Removing malware code in webpages

From http://tech.superhappykittymeow.com. Good stuff here also…

More and more client workstations are being infected with keyloggers and trojans. In addition to stealing your WoW username and password (oh noes, my purpz!), they also have been stealing FTP logins.

This has manifested itself in the linux server world by seemingly legit users logging in over FTP, downloading a file, then uploading it a few seconds later with 100-ish bytes appended. A look at xferlog reveals this behavior, usually against a regex of pages (index.*, default.*, etc), and the connecting IP will often be foreign. A look at the secure log will reveal that the password was not brute-forced; rather, it was known.
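The xferlog pattern described above (a download of a page followed seconds later by a re-upload of the same file that is only slightly larger) is easy to hunt for mechanically. The following is an added example, not code from the original post; the log lines are constructed, and it assumes the standard wu-ftpd/proftpd xferlog layout (date, transfer time, host, size, path, type, flag, direction, mode, user, ...).

```python
from datetime import datetime

# Constructed sample xferlog lines (not real traffic); direction field: o = download, i = upload.
SAMPLE_XFERLOG = """\
Mon Jan  5 10:01:02 2009 1 203.0.113.7 4120 /home/acme/public_html/index.php b _ o r acme ftp 0 * c
Mon Jan  5 10:01:09 2009 1 203.0.113.7 4231 /home/acme/public_html/index.php b _ i r acme ftp 0 * c
Mon Jan  5 10:01:11 2009 1 203.0.113.7 2880 /home/acme/public_html/default.htm b _ o r acme ftp 0 * c
Mon Jan  5 10:01:15 2009 1 203.0.113.7 2991 /home/acme/public_html/default.htm b _ i r acme ftp 0 * c
Mon Jan  5 11:30:00 2009 1 198.51.100.2 9000 /home/acme/public_html/logo.png b _ o r acme ftp 0 * c
Mon Jan  5 14:00:00 2009 3 198.51.100.2 51200 /home/acme/public_html/index.php b _ i r acme ftp 0 * c
"""


def parse_xferlog(text):
    """Parse xferlog lines into dicts. Assumes paths contain no spaces (standard layout)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue  # malformed or truncated line; skip rather than crash
        ts = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
        rows.append({"ts": ts, "host": f[6], "size": int(f[7]), "path": f[8],
                     "direction": f[11], "user": f[13]})
    return rows


def find_append_pattern(rows, window_s=60, max_growth=2000):
    """Flag a download followed by a re-upload of the same file by the same user
    within window_s seconds, where the file grew by 1..max_growth bytes
    (the 'few seconds later with ~100 bytes appended' signature)."""
    hits = []
    last_download = {}  # (user, path) -> most recent outgoing transfer
    for r in sorted(rows, key=lambda r: r["ts"]):
        key = (r["user"], r["path"])
        if r["direction"] == "o":
            last_download[key] = r
        elif r["direction"] == "i" and key in last_download:
            d = last_download[key]
            delta_t = (r["ts"] - d["ts"]).total_seconds()
            growth = r["size"] - d["size"]
            if 0 <= delta_t <= window_s and 0 < growth <= max_growth:
                hits.append({"user": r["user"], "path": r["path"], "host": r["host"],
                             "seconds": delta_t, "bytes_appended": growth})
    return hits


if __name__ == "__main__":
    for h in find_append_pattern(parse_xferlog(SAMPLE_XFERLOG)):
        print(f"{h['user']} {h['host']} {h['path']} +{h['bytes_appended']}B after {h['seconds']:.0f}s")
```

Every hit gives you the connecting IP to check against the user's normal locations and the exact files to inspect with tail.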

The real solution is to change all passwords and force the end user to reformat their computer, since they’re infected and do not realize it. Alas, this is not quite practical (though if someone could invent a remote formatter, I’ll give you $10 for it). Rather, advise the end user of the situation and suggest reformatting — or, at the very least, using a collection of anti-spyware, anti-virus, and anti-everything software on their workstation. Change the affected user’s password.

To clean up the leftover malicious code that was appended, find out the exact string (usually `tail index.php` will reveal it), as it is often a JavaScript line or an iframe.

Copy the string completely and we’ll just sed it out:

sed -i "s#PASTE_MALICIOUS_STRING_HERE##g" index.php

(The `#` delimiter is used because the injected string usually contains slashes; PASTE_MALICIOUS_STRING_HERE stands for the exact string you copied, with any `#`, `&` or `\` in it escaped with a backslash.)

Sed's not very good at recursing, but luckily, grep is. Make a list of files that match:


grep -R "b.adserv.cn" * |awk -F\: '{print $1}' > filelist

And then feed it to sed:

while read -r line ; do sed -i "s#PASTE_MALICIOUS_STRING_HERE##g" "$line" ; done < filelist

It should also be noted that this user logged in as the FTP user with no failed password attempts — they knew the password. This situation most often occurs when a client workstation that has access to this FTP account is compromised with a virus, spyware, trojan horse or keylogger that transmits the login credentials to a third party attacker. I strongly recommend running anti-virus and anti-spyware software on all client workstations that have access to this account.

g33kadmin

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....
