[QrazyKermi]

I use Drupal to manage my site. Over the last two weeks I noticed that whenever I look at the activity logs, its shows "X.js not found" (where X=7 random letters) every time ANY page on my site is accessed by anyone. When I go to my domain administration tools through my hosting company, there are no errors listed at all.

My gut feeling is that my site is either in the process of being hacked, or was attempted to be hacked but not completed for some reason. I'm also not using the latest version of Drupal: I'm using 4.6.0, with 4.6.3 being the latest.

I know I need to update to the latest, but can you shed any light on what I'm seeing?

PS: I'm asking you because I couldn't find anything on the Drupal forums, or any other forum for that matter. Help me Obi-Jump-Kanobi... You're my only hope

[Jump]

I will need the link to the site. Most likely a theme/skin issue.

[QrazyKermi]

Sorry for the delay. The site is http://qrazykermi.net

[Jump]

Code:

<script language=JavaScript src=/twxdqdg.js></script>            
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
   <title>Qrazykermi.net | A place to explore the void in my head</title>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <base href="http://qrazykermi.net/" />
 <style type="text/css" media="all">@import "misc/drupal.css";</style><link rel="stylesheet" type="text/css" href="modules/quote/quote.css" />
 <link rel="alternate" type="application/rss+xml" title="RSS" href="http://qrazykermi.net/node/feed" />
 
   <style type="text/css" media="all">@import "themes/pushbutton/style.css";</style>
    <script type="text/javascript"> </script>
 </head>

The first line on every page of your site is a randomly generated call to a javascript file, that does not exist in the location implied.

Also, this should not be here. All script tags should be between the head tags.

So, something is generating these random id's and putting the code in the wrong place. It could be a theme problem. It could be a setting in drupal.

I would test another theme to see if that line disappears first. Then investigate the templates and such.

You might also check settings in drupal. Is there a choice to save js to file or write to page?

Hope this helps get you started investigating. Let me know.

[QrazyKermi]

Did some digging using "radom javascript" and similar terms. Looks like there's a vulnerability in xmlrpc.php. The only real solution is to upgrade, which I'll attempt tomorrow. I don't know if this is specifically what I'm experiencing, but seeing terms like "SQL injection exploit" and "javascript injection exploit" make me think the upgrade is not really optional. Wish me luck

[Jump]

It's always good to keep up with security updates. But I'm pretty sure it's a problem with your theme/style. The good news is, as long as the js file doesn't exist it doesn't pose a problem as far as security goes. It just creates fast growing error logs.

Looking at other Drupal sites and the way that the Drupal coders place the markup between the head tags, it seems that there is a setting to write javascript to file or page. Vbulletin has the same feature for css files. For some reason, your theme/style has botched it up.

That's my view at this time with what info I have.

Hope it helps.

[QrazyKermi]

I haven't changed the theme in several months though. And although there are several themes loaded, only one is available to people.

Could this theme have gotten corrupted or something?

/edit

I just tried some of the other themes, and the error messages still come up for every time a page is viewed. Is there some theme management file that I'd need to muck around with to clean this up?

[Jump]

Do you have any non drupal pages on your site that I can look at?

Something is inserting that code at the top of every page. I'm afraid I have never used Drupal so have nothing to go on with that app.

[QrazyKermi]

I don't have any non-drupal pages, unfortunately.

I've turned off every module, one at a time, and all together, to see if possibly they are involved in this in any way. But that had no impact. But I did notice a new error message in the log today:

TYPE: php
DATE: 2005-09-14 11:15 (and 13:15, btw)
MESSAGE: Got error 28 from table handler query: SELECT DISTINCT(p.perm) F
USER: Anonymous

Clicking on "details" gives me the following:
Type php
Date Wednesday, September 14, 2005 - 11:15pm
User Anonymous
Location /cron.php
Message Got error 28 from table handler query: SELECT DISTINCT(p.perm) FROM role r INNER JOIN permission p ON p.rid = r.rid INNER JOIN users_roles ur ON ur.rid = r.rid WHERE ur.uid = 0 in /home2/*****/public_html/includes/database.mysql.inc on line 66.
Severity error
Hostname 67.15.28.12

(Account named replaced with "*****" by me)

Regarding your 9/12@11:40 post: do you have any idea where I would find a setting to write js to a file or page? Would this be something accessible through the drupal admin menus, or something I'd have to do manually to files on the host? I don't recall ever seeing any setting like that, so I'm kinda at a loss. I also couldn't tell the difference between javascript code and an oreo cookie, but first things first.

[Jump]

Personally, I would just delete all the Drupal files (Not the database) and re-instal with the latest version.

Sometimes a clean slate is the best investigator.

Like I said, I don't use Drupal and have no idea what it could have contributed to the problem.

[Jump]

After you reinstalled it was gone. Now it's back. Could also be something with your host. You get what you pay for in that game.

Honestly, free blogs give you a tool but little support that you can count on.

If I had the money, I would be using Expression Engine which is not free but highly developed and supported. Plus it's modular and supports plugins. You might want to check that out.

[QrazyKermi]

I reinstalled, but couldn't reconnect the guts to the database. With my 2nd child due at any moment, I haven't had the time to learn much about php, MySQL, etc. So I simply restored my previous version. I'm still getting those errors, but it isn't impacting the site at all that I can tell.

I am largely disappointed with Drupal, mostly because the modules usually suck. The forums are lame and difficult to get working or looking the way I like, and the Image Gallery modules that I've tried are really poor. But, I get what I pay for I guess

EE looks interesting. My only concern is that I don't want to have to spend time tinkering with php files and such. I don't mind playing with html, as I'm already fairly familiar with that. I just don't have the time to learn new stuff.