Gumblar-family virus removal tool

Alexander Prokopenko, Chief Technical Officer

During the last few weeks, we’ve found that a few of our clients’ sites are infected with malicious JavaScript code, which appears to be the result of a virus. The virus behaviour is similar to the Gumblar virus. Here is a short summary of what this virus does:

  1. After it infects a machine, it searches for stored FTP passwords and sends them to the hacker’s server, somewhere in the world.
  2. Once the hacker has collected the passwords, they are used to connect to the servers and add the malicious JavaScript code to some HTML, PHP and ASP files and to all JS files.
  3. Here is an example of the malicious code:
/*GNU GPL*/try {window.onload = function(){var X08yhffhg7xkxf = ...;document.body.appendChild(X08yhffhg7xkxf);}}catch(e) {}

As many sites have a lot of JS files, this means that thousands of files can be infected. We had to write a tool to clean up the files automatically, and it has done a good job so far, so we thought it would be a good idea to share it with people facing the same issue. Here are the instructions for using the removal script:

  1. Download the script here, unpack it and upload it to the web root of your server
  2. Run it in the browser by pointing it to http://yourdomain.com/curevir.php
  3. Enjoy the output

There could be trouble with file permissions, so (if that applies to you) set write permissions for all your files. Please also read the information in the head of the script; it explains how the script works in more detail. The script is written for UNIX-based servers, though some people have tried it successfully on Windows.

Sometimes the script takes all the memory the server allows. In this case, please try running it with an additional parameter, like http://yourdomain.com/curevir.php?shell=1. This forces it to use UNIX shell commands instead of loading the file content into memory (the default method is much faster, though).

Don’t forget to change the FTP password for your site in order to prevent further infection: the password has already been stolen!

If you have any feedback on the script usage please feel free to post comments here or contact us.

UPDATED ON 2009/12/28: The script was updated after some people reported new infection code. Now the virus adds a few commented lines after the JavaScript, like this:

UPDATED ON 2010/01/08: One more update (version 1.1): the virus code now uses a different comment at the beginning, followed by a few extra spaces. It now starts with:

/*LGPL*/ try{ window.onload

You can now set the virus comment that the script should search for, on line 36 of the script:

$starting_comment = '/*LGPL*/';

The script at the original link now handles the updated virus code. The old version of the script (let’s call it 1.0) is available here.

UPDATED ON 2010/01/22: Version 1.2 is released: the virus code has been modified a few more times, and the script now searches for all of the variants. The original link still contains the latest version. Version 1.1 is available here.

UPDATED ON 2010/01/27: Version 1.2.1 is released: one more regular expression for the new version of the virus code has been added. As always, the original link contains the latest version. Version 1.2 is available here.

UPDATED ON 2010/01/29: Version 1.2.2: These guys are changing their code faster and faster… Another regular expression has been added; the new version has been re-uploaded at the original link. Check the version history for previous versions.

UPDATED ON 2010/01/30: Version 1.2.3: One more update to the regular expressions; as always, the new version has been re-uploaded at the original link.

UPDATED ON 2010/02/19: Version 1.3: Too many mutations have appeared lately, and it no longer seems possible to find a pattern that covers all variations in the script. So this version simply lets you paste the virus code into a textarea, and it will clean all files containing that code. Be careful and only paste the real, full code there, otherwise you may remove needed parts of your files. Be sure to make backups. The new version can be downloaded here.
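As an added illustration (this is not the curevir.php script from the post, whose source is not reproduced here), the following Python sketch shows both cleanup modes the post describes: the regex mode, anchored on the starting comments mentioned above (/*GNU GPL*/ and /*LGPL*/) and ending at the empty catch(e) {} seen in the sample, and the version 1.3 mode, where an exact pasted snippet is removed literally. The infected sample is constructed with a made-up body standing in for the elided payload; the assumption that every variant ends in catch(e) {} comes only from the one sample shown on this page, and real mutations may not fit it.

```python
import os
import re
import shutil
import tempfile

# Comment markers the post reports at the start of the injected block.
STARTING_COMMENTS = ['/*GNU GPL*/', '/*LGPL*/']

# Constructed sample: the shape shown on the page (marker, try {...} catch(e) {}),
# with a made-up body standing in for the elided payload. Not real malware.
SAMPLE_INFECTED_JS = (
    "function legit() { return 1; }\n"
    "/*GNU GPL*/try {window.onload = function(){var X08yhffhg7xkxf = "
    "document.createElement('script');document.body.appendChild(X08yhffhg7xkxf);}}"
    "catch(e) {}\n"
    "legit();\n"
)


def build_pattern(starting_comments):
    """Regex for: <marker> try { ... } catch(e) {}  (lazy body, may span newlines).
    Assumption: the block always ends with an empty catch(e) {}, as in the page's sample."""
    markers = '|'.join(re.escape(c) for c in starting_comments)
    return re.compile(r'(?:' + markers + r')\s*try\s*\{.*?\}\s*catch\s*\(e\)\s*\{\s*\}',
                      re.DOTALL)


PATTERN = build_pattern(STARTING_COMMENTS)


def clean_text(text, literal=None, pattern=PATTERN):
    """Return (cleaned_text, number_of_removals).

    literal: exact snippet to strip (the v1.3 textarea mode); if None, use the regex.
    Only the snippet itself is removed, so surrounding code is never touched."""
    if literal:
        return text.replace(literal, ''), text.count(literal)
    return pattern.subn('', text)


def clean_tree(root, extensions=('.js', '.html', '.htm', '.php', '.asp'),
               literal=None, dry_run=False):
    """Walk root, clean each matching file in place, keeping <name>.bak of the original.

    Returns {path: removals} for files that contained the block. With dry_run=True
    nothing is written, so the report can be reviewed before any file is changed."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='surrogateescape') as fh:
                original = fh.read()
            cleaned, removed = clean_text(original, literal=literal)
            if removed == 0:
                continue
            report[path] = removed
            if dry_run:
                continue
            shutil.copy2(path, path + '.bak')  # backup before overwriting
            with open(path, 'w', encoding='utf-8', errors='surrogateescape') as fh:
                fh.write(cleaned)
    return report


def demo():
    """Plant the constructed sample in a temp dir, dry-run, then clean for real."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, 'app.js')
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(SAMPLE_INFECTED_JS)
        preview = clean_tree(tmp, dry_run=True)
        with open(path, encoding='utf-8') as fh:
            untouched = fh.read() == SAMPLE_INFECTED_JS  # dry run must not write
        report = clean_tree(tmp)
        with open(path, encoding='utf-8') as fh:
            cleaned = fh.read()
        return preview[path], untouched, report[path], cleaned, os.path.exists(path + '.bak')


if __name__ == '__main__':
    print(demo())
```

Run with dry_run=True first and review the report before writing anything. The literal mode mirrors the post's warning: exactly what you paste is removed and nothing else, so a partial snippet leaves fragments behind, while an over-long one strips legitimate code along with it.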

VERSION HISTORY:
