Strange elements appearing in javascript rich text editors

Question

There's been a rash of strange HTML form elements showing up in javascript-based rich text editors all around the web. The first evidence I can find of this is in the joomla forums a little under a month ago. Since then there have also been reports from drupal users and wordpress users, and there's now evidence of this all over the web -- and finally, we've just had a report of this on a site I'm responsible for. It seems to be limited to firefox.

Any ideas where this is coming from, and how to stop it? There are some vague mentions of uninstalling firefox and running malware scanners, but nothing specific.

Answer 1

This line of code is definitively clear:

<input type="hidden" id="gwProxy" /><!--Session data--><input type="hidden" id="jsProxy" /><div id="refHTML">&nbsp;</div>

gwProxy / jsProxy code being embedded into posts

Weird gwProxy code is inserted in WYSIWYG textareas

iT seems that there is a proxy that's been embeeded into users code using a FCKeditor an JCE editor due to a malicious theme or add-on.

From support.mozilla.com:

You can start Firefox in Safe Mode to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes). See Troubleshooting extensions and themes If it does work in Safe-mode then disable all your extensions and then try to find which is causing it by enabling one at a time until the problem reappears. You can use "Disable all add-ons" on the Safe mode start window. You have to close and restart Firefox after each change (File > Exit).

Sorry about my english! Don't hesitate to comment over this post.