

    2. Go into Zotero preferences and turn off automatic syncing.

    3. Make sure that JavaScript is turned off in Firefox. At least temporarily.

    4. Go back to that web page and take a new snapshot.

    5. Run your virus scan, find the offending file, and delete it.

    6. Now go back into Zotero's preferences and turn automatic synchronization back on. (Or just manually sync with the server.)
      • Now that the offending file is not even on your hard drive it can't be synced up to the server can it?

    There you go. The file is gone and you still have your snapshot.
This discussion has been closed.